* Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Merge pull request #187 from rhatdan/container-selinux - Allow rhsmcertd domain signull kernel. - Allow container-selinux to handle all policy for container processes - Fix label for nagios plugins in nagios file context file - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add SELinux support for systemd-initctl daemon - Add SELinux support for systemd-bootchart - su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 - Add module_load permission to can_load_kernmodule - Add module_load permission to class system - Add the validate_trans access vector to the security class - Restore connectto permissions for init_t
parent
eb8104a967
commit
fd7fb37552
@ -57726,7 +57726,7 @@ index 0000000..79f1250
|
|||||||
+
|
+
|
||||||
+fs_getattr_xattr_fs(naemon_t)
|
+fs_getattr_xattr_fs(naemon_t)
|
||||||
diff --git a/nagios.fc b/nagios.fc
|
diff --git a/nagios.fc b/nagios.fc
|
||||||
index d78dfc3..40e1c77 100644
|
index d78dfc3..c781b72 100644
|
||||||
--- a/nagios.fc
|
--- a/nagios.fc
|
||||||
+++ b/nagios.fc
|
+++ b/nagios.fc
|
||||||
@@ -1,88 +1,113 @@
|
@@ -1,88 +1,113 @@
|
||||||
@ -57774,13 +57774,13 @@ index d78dfc3..40e1c77 100644
|
|||||||
+
|
+
|
||||||
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||||
+/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
+/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||||
+
|
|
||||||
+ifdef(`distro_debian',`
|
+ifdef(`distro_debian',`
|
||||||
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
||||||
+')
|
+')
|
||||||
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
||||||
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
|
||||||
|
+
|
||||||
+# admin plugins
|
+# admin plugins
|
||||||
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
|
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
|
||||||
|
|
||||||
@ -57792,106 +57792,132 @@ index d78dfc3..40e1c77 100644
|
|||||||
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
||||||
|
|
||||||
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
||||||
+# mail plugins
|
-
|
||||||
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+
|
-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+# system plugins
|
-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
-
|
||||||
|
-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+# services plugins
|
|
||||||
/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
-
|
-
|
||||||
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
||||||
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
-
|
||||||
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
||||||
|
|
||||||
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
||||||
|
-
|
||||||
|
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||||
|
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
||||||
|
-
|
||||||
|
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
|
||||||
|
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
|
||||||
|
-
|
||||||
|
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
||||||
|
+# mail plugins
|
||||||
|
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
||||||
|
+
|
||||||
|
+# system plugins
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
|
+# services plugins
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
+# openshift plugins
|
+# openshift plugins
|
||||||
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
||||||
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
||||||
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
||||||
+# label all nagios plugin as unconfined by default
|
+# label all nagios plugin as unconfined by default
|
||||||
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
|
|
||||||
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
|
|
||||||
+# eventhandlers
|
+# eventhandlers
|
||||||
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
||||||
+/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
+/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
||||||
|
+
|
||||||
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
|
||||||
diff --git a/nagios.if b/nagios.if
|
diff --git a/nagios.if b/nagios.if
|
||||||
index 0641e97..f3b1111 100644
|
index 0641e97..f3b1111 100644
|
||||||
--- a/nagios.if
|
--- a/nagios.if
|
||||||
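Review bot: The new `(64)?` alternation is applied only to the named check_* plugins, while the unconfined default (`/usr/lib/nagios/plugins/.* -- …nagios_unconfined_plugin_exec_t`) and the two eventhandlers entries near the end of the hunk still match `/usr/lib/` only, so on a lib64 layout any plugin not in the explicit list, and the whole eventhandlers tree, is left to whatever the parent directory's rule yields and presumably never transitions out of nagios_t. If parity is intended, change them to `/usr/lib(64)?/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)` and `/usr/lib(64)?/nagios/plugins/eventhandlers(/.*)? gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)` (the added `?` also labels the eventhandlers directory itself). Note that widening the default extends the unconfined type to every unlisted lib64 plugin, so new plugins should still be given a confined type explicitly rather than relying on it. Separately, the `# system plugins` header now sits above check_breeze and check_dummy, which are labeled nagios_services_plugin_exec_t, and the openshift entries hard-code `/usr/lib64/` instead of using the same alternation.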
@ -89271,7 +89297,7 @@ index 6dbc905..4b17c93 100644
|
|||||||
- admin_pattern($1, rhsmcertd_lock_t)
|
- admin_pattern($1, rhsmcertd_lock_t)
|
||||||
')
|
')
|
||||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||||
index d32e1a2..1271bf3 100644
|
index d32e1a2..7239c98 100644
|
||||||
--- a/rhsmcertd.te
|
--- a/rhsmcertd.te
|
||||||
+++ b/rhsmcertd.te
|
+++ b/rhsmcertd.te
|
||||||
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
|
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
|
||||||
@ -89310,13 +89336,14 @@ index d32e1a2..1271bf3 100644
|
|||||||
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||||
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
|
||||||
|
|
||||||
@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
|
||||||
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
||||||
|
|
||||||
kernel_read_network_state(rhsmcertd_t)
|
kernel_read_network_state(rhsmcertd_t)
|
||||||
+kernel_read_net_sysctls(rhsmcertd_t)
|
+kernel_read_net_sysctls(rhsmcertd_t)
|
||||||
kernel_read_system_state(rhsmcertd_t)
|
kernel_read_system_state(rhsmcertd_t)
|
||||||
+kernel_read_sysctl(rhsmcertd_t)
|
+kernel_read_sysctl(rhsmcertd_t)
|
||||||
|
+kernel_signull(rhsmcertd_t)
|
||||||
+
|
+
|
||||||
+corenet_tcp_connect_http_port(rhsmcertd_t)
|
+corenet_tcp_connect_http_port(rhsmcertd_t)
|
||||||
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
|
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
|
||||||
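Review bot: `kernel_signull(rhsmcertd_t)` is added without a comment saying which access it satisfies; a signull toward the kernel domain usually comes from a `kill(pid, 0)` liveness probe on a pid read from a lock or pid file that has since been recycled by a kernel thread, and if that is the case here it is worth recording, because the same probe against a recycled user-space pid will next surface as a denial on a different target domain rather than kernel_t. A one-line comment above the rule such as `# kill(pid, 0) liveness check on a pid that may be reused by a kernel thread (see AVC/bug)` would keep the grant reviewable. signull carries no signal delivery, so the rule itself is low risk; the rest of the rhsmcertd_t policy continues outside the hunk.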
@ -114709,7 +114736,7 @@ index facdee8..2cff369 100644
|
|||||||
+ domtrans_pattern($1,container_file_t, $2)
|
+ domtrans_pattern($1,container_file_t, $2)
|
||||||
')
|
')
|
||||||
diff --git a/virt.te b/virt.te
|
diff --git a/virt.te b/virt.te
|
||||||
index f03dcf5..b5b9ca5 100644
|
index f03dcf5..482c24b 100644
|
||||||
--- a/virt.te
|
--- a/virt.te
|
||||||
+++ b/virt.te
|
+++ b/virt.te
|
||||||
@@ -1,451 +1,411 @@
|
@@ -1,451 +1,411 @@
|
||||||
@ -115789,7 +115816,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+dev_read_sysfs(virtlogd_t)
|
+dev_read_sysfs(virtlogd_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(virtlogd_t)
|
+logging_send_syslog_msg(virtlogd_t)
|
||||||
+
|
|
||||||
+auth_use_nsswitch(virtlogd_t)
|
+auth_use_nsswitch(virtlogd_t)
|
||||||
+
|
+
|
||||||
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
|
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
|
||||||
@ -116045,7 +116072,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+init_system_domain(virsh_t, virsh_exec_t)
|
+init_system_domain(virsh_t, virsh_exec_t)
|
||||||
+typealias virsh_t alias xm_t;
|
+typealias virsh_t alias xm_t;
|
||||||
+typealias virsh_exec_t alias xm_exec_t;
|
+typealias virsh_exec_t alias xm_exec_t;
|
||||||
|
+
|
||||||
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
||||||
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
||||||
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||||
@ -116133,10 +116160,10 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
|
|
||||||
-logging_send_syslog_msg(virsh_t)
|
-logging_send_syslog_msg(virsh_t)
|
||||||
+systemd_exec_systemctl(virsh_t)
|
+systemd_exec_systemctl(virsh_t)
|
||||||
+
|
|
||||||
+auth_read_passwd(virsh_t)
|
|
||||||
|
|
||||||
-miscfiles_read_localization(virsh_t)
|
-miscfiles_read_localization(virsh_t)
|
||||||
|
+auth_read_passwd(virsh_t)
|
||||||
|
+
|
||||||
+logging_send_syslog_msg(virsh_t)
|
+logging_send_syslog_msg(virsh_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(virsh_t)
|
sysnet_dns_name_resolve(virsh_t)
|
||||||
@ -116301,7 +116328,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
selinux_get_enforce_mode(virtd_lxc_t)
|
selinux_get_enforce_mode(virtd_lxc_t)
|
||||||
selinux_get_fs_mount(virtd_lxc_t)
|
selinux_get_fs_mount(virtd_lxc_t)
|
||||||
selinux_validate_context(virtd_lxc_t)
|
selinux_validate_context(virtd_lxc_t)
|
||||||
@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t)
|
@@ -974,194 +1268,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||||
selinux_compute_relabel_context(virtd_lxc_t)
|
selinux_compute_relabel_context(virtd_lxc_t)
|
||||||
selinux_compute_user_contexts(virtd_lxc_t)
|
selinux_compute_user_contexts(virtd_lxc_t)
|
||||||
|
|
||||||
@ -116328,8 +116355,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+ hal_dbus_chat(virtd_lxc_t)
|
+ hal_dbus_chat(virtd_lxc_t)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ container_exec_lib(virtd_lxc_t)
|
+ container_exec_lib(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
@ -116341,7 +116367,8 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ unconfined_domain(virtd_lxc_t)
|
+ unconfined_domain(virtd_lxc_t)
|
||||||
+')
|
+')
|
||||||
@ -116374,89 +116401,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+tunable_policy(`deny_ptrace',`',`
|
+tunable_policy(`deny_ptrace',`',`
|
||||||
+ allow svirt_sandbox_domain self:process ptrace;
|
+ allow svirt_sandbox_domain self:process ptrace;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
|
||||||
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
|
||||||
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
|
||||||
-allow svirt_lxc_domain self:sem create_sem_perms;
|
|
||||||
-allow svirt_lxc_domain self:shm create_shm_perms;
|
|
||||||
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
|
||||||
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
||||||
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
||||||
-
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
|
||||||
-
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
|
||||||
-
|
|
||||||
-allow svirt_lxc_domain virsh_t:fd use;
|
|
||||||
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
|
||||||
-allow svirt_lxc_domain virsh_t:process sigchld;
|
|
||||||
-
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
|
||||||
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
|
||||||
-
|
|
||||||
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
||||||
-
|
|
||||||
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
|
||||||
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
|
||||||
-
|
|
||||||
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
|
||||||
-
|
|
||||||
-kernel_getattr_proc(svirt_lxc_domain)
|
|
||||||
-kernel_list_all_proc(svirt_lxc_domain)
|
|
||||||
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
|
||||||
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
|
||||||
-kernel_read_system_state(svirt_lxc_domain)
|
|
||||||
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-corecmd_exec_all_executables(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
|
||||||
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
|
||||||
-# files_entrypoint_all_files(svirt_lxc_domain)
|
|
||||||
-files_list_var(svirt_lxc_domain)
|
|
||||||
-files_list_var_lib(svirt_lxc_domain)
|
|
||||||
-files_search_all(svirt_lxc_domain)
|
|
||||||
-files_read_config_files(svirt_lxc_domain)
|
|
||||||
-files_read_usr_files(svirt_lxc_domain)
|
|
||||||
-files_read_usr_symlinks(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-fs_getattr_all_fs(svirt_lxc_domain)
|
|
||||||
-fs_list_inotifyfs(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
|
||||||
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
|
||||||
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
|
||||||
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
|
||||||
-auth_search_pam_console_data(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-clock_read_adjtime(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-init_read_utmp(svirt_lxc_domain)
|
|
||||||
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-miscfiles_read_localization(svirt_lxc_domain)
|
|
||||||
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
|
||||||
-miscfiles_read_fonts(svirt_lxc_domain)
|
|
||||||
-
|
|
||||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
|
||||||
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
||||||
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
||||||
@ -116546,28 +116491,112 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
||||||
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
||||||
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
||||||
+
|
|
||||||
|
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
||||||
|
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
||||||
|
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
||||||
|
-allow svirt_lxc_domain self:sem create_sem_perms;
|
||||||
|
-allow svirt_lxc_domain self:shm create_shm_perms;
|
||||||
|
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
||||||
|
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
||||||
|
-
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
||||||
|
-
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
||||||
|
-
|
||||||
|
-allow svirt_lxc_domain virsh_t:fd use;
|
||||||
|
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
||||||
|
-allow svirt_lxc_domain virsh_t:process sigchld;
|
||||||
|
-
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
||||||
|
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
||||||
|
-
|
||||||
|
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||||
|
-
|
||||||
|
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
||||||
|
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
||||||
|
-
|
||||||
|
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
||||||
|
-
|
||||||
|
-kernel_getattr_proc(svirt_lxc_domain)
|
||||||
|
-kernel_list_all_proc(svirt_lxc_domain)
|
||||||
|
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
||||||
|
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
||||||
|
-kernel_read_system_state(svirt_lxc_domain)
|
||||||
|
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-corecmd_exec_all_executables(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
||||||
|
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
||||||
|
-# files_entrypoint_all_files(svirt_lxc_domain)
|
||||||
|
-files_list_var(svirt_lxc_domain)
|
||||||
|
-files_list_var_lib(svirt_lxc_domain)
|
||||||
|
-files_search_all(svirt_lxc_domain)
|
||||||
|
-files_read_config_files(svirt_lxc_domain)
|
||||||
|
-files_read_usr_files(svirt_lxc_domain)
|
||||||
|
-files_read_usr_symlinks(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-fs_getattr_all_fs(svirt_lxc_domain)
|
||||||
|
-fs_list_inotifyfs(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
||||||
|
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
||||||
|
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
||||||
|
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
||||||
|
-auth_search_pam_console_data(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-clock_read_adjtime(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-init_read_utmp(svirt_lxc_domain)
|
||||||
|
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-miscfiles_read_localization(svirt_lxc_domain)
|
||||||
|
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
||||||
|
-miscfiles_read_fonts(svirt_lxc_domain)
|
||||||
|
-
|
||||||
|
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+tunable_policy(`virt_sandbox_share_apache_content',`
|
+tunable_policy(`virt_sandbox_share_apache_content',`
|
||||||
+ apache_exec_modules(svirt_sandbox_domain)
|
+ apache_exec_modules(svirt_sandbox_domain)
|
||||||
+ apache_read_sys_content(svirt_sandbox_domain)
|
+ apache_read_sys_content(svirt_sandbox_domain)
|
||||||
+ ')
|
+ ')
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
|
- udev_read_pid_files(svirt_lxc_domain)
|
||||||
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
||||||
+')
|
')
|
||||||
+
|
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
|
- apache_exec_modules(svirt_lxc_domain)
|
||||||
|
- apache_read_sys_content(svirt_lxc_domain)
|
||||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- udev_read_pid_files(svirt_lxc_domain)
|
|
||||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -116597,11 +116626,9 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+ fs_mount_fusefs(svirt_sandbox_domain)
|
+ fs_mount_fusefs(svirt_sandbox_domain)
|
||||||
+ fs_unmount_fusefs(svirt_sandbox_domain)
|
+ fs_unmount_fusefs(svirt_sandbox_domain)
|
||||||
+ fs_exec_fusefs_files(svirt_sandbox_domain)
|
+ fs_exec_fusefs_files(svirt_sandbox_domain)
|
||||||
')
|
+')
|
||||||
|
+
|
||||||
optional_policy(`
|
+optional_policy(`
|
||||||
- apache_exec_modules(svirt_lxc_domain)
|
|
||||||
- apache_read_sys_content(svirt_lxc_domain)
|
|
||||||
+ container_read_share_files(svirt_sandbox_domain)
|
+ container_read_share_files(svirt_sandbox_domain)
|
||||||
+ container_exec_share_files(svirt_sandbox_domain)
|
+ container_exec_share_files(svirt_sandbox_domain)
|
||||||
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
|
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
|
||||||
@ -116618,16 +116645,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
#
|
#
|
||||||
+virt_sandbox_domain_template(container)
|
+virt_sandbox_domain_template(container)
|
||||||
+typealias container_t alias svirt_lxc_net_t;
|
+typealias container_t alias svirt_lxc_net_t;
|
||||||
+virt_default_capabilities(container_t)
|
+# Policy moved to container-selinux policy package
|
||||||
+dontaudit container_t self:capability fsetid;
|
|
||||||
+dontaudit container_t self:capability2 block_suspend ;
|
|
||||||
+allow container_t self:process { execstack execmem };
|
|
||||||
+manage_chr_files_pattern(container_t, container_file_t, container_file_t)
|
|
||||||
+manage_blk_files_pattern(container_t, container_file_t, container_file_t)
|
|
||||||
+
|
|
||||||
+tunable_policy(`virt_sandbox_use_sys_admin',`
|
|
||||||
+ allow container_t self:capability sys_admin;
|
|
||||||
+')
|
|
||||||
|
|
||||||
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||||
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
|
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
|
||||||
@ -116640,12 +116658,18 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
||||||
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
|
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
|
||||||
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
-
|
+########################################
|
||||||
|
+#
|
||||||
|
+# container_t local policy
|
||||||
|
+#
|
||||||
|
+virt_sandbox_domain_template(svirt_qemu_net)
|
||||||
|
+typeattribute svirt_qemu_net_t sandbox_net_domain;
|
||||||
|
|
||||||
-kernel_read_network_state(svirt_lxc_net_t)
|
-kernel_read_network_state(svirt_lxc_net_t)
|
||||||
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
||||||
+tunable_policy(`virt_sandbox_use_mknod',`
|
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
||||||
+ allow container_t self:capability mknod;
|
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
|
||||||
+')
|
+allow svirt_qemu_net_t self:process { execstack execmem };
|
||||||
|
|
||||||
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
||||||
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
||||||
@ -116657,118 +116681,63 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
||||||
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
||||||
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
||||||
+tunable_policy(`virt_sandbox_use_all_caps',`
|
|
||||||
+ allow container_t self:capability all_capability_perms;
|
|
||||||
+ allow container_t self:capability2 all_capability2_perms;
|
|
||||||
+')
|
|
||||||
|
|
||||||
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
|
||||||
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
|
||||||
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
|
||||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
|
||||||
+ allow container_t self:netlink_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
||||||
+ allow container_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_connector_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_crypto_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_fib_lookup_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_generic_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_iscsi_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_netfilter_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_rdma_socket create_socket_perms;
|
|
||||||
+ allow container_t self:netlink_scsitransport_socket create_socket_perms;
|
|
||||||
+', `
|
|
||||||
+ logging_dontaudit_send_audit_msgs(container_t)
|
|
||||||
+')
|
|
||||||
|
|
||||||
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
|
||||||
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
|
||||||
+allow container_t virt_lxc_var_run_t:dir list_dir_perms;
|
|
||||||
+allow container_t virt_lxc_var_run_t:file read_file_perms;
|
|
||||||
|
|
||||||
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
|
||||||
-dev_read_rand(svirt_lxc_net_t)
|
|
||||||
-dev_read_sysfs(svirt_lxc_net_t)
|
|
||||||
-dev_read_urand(svirt_lxc_net_t)
|
|
||||||
+kernel_read_irq_sysctls(container_t)
|
|
||||||
+kernel_read_messages(container_t)
|
|
||||||
|
|
||||||
-files_read_kernel_modules(svirt_lxc_net_t)
|
|
||||||
+dev_read_sysfs(container_t)
|
|
||||||
+dev_read_mtrr(container_t)
|
|
||||||
+dev_read_rand(container_t)
|
|
||||||
+dev_read_urand(container_t)
|
|
||||||
|
|
||||||
-fs_mount_cgroup(svirt_lxc_net_t)
|
|
||||||
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
|
||||||
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
|
||||||
+files_read_kernel_modules(container_t)
|
|
||||||
|
|
||||||
-auth_use_nsswitch(svirt_lxc_net_t)
|
|
||||||
+fs_noxattr_type(container_file_t)
|
|
||||||
|
|
||||||
-logging_send_audit_msgs(svirt_lxc_net_t)
|
|
||||||
+term_pty(container_file_t)
|
|
||||||
|
|
||||||
-userdom_use_user_ptys(svirt_lxc_net_t)
|
|
||||||
+logging_send_syslog_msg(container_t)
|
|
||||||
|
|
||||||
-optional_policy(`
|
|
||||||
- rpm_read_db(svirt_lxc_net_t)
|
|
||||||
+tunable_policy(`virt_sandbox_use_audit',`
|
|
||||||
+ logging_send_audit_msgs(container_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
-#######################################
|
|
||||||
+userdom_use_user_ptys(container_t)
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
#
|
|
||||||
-# Prot exec local policy
|
|
||||||
+# container_t local policy
|
|
||||||
#
|
|
||||||
+virt_sandbox_domain_template(svirt_qemu_net)
|
|
||||||
+typeattribute svirt_qemu_net_t sandbox_net_domain;
|
|
||||||
+
|
|
||||||
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
|
||||||
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
|
|
||||||
+allow svirt_qemu_net_t self:process { execstack execmem };
|
|
||||||
+
|
|
||||||
+tunable_policy(`virt_sandbox_use_netlink',`
|
+tunable_policy(`virt_sandbox_use_netlink',`
|
||||||
+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
|
+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
|
||||||
+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
||||||
+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
|
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
||||||
|
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
||||||
|
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
||||||
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||||
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||||
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||||
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||||
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
|
||||||
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
|
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
|
||||||
+
|
|
||||||
|
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
||||||
|
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
||||||
+term_use_generic_ptys(svirt_qemu_net_t)
|
+term_use_generic_ptys(svirt_qemu_net_t)
|
||||||
+term_use_ptmx(svirt_qemu_net_t)
|
+term_use_ptmx(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
||||||
|
-dev_read_rand(svirt_lxc_net_t)
|
||||||
|
-dev_read_sysfs(svirt_lxc_net_t)
|
||||||
|
-dev_read_urand(svirt_lxc_net_t)
|
||||||
+dev_rw_kvm(svirt_qemu_net_t)
|
+dev_rw_kvm(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-files_read_kernel_modules(svirt_lxc_net_t)
|
||||||
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
|
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
|
||||||
|
|
||||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
-fs_mount_cgroup(svirt_lxc_net_t)
|
||||||
|
-fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
||||||
|
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
||||||
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||||
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
||||||
+
|
|
||||||
|
-auth_use_nsswitch(svirt_lxc_net_t)
|
||||||
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
||||||
+
|
|
||||||
|
-logging_send_audit_msgs(svirt_lxc_net_t)
|
||||||
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-userdom_use_user_ptys(svirt_lxc_net_t)
|
||||||
+dev_read_sysfs(svirt_qemu_net_t)
|
+dev_read_sysfs(svirt_qemu_net_t)
|
||||||
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
||||||
+dev_read_rand(svirt_qemu_net_t)
|
+dev_read_rand(svirt_qemu_net_t)
|
||||||
+dev_read_urand(svirt_qemu_net_t)
|
+dev_read_urand(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-optional_policy(`
|
||||||
|
- rpm_read_db(svirt_lxc_net_t)
|
||||||
|
-')
|
||||||
+files_read_kernel_modules(svirt_qemu_net_t)
|
+files_read_kernel_modules(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-#######################################
|
||||||
|
-#
|
||||||
|
-# Prot exec local policy
|
||||||
|
-#
|
||||||
+fs_noxattr_type(container_file_t)
|
+fs_noxattr_type(container_file_t)
|
||||||
+fs_mount_cgroup(svirt_qemu_net_t)
|
+fs_mount_cgroup(svirt_qemu_net_t)
|
||||||
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
||||||
@ -116781,7 +116750,8 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+rpm_read_db(svirt_qemu_net_t)
|
+rpm_read_db(svirt_qemu_net_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(svirt_qemu_net_t)
|
+logging_send_syslog_msg(svirt_qemu_net_t)
|
||||||
+
|
|
||||||
|
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||||
+tunable_policy(`virt_sandbox_use_audit',`
|
+tunable_policy(`virt_sandbox_use_audit',`
|
||||||
+ logging_send_audit_msgs(svirt_qemu_net_t)
|
+ logging_send_audit_msgs(svirt_qemu_net_t)
|
||||||
+')
|
+')
|
||||||
@ -116802,7 +116772,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
|
|
||||||
@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t)
|
@@ -1174,12 +1570,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||||
dev_read_rand(virt_qmf_t)
|
dev_read_rand(virt_qmf_t)
|
||||||
dev_read_urand(virt_qmf_t)
|
dev_read_urand(virt_qmf_t)
|
||||||
|
|
||||||
@ -116817,7 +116787,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
sysnet_read_config(virt_qmf_t)
|
sysnet_read_config(virt_qmf_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -1192,7 +1647,7 @@ optional_policy(`
|
@@ -1192,7 +1588,7 @@ optional_policy(`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -116826,7 +116796,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||||
@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
@@ -1201,11 +1597,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -117000,7 +116970,7 @@ index f03dcf5..b5b9ca5 100644
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
+# container_t local policy
|
+# svirt_kvm_net_t local policy
|
||||||
+#
|
+#
|
||||||
+virt_sandbox_domain_template(svirt_kvm_net)
|
+virt_sandbox_domain_template(svirt_kvm_net)
|
||||||
+typeattribute svirt_kvm_net_t sandbox_net_domain;
|
+typeattribute svirt_kvm_net_t sandbox_net_domain;
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 236%{?dist}
|
Release: 237%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -675,6 +675,20 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 08 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
|
||||||
|
- Merge pull request #187 from rhatdan/container-selinux
|
||||||
|
- Allow rhsmcertd domain signull kernel.
|
||||||
|
- Allow container-selinux to handle all policy for container processes
|
||||||
|
- Fix label for nagios plugins in nagios file conxtext file
|
||||||
|
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
|
||||||
|
- Add SELinux support for systemd-initctl daemon
|
||||||
|
- Add SELinux support for systemd-bootchart
|
||||||
|
- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987
|
||||||
|
- Add module_load permission to can_load_kernmodule
|
||||||
|
- Add module_load permission to class system
|
||||||
|
- Add the validate_trans access vector to the security class
|
||||||
|
- Restore connecto permssions for init_t
|
||||||
|
|
||||||
* Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
|
* Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
|
||||||
- Allow kdumpgui domain to read nvme device
|
- Allow kdumpgui domain to read nvme device
|
||||||
- Add amanda_tmpfs_t label. BZ(1243752)
|
- Add amanda_tmpfs_t label. BZ(1243752)
|
||||||
|