* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
This commit is contained in:
parent
c88e657c3d
commit
feb8dbd59b
@ -27255,7 +27255,7 @@ index 2479587..890e1e2 100644
|
||||
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index 3efd5b6..9e85ea0 100644
|
||||
index 3efd5b6..f645c21 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -23,11 +23,17 @@ interface(`auth_role',`
|
||||
@ -27317,7 +27317,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
|
||||
@@ -95,69 +117,68 @@ interface(`auth_use_pam',`
|
||||
interface(`auth_login_pgm_domain',`
|
||||
gen_require(`
|
||||
type var_auth_t, auth_cache_t;
|
||||
@ -27375,6 +27375,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
mls_file_downgrade($1)
|
||||
mls_process_set_level($1)
|
||||
+ mls_process_write_to_clearance($1)
|
||||
+ mls_process_write_all_levels($1)
|
||||
mls_fd_share_all_levels($1)
|
||||
|
||||
auth_use_pam($1)
|
||||
@ -27426,7 +27427,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
|
||||
@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27452,7 +27453,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## Execute a login_program in the target domain,
|
||||
## with a range transition.
|
||||
## </summary>
|
||||
@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
|
||||
@@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27477,7 +27478,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## Manage authentication cache
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
@ -27486,7 +27487,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
|
||||
@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27511,7 +27512,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## Execute chkpwd programs in the chkpwd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
|
||||
@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
|
||||
|
||||
auth_domtrans_chk_passwd($1)
|
||||
role $2 types chkpwd_t;
|
||||
@ -27537,7 +27538,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
|
||||
|
||||
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
|
||||
auth_dontaudit_read_shadow($1)
|
||||
@ -27545,7 +27546,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
|
||||
@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
|
||||
|
||||
allow $1 shadow_t:file manage_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
@ -27556,7 +27557,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
|
||||
@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
@ -27608,7 +27609,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
|
||||
@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
|
||||
allow $1 lastlog_t:file { rw_file_perms lock setattr };
|
||||
')
|
||||
|
||||
@ -27639,7 +27640,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
|
||||
@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -27670,7 +27671,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
|
||||
@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
|
||||
#
|
||||
interface(`auth_signal_pam',`
|
||||
gen_require(`
|
||||
@ -27689,7 +27690,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
|
||||
@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -27727,7 +27728,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
|
||||
@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
@ -27761,7 +27762,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
|
||||
@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
|
||||
files_search_pids($1)
|
||||
allow $1 pam_var_run_t:dir manage_dir_perms;
|
||||
allow $1 pam_var_run_t:file manage_file_perms;
|
||||
@ -27772,7 +27773,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
|
||||
@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
|
||||
files_search_pids($1)
|
||||
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
|
||||
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
|
||||
@ -27780,7 +27781,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
|
||||
@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27806,7 +27807,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
## Read login records files (/var/log/wtmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
|
||||
@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
|
||||
|
||||
logging_rw_generic_log_dirs($1)
|
||||
allow $1 wtmp_t:file manage_file_perms;
|
||||
@ -27832,7 +27833,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
|
||||
@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
@ -27849,7 +27850,7 @@ index 3efd5b6..9e85ea0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
|
||||
@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
@ -37269,7 +37270,7 @@ index d43f3b1..870bc36 100644
|
||||
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
|
||||
index 3822072..1b9a765 100644
|
||||
index 3822072..929107c 100644
|
||||
--- a/policy/modules/system/selinuxutil.if
|
||||
+++ b/policy/modules/system/selinuxutil.if
|
||||
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
|
||||
@ -37289,7 +37290,7 @@ index 3822072..1b9a765 100644
|
||||
+ type load_policy_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 load_policy_exec_t:file audit_access;
|
||||
+ allow $1 load_policy_exec_t:file execute;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -37486,7 +37487,7 @@ index 3822072..1b9a765 100644
|
||||
+ type setfiles_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 setfiles_exec_t:file audit_access;
|
||||
+ allow $1 setfiles_exec_t:file execute;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -37863,28 +37864,10 @@ index 3822072..1b9a765 100644
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',`
|
||||
@@ -1067,6 +1512,24 @@ interface(`seutil_get_semanage_read_lock',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
+## Allow access check on module store
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`seutil_access_check_semanage_read_lock',`
|
||||
+ gen_require(`
|
||||
+ type semanage_read_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 semanage_read_lock_t:file audit_access;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Dontaudit access check on module store
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -37898,7 +37881,7 @@ index 3822072..1b9a765 100644
|
||||
+ type semanage_read_lock_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 semanage_read_lock_t:file audit_access;
|
||||
+ dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
@ -37906,7 +37889,7 @@ index 3822072..1b9a765 100644
|
||||
## Get trans lock on module store
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||
@@ -1137,3 +1600,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
|
||||
selinux_dontaudit_get_fs_mount($1)
|
||||
seutil_dontaudit_read_config($1)
|
||||
')
|
||||
|
@ -21620,7 +21620,7 @@ index 62d22cb..f8ab4af 100644
|
||||
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
|
||||
')
|
||||
diff --git a/dbus.te b/dbus.te
|
||||
index c9998c8..94ff984 100644
|
||||
index c9998c8..011faba 100644
|
||||
--- a/dbus.te
|
||||
+++ b/dbus.te
|
||||
@@ -4,17 +4,15 @@ gen_require(`
|
||||
@ -21744,7 +21744,7 @@ index c9998c8..94ff984 100644
|
||||
mls_fd_use_all_levels(system_dbusd_t)
|
||||
mls_rangetrans_target(system_dbusd_t)
|
||||
mls_file_read_all_levels(system_dbusd_t)
|
||||
@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
@@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t)
|
||||
auth_use_nsswitch(system_dbusd_t)
|
||||
auth_read_pam_console_data(system_dbusd_t)
|
||||
|
||||
@ -21753,6 +21753,7 @@ index c9998c8..94ff984 100644
|
||||
+corecmd_read_bin_sockets(system_dbusd_t)
|
||||
+# needed for system-tools-backends
|
||||
+corecmd_exec_shell(system_dbusd_t)
|
||||
+corecmd_exec_bin(system_dbusd_t)
|
||||
+
|
||||
+domain_use_interactive_fds(system_dbusd_t)
|
||||
+domain_read_all_domains_state(system_dbusd_t)
|
||||
@ -21924,7 +21925,7 @@ index c9998c8..94ff984 100644
|
||||
kernel_read_kernel_sysctls(session_bus_type)
|
||||
|
||||
corecmd_list_bin(session_bus_type)
|
||||
@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
|
||||
corecmd_read_bin_pipes(session_bus_type)
|
||||
corecmd_read_bin_sockets(session_bus_type)
|
||||
|
||||
@ -21949,7 +21950,7 @@ index c9998c8..94ff984 100644
|
||||
files_dontaudit_search_var(session_bus_type)
|
||||
|
||||
fs_getattr_romfs(session_bus_type)
|
||||
@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
||||
fs_list_inotifyfs(session_bus_type)
|
||||
fs_dontaudit_list_nfs(session_bus_type)
|
||||
|
||||
@ -21957,7 +21958,7 @@ index c9998c8..94ff984 100644
|
||||
selinux_validate_context(session_bus_type)
|
||||
selinux_compute_access_vector(session_bus_type)
|
||||
selinux_compute_create_context(session_bus_type)
|
||||
@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
|
||||
auth_read_pam_console_data(session_bus_type)
|
||||
|
||||
logging_send_audit_msgs(session_bus_type)
|
||||
@ -21999,7 +22000,7 @@ index c9998c8..94ff984 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -244,5 +354,9 @@ optional_policy(`
|
||||
@@ -244,5 +355,9 @@ optional_policy(`
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
@ -30267,10 +30268,10 @@ index c21a528..a746a2b 100644
|
||||
/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
|
||||
|
||||
diff --git a/glance.if b/glance.if
|
||||
index 9eacb2c..2f3fa34 100644
|
||||
index 9eacb2c..7b19ad2 100644
|
||||
--- a/glance.if
|
||||
+++ b/glance.if
|
||||
@@ -1,5 +1,36 @@
|
||||
@@ -1,5 +1,38 @@
|
||||
## <summary>OpenStack image registry and delivery service.</summary>
|
||||
|
||||
+#######################################
|
||||
@ -30302,12 +30303,14 @@ index 9eacb2c..2f3fa34 100644
|
||||
+
|
||||
+ logging_send_syslog_msg($1_t)
|
||||
+
|
||||
+ auth_use_nsswitch($1_t)
|
||||
+
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to
|
||||
@@ -26,9 +57,9 @@ interface(`glance_domtrans_registry',`
|
||||
@@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
|
||||
## run glance api.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -30319,7 +30322,7 @@ index 9eacb2c..2f3fa34 100644
|
||||
## </param>
|
||||
#
|
||||
interface(`glance_domtrans_api',`
|
||||
@@ -242,8 +273,13 @@ interface(`glance_admin',`
|
||||
@@ -242,8 +275,13 @@ interface(`glance_admin',`
|
||||
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
|
||||
')
|
||||
|
||||
@ -39451,7 +39454,7 @@ index f6c00d8..7b777ab 100644
|
||||
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
|
||||
')
|
||||
diff --git a/kerberos.te b/kerberos.te
|
||||
index 8833d59..534f815 100644
|
||||
index 8833d59..61910d0 100644
|
||||
--- a/kerberos.te
|
||||
+++ b/kerberos.te
|
||||
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
|
||||
@ -39774,8 +39777,12 @@ index 8833d59..534f815 100644
|
||||
|
||||
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
|
||||
|
||||
@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
||||
@@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
|
||||
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
||||
|
||||
+kernel_read_system_state(kpropd_t)
|
||||
+
|
||||
corecmd_exec_bin(kpropd_t)
|
||||
|
||||
-corenet_all_recvfrom_unlabeled(kpropd_t)
|
||||
@ -39795,13 +39802,14 @@ index 8833d59..534f815 100644
|
||||
|
||||
selinux_validate_context(kpropd_t)
|
||||
|
||||
logging_send_syslog_msg(kpropd_t)
|
||||
-logging_send_syslog_msg(kpropd_t)
|
||||
+auth_use_nsswitch(kpropd_t)
|
||||
|
||||
-miscfiles_read_localization(kpropd_t)
|
||||
-
|
||||
+logging_send_syslog_msg(kpropd_t)
|
||||
|
||||
seutil_read_file_contexts(kpropd_t)
|
||||
|
||||
sysnet_dns_name_resolve(kpropd_t)
|
||||
diff --git a/kerneloops.if b/kerneloops.if
|
||||
index 714448f..fa0c994 100644
|
||||
--- a/kerneloops.if
|
||||
@ -42048,10 +42056,10 @@ index 0000000..236707b
|
||||
+
|
||||
diff --git a/linuxptp.te b/linuxptp.te
|
||||
new file mode 100644
|
||||
index 0000000..affa9bd
|
||||
index 0000000..15aea48
|
||||
--- /dev/null
|
||||
+++ b/linuxptp.te
|
||||
@@ -0,0 +1,173 @@
|
||||
@@ -0,0 +1,172 @@
|
||||
+policy_module(linuxptp, 1.0.0)
|
||||
+
|
||||
+
|
||||
@ -42224,7 +42232,6 @@ index 0000000..affa9bd
|
||||
+optional_policy(`
|
||||
+ gpsd_rw_shm(ptp4l_t)
|
||||
+')
|
||||
+
|
||||
diff --git a/lircd.if b/lircd.if
|
||||
index dff21a7..b6981c8 100644
|
||||
--- a/lircd.if
|
||||
@ -54533,7 +54540,7 @@ index 94b9734..448a7e8 100644
|
||||
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
||||
diff --git a/networkmanager.if b/networkmanager.if
|
||||
index 86dc29d..1cd0d0e 100644
|
||||
index 86dc29d..98fdac1 100644
|
||||
--- a/networkmanager.if
|
||||
+++ b/networkmanager.if
|
||||
@@ -2,7 +2,7 @@
|
||||
@ -54757,7 +54764,7 @@ index 86dc29d..1cd0d0e 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',`
|
||||
@@ -241,13 +306,32 @@ interface(`networkmanager_append_log_files',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -54770,10 +54777,29 @@ index 86dc29d..1cd0d0e 100644
|
||||
files_search_pids($1)
|
||||
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
||||
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage NetworkManager PID sock files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`networkmanager_manage_pid_sock_files',`
|
||||
+ gen_require(`
|
||||
+ type NetworkManager_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_pids($1)
|
||||
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
')
|
||||
|
||||
####################################
|
||||
@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',`
|
||||
@@ -272,14 +356,33 @@ interface(`networkmanager_stream_connect',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -54809,7 +54835,7 @@ index 86dc29d..1cd0d0e 100644
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',`
|
||||
@@ -287,33 +390,132 @@ interface(`networkmanager_stream_connect',`
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
@ -61915,7 +61941,7 @@ index 6837e9a..21e6dae 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 openvpn_initrc_exec_t system_r;
|
||||
diff --git a/openvpn.te b/openvpn.te
|
||||
index 63957a3..ba34f72 100644
|
||||
index 63957a3..57fbf6d 100644
|
||||
--- a/openvpn.te
|
||||
+++ b/openvpn.te
|
||||
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
|
||||
@ -62040,7 +62066,7 @@ index 63957a3..ba34f72 100644
|
||||
')
|
||||
|
||||
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',`
|
||||
@@ -164,10 +188,20 @@ tunable_policy(`openvpn_can_network_connect',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -62054,13 +62080,14 @@ index 63957a3..ba34f72 100644
|
||||
optional_policy(`
|
||||
+ networkmanager_stream_connect(openvpn_t)
|
||||
+ networkmanager_manage_pid_files(openvpn_t)
|
||||
+ networkmanager_manage_pid_sock_files(openvpn_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
dbus_system_bus_client(openvpn_t)
|
||||
dbus_connect_system_bus(openvpn_t)
|
||||
|
||||
@@ -175,3 +208,27 @@ optional_policy(`
|
||||
@@ -175,3 +209,27 @@ optional_policy(`
|
||||
networkmanager_dbus_chat(openvpn_t)
|
||||
')
|
||||
')
|
||||
@ -73549,10 +73576,10 @@ index 6643b49..dd0c3d3 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/puppet.fc b/puppet.fc
|
||||
index d68e26d..cad91e2 100644
|
||||
index d68e26d..d2c4d2a 100644
|
||||
--- a/puppet.fc
|
||||
+++ b/puppet.fc
|
||||
@@ -1,18 +1,20 @@
|
||||
@@ -1,18 +1,21 @@
|
||||
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
||||
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
||||
|
||||
@ -73567,6 +73594,7 @@ index d68e26d..cad91e2 100644
|
||||
+#helper scripts
|
||||
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
|
||||
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||
+/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
||||
|
||||
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
||||
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||
@ -85814,7 +85842,7 @@ index ef3b225..d248cd3 100644
|
||||
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
diff --git a/rpm.te b/rpm.te
|
||||
index 6fc360e..1abda8b 100644
|
||||
index 6fc360e..15fcd26 100644
|
||||
--- a/rpm.te
|
||||
+++ b/rpm.te
|
||||
@@ -1,15 +1,13 @@
|
||||
@ -86156,7 +86184,7 @@ index 6fc360e..1abda8b 100644
|
||||
mls_file_read_all_levels(rpm_script_t)
|
||||
mls_file_write_all_levels(rpm_script_t)
|
||||
|
||||
@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
||||
@@ -331,30 +331,53 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
||||
|
||||
term_getattr_unallocated_ttys(rpm_script_t)
|
||||
term_list_ptys(rpm_script_t)
|
||||
@ -86186,6 +86214,7 @@ index 6fc360e..1abda8b 100644
|
||||
+init_disable_services(rpm_script_t)
|
||||
+init_enable_services(rpm_script_t)
|
||||
+init_reload_services(rpm_script_t)
|
||||
+init_manage_transient_unit(rpm_script_t)
|
||||
init_domtrans_script(rpm_script_t)
|
||||
init_telinit(rpm_script_t)
|
||||
|
||||
@ -86218,7 +86247,7 @@ index 6fc360e..1abda8b 100644
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
@@ -363,41 +385,69 @@ ifdef(`distro_redhat',`
|
||||
@@ -363,41 +386,69 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -86299,7 +86328,7 @@ index 6fc360e..1abda8b 100644
|
||||
|
||||
optional_policy(`
|
||||
java_domtrans_unconfined(rpm_script_t)
|
||||
@@ -409,6 +459,6 @@ optional_policy(`
|
||||
@@ -409,6 +460,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -97492,7 +97521,7 @@ index a240455..f4d8c79 100644
|
||||
- admin_pattern($1, sssd_log_t)
|
||||
')
|
||||
diff --git a/sssd.te b/sssd.te
|
||||
index 2d8db1f..dbb5dd6 100644
|
||||
index 2d8db1f..fe72f8e 100644
|
||||
--- a/sssd.te
|
||||
+++ b/sssd.te
|
||||
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
|
||||
@ -97550,7 +97579,7 @@ index 2d8db1f..dbb5dd6 100644
|
||||
|
||||
corecmd_exec_bin(sssd_t)
|
||||
|
||||
@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t)
|
||||
@@ -83,28 +79,34 @@ domain_read_all_domains_state(sssd_t)
|
||||
domain_obj_id_change_exemption(sssd_t)
|
||||
|
||||
files_list_tmp(sssd_t)
|
||||
@ -97571,11 +97600,9 @@ index 2d8db1f..dbb5dd6 100644
|
||||
+seutil_rw_login_config_dirs(sssd_t)
|
||||
+seutil_manage_login_config_files(sssd_t)
|
||||
+
|
||||
+seutil_access_check_module_store(sssd_t)
|
||||
+
|
||||
+seutil_access_check_load_policy(sssd_t)
|
||||
+seutil_access_check_setfiles(sssd_t)
|
||||
+seutil_access_check_semanage_read_lock(sssd_t)
|
||||
+seutil_dontaudit_access_check_load_policy(sssd_t)
|
||||
+seutil_dontaudit_access_check_setfiles(sssd_t)
|
||||
+seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
|
||||
|
||||
mls_file_read_to_clearance(sssd_t)
|
||||
mls_socket_read_to_clearance(sssd_t)
|
||||
@ -97591,7 +97618,7 @@ index 2d8db1f..dbb5dd6 100644
|
||||
|
||||
init_read_utmp(sssd_t)
|
||||
|
||||
@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t)
|
||||
@@ -112,18 +114,36 @@ logging_send_syslog_msg(sssd_t)
|
||||
logging_send_audit_msgs(sssd_t)
|
||||
|
||||
miscfiles_read_generic_certs(sssd_t)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 94%{?dist}
|
||||
Release: 95%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -604,6 +604,9 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
|
||||
- Allow networkmanager manage also openvpn sock pid files.
|
||||
|
||||
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
|
||||
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
|
||||
- Allow sendmail to create dead.letter. BZ(1165443)
|
||||
|
Loading…
Reference in New Issue
Block a user