-rw-r--r--policy/modules/contrib/apache.if2
-rw-r--r--policy/modules/contrib/dracut.fc3
-rw-r--r--policy/modules/contrib/dracut.if8
-rw-r--r--policy/modules/contrib/dracut.te29
-rw-r--r--policy/modules/contrib/networkmanager.te8
-rw-r--r--policy/modules/contrib/rpm.fc3
-rw-r--r--policy/modules/system/libraries.te4
-rw-r--r--policy/modules/system/modutils.if9
-rw-r--r--policy/modules/system/modutils.te2
-rw-r--r--policy/modules/system/udev.if2
10 files changed, 28 insertions, 42 deletions
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index a1d19055..6696f6b8 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -479,7 +479,7 @@ interface(`apache_read_all_ra_content',`
## </param>
## <rolecap/>
#
-interface(`apache_append_all_ra_content_files',`
+interface(`apache_append_all_ra_content',`
gen_require(`
attribute httpd_ra_content;
')
diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
index fca0d673..75533ca3 100644
--- a/policy/modules/contrib/dracut.fc
+++ b/policy/modules/contrib/dracut.fc
@@ -1,4 +1,5 @@
#
# /usr
#
-/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dracut.if
index 929fffd3..e8a0e53b 100644
--- a/policy/modules/contrib/dracut.if
+++ b/policy/modules/contrib/dracut.if
@@ -46,7 +46,7 @@ interface(`dracut_run',`
########################################
## <summary>
-## Allow domain to manage dracut temporary files
+## Read/write dracut temporary files
## </summary>
## <param name="domain">
## <summary>
@@ -54,7 +54,7 @@ interface(`dracut_run',`
## </summary>
## </param>
#
-interface(`dracut_manage_tmp_files',`
+interface(`dracut_rw_tmp_files',`
gen_require(`
type dracut_tmp_t;
')
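Review bot: The interface is renamed from `dracut_manage_tmp_files` to `dracut_rw_tmp_files` with no deprecated alias left behind, so any out-of-tree module still calling the old name stops building; refpolicy convention is to keep the old interface as a wrapper that calls `refpolicywarn` and then the new name, and `apache.if` in this commit drops `apache_append_all_ra_content_files` the same way. The hunk below also narrows the grant from manage dirs/files plus lnk read to `rw_files_pattern` alone, which covers read/write of existing files and directory search but not create, unlink or symlink read on dracut_tmp_t; if depmod_t (the remaining caller in modutils.te) ever writes a fresh file into dracut's temporary tree that will now be denied, so this is worth confirming against an audit run. The interface body starts in the preceding hunk and its closing `')` is in the next one.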
@@ -62,8 +62,6 @@ interface(`dracut_manage_tmp_files',`
files_search_var($1)
files_search_tmp($1)
- manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
- manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
- read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
')
diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
index 4bd6cb36..d61e49e2 100644
--- a/policy/modules/contrib/dracut.te
+++ b/policy/modules/contrib/dracut.te
@@ -15,23 +15,27 @@ files_tmp_file(dracut_tmp_t)
# Local policy
#
allow dracut_t self:process setfscreate;
+allow dracut_t self:capability dac_override;
allow dracut_t self:fifo_file rw_fifo_file_perms;
allow dracut_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+kernel_read_messages(dracut_t)
kernel_read_system_state(dracut_t)
corecmd_exec_bin(dracut_t)
corecmd_exec_shell(dracut_t)
-corecmd_read_all_executables(dracut_t)
+corecmd_mmap_all_executables(dracut_t)
+dev_read_kmsg(dracut_t)
dev_read_sysfs(dracut_t)
domain_use_interactive_fds(dracut_t)
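Review bot: `allow dracut_t self:capability dac_override;` is added without saying which operation needs it; dac_override bypasses all DAC checks, and if the trigger is only reading or traversing root-owned trees while building the image then `dac_read_search` is the narrower grant. A why-comment on the line would let the next reviewer verify that, e.g. `# dac_override: needed for <OPERATION-PLACEHOLDER>; dac_read_search is not enough because ...`. The same applies to `manage_chr_files_pattern` on dracut_tmp_t, which lets dracut_t create device nodes under its temporary tree and is the kind of grant that deserves a one-line justification. The local-policy block continues past the end of this hunk.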
@@ -42,35 +46,22 @@ files_read_kernel_modules(dracut_t)
files_read_usr_files(dracut_t)
files_search_pids(dracut_t)
-fstools_exec(dracut_t)
-
-libs_domtrans_ldconfig(dracut_t)
+libs_exec_ldconfig(dracut_t)
libs_exec_ld_so(dracut_t)
libs_exec_lib_files(dracut_t)
miscfiles_read_localization(dracut_t)
-modutils_exec_depmod(dracut_t)
-modutils_exec_insmod(dracut_t)
-modutils_list_module_config(dracut_t)
+modutils_list_module_config(dracut_t) #find /etc/modprobe.d
modutils_read_module_config(dracut_t)
modutils_read_module_deps(dracut_t)
-mount_exec(dracut_t)
-
-seutil_exec_setfiles(dracut_t)
-
-udev_exec(dracut_t)
udev_read_rules_files(dracut_t)
+userdom_search_user_home_dirs(dracut_t)
userdom_use_user_terminals(dracut_t)
optional_policy(`
- dmesg_exec(dracut_t)
-')
-
-optional_policy(`
- lvm_exec(dracut_t)
lvm_read_config(dracut_t)
')
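Review bot: `modutils_exec_depmod(dracut_t)` is dropped here, yet modutils.te in the same commit adds `dracut_rw_tmp_files(depmod_t)`; that grant only has an effect if depmod ends up running in depmod_t when launched from dracut_t, which requires a domain transition that is not visible in this hunk, so either a domtrans exists elsewhere in dracut.te or the depmod_t grant is dead and depmod now runs under dracut_t's own permissions. Switching `libs_domtrans_ldconfig` to `libs_exec_ldconfig` does the latter deliberately for ldconfig and matches the removal of `dracut_manage_tmp_files(ldconfig_t)` from libraries.te, so stating the intended domain for depmod in the commit message would settle it. As a style point, the trailing `#find /etc/modprobe.d` on the `modutils_list_module_config` call is unusual in refpolicy, which generally places such explanations on their own line above the call. The policy block extends beyond both ends of this hunk.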
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 8e89b436..1e1dab0f 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -295,14 +295,6 @@ domain_use_interactive_fds(wpa_cli_t)
files_read_etc_files(wpa_cli_t)
files_search_pids(wpa_cli_t)
-fs_manage_tmpfs_dirs(wpa_cli_t)
-fs_manage_tmpfs_sockets(wpa_cli_t)
-fs_manage_tmpfs_sockets(NetworkManager_t)
-fs_rw_tmpfs_files(wpa_cli_t)
-fs_rw_tmpfs_files(NetworkManager_t)
-fs_search_tmpfs(wpa_cli_t)
-fs_search_tmpfs(NetworkManager_t)
-
term_dontaudit_use_console(wpa_cli_t)
getty_use_fds(wpa_cli_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index b206bf68..b2a0b6a2 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -7,6 +7,7 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
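Review bot: Labeling `/usr/libexec/packagekitd` as rpm_exec_t puts the PackageKit daemon into rpm_t, the package-manager domain whose permissions are not in this diff but are, by its role, among the broadest on the system; unlike the rpm/yum command-line tools around it, packagekitd is a long-running, D-Bus-reachable service, so this widens who can drive work inside rpm_t. A comment on the entry explaining why a dedicated domain is not used, e.g. `# packagekitd runs as rpm_t: <REASON-PLACEHOLDER>`, would make the decision reviewable. The `/var/cache/PackageKit` and `/var/lib/PackageKit` entries in the next hunk are consistent with that choice.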
@@ -27,9 +28,11 @@ ifdef(`distro_redhat', `
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 50332d34..5a16f990 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,10 +131,6 @@ optional_policy(`
')
optional_policy(`
- dracut_manage_tmp_files(ldconfig_t)
-')
-
-optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 19d328a7..ad5f8780 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,7 +39,7 @@ interface(`modutils_read_module_deps',`
########################################
## <summary>
-## List the module configuration option files
+## List the module configuration option files
## </summary>
## <param name="domain">
## <summary>
@@ -53,11 +53,14 @@ interface(`modutils_list_module_config',`
type modules_conf_t;
')
+ # This file type can be in /etc or
+ # /lib(64)?/modules
+ files_search_etc($1)
+ files_search_boot($1)
+
list_dirs_pattern($1, modules_conf_t, modules_conf_t)
')
-
-
########################################
## <summary>
## Read the configuration options used when
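Review bot: The added comment says modules_conf_t "can be in /etc or /lib(64)?/modules", but the call beneath it is `files_search_boot($1)`, which grants search on /boot (boot_t), not on the kernel modules tree; either the comment names the wrong location or the wrong search interface was chosen. If the type really lives under /lib/modules the search should target the kernel-modules directory type instead, and if it lives under /boot the comment should say `/boot`. `modutils_read_module_config`, which presumably needs the same parent-directory search, begins after this hunk and is not changed here, so that is worth checking too.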
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 43e99e54..78137a56 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- dracut_manage_tmp_files(depmod_t)
+ dracut_rw_tmp_files(depmod_t)
')
optional_policy(`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 46c8e827..8f59ae98 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -184,6 +184,8 @@ interface(`udev_read_rules_files',`
type udev_rules_t;
')
+ files_search_etc($1) # /etc/udev/rules.d
+ udev_search_pids($1) # /run/udev/rules.d
read_files_pattern($1, udev_rules_t, udev_rules_t)
')