|
 |
2da12e |
diff --git a/policy/mls b/policy/mls
|
|
|
2da12e |
index 9e0c245..53c2f8c 100644
|
|
|
2da12e |
--- a/policy/mls
|
|
|
2da12e |
+++ b/policy/mls
|
|
|
2da12e |
@@ -177,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
|
|
2da12e |
|
|
|
2da12e |
|
|
|
2da12e |
# the socket "read" ops (note the check is dominance of the low level)
|
|
|
2da12e |
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
|
|
|
2da12e |
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
|
|
|
2da12e |
(( l1 dom l2 ) or
|
|
|
2da12e |
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
|
|
2da12e |
( t1 == mlsnetread ));
|
|
|
6b4b4b |
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
|
|
6b4b4b |
index aa51ab2..2e75ec7 100644
|
|
|
6b4b4b |
--- a/policy/modules/admin/sudo.if
|
|
|
6b4b4b |
+++ b/policy/modules/admin/sudo.if
|
|
|
6b4b4b |
@@ -126,3 +126,22 @@ interface(`sudo_exec',`
|
|
|
6b4b4b |
|
|
|
6b4b4b |
can_exec($1, sudo_exec_t)
|
|
|
6b4b4b |
')
|
|
|
6b4b4b |
+
|
|
|
6b4b4b |
+######################################
|
|
|
6b4b4b |
+## <summary>
|
|
|
6b4b4b |
+## Allow to manage sudo database in called domain.
|
|
|
6b4b4b |
+## </summary>
|
|
|
6b4b4b |
+## <param name="domain">
|
|
|
6b4b4b |
+## <summary>
|
|
|
6b4b4b |
+## Domain allowed access.
|
|
|
6b4b4b |
+## </summary>
|
|
|
6b4b4b |
+## </param>
|
|
|
6b4b4b |
+#
|
|
|
6b4b4b |
+interface(`sudo_manage_db',`
|
|
|
6b4b4b |
+ gen_require(`
|
|
|
6b4b4b |
+ type sudo_db_t;
|
|
|
6b4b4b |
+ ')
|
|
|
6b4b4b |
+
|
|
|
6b4b4b |
+ manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
|
|
|
6b4b4b |
+ manage_files_pattern($1, sudo_db_t, sudo_db_t)
|
|
|
6b4b4b |
+')
|
|
|
6b4b4b |
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
|
|
6b4b4b |
index 9a8ff3e..0960389 100644
|
|
|
6b4b4b |
--- a/policy/modules/kernel/corecommands.fc
|
|
|
6b4b4b |
+++ b/policy/modules/kernel/corecommands.fc
|
|
|
6b4b4b |
@@ -61,6 +61,8 @@ ifdef(`distro_redhat',`
|
|
|
6b4b4b |
/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
|
|
|
6b4b4b |
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
+
|
|
|
6b4b4b |
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
|
|
|
6b4b4b |
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
@@ -482,6 +484,8 @@ ifdef(`distro_suse', `
|
|
|
6b4b4b |
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
|
|
|
6b4b4b |
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
+
|
|
|
6b4b4b |
ifdef(`distro_suse',`
|
|
|
6b4b4b |
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
|
|
6b4b4b |
')
|
|
|
2da12e |
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
|
|
|
2da12e |
index 947af6c..59fe535 100644
|
|
|
2da12e |
--- a/policy/modules/services/postgresql.fc
|
|
|
2da12e |
+++ b/policy/modules/services/postgresql.fc
|
|
|
2da12e |
@@ -12,6 +12,8 @@
|
|
|
2da12e |
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
|
|
2da12e |
/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
|
|
2da12e |
|
|
|
2da12e |
+/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
|
|
2da12e |
+
|
|
|
2da12e |
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
|
|
2da12e |
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
|
|
2da12e |
/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
|
|
2da12e |
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
|
|
|
2da12e |
index 2ef9dc6..cc76bdc 100644
|
|
|
2da12e |
--- a/policy/modules/services/ssh.te
|
|
|
2da12e |
+++ b/policy/modules/services/ssh.te
|
|
|
2da12e |
@@ -56,6 +56,7 @@ ssh_server_template(sshd)
|
|
|
2da12e |
init_daemon_domain(sshd_t, sshd_exec_t)
|
|
|
2da12e |
mls_trusted_object(sshd_t)
|
|
|
2da12e |
mls_process_write_all_levels(sshd_t)
|
|
|
2da12e |
+mls_dbus_send_all_levels(sshd_t)
|
|
|
2da12e |
|
|
|
2da12e |
type sshd_initrc_exec_t;
|
|
|
2da12e |
init_script_file(sshd_initrc_exec_t)
|
|
|
2da12e |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
|
|
2da12e |
index b88e8a2..b13579d 100644
|
|
|
2da12e |
--- a/policy/modules/system/init.if
|
|
|
2da12e |
+++ b/policy/modules/system/init.if
|
|
|
2da12e |
@@ -2602,7 +2602,7 @@ interface(`init_rw_tcp_sockets',`
|
|
|
2da12e |
type init_t;
|
|
|
2da12e |
')
|
|
|
2da12e |
|
|
|
2da12e |
- allow $1 init_t:tcp_socket { read write };
|
|
|
2da12e |
+ allow $1 init_t:tcp_socket { read write getattr getopt setopt };
|
|
|
2da12e |
')
|
|
|
2da12e |
|
|
|
2da12e |
########################################
|
|
|
2da12e |
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
|
|
|
2da12e |
index 12c7fa6..0cd667e 100644
|
|
|
2da12e |
--- a/policy/modules/system/ipsec.if
|
|
|
2da12e |
+++ b/policy/modules/system/ipsec.if
|
|
|
2da12e |
@@ -541,3 +541,22 @@ interface(`ipsec_mgmt_systemctl',`
|
|
|
2da12e |
|
|
|
2da12e |
ps_process_pattern($1, ipsec_mgmt_t)
|
|
|
2da12e |
')
|
|
|
2da12e |
+
|
|
|
2da12e |
+########################################
|
|
|
2da12e |
+## <summary>
|
|
|
2da12e |
+## Do not audit attempts to write the ipsec
|
|
|
2da12e |
+## log files.
|
|
|
2da12e |
+## </summary>
|
|
|
2da12e |
+## <param name="domain">
|
|
|
2da12e |
+## <summary>
|
|
|
2da12e |
+## Domain to not audit.
|
|
|
2da12e |
+## </summary>
|
|
|
2da12e |
+## </param>
|
|
|
2da12e |
+#
|
|
|
2da12e |
+interface(`ipsec_dontaudit_write_log',`
|
|
|
2da12e |
+ gen_require(`
|
|
|
2da12e |
+ type ipsec_log_t;
|
|
|
2da12e |
+ ')
|
|
|
2da12e |
+
|
|
|
2da12e |
+ dontaudit $1 ipsec_log_t:file rw_inherited_file_perms;
|
|
|
2da12e |
+')
|
|
|
2da12e |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
|
|
2da12e |
index ca1b2bc..b3417f5 100644
|
|
|
2da12e |
--- a/policy/modules/system/sysnetwork.te
|
|
|
2da12e |
+++ b/policy/modules/system/sysnetwork.te
|
|
|
2da12e |
@@ -447,6 +447,7 @@ optional_policy(`
|
|
|
2da12e |
optional_policy(`
|
|
|
2da12e |
ipsec_write_pid(ifconfig_t)
|
|
|
2da12e |
ipsec_setcontext_default_spd(ifconfig_t)
|
|
|
2da12e |
+ ipsec_dontaudit_write_log(ifconfig_t)
|
|
|
2da12e |
')
|
|
|
2da12e |
|
|
|
2da12e |
optional_policy(`
|
|
|
2da12e |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
|
|
2da12e |
index db531dc..7c2a68e 100644
|
|
|
2da12e |
--- a/policy/modules/system/systemd.te
|
|
|
2da12e |
+++ b/policy/modules/system/systemd.te
|
|
|
2da12e |
@@ -96,6 +96,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
|
|
|
2da12e |
|
|
|
2da12e |
mls_file_read_all_levels(systemd_logind_t)
|
|
|
2da12e |
mls_file_write_all_levels(systemd_logind_t)
|
|
|
2da12e |
+mls_dbus_send_all_levels(systemd_logind_t)
|
|
|
2da12e |
|
|
|
2da12e |
files_delete_tmpfs_files(systemd_logind_t)
|
|
|
2da12e |
|
|
|
2da12e |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
|
|
2da12e |
index 05274ae..29b37bc 100644
|
|
|
2da12e |
--- a/policy/modules/system/userdomain.if
|
|
|
2da12e |
+++ b/policy/modules/system/userdomain.if
|
|
|
2da12e |
@@ -169,6 +169,7 @@ template(`userdom_base_user_template',`
|
|
|
2da12e |
|
|
|
2da12e |
optional_policy(`
|
|
|
2da12e |
ssh_rw_stream_sockets($1_usertype)
|
|
|
2da12e |
+ ssh_rw_dgram_sockets($1_usertype)
|
|
|
2da12e |
ssh_delete_tmp($1_t)
|
|
|
2da12e |
ssh_signal($1_t)
|
|
|
2da12e |
')
|
|
|
2da12e |
@@ -718,8 +719,8 @@ template(`userdom_common_user_template',`
|
|
|
2da12e |
application_getattr_socket($1_usertype)
|
|
|
2da12e |
|
|
|
2da12e |
|
|
|
2da12e |
- ifdef(`enabled_mls',`
|
|
|
2da12e |
- init_rw_tcp_sockets($1_usertype)
|
|
|
2da12e |
+ ifdef(`enable_mls',`
|
|
|
2da12e |
+ init_rw_tcp_sockets($1_t)
|
|
|
2da12e |
')
|
|
|
2da12e |
|
|
|
2da12e |
logging_send_syslog_msg($1_t)
|