|
 |
4e9cfe |
diff --git a/certmonger.te b/certmonger.te
|
|
|
b148e1 |
index 0803529e4a..0585431e14 100644
|
|
|
4e9cfe |
--- a/certmonger.te
|
|
|
4e9cfe |
+++ b/certmonger.te
|
|
|
4e9cfe |
@@ -144,6 +144,7 @@ optional_policy(`
|
|
|
4e9cfe |
optional_policy(`
|
|
|
4e9cfe |
pki_rw_tomcat_cert(certmonger_t)
|
|
|
4e9cfe |
pki_read_tomcat_lib_files(certmonger_t)
|
|
|
4e9cfe |
+ pki_tomcat_systemctl(certmonger_t)
|
|
|
4e9cfe |
')
|
|
|
4e9cfe |
|
|
|
4e9cfe |
optional_policy(`
|
|
|
bfef90 |
diff --git a/keepalived.te b/keepalived.te
|
|
|
b148e1 |
index c4f0c3237b..4b5c0e4ecf 100644
|
|
|
bfef90 |
--- a/keepalived.te
|
|
|
bfef90 |
+++ b/keepalived.te
|
|
|
bfef90 |
@@ -24,7 +24,7 @@ application_executable_file(keepalived_unconfined_script_exec_t)
|
|
|
bfef90 |
#
|
|
|
bfef90 |
|
|
|
bfef90 |
allow keepalived_t self:capability { net_admin net_raw kill };
|
|
|
bfef90 |
-allow keepalived_t self:process { signal_perms };
|
|
|
bfef90 |
+allow keepalived_t self:process { signal_perms setpgid };
|
|
|
bfef90 |
allow keepalived_t self:netlink_socket create_socket_perms;
|
|
|
bfef90 |
allow keepalived_t self:netlink_generic_socket create_socket_perms;
|
|
|
bfef90 |
allow keepalived_t self:netlink_netfilter_socket create_socket_perms;
|
|
|
a3dbbd |
diff --git a/lldpad.te b/lldpad.te
|
|
|
b148e1 |
index 42e5578f22..3399d597a8 100644
|
|
|
a3dbbd |
--- a/lldpad.te
|
|
|
a3dbbd |
+++ b/lldpad.te
|
|
|
a3dbbd |
@@ -64,3 +64,7 @@ optional_policy(`
|
|
|
a3dbbd |
optional_policy(`
|
|
|
a3dbbd |
networkmanager_dgram_send(lldpad_t)
|
|
|
a3dbbd |
')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+optional_policy(`
|
|
|
a3dbbd |
+ virt_dgram_send(lldpad_t)
|
|
|
a3dbbd |
+')
|
|
|
b148e1 |
diff --git a/openvswitch.te b/openvswitch.te
|
|
|
b148e1 |
index d37f970208..1dc8a63a6b 100644
|
|
|
b148e1 |
--- a/openvswitch.te
|
|
|
b148e1 |
+++ b/openvswitch.te
|
|
|
b148e1 |
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
|
|
|
b148e1 |
# openvswitch local policy
|
|
|
b148e1 |
#
|
|
|
b148e1 |
|
|
|
b148e1 |
-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid };
|
|
|
b148e1 |
+allow openvswitch_t self:capability { dac_override net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
|
|
|
b148e1 |
allow openvswitch_t self:capability2 block_suspend;
|
|
|
b148e1 |
allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
|
|
|
b148e1 |
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
|
|
|
b148e1 |
@@ -41,6 +41,7 @@ allow openvswitch_t self:tcp_socket create_stream_socket_perms;
|
|
|
b148e1 |
allow openvswitch_t self:netlink_socket create_socket_perms;
|
|
|
b148e1 |
allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
b148e1 |
allow openvswitch_t self:netlink_generic_socket create_socket_perms;
|
|
|
b148e1 |
+allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto };
|
|
|
b148e1 |
|
|
|
b148e1 |
can_exec(openvswitch_t, openvswitch_exec_t)
|
|
|
b148e1 |
|
|
|
b148e1 |
@@ -69,6 +70,7 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
|
|
b148e1 |
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
|
|
b148e1 |
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file })
|
|
|
b148e1 |
|
|
|
b148e1 |
+kernel_load_module(openvswitch_t)
|
|
|
b148e1 |
kernel_read_network_state(openvswitch_t)
|
|
|
b148e1 |
kernel_read_system_state(openvswitch_t)
|
|
|
b148e1 |
kernel_request_load_module(openvswitch_t)
|
|
|
b148e1 |
@@ -87,6 +89,8 @@ corecmd_exec_shell(openvswitch_t)
|
|
|
b148e1 |
dev_read_rand(openvswitch_t)
|
|
|
b148e1 |
dev_read_urand(openvswitch_t)
|
|
|
b148e1 |
dev_read_sysfs(openvswitch_t)
|
|
|
b148e1 |
+dev_rw_vfio_dev(openvswitch_t)
|
|
|
b148e1 |
+corenet_rw_tun_tap_dev(openvswitch_t)
|
|
|
b148e1 |
|
|
|
b148e1 |
domain_use_interactive_fds(openvswitch_t)
|
|
|
b148e1 |
|
|
|
b148e1 |
@@ -111,6 +115,10 @@ modutils_read_module_deps(openvswitch_t)
|
|
|
b148e1 |
|
|
|
b148e1 |
sysnet_dns_name_resolve(openvswitch_t)
|
|
|
b148e1 |
|
|
|
b148e1 |
+logging_send_audit_msgs(openvswitch_t)
|
|
|
b148e1 |
+
|
|
|
b148e1 |
+write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
|
|
b148e1 |
+
|
|
|
b148e1 |
optional_policy(`
|
|
|
b148e1 |
hostname_exec(openvswitch_t)
|
|
|
b148e1 |
')
|
|
|
4e9cfe |
diff --git a/pki.if b/pki.if
|
|
|
b148e1 |
index f18fcc68fc..f69ae02984 100644
|
|
|
4e9cfe |
--- a/pki.if
|
|
|
4e9cfe |
+++ b/pki.if
|
|
|
4e9cfe |
@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
|
|
|
4e9cfe |
files_search_pids($1)
|
|
|
4e9cfe |
stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
|
|
|
4e9cfe |
')
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+########################################
|
|
|
4e9cfe |
+## <summary>
|
|
|
4e9cfe |
+## Execute pki in the pkit_tomcat_t domain.
|
|
|
4e9cfe |
+## </summary>
|
|
|
4e9cfe |
+## <param name="domain">
|
|
|
4e9cfe |
+## <summary>
|
|
|
4e9cfe |
+## Domain allowed to transition.
|
|
|
4e9cfe |
+## </summary>
|
|
|
4e9cfe |
+## </param>
|
|
|
4e9cfe |
+#
|
|
|
4e9cfe |
+interface(`pki_tomcat_systemctl',`
|
|
|
4e9cfe |
+ gen_require(`
|
|
|
4e9cfe |
+ type pki_tomcat_t;
|
|
|
4e9cfe |
+ type pki_tomcat_unit_file_t;
|
|
|
4e9cfe |
+ ')
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+ systemd_exec_systemctl($1)
|
|
|
4e9cfe |
+ systemd_read_fifo_file_passwd_run($1)
|
|
|
4e9cfe |
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
|
|
|
4e9cfe |
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+ ps_process_pattern($1, pki_tomcat_t)
|
|
|
4e9cfe |
+')
|
|
|
bfef90 |
diff --git a/rhcs.if b/rhcs.if
|
|
|
b148e1 |
index 59e5d7e3b7..145d67f2a0 100644
|
|
|
bfef90 |
--- a/rhcs.if
|
|
|
bfef90 |
+++ b/rhcs.if
|
|
|
bfef90 |
@@ -957,3 +957,22 @@ interface(`rhcs_start_haproxy_services',`
|
|
|
bfef90 |
systemd_exec_systemctl($1)
|
|
|
bfef90 |
allow $1 haproxy_unit_file_t:service {status start};
|
|
|
bfef90 |
')
|
|
|
bfef90 |
+
|
|
|
bfef90 |
+########################################
|
|
|
bfef90 |
+## <summary>
|
|
|
bfef90 |
+## Create log files with a named file
|
|
|
bfef90 |
+## type transition.
|
|
|
bfef90 |
+## </summary>
|
|
|
bfef90 |
+## <param name="domain">
|
|
|
bfef90 |
+## <summary>
|
|
|
bfef90 |
+## Domain allowed access.
|
|
|
bfef90 |
+## </summary>
|
|
|
bfef90 |
+## </param>
|
|
|
bfef90 |
+#
|
|
|
bfef90 |
+interface(`rhcs_named_filetrans_log_dir',`
|
|
|
bfef90 |
+ gen_require(`
|
|
|
bfef90 |
+ type var_log_t;
|
|
|
bfef90 |
+ ')
|
|
|
bfef90 |
+
|
|
|
bfef90 |
+ logging_log_named_filetrans($1, var_log_t, dir, "bundles")
|
|
|
bfef90 |
+')
|
|
|
bfef90 |
diff --git a/rhcs.te b/rhcs.te
|
|
|
b148e1 |
index a95c73dc7e..a5aec03a82 100644
|
|
|
bfef90 |
--- a/rhcs.te
|
|
|
bfef90 |
+++ b/rhcs.te
|
|
|
b148e1 |
@@ -319,6 +319,10 @@ optional_policy(`
|
|
|
b148e1 |
ricci_dontaudit_rw_modcluster_pipes(cluster_t)
|
|
|
bfef90 |
')
|
|
|
bfef90 |
|
|
|
b148e1 |
+optional_policy(`
|
|
|
bfef90 |
+ rhcs_named_filetrans_log_dir(cluster_t)
|
|
|
bfef90 |
+')
|
|
|
bfef90 |
+
|
|
|
b148e1 |
optional_policy(`
|
|
|
bfef90 |
rpc_systemctl_nfsd(cluster_t)
|
|
|
bfef90 |
rpc_systemctl_rpcd(cluster_t)
|
|
|
a3dbbd |
diff --git a/tomcat.te b/tomcat.te
|
|
|
b148e1 |
index 97bdd60c90..e35ae6b3d9 100644
|
|
|
a3dbbd |
--- a/tomcat.te
|
|
|
a3dbbd |
+++ b/tomcat.te
|
|
|
a3dbbd |
@@ -51,6 +51,9 @@ optional_policy(`
|
|
|
a3dbbd |
# tomcat domain policy
|
|
|
a3dbbd |
#
|
|
|
a3dbbd |
|
|
|
a3dbbd |
+allow tomcat_t self:capability { dac_override setuid kill };
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+allow tomcat_t self:process { setcap signal signull };
|
|
|
a3dbbd |
allow tomcat_domain self:fifo_file rw_fifo_file_perms;
|
|
|
a3dbbd |
allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
a3dbbd |
|
|
|
bfef90 |
@@ -82,6 +85,7 @@ corenet_tcp_connect_amqp_port(tomcat_domain)
|
|
|
bfef90 |
corenet_tcp_connect_oracle_port(tomcat_domain)
|
|
|
bfef90 |
corenet_tcp_connect_ibm_dt_2_port(tomcat_domain)
|
|
|
bfef90 |
corenet_tcp_connect_unreserved_ports(tomcat_domain)
|
|
|
bfef90 |
+corenet_tcp_connect_mssql_port(tomcat_domain)
|
|
|
bfef90 |
|
|
|
bfef90 |
dev_read_rand(tomcat_domain)
|
|
|
bfef90 |
dev_read_urand(tomcat_domain)
|
|
|
a3dbbd |
diff --git a/virt.if b/virt.if
|
|
|
b148e1 |
index 1d17889f38..c6792a5a37 100644
|
|
|
a3dbbd |
--- a/virt.if
|
|
|
a3dbbd |
+++ b/virt.if
|
|
|
a3dbbd |
@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
|
|
|
a3dbbd |
dontaudit $1 virtd_t:dir search_dir_perms;
|
|
|
a3dbbd |
dontaudit $1 virtd_t:file read_file_perms;
|
|
|
a3dbbd |
dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
|
|
|
a3dbbd |
+')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+#######################################
|
|
|
a3dbbd |
+## <summary>
|
|
|
a3dbbd |
+## Send to libvirt with a unix dgram socket.
|
|
|
a3dbbd |
+## </summary>
|
|
|
a3dbbd |
+## <param name="domain">
|
|
|
a3dbbd |
+## <summary>
|
|
|
a3dbbd |
+## Domain allowed access.
|
|
|
a3dbbd |
+## </summary>
|
|
|
a3dbbd |
+## </param>
|
|
|
a3dbbd |
+#
|
|
|
a3dbbd |
+interface(`virt_dgram_send',`
|
|
|
a3dbbd |
+ gen_require(`
|
|
|
a3dbbd |
+ type virtd_t, virt_var_run_t;
|
|
|
a3dbbd |
+ ')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+ files_search_pids($1)
|
|
|
a3dbbd |
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
|
|
a3dbbd |
')
|
|
|
a3dbbd |
\ No newline at end of file
|