035275 firstboot is leaking a netlink_route socket into iptables. We need to dontaudit

Authored and Committed by Dan Walsh 14 years ago
    firstboot is leaking a netlink_route socket into iptables.  We need to dontaudit
    tmpfs_t/devpts_t files can be stored on device_t file system
    unconfined_mono_t can pass file descriptors to chrome_sandbox, so need transition from all unconfined user types
    Hald can connect to user processes over streams
    xdm_t now changes the brightness level on the system
    mdadm needs to manage hugetlbfs filesystems
    
        
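--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -103,6 +103,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_domtrans(firstboot_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(firstboot_t)
 ')
 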
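Review bot: No dontaudit for the leaked netlink_route socket appears in this section even though the commit title names that as the fix; the only change here is `iptables_domtrans(firstboot_t)`, which lets firstboot_t execute iptables with a transition to iptables_t. If the silencing rule lives in iptables.te it is outside this diff and worth a pointer in the message; if it does not exist yet the denial will keep appearing. The cleaner fix is on the application side, marking the socket `FD_CLOEXEC` in firstboot so it never crosses the exec, with a policy dontaudit only as a stopgap since it hides the leak rather than closing it. A one-line why-comment would help the next reader: `# firstboot runs iptables; it currently leaks a netlink_route socket into it (see commit)`.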
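--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -159,6 +159,8 @@ ifdef(`distro_suse', `
 
 /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 
+/dev/hugepages(/.*)?		<<none>>
+/dev/mqueue(/.*)?		<<none>>
 /dev/pts(/.*)?		<<none>>
 
 /dev/s(ou)?nd/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)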
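Review bot: `<<none>>` for `/dev/hugepages` and `/dev/mqueue` tells restorecon to skip those paths, which is only right while hugetlbfs and mqueue are actually mounted there and supply the label themselves; if either is not mounted, the directory on devtmpfs keeps whatever label it was created with and nothing will ever relabel it. That is the same contract the neighbouring `/dev/pts(/.*)?` entry already relies on, so the change is consistent, but the assumption is not written down anywhere in this file. A short comment above the two new lines would make it explicit: `# mount points for hugetlbfs and mqueue; labeled by the mounted fs, never by restorecon`.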
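--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -185,6 +185,7 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,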
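Review bot: `dev_associate(tmpfs_t)` is a filesystem-wide allowance: it permits tmpfs_t inodes to exist anywhere on the device_t filesystem, not only in whatever case prompted "tmpfs_t/devpts_t files can be stored on device_t file system" in the commit message, so any domain that can already create tmpfs_t objects under /dev may now keep them there. tmpfs_t is, by its name and its `files_poly_parent` treatment two lines up, a type many domains write to, which makes the widening worth a sentence of justification next to the rule: `# tmpfs_t inodes may be created directly on the device_t (devtmpfs) filesystem`. If a single mount point triggered this, a dedicated type for that path would be tighter than associating all of tmpfs_t with /dev.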
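--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
 
 #
 # devtty_t is the type of /dev/tty.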
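Review bot: `dev_associate(devpts_t)` is inserted after the `fs_use_trans devpts …;` statement rather than next to the other interface calls on devpts_t (`fs_associate_tmpfs`, `fs_type`), which breaks the grouping this block otherwise keeps; moving it one line up, before `fs_use_trans`, keeps interface calls together and the labeling statement last. It also deserves the same one-line reason as its tmpfs_t counterpart elsewhere in this commit, e.g. `# devpts_t inodes may live on the device_t (devtmpfs) filesystem`, since a bare associate rule with no comment reads like a leftover.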
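--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -226,7 +226,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	chrome_role(unconfined_r, unconfined_t)
+	chrome_role(unconfined_r, unconfined_usertype)
 ')
 
 optional_policy(`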
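Review bot: Passing the `unconfined_usertype` attribute to `chrome_role` grants the chrome role rules, including the chrome_sandbox transition the commit message mentions, to every type carrying that attribute now and in the future, rather than to the one domain named before; that is wider than the stated motivation, "unconfined_mono_t can pass file descriptors to chrome_sandbox", which would have been covered by adding that single type. If the attribute-wide grant is intended, record it next to the call: `# every unconfined user type, not only unconfined_t, may exec chrome_sandbox and hand it fds`. If it is not, listing the specific types is the tighter option.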
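--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -225,6 +225,7 @@ sysnet_signal_dhcpc(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)
 
 netutils_domtrans(hald_t)
 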
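Review bot: `userdom_stream_connect(hald_t)` is, by its name, a grant against the user domains as a whole, so hald may now connect to the unix stream sockets of any user process rather than only the one the commit message has in mind ("Hald can connect to user processes over streams"); a daemon reaching into user sessions is the reverse of the usual direction and every listening user socket becomes reachable from it. If the real peer is a known program, a connect rule to that program's socket type would be narrower. At minimum document the intent beside the call, e.g. `# hald connects to unix stream sockets owned by user sessions`, so the rule is not mistaken for another dontaudit like its two neighbours.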
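--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -545,7 +545,7 @@ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
 
 dev_rwx_zero(xdm_t)
 dev_read_rand(xdm_t)
-dev_read_sysfs(xdm_t)
+dev_rw_sysfs(xdm_t)
 dev_getattr_framebuffer_dev(xdm_t)
 dev_setattr_framebuffer_dev(xdm_t)
 dev_getattr_mouse_dev(xdm_t)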
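Review bot: Replacing `dev_read_sysfs(xdm_t)` with `dev_rw_sysfs(xdm_t)` turns read-only sysfs access into read-write on the whole sysfs type, so xdm_t may now write any sysfs attribute it can reach, which is considerably more than the backlight brightness the commit message cites, since sysfs also exposes kernel and driver tunables. If a dedicated type for the backlight nodes exists or can be introduced, granting write on that type alone keeps xdm_t read-only on the rest of sysfs. Failing that, add a why-comment so the wide grant is clearly deliberate: `# xdm writes sysfs to set the display backlight brightness`.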
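--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -120,6 +120,7 @@ fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
 fs_manage_nfs_files(fsadm_t)
 fs_manage_cifs_files(fsadm_t)
+fs_rw_hugetlbfs_files(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs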
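Review bot: The commit message says mdadm needs to manage hugetlbfs filesystems, but the new rule `fs_rw_hugetlbfs_files(fsadm_t)` grants, by its name, only read/write on existing files; if mdadm also creates or removes entries there, those operations will still be denied and a manage-level interface would be needed, so it is worth confirming which access the original AVC actually showed. Also record the reason inline, matching the `# for tune2fs` style used two lines below: `# for mdadm`.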