diff --git a/Changelog b/Changelog index f6bcd1c..e0f27c9 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,6 @@ +- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes - to handle usage from userhelper. + to handle usage from userhelper from Dan Walsh. - Patch to allow amavis to read spamassassin libraries from Dan Walsh. - Patch to allow slocate to getattr other filesystems and directories on those filesystems from Dan Walsh. diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index 9bcf82e..f92c331 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch,1.4.0) +policy_module(logwatch,1.4.1) ################################# # @@ -95,6 +95,10 @@ optional_policy(` ') optional_policy(` + avahi_dontaudit_search_pid(logwatch_t) +') + +optional_policy(` bind_read_config(logwatch_t) bind_read_zone(logwatch_t) ') diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if index 5eaf2ad..2889825 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -39,3 +39,21 @@ interface(`avahi_stream_connect',` files_search_pids($1) stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t) ') + +######################################## +## +## Do not audit attempts to search the avahi pid directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`avahi_dontaudit_search_pid',` + gen_require(` + type avahi_var_run_t; + ') + + dontaudit $1 avahi_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index d5e722c..20b67d3 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.5.0) +policy_module(avahi,1.5.1) ######################################## #