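diff --git a/aiccu.te b/aiccu.te
index 6e4206c..a9039ce 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -69,6 +69,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
 sysnet_dns_name_resolve(aiccu_t)
 sysnet_domtrans_ifconfig(aiccu_t)
 ')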
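diff --git a/antivirus.te b/antivirus.te
index 8ba9c95..83590aa 100644
--- a/antivirus.te
+++ b/antivirus.te
@@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t };
 systemd_unit_file(antivirus_unit_file_t)
 
 type antivirus_conf_t;
-typealias antivirus_conf_t alias { clamd_etc_t };
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 files_config_file(antivirus_conf_t)
 
 type antivirus_var_run_t;
@@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain)
 
 domain_dontaudit_read_all_domains_state(antivirus_domain)
 
+files_dontaudit_read_security_files(antivirus_domain)
 files_read_etc_runtime_files(antivirus_domain)
 files_search_spool(antivirus_domain)
 
@@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain)
 
 tunable_policy(`antivirus_can_scan_system',`
 files_read_non_security_files(antivirus_domain)
- #files_dontaudit_read_all_non_security_files(antivirus_domain)
- files_dontaudit_read_security_files(antivirus_domain)
 files_getattr_all_pipes(antivirus_domain)
 files_getattr_all_sockets(antivirus_domain)
 dev_getattr_all_blk_files(antivirus_domain)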
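Review bot: Moving `files_dontaudit_read_security_files(antivirus_domain)` out of the `antivirus_can_scan_system` tunable (third hunk) and making it unconditional (second hunk) silences denials on security-labelled files even when system scanning is disabled, which is exactly the configuration in which such read attempts are the anomaly an administrator would want to see in the audit log. A dontaudit grants nothing, so this is a visibility trade-off rather than a privilege change, but the commit gives no reason for it. A one-line comment above the new rule naming the scanner and the path that triggers the noise would let the next reader judge whether the suppression still belongs outside the tunable.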
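diff --git a/apache.fc b/apache.fc
index 43bb1c9..b903cc0 100644
--- a/apache.fc
+++ b/apache.fc
@@ -133,6 +133,7 @@ ifdef(`distro_suse', `
 /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)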
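diff --git a/apache.if b/apache.if
index 64beed7..9426db5 100644
--- a/apache.if
+++ b/apache.if
@@ -74,6 +74,8 @@ template(`apache_content_template',`
 manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
+ allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };
+
 # Allow the web server to run scripts and serve pages
 tunable_policy(`httpd_builtin_scripting',`
 manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)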
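Review bot: The new `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` is unconditional inside the template, so every content-script domain generated from it gets read/write on the server's own unix stream sockets regardless of `httpd_builtin_scripting`; at the same time the apache.te section of this commit adds `dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };` for the attribute those same domains carry. An allow and a dontaudit on the same permissions cannot both be intended: either the access is needed (keep the allow, drop the dontaudit) or it is harmless noise from an inherited descriptor (keep the dontaudit, drop the allow). A comment above the allow stating which script path actually needs to talk back over the server socket would settle it; if it is only the inherited-fd case, `getattr` alone may be enough to quiet the denials. The template body continues outside the hunk.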
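diff --git a/apache.te b/apache.te
index 21d7195..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -474,7 +474,7 @@ role system_r types httpd_passwd_t;
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 # cjp: need to refine create interfaces to
@@ -1035,6 +1036,7 @@ optional_policy(`
 
 optional_policy(`
 passenger_exec(httpd_t)
+ passenger_kill(httpd_t)
 passenger_manage_pid_content(httpd_t)
 ')
 
@@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto;
 
 allow httpd_t httpd_script_exec_type:file read_file_perms;
 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
 allow httpd_script_type self:process { setsched signal_perms };
@@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use;
 allow httpd_script_type httpd_t:process sigchld;
 
 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
 fs_getattr_xattr_fs(httpd_script_type)
 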
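Review bot: `sys_chroot` is added to the `allow httpd_t self:capability { ... }` set in the first hunk with no comment and no tunable, so every httpd_t instance can now call chroot(2); since the same set keeps `setuid`, `setgid` and `dac_override`, this is a real widening and the commit does not say which module or directive needs it. A comment on the line, e.g. `# sys_chroot: needed by <module or directive - fill in>`, would record the justification, and if the feature is rarely used a boolean is the usual way to gate it rather than an unconditional grant. The `signull` added in the fourth hunk and the `setattr_files_pattern` on log files in the second are routine and need no note.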
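diff --git a/apcupsd.te b/apcupsd.te
index a370cb8..5206035 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 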
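Review bot: `domain_signull_all_domains(apcupsd_t)` grants signull against every domain on the system, which lets the daemon probe for the existence of arbitrary processes; if it only needs to check one helper (its own child or a specific tool it spawns), a targeted `allow apcupsd_t <that domain>:process signull;` is the narrower rule. The commit carries no comment saying which process it probes, so a line such as `# signull: apcupsd checks whether <helper - fill in> is still running` above the call would document the need.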
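diff --git a/automount.te b/automount.te
index f27656d..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)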
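Review bot: `files_getattr_all_files(automount_t)` extends the existing `files_getattr_all_dirs` to every file type, so the metadata (existence, mode, size, owner) of any file on the system becomes readable by automount_t, including security-labelled files. An automounter normally only needs to stat mount points and the maps it is configured with; if the denial that motivated this was on one specific type, a type-specific getattr rule is preferable, and otherwise a comment naming the path it was hit on would justify the broad interface.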
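diff --git a/bind.if b/bind.if
index 6c2dbe4..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',`
 
 ########################################
 ## <summary>
+## Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_state',`
+ gen_require(`
+ type named_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an bind environment.
 ## </summary>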
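diff --git a/chronyd.te b/chronyd.te
index 7d723c0..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t)
 
 dev_read_rand(chronyd_t)
 dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 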
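diff --git a/cloudform.te b/cloudform.te
index 786d623..496ce03 100644
--- a/cloudform.te
+++ b/cloudform.te
@@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
 
 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 #needed by dbomatic
-files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
 
 corecmd_exec_bin(mongod_t)
 corecmd_exec_shell(mongod_t)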
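diff --git a/conman.te b/conman.te
index 0de2d4d..d6b0314 100644
--- a/conman.te
+++ b/conman.te
@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms };
 
 allow conman_t self:fifo_file rw_fifo_file_perms;
 allow conman_t self:unix_stream_socket create_stream_socket_perms;
-allow conman_t self:tcp_socket { listen create_socket_perms };
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
 
 manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
 manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@@ -40,6 +40,10 @@ auth_read_passwd(conman_t)
 
 logging_send_syslog_msg(conman_t)
 
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
 optional_policy(`
 freeipmi_stream_connect(conman_t)
 ')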
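Review bot: `userdom_use_user_ptys(conman_t)` in the second hunk gives the daemon read/write on every user pty, not only a terminal it inherited from the administrator who started it; the `accept` permission in the first hunk and `sysnet_dns_name_resolve` are routine. If the denial came from conman being run interactively from a user terminal, the inherited-fd variant (`userdom_use_inherited_user_ptys`, if this tree provides it) is the narrower fit. A short comment above the call stating the invocation that needs the pty would make the choice reviewable.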
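diff --git a/cups.fc b/cups.fc
index afe482b..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -76,10 +76,14 @@
 /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
 /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
 
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
 
 /usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 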
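diff --git a/dhcp.te b/dhcp.te
index cdb4d60..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
- sysnet_use_ldap(dhcpd_t)
+ allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ corenet_tcp_sendrecv_generic_if(dhcpd_t)
+ corenet_tcp_sendrecv_generic_node(dhcpd_t)
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
 ')
 
 ifdef(`distro_gentoo',`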
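Review bot: The third tunable block on `dhcpd_use_ldap` calls `ldap_read_certs(dhcpd_t)` without an enclosing `optional_policy(`; if ldap is an optional module in this tree, as it is in refpolicy, the dhcp module will fail to link whenever ldap is not built, because a tunable block is always evaluated and only its rules are conditional. The fix is to wrap that third block in `optional_policy(` ... `')` so the call disappears when the ldap module is absent, the same way `pcscd_stream_connect` is wrapped in the aiccu.te section. The first two blocks test the same boolean and could be a single block; splitting one boolean across three consecutive tunable blocks with no comment reads as accidental and obscures that they inline what `sysnet_use_ldap` previously provided.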
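diff --git a/docker.te b/docker.te
index c80e06c..73e71c1 100644
--- a/docker.te
+++ b/docker.te
@@ -97,6 +97,7 @@ manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
 
 manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
@@ -135,12 +136,14 @@ files_read_etc_files(docker_t)
 
 fs_read_cgroup_files(docker_t)
 fs_read_tmpfs_symlinks(docker_t)
+fs_getattr_all_fs(docker_t)
 
 storage_raw_rw_fixed_disk(docker_t)
 
 auth_use_nsswitch(docker_t)
 
 init_read_state(docker_t)
+init_status(docker_t)
 
 logging_send_audit_msgs(docker_t)
 logging_send_syslog_msg(docker_t)
@@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t)
 
 modutils_domtrans_insmod(docker_t)
 
+systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
+
 optional_policy(`
 dbus_system_bus_client(docker_t)
 init_dbus_chat(docker_t)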
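Review bot: `systemd_start_systemd_services(docker_t)` in the third hunk lets docker_t start services carrying the generic systemd unit label, and `systemd_status_all_unit_files` lets it query every unit; together with the new `relabelfrom relabelto` on `docker_var_lib_t` and the `storage_raw_rw_fixed_disk` and `modutils_domtrans_insmod` already in context, docker_t is close to an unconfined administrative domain. The commit does not say which docker operation calls systemctl; a comment above the pair, e.g. `# systemd: docker starts <unit - fill in> when a container comes up`, would record it, and if only one unit is involved a per-unit service rule is narrower than the generic interface. `userdom_stream_connect(docker_t)` likewise grants connection to user-domain sockets and deserves the same one-line justification.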
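diff --git a/drbd.fc b/drbd.fc
index 671a3fb..c781675 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)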
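diff --git a/exim.fc b/exim.fc
index dc0254b..9df498d 100644
--- a/exim.fc
+++ b/exim.fc
@@ -3,6 +3,8 @@
 /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0)
 /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0)
 
+/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0)
+
 /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
 
 /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)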
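diff --git a/exim.if b/exim.if
index ef3b449..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an exim environment.
+## Read exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+ gen_require(`
+ type exim_var_lib_t;
+ ')
+
+ manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an exim environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',`
 #
 interface(`exim_admin',`
 gen_require(`
- type exim_t, exim_initrc_exec_t, exim_log_t;
- type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ type exim_t, exim_spool_t, exim_log_t;
+ type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+ type exim_keytab_t;
 ')
 
 allow $1 exim_t:process signal_perms;
@@ -273,6 +312,9 @@ interface(`exim_admin',`
 role_transition $2 exim_initrc_exec_t system_r;
 allow $2 system_r;
 
+ files_search_etc($1)
+ admin_pattern($1, exim_keytab_t)
+
 files_search_spool($1)
 admin_pattern($1, exim_spool_t)
 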
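Review bot: `exim_admin` now requires `type exim_keytab_t;` in its `gen_require` (second hunk) and applies `admin_pattern($1, exim_keytab_t)` (third hunk), but that type only exists when `kerberos_keytab_template(exim, exim_t)` is expanded, which the exim.te section of this commit does inside an `optional_policy(` block; when the kerberos module is not present, any module calling `exim_admin` will fail to link on the missing type. The keytab rules should sit in their own `optional_policy(` inside the interface with a nested `gen_require(` for `exim_keytab_t`, or be provided by a kerberos-side admin interface. Since the keytab holds the service's Kerberos credential, granting full `admin_pattern` on it is reasonable for an admin role but deserves a one-line comment. `exim_admin` continues outside the hunk.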
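diff --git a/exim.te b/exim.te
index 3e86b12..5495c90 100644
--- a/exim.te
+++ b/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.4)
+policy_module(exim, 1.6.1)
 
 ########################################
 #
@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
 type exim_initrc_exec_t;
 init_script_file(exim_initrc_exec_t)
 
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
 type exim_log_t;
 logging_log_file(exim_log_t)
 
@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
 type exim_var_run_t;
 files_pid_file(exim_var_run_t)
 
+ifdef(`distro_debian',`
+ init_daemon_run_dir(exim_var_run_t, "exim4")
+')
+
 ########################################
 #
 # Local policy
@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
@@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
 
 can_exec(exim_t, exim_exec_t)
 
+kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
 kernel_read_system_state(exim_t)
@@ -122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
+dev_read_sysfs(exim_t)
 
 domain_use_interactive_fds(exim_t)
 
@@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
@@ -175,6 +187,7 @@ optional_policy(`
 optional_policy(`
 cron_read_pipes(exim_t)
 cron_rw_system_job_pipes(exim_t)
+ cron_use_system_job_fds(exim_t)
 ')
 
 optional_policy(`
@@ -186,7 +199,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- kerberos_keytab_template(exim, exim_t)
+ kerberos_keytab_template(exim, exim_t)
 ')
 
 optional_policy(`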
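Review bot: `auth_domtrans_chk_passwd(exim_t)` (seventh hunk) lets the MTA run the password-checking helper, i.e. verify arbitrary local account passwords; it is unconditional and the commit does not say which authenticator needs it. A comment such as `# SMTP AUTH: exim verifies passwords via the chkpwd helper - confirm` would document it, and if the feature is off on most deployments a boolean is the usual way to gate it. The last hunk replaces the `kerberos_keytab_template(exim, exim_t)` line with one that renders identically, so it appears to be a whitespace-only change that could be dropped from the patch; the new `manage_files_pattern` on `exim_var_lib_t` (fourth hunk) has no matching `files_var_lib_filetrans`, which is fine only as long as exim never creates the `/var/lib/exim` directory itself.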
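diff --git a/fprintd.te b/fprintd.te
index ed04b9e..72b7712 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t)
 dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
+files_dontaudit_list_tmp(fprintd_t)
+
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)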
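diff --git a/freeipmi.te b/freeipmi.te
index 8071a76..0710d79 100644
--- a/freeipmi.te
+++ b/freeipmi.te
@@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
 
 dev_read_rand(freeipmi_domain)
 dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
 
 sysnet_dns_name_resolve(freeipmi_domain)
 
@@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain)
 
 files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 
-dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
 
 allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
 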
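Review bot: Moving `dev_rw_ipmi_dev` from `freeipmi_bmc_watchdog_t` to the `freeipmi_domain` attribute widens raw IPMI device access to every domain carrying the attribute (`freeipmi_ipmiseld_t` is visible in the second hunk's context), not just the watchdog. That may be exactly what the other daemons need, but the commit does not say which one hit the denial; a comment above the call naming the domain and operation would justify the broader grant, and otherwise a second per-domain `dev_rw_ipmi_dev` call is the narrower fix. The removal in the second hunk also leaves two consecutive blank lines where one was before.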
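diff --git a/gear.fc b/gear.fc
index 5eabf35..98c012c 100644
--- a/gear.fc
+++ b/gear.fc
@@ -1,7 +1,7 @@
 /usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
 
-/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
-
-/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
+/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
 
+/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0)
 /var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)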
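Review bot: The entry `/var/lib/containers/bin/gear -- gear_exec_t` is dropped while the new `/var/lib/containers(/.*)?` rule labels that whole tree `gear_var_lib_t`, so if a gear binary is still installed there it will be relabelled to a data type and executing it will no longer transition into `gear_t`. If the binary has genuinely moved to `/usr/bin/gear` this is fine, but the commit does not say so; otherwise keep the exec entry alongside the new directory rule. The `gear.service` line is removed and re-added with what renders as identical text, which looks like a whitespace-only change that could be left out.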
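diff --git a/gear.te b/gear.te
index 6c32f79..cb68ca9 100644
--- a/gear.te
+++ b/gear.te
@@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t)
 #
 # gear local policy
 #
+allow gear_t self:capability { chown net_admin fowner dac_override };
+allow gear_t self:capability2 block_suspend;
 allow gear_t self:process { getattr signal_perms };
 allow gear_t self:fifo_file rw_fifo_file_perms;
 allow gear_t self:unix_stream_socket create_stream_socket_perms;
 allow gear_t self:tcp_socket create_stream_socket_perms;
 
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+
 manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 manage_files_pattern(gear_t, gear_log_t, gear_log_t)
 manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
@@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
 
 manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
@@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t)
 kernel_rw_net_sysctls(gear_t)
 
 domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
 
 corecmd_exec_bin(gear_t)
 corecmd_exec_shell(gear_t)
@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t)
 corenet_tcp_sendrecv_generic_port(gear_t)
 corenet_tcp_bind_gear_port(gear_t)
 
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
 files_read_etc_files(gear_t)
 
 fs_read_cgroup_files(gear_t)
@@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t)
 
 init_read_state(gear_t)
 init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
 
 logging_send_audit_msgs(gear_t)
 logging_send_syslog_msg(gear_t)
@@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t)
 
 sysnet_dns_name_resolve(gear_t)
 
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
 systemd_manage_all_unit_files(gear_t)
 
 optional_policy(`
+ hostname_exec(gear_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
 docker_stream_connect(gear_t)
 ')
+
+optional_policy(`
+ openshift_manage_lib_dirs(gear_t)
+ openshift_manage_lib_files(gear_t)
+ openshift_relabelfrom_lib(gear_t)
+')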
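Review bot: The first hunk adds `allow gear_t self:capability { chown net_admin fowner dac_override };` directly under the `# gear local policy` header with no blank line and no comment, and later hunks add `files_mounton_rootfs`, sysfs mount/unmount, `iptables_domtrans`, `sysnet_exec_ifconfig` and `init_enable_services`; together with the `systemd_manage_all_unit_files` already in context this is full network and mount control plus the ability to enable units, i.e. host-administrator reach for a daemon that also listens on a TCP port. None of the grants is explained; a comment per group, such as `# net_admin + iptables + ifconfig: container network setup - confirm` above the capability line, would let a reviewer check each against a gear feature. The `relabelfrom relabelto` rules on `gear_unit_file_t` and `gear_var_lib_t` dirs also deserve a note that they exist so the `units` directory labelled in gear.fc can be created under the var_lib tree, since they allow gear_t to turn any of its data directories into systemd unit content.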
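diff --git a/glance.te b/glance.te
index 16dcb5b..2d17fe6 100644
--- a/glance.te
+++ b/glance.te
@@ -5,6 +5,13 @@ policy_module(glance, 1.0.2)
 # Declarations
 #
 
+## <desc>
+##
+## Allow glance domain to manage fuse files
+##
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
 attribute glance_domain;
 
 glance_basic_types_template(glance_registry)
@@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain)
 
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+ fs_manage_fusefs_dirs(glance_domain)
+ fs_manage_fusefs_files(glance_domain)
+ fs_read_fusefs_symlinks(glance_domain)
+ fs_getattr_fusefs(glance_domain)
+')
+
+
+
+optional_policy(`
+ mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
@@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
 corenet_tcp_connect_http_port(glance_api_t)
 
 corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
 
 corenet_sendrecv_hplip_server_packets(glance_api_t)
 corenet_tcp_bind_hplip_port(glance_api_t)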
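Review bot: The second hunk leaves three consecutive blank lines after the `glance_use_fusefs` tunable block, between its closing `')` and the new `optional_policy(`; one blank line is the convention everywhere else in this file. The two `corenet_tcp_connect_*` additions in the third hunk (`commplex_main_port`, `http_cache_port`) carry no comment naming the service glance-api reaches on those ports; a line such as `# commplex_main/http_cache: <consumer - fill in>` would keep the domain's network reach auditable. The tunable's `<desc>` block has bare `##` lines where refpolicy normally places `<p>` and `</p>`; if those tags were lost in rendering this is moot, otherwise add them so the generated documentation is well-formed.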
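diff --git a/gnome.te b/gnome.te
index 5314f96..ea1115c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -226,7 +226,6 @@ allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
 filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
 filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
 
 manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)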
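diff --git a/iscsi.if b/iscsi.if
index 2ea1241..a7e1562 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -117,6 +117,28 @@ interface(`iscsi_filetrans_named_content',`
 files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 ')
 
+########################################
+## <summary>
+## Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+ gen_require(`
+ type iscsid_t;
+ type iscsi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 iscsi_unit_file_t:file read_file_perms;
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, iscsid_t)
+')
 
 ########################################
 ## <summary>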
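Review bot: The summary on the new `iscsi_systemctl` interface says "Execute iscsi server in the iscsi domain", but the body performs no domain transition at all; it grants `systemd_exec_systemctl`, read plus `manage_service_perms` on `iscsi_unit_file_t`, and `ps_process_pattern` on `iscsid_t`. Replace the summary with `## Execute systemctl to start, stop and reload the iscsi service, and read iscsid process state.` and the parameter summary with `## Domain allowed access.` so the generated interface documentation describes what a caller actually receives. Stating the start/stop/reload rights explicitly matters because `manage_service_perms` is the permission set that lets a caller control the unit, not merely query it.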
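diff --git a/iscsi.te b/iscsi.te
index 56d45ec..b25cfd0 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -90,6 +90,9 @@ corenet_sendrecv_winshadow_client_packets(iscsid_t)
 corenet_tcp_connect_winshadow_port(iscsid_t)
 corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
 dev_read_urand(iscsid_t)
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
@@ -108,5 +111,9 @@ logging_send_syslog_msg(iscsid_t)
 modutils_read_module_config(iscsid_t)
 
 optional_policy(`
+ iscsi_systemctl(iscsid_t)
+')
+
+optional_policy(`
 tgtd_manage_semaphores(iscsid_t)
 ')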
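Review bot: `corecmd_exec_bin(iscsid_t)` and `corecmd_exec_shell(iscsid_t)` are added without any accompanying domain transition, so every helper or shell script the daemon spawns keeps running as `iscsid_t` with its full ruleset, now including the self-management rights from `iscsi_systemctl(iscsid_t)`; a one-line why-comment naming the helper that triggered the denial, e.g. `# iscsid runs helper scripts in its own domain (TODO: name the helper)`, would make the grant reviewable later. The same unexplained `corecmd_exec_bin`/`corecmd_exec_shell` pair is added to `keepalived_t` in the keepalived.te hunk. Wrapping `iscsi_systemctl(iscsid_t)` in `optional_policy` also reads oddly, since that interface is defined in this module's own iscsi.if; `optional_policy` is normally reserved for interfaces of other modules that may be absent.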
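diff --git a/keepalived.te b/keepalived.te
index 535f79b..dc5c775 100644
--- a/keepalived.te
+++ b/keepalived.te
@@ -33,6 +33,9 @@ files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
 kernel_read_system_state(keepalived_t)
 kernel_read_network_state(keepalived_t)
 
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
 auth_use_nsswitch(keepalived_t)
 
 corenet_tcp_connect_connlcli_port(keepalived_t)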
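diff --git a/keystone.te b/keystone.te
index a82637c..c21beab 100644
--- a/keystone.te
+++ b/keystone.te
@@ -78,6 +78,7 @@ libs_exec_ldconfig(keystone_t)
 optional_policy(`
 mysql_stream_connect(keystone_t)
 mysql_tcp_connect(keystone_t)
+ mysql_read_db_lnk_files(keystone_t)
 ')
 
 optional_policy(`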
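diff --git a/logrotate.te b/logrotate.te
index f8c5464..17ea89c 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -38,7 +38,7 @@ files_type(logrotate_var_lib_t)
 
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-dontaudit logrotate_t self:capability sys_resource;
+dontaudit logrotate_t self:capability { sys_resource net_admin };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 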
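Review bot: `sys_resource` in the new `dontaudit logrotate_t self:capability { sys_resource net_admin };` is dead, because the `allow` line directly above already grants `sys_resource`, and a dontaudit on a permission that is allowed has no effect. Reduce the line to `dontaudit logrotate_t self:capability net_admin;` so the rule states only what it actually changes. A short comment on where the `net_admin` probe comes from (presumably a reload hook of a rotated service, which is a guess worth confirming) would stop a later reader from upgrading it to an `allow`.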
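diff --git a/logwatch.te b/logwatch.te
index 7569cd9..aea48db 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -187,6 +187,8 @@ dev_read_sysfs(logwatch_mail_t)
 logging_read_all_logs(logwatch_mail_t)
 
 mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
 
 optional_policy(`
 cron_use_system_job_fds(logwatch_mail_t)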
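Review bot: `mta_filetrans_home_content` and `mta_filetrans_admin_home_content` only install name-based type transitions into `mail_home_rw_t`; the only other home-directory rule visible for `logwatch_mail_t` is `mta_read_home`, so unless a create or write rule on `mail_home_rw_t` exists outside this hunk the new transitions can never fire. Either add the matching manage rule next to these lines or record the intent with `# name transitions only; write access to mail_home_rw_t comes from <interface placeholder>` after confirming against the rest of the file. The enclosing block continues outside the hunk.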
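diff --git a/mock.if b/mock.if
index 6568bfe..f5b98e6 100644
--- a/mock.if
+++ b/mock.if
@@ -53,6 +53,7 @@ interface(`mock_read_lib_files',`
 ')
 
 files_search_var_lib($1)
+ list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 ')
 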
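diff --git a/mock.te b/mock.te
index fc64201..1bf717f 100644
--- a/mock.te
+++ b/mock.te
@@ -192,7 +192,7 @@ optional_policy(`
 #
 # mock_build local policy
 #
-allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
 dontaudit mock_build_t self:capability audit_write;
 allow mock_build_t self:process { fork setsched setpgid signal_perms };
 allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -269,6 +269,7 @@ init_dontaudit_stream_connect(mock_build_t)
 
 libs_exec_ldconfig(mock_build_t)
 
+term_use_all_inherited_terms(mock_build_t)
 userdom_use_inherited_user_ptys(mock_build_t)
 
 tunable_policy(`mock_enable_homedirs',`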
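Review bot: `sys_ptrace` joins a `mock_build_t` capability set that already holds `sys_admin`, with no comment on which build-chroot operation needs it; because this capability lifts the usual restrictions on reading other processes' `/proc/<pid>` state, it should carry a why-comment such as `# sys_ptrace: TODO name the mock operation whose denial this fixes` before it is accepted. `term_use_all_inherited_terms` in the second hunk is broader than the `userdom_use_inherited_user_ptys` line right below it; if only the invoking user's pty is needed, the narrower interface already covers it and the new line can go.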
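diff --git a/motion.te b/motion.te
index b694afc..c7f4eb5 100644
--- a/motion.te
+++ b/motion.te
@@ -26,7 +26,7 @@ files_type(motion_data_t)
 # motion local policy
 #
 allow motion_t self:udp_socket { create connect getattr };
-allow motion_t self:tcp_socket { bind create setopt listen };
+allow motion_t self:tcp_socket create_stream_socket_perms;
 allow motion_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
@@ -43,6 +43,7 @@ files_var_filetrans(motion_t, motion_data_t, { dir file })
 
 corenet_tcp_bind_http_cache_port(motion_t)
 corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
 corenet_tcp_connect_http_port(motion_t)
 corenet_tcp_bind_generic_node(motion_t)
 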
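diff --git a/mozilla.te b/mozilla.te
index e76899c..a4f86f5 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -442,6 +442,7 @@ dev_dontaudit_read_mtrr(mozilla_plugin_t)
 xserver_dri_domain(mozilla_plugin_t)
 
 dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -458,6 +459,10 @@ fs_read_noxattr_fs_files(mozilla_plugin_t)
 fs_read_hugetlbfs_files(mozilla_plugin_t)
 fs_exec_hugetlbfs_files(mozilla_plugin_t)
 
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
+
 application_exec(mozilla_plugin_t)
 application_dontaudit_signull(mozilla_plugin_t)
 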
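Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` in the second hunk gives the browser plugin domain read access to removable block-device nodes themselves, which bypasses the file-level labels and permissions on whatever the medium contains; the two `fs_read_removable_*` lines that follow already cover mounted removable content, so the raw-device grant is the one that needs justifying. Either drop it, or gate it behind a boolean with a comment naming the plugin feature that opens the device node, e.g. `# raw device read: TODO name the plugin that needs it`. The `dev_dontaudit_leaked_xserver_misc` addition in the first hunk only silences denials and is fine as is.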
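diff --git a/mta.fc b/mta.fc
index cb2791a..1e1a679 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,7 +1,7 @@
-HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 
@@ -17,10 +17,10 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
-/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
 /root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 /root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -42,3 +42,4 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)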
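diff --git a/mta.if b/mta.if
index e968c28..8f217ea 100644
--- a/mta.if
+++ b/mta.if
@@ -1174,6 +1174,7 @@ interface(`mta_filetrans_admin_home_content',`
 userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
@@ -1198,6 +1199,7 @@ interface(`mta_filetrans_home_content',`
 userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################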
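Review bot: The new `dir` transition for `.esmtp_queue` sits directly under the existing `file` transition for the same name and target type, so the pair can be written as one rule: `userdom_admin_home_dir_filetrans($1, mail_home_rw_t, { file dir }, ".esmtp_queue")`. The same collapse applies to the `userdom_user_home_dir_filetrans` pair in the second hunk. Both enclosing interfaces begin outside their hunks.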
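diff --git a/mysql.if b/mysql.if
index 404ed6d..a77dc09 100644
--- a/mysql.if
+++ b/mysql.if
@@ -233,6 +233,24 @@ interface(`mysql_append_db_files',`
 files_search_var_lib($1)
 append_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
+#######################################
+## <summary>
+## Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_search_var_lib($1)
+ read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
 
 #######################################
 ## <summary>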
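Review bot: The summary of the new `mysql_read_db_lnk_files` interface says "Read and write to the MySQL database directory", but the body grants only `files_search_var_lib` and `read_lnk_files_pattern` on `mysqld_db_t`, which is read-only access to symbolic links; replace it with `## Read symbolic links in the MySQL database directory.` so the generated documentation does not advertise write access that callers such as `keystone_t`, `glance_domain` and `nova_domain` in this commit never receive. The new block also lacks the blank line that separates every other interface in this file from the preceding `')`, so its comment banner is glued to `mysql_append_db_files`.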
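diff --git a/mysql.te b/mysql.te
index 699587e..6e73360 100644
--- a/mysql.te
+++ b/mysql.te
@@ -132,6 +132,7 @@ auth_use_nsswitch(mysqld_t)
 logging_send_syslog_msg(mysqld_t)
 
 sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
 
 ifdef(`distro_redhat',`
 filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)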
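Review bot: `sysnet_exec_ifconfig(mysqld_t)` lets the database server run the ifconfig/ip binaries inside its own domain with no comment on why a daemon that normally only reads network configuration needs to execute them. If this is for a clustering feature that discovers local addresses (a guess), record it with `# mysqld execs ip/ifconfig to discover local addresses (TODO confirm the feature)`; if the actual need is only to read interface state, `kernel_read_network_state(mysqld_t)` is the narrower grant.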
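diff --git a/nova.te b/nova.te
index d5b54e5..2d9ab86 100644
--- a/nova.te
+++ b/nova.te
@@ -46,6 +46,7 @@ files_pid_file(nova_var_run_t)
 # nova general domain local policy
 #
 
+allow nova_domain self:process signal_perms;
 allow nova_domain self:fifo_file rw_fifo_file_perms;
 allow nova_domain self:tcp_socket create_stream_socket_perms;
 allow nova_domain self:unix_stream_socket create_stream_socket_perms;
@@ -76,6 +77,11 @@ fs_getattr_xattr_fs(nova_domain)
 libs_exec_ldconfig(nova_domain)
 
 optional_policy(`
+ mysql_stream_connect(nova_domain)
+ mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
 sysnet_read_config(nova_domain)
 sysnet_exec_ifconfig(nova_domain)
 ')
@@ -142,10 +148,6 @@ auth_use_nsswitch(nova_cert_t)
 miscfiles_read_certs(nova_cert_t)
 
 optional_policy(`
- mysql_stream_connect(nova_cert_t)
-')
-
-optional_policy(`
 postgresql_stream_connect(nova_cert_t)
 ')
 
@@ -176,10 +178,6 @@ allow nova_console_t self:udp_socket create_socket_perms;
 
 auth_use_nsswitch(nova_console_t)
 
-optional_policy(`
- mysql_stream_connect(nova_console_t)
-')
-
 #######################################
 #
 # nova direct local policy
@@ -270,6 +268,8 @@ optional_policy(`
 allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
 allow nova_scheduler_t self:udp_socket create_socket_perms;
 
+auth_read_passwd(nova_scheduler_t)
+
 #optional_policy(`
 # unconfined_domain(nova_scheduler_t)
 #')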
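Review bot: Moving `mysql_stream_connect` from `nova_cert_t` and `nova_console_t` onto the `nova_domain` attribute (second hunk) grants the MySQL unix-socket connection to every nova domain, including ones like `nova_scheduler_t` that previously had no database rule at all; if only some services talk to the database directly, keep the per-domain rules and add `mysql_read_db_lnk_files` beside them instead of widening the attribute. If the broad grant is intended, a comment above the block, `# all nova services share the database connection`, would record that decision for the next reviewer. The commented-out `unconfined_domain(nova_scheduler_t)` block in the last hunk should be deleted rather than kept, since leaving an unconfined escape hatch one character away from live policy invites it being re-enabled without review.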
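diff --git a/openshift.fc b/openshift.fc
index 1d4e039..95b6381 100644
--- a/openshift.fc
+++ b/openshift.fc
@@ -5,7 +5,7 @@
 
 /var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
-/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
 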
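Review bot: The new `/var/lib/containers/home(/.*)?` entry has no companion `.*/data(/.*)?` line labelled `openshift_rw_file_t`, unlike the `stickshift` and `openshift` trees directly above and below it; if gear content under the new path follows the same layout, its `data` directories will be labelled `openshift_var_lib_t` and gear writes there will be denied. Either add the matching `data` entry or note in a comment that this tree carries no per-gear writable data — worth confirming against the actual directory layout.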
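diff --git a/openshift.if b/openshift.if
index 9451b83..a472b52 100644
--- a/openshift.if
+++ b/openshift.if
@@ -362,6 +362,26 @@ interface(`openshift_manage_content',`
 manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 ')
 
+########################################
+## <summary>
+## Relabel openshift library files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+ gen_require(`
+ type openshift_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ## Create private objects in the
@@ -416,7 +436,6 @@ interface(`openshift_read_pid_files',`
 allow $1 openshift_var_run_t:file read_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ## All of the rules required to administrate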
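Review bot: The new interface is named `openshift_relabelfrom_lib`, but `relabel_dirs_pattern` and `relabel_files_pattern` grant both `relabelfrom` and `relabelto` on `openshift_var_lib_t`, so a caller can also label arbitrary files into that type, not just away from it. If only relabeling away from the type is intended, use `relabelfrom_dirs_pattern` and `relabelfrom_files_pattern`; otherwise rename the interface to `openshift_relabel_lib` and make the summary say `## Relabel openshift library files to and from openshift_var_lib_t.` The summary line is also missing its trailing period, unlike the neighbouring interfaces.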
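diff --git a/openshift.te b/openshift.te
index ebd0c68..93fd0ea 100644
--- a/openshift.te
+++ b/openshift.te
@@ -321,6 +321,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
 gpg_entry_type(openshift_domain)
 ')
 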
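diff --git a/openvpn.te b/openvpn.te
index 265896b..fcda1bc 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -26,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
 ## connect to the TCP network.
 ##
 ## </desc>
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
 
 attribute_role openvpn_roles;
 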
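Review bot: Flipping the default of `openvpn_can_network_connect` from `false` to `true` changes the shipped posture for every system whose administrator never set the boolean: `openvpn_t` gains whatever connect rules the tunable guards (outside this hunk) without anyone opting in. If that is deliberate, say why in the `<desc>` block directly above, e.g. `## Enabled by default because <reason placeholder>.`, and treat it as a policy-visible change that warrants a module version bump; otherwise keep `false` and let deployments that need TCP transport enable it with setsebool.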
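diff --git a/openwsman.te b/openwsman.te
index 49dc5ef..3bcd32c 100644
--- a/openwsman.te
+++ b/openwsman.te
@@ -9,6 +9,12 @@ type openwsman_t;
 type openwsman_exec_t;
 init_daemon_domain(openwsman_t, openwsman_exec_t)
 
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
 type openwsman_log_t;
 logging_log_file(openwsman_log_t)
 
@@ -22,10 +28,21 @@ systemd_unit_file(openwsman_unit_file_t)
 #
 # openwsman local policy
 #
+
+allow openwsman_t self:capability setuid;
+
 allow openwsman_t self:process { fork };
 allow openwsman_t self:fifo_file rw_fifo_file_perms;
 allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-allow openwsman_t self:tcp_socket { create_socket_perms listen };
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
 
 manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
 logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@@ -34,10 +51,24 @@ manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
 files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
 
 auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
 
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
 corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
 
 dev_read_urand(openwsman_t)
 
 logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+ sblim_stream_connect_sfcbd(openwsman_t)
+ sblim_rw_semaphores_sfcbd(openwsman_t)
+ sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+ unconfined_domain(openwsman_t)
+')
 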
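Review bot: The `optional_policy(` `unconfined_domain(openwsman_t)` `)` block at the end of the third hunk makes `openwsman_t` unconfined whenever the unconfined module is loaded, which is commonly the case; every fine-grained rule added above it — `self:capability setuid`, `auth_domtrans_chkpwd`, the new tmp/tmpfs types, the http-port bind — then contributes nothing, and a daemon that accepts network connections runs effectively unrestricted. Drop the block, or if it is a stop-gap while the policy is being completed, gate it on a tunable and mark it `# TEMPORARY: remove once openwsman runs cleanly confined (tracked in <issue placeholder>)` so it cannot ship silently. `self:capability setuid` also lands with no comment; if it exists so the daemon can switch to the user authenticated via `chkpwd`, say so on that line.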
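diff --git a/passenger.if b/passenger.if
index 0ec51d4..2d8335f 100644
--- a/passenger.if
+++ b/passenger.if
@@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',`
 manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
 manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
 ')
+
+########################################
+## <summary>
+## Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_kill',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 passenger_t:process sigkill;
+')
+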
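diff --git a/pegasus.te b/pegasus.te
index 6c3afa0..37539ec 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -203,6 +203,8 @@ optional_policy(`
 # pegasus openlmi service local policy
 #
 
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
 init_manage_transient_unit(pegasus_openlmi_admin_t)
 init_disable_services(pegasus_openlmi_admin_t)
 init_enable_services(pegasus_openlmi_admin_t)
@@ -217,6 +219,9 @@ systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
 
 allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
 
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
 optional_policy(`
 dbus_system_bus_client(pegasus_openlmi_admin_t)
 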
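Review bot: Both hunks add rules for `pegasus_openlmi_admin_t`, yet the first appears under the `# pegasus openlmi service local policy` banner and the second is inserted directly after `allow pegasus_openlmi_service_t self:udp_socket ...`, so admin and service rules are now interleaved and a reader scanning by section will misattribute them. Group `fs_getattr_all_fs`, `logging_read_syslog_pid` and `logging_read_generic_logs` with the other `pegasus_openlmi_admin_t` rules, or at least put `# pegasus_openlmi_admin_t` above them. `logging_read_generic_logs` also grants the management agent read access to every generic log file; if it only parses specific logs, a narrower interface keeps that agent's exposure smaller.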
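diff --git a/puppet.fc b/puppet.fc
index 8c0b242..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,11 +1,19 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
 /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
 /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)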
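diff --git a/puppet.te b/puppet.te
index a375475..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.0)
+policy_module(puppet, 1.4.0)
 
 ########################################
 #
@@ -11,7 +11,7 @@ policy_module(puppet, 1.3.0)
 ## types.
 ##
 ## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
 
 ## <desc>
 ##
@@ -20,15 +20,18 @@ gen_tunable(puppet_manage_all_files, false)
 ## </desc>
 gen_tunable(puppetmaster_use_db, false)
 
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
 
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
@@ -62,205 +65,142 @@ files_tmp_file(puppetmaster_tmp_t)
 # Puppet personal policy
 #
 
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket create_stream_socket_perms;
-allow puppet_t self:udp_socket create_socket_perms;
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
 
-read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-files_search_var_lib(puppet_t)
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
 
-create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
 
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
 
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
 
-corecmd_read_all_executables(puppet_t)
-corecmd_dontaudit_access_all_executables(puppet_t)
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
 
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-corenet_tcp_bind_generic_node(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
 
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
 
-domain_read_all_domains_state(puppet_t)
-domain_interactive_fd(puppet_t)
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
 
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
 
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
 
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
 
-auth_use_nsswitch(puppet_t)
+auth_use_nsswitch(puppetagent_t)
 
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
 
-logging_send_syslog_msg(puppet_t)
+logging_send_syslog_msg(puppetagent_t)
 
-miscfiles_read_hwdata(puppet_t)
+miscfiles_read_hwdata(puppetagent_t)
 
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-seutil_read_file_contexts(puppet_t)
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
 
-sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_run_ifconfig(puppetagent_t, system_r)
 
-usermanage_access_check_groupadd(puppet_t)
-usermanage_access_check_passwd(puppet_t)
-usermanage_access_check_useradd(puppet_t)
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
 
-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_security_files(puppet_t)
+tunable_policy(`puppetagent_manage_all_files',`
+ files_manage_non_security_files(puppetagent_t)
 ')
 
 optional_policy(`
- cfengine_read_lib_files(puppet_t)
+ mysql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
- consoletype_exec(puppet_t)
+ postgresql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
- hostname_exec(puppet_t)
+ cfengine_read_lib_files(puppetagent_t)
 ')
 
 optional_policy(`
- mount_domtrans(puppet_t)
+ consoletype_exec(puppetagent_t)
 ')
 
 optional_policy(`
- mta_send_mail(puppet_t)
+ hostname_exec(puppetagent_t)
 ')
 
 optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
+ mount_domtrans(puppetagent_t)
 ')
 
 optional_policy(`
- files_rw_var_files(puppet_t)
-
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
-')
-
-optional_policy(`
- unconfined_domain(puppet_t)
-')
-
-optional_policy(`
- auth_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- alsa_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- bootloader_filetrans_config(puppet_t)
-')
-
-optional_policy(`
- devicekit_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- dnsmasq_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- kerberos_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- libs_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- miscfiles_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- mta_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- modules_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- networkmanager_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- nx_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- postfix_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
- openshift_initrc_domtrans(puppet_t)
+ mta_send_mail(puppetagent_t)
 ')
 
 optional_policy(`
- quota_filetrans_named_content(puppet_t)
+ portage_domtrans(puppetagent_t)
+ portage_domtrans_fetch(puppetagent_t)
+ portage_domtrans_gcc_config(puppetagent_t)
 ')
 
 optional_policy(`
- sysnet_filetrans_named_content(puppet_t)
-')
+ files_rw_var_files(puppetagent_t)
 
-optional_policy(`
- virt_filetrans_home_content(puppet_t)
+ rpm_domtrans(puppetagent_t)
+ rpm_manage_db(puppetagent_t)
+ rpm_manage_log(puppetagent_t)
 ')
 
 optional_policy(`
- ssh_filetrans_admin_home_content(puppet_t)
+ unconfined_domain_noaudit(puppetagent_t)
 ')
 
 ########################################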
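Review bot: The boolean rename from `gen_tunable(puppet_manage_all_files, false)` to `gen_tunable(puppetagent_manage_all_files, false)` in the second hunk has no compatibility shim, whereas every renamed type gets a `typealias`; a host that persisted the old boolean in its local configuration silently loses that setting after the module update, because booleans cannot be aliased. Keeping the old `gen_tunable` as well and gating the same block on either boolean, or at least calling the rename out in the module changelog, would make the migration visible to administrators. In the last hunk the final optional block switches `unconfined_domain(puppet_t)` to `unconfined_domain_noaudit(puppetagent_t)`: when the unconfined module is present the agent is effectively unconfined despite all the fine-grained rules above, and the noaudit variant additionally suppresses the AVC records that would show what an unconfined agent actually touched, so a comment stating why audit suppression is wanted belongs on that line. The fourth hunk ends on the section banner; the puppetmaster policy that follows it is outside the hunk.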
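diff --git a/quantum.te b/quantum.te
index 52bad99..156e9af 100644
--- a/quantum.te
+++ b/quantum.te
@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t)
 # Local policy
 #
 
-allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
-allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
 allow neutron_t self:fifo_file rw_fifo_file_perms;
 allow neutron_t self:key manage_key_perms;
 allow neutron_t self:tcp_socket { accept listen };
 allow neutron_t self:unix_stream_socket { accept listen };
 allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
 
 manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
@@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 logging_log_filetrans(neutron_t, neutron_log_t, dir)
 
 manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
 
 manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 
 can_exec(neutron_t, neutron_tmp_t)
 
-kernel_read_kernel_sysctls(neutron_t)
 kernel_read_system_state(neutron_t)
 kernel_read_network_state(neutron_t)
 kernel_request_load_module(neutron_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
 
 corecmd_exec_shell(neutron_t)
 corecmd_exec_bin(neutron_t)
@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t)
 corenet_tcp_connect_keystone_port(neutron_t)
 corenet_tcp_connect_amqp_port(neutron_t)
 corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
 
+domain_read_all_domains_state(neutron_t)
 domain_named_filetrans(neutron_t)
 
 dev_read_sysfs(neutron_t)
@@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t)
 
 files_mounton_non_security(neutron_t)
 
+fs_getattr_all_fs(neutron_t)
+
 auth_use_nsswitch(neutron_t)
 
 libs_exec_ldconfig(neutron_t)
@@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t)
 logging_send_audit_msgs(neutron_t)
 logging_send_syslog_msg(neutron_t)
 
+netutils_exec(neutron_t)
+
+# need to stay in neutron
 sysnet_exec_ifconfig(neutron_t)
 sysnet_manage_ifconfig_run(neutron_t)
 sysnet_filetrans_named_content_ifconfig(neutron_t)
@@ -109,16 +123,19 @@ optional_policy(`
 ')
 
 optional_policy(`
+ modutils_domtrans_insmod(neutron_t)
+')
+
+optional_policy(`
  mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
  mysql_read_config(neutron_t)
-
  mysql_tcp_connect(neutron_t)
 ')
 
 optional_policy(`
  postgresql_stream_connect(neutron_t)
  postgresql_unpriv_client(neutron_t)
-
  postgresql_tcp_connect(neutron_t)
 ')
 
@@ -129,4 +146,8 @@ optional_policy(`
 
 optional_policy(`
  sudo_exec(neutron_t)
+')
+
+optional_policy(`
+ udev_domtrans(neutron_t)
 ')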
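Review bot: The capability line in the first hunk is missing the space before its closing brace (`net_raw net_bind_service};`), unlike every other `{ ... }` set in this file; it should read `allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service };`. In the second hunk `kernel_rw_kernel_sysctl(neutron_t)` replaces the read-only `kernel_read_kernel_sysctls(neutron_t)` with write access to the kernel sysctls, on top of the `kernel_rw_net_sysctls(neutron_t)` that already covers the network tunables a networking service would be expected to change; a one-line comment naming which kernel sysctl neutron writes would justify the wider grant, in the same way `# need to stay in neutron` explains the sysnet block in the fifth hunk. The new `dac_override` capability and the `modutils_domtrans_insmod` and `udev_domtrans` blocks widen the domain noticeably as well and deserve the same kind of why-comment.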
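diff --git a/rabbitmq.te b/rabbitmq.te
index 7d5630f..9fb98a1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -87,6 +87,7 @@ corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
 corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+corenet_tcp_connect_http_port(rabbitmq_beam_t)
 
 domain_read_all_domains_state(rabbitmq_beam_t)
 
@@ -127,7 +128,7 @@ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
 allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
 allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
 
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;
 
 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 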
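Review bot: `allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;` in the second hunk replaces an append-only grant with create, write, rename and unlink, so the epmd log files lose the append-only property that kept a misbehaving or compromised epmd from truncating or deleting its own trail. If the denial being fixed was only file creation, `allow rabbitmq_epmd_t rabbitmq_var_log_t:file { create_file_perms append_file_perms };` keeps the log tamper-resistant; if more really is needed, a comment naming the operation that was denied would tell the next reader why the wider set is intentional.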
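diff --git a/rhcs.te b/rhcs.te
index 4fd3b77..503838b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -593,6 +593,7 @@ logging_send_syslog_msg(groupd_t)
 allow haproxy_t self:capability { dac_override kill };
 
 allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:capability2 block_suspend;
 allow haproxy_t self:process { fork setrlimit signal_perms };
 allow haproxy_t self:fifo_file rw_fifo_file_perms;
 allow haproxy_t self:unix_stream_socket create_stream_socket_perms;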
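diff --git a/rhsmcertd.te b/rhsmcertd.te
index d193f7a..87038e7 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -53,6 +53,7 @@ kernel_read_system_state(rhsmcertd_t)
 kernel_read_sysctl(rhsmcertd_t)
 
 corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
 corenet_tcp_connect_squid_port(rhsmcertd_t)
 
 corecmd_exec_bin(rhsmcertd_t)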
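diff --git a/rsync.te b/rsync.te
index d7db2d9..7a6ca6c 100644
--- a/rsync.te
+++ b/rsync.te
@@ -170,4 +170,6 @@ auth_can_read_shadow_passwords(rsync_t)
 
 optional_policy(`
  swift_manage_data_files(rsync_t)
+ swift_manage_lock(rsync_t)
+ swift_filetrans_named_lock(rsync_t)
 ')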
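diff --git a/sandbox.if b/sandbox.if
index 89bc443..a2cb772 100644
--- a/sandbox.if
+++ b/sandbox.if
@@ -22,14 +22,42 @@ interface(`sandbox_transition',`
  attribute sandbox_domain;
  ')
 
- allow $1 sandbox_domain:process transition;
- dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
- role $2 types sandbox_domain;
- allow sandbox_domain $1:process { sigchld signull };
- allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
- dontaudit sandbox_domain $1:process signal;
- dontaudit sandbox_domain $1:key { link read search view };
- dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+ sandbox_dyntransition($1) #885288
+ allow $1 sandbox_domain:process transition;
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+ role $2 types sandbox_domain;
+
+ allow sandbox_domain $1:process { sigchld signull };
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit sandbox_domain $1:process signal;
+ dontaudit sandbox_domain $1:key { link read search view };
+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+ gen_require(`
+ attribute sandbox_domain;
+ ')
+
+ allow $1 sandbox_domain:process dyntransition;
 ')
 
 ########################################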
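Review bot: The documentation block added for `sandbox_dyntransition` describes a different interface: its summary says it executes sandbox in the sandbox domain and allows a role, and it documents a `role` parameter, yet the body only grants `allow $1 sandbox_domain:process dyntransition;` and takes a single argument, so the summary should say that it allows the domain to dynamically transition (setcon) into sandbox domains and the `role` param block should be removed. Calling `sandbox_dyntransition($1) #885288` unconditionally from `sandbox_transition` also gives every caller of the exec-based interface a dynamic transition as well, which is a weaker entry point (no new program image, inherited memory and descriptors); now that the separate interface exists, the callers that need it for bug 885288 can call it directly and the rest keep the narrower grant. The trailing `#885288` should become a sentence on its own line, e.g. `# allow setcon-style entry into the sandbox domain (bz 885288)`. `sandboxX.if` adds the same unconditional `dyntransition` grant to `sandbox_x_transition` and has the same concern.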
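diff --git a/sandboxX.if b/sandboxX.if
index 3258f45..03bdcef 100644
--- a/sandboxX.if
+++ b/sandboxX.if
@@ -26,6 +26,7 @@ interface(`sandbox_x_transition',`
  ')
 
  allow $1 sandbox_x_domain:process { signal_perms transition };
+ allow $1 sandbox_x_domain:process dyntransition;
  dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
  allow sandbox_x_domain $1:process { sigchld signull };
  allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;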
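diff --git a/sblim.if b/sblim.if
index d4aa009..562666e 100644
--- a/sblim.if
+++ b/sblim.if
@@ -86,6 +86,84 @@ interface(`sblim_filetrans_named_content',`
 
 ########################################
 ## <summary>
+## Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcbd',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ type sblim_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+## Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_exec_t;
+ ')
+
+ allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+## Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+## Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_t;
+ ')
+
+ allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
 ## All of the rules required to administrate
 ## an gatherd environment
 ## </summary>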
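Review bot: `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)` in `sblim_stream_connect_sfcbd` passes the socket's file type as the fourth argument, which is the peer domain the pattern grants `unix_stream_socket connectto` on; with `sblim_tmp_t` there the rule grants connectto on a file type, which is meaningless, and the line should read `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_sfcb_t)` (or whichever domain owns the socket). The same interface and `sblim_stream_connect_sfcb` require `sblim_sfcb_t`, while `sblim_rw_semaphores_sfcbd`, `sblim_getattr_exec_sfcbd` and the `sblim.te` hunk in this commit all use `sblim_sfcbd_t`; unless `sblim_sfcb_t` is an alias, those `gen_require` blocks will not resolve. `sblim_stream_connect_sfcbd` and `sblim_stream_connect_sfcb` also carry the identical summary and nearly the same body, so one should go or the summaries should state how they differ, and the `sblim_getattr_exec_sfcbd` param summary says "Domain allowed to transition" for an interface that only grants getattr. The double blank lines after the second and fourth interfaces are a style nit in the same hunk.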
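diff --git a/sblim.te b/sblim.te
index 20f5040..21c15bb 100644
--- a/sblim.te
+++ b/sblim.te
@@ -157,9 +157,19 @@ auth_use_nsswitch(sblim_sfcbd_t)
 
 corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
 
 dev_read_rand(sblim_sfcbd_t)
 dev_read_urand(sblim_sfcbd_t)
 
 domain_read_all_domains_state(sblim_sfcbd_t)
 domain_use_interactive_fds(sblim_sfcbd_t)
+
+optional_policy(`
+ rpm_exec(sblim_sfcbd_t)
+ rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')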
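Review bot: `corecmd_exec_shell(sblim_sfcbd_t)` and `corecmd_exec_bin(sblim_sfcbd_t)` let the CIM broker run any shell or system binary in its own domain, and `rpm_dontaudit_manage_db(sblim_sfcbd_t)` deliberately hides write attempts against the rpm database, so a comment naming the provider that needs to shell out, and stating that the rpm db writes are expected noise rather than a bug, would tell the next reader which of these grants is intentional. The two corecmd lines are unconditional, so that widening applies even where the optional rpm block is not built.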
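diff --git a/sensord.fc b/sensord.fc
index 97926d2..9be989a 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -4,6 +4,6 @@
 
 /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
 
-/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0)
+/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0)
 
 /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)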
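Review bot: `/var/log/sensor.*` uses an unescaped `.` and drops the trailing `d`, so it matches any object under `/var/log` whose name begins with `sensor`, not only this daemon's files, and removing the `--` qualifier applies the label to directories and every other object class too. If the intent is the daemon's log files and their rotations, `/var/log/sensord\..* -- gen_context(system_u:object_r:sensord_log_t,s0)` keeps the prefix tied to the daemon name as the surrounding `sensord\.pid` entry does; if a directory is also expected, the `(/.*)?` form used elsewhere in these file contexts says so more precisely than an open-ended wildcard.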
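diff --git a/slocate.te b/slocate.te
index 8417705..669d253 100644
--- a/slocate.te
+++ b/slocate.te
@@ -61,3 +61,8 @@ ifdef(`enable_mls',`
 optional_policy(`
  cron_system_entry(locate_t, locate_exec_t)
 ')
+
+optional_policy(`
+ mock_getattr_lib(locate_t)
+')
+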
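Review bot: The new `optional_policy` block leaves the file with a trailing blank line (the last added line), which none of the other `.te` files in this commit end with; dropping that final empty line keeps the module consistent. `mock_getattr_lib(locate_t)` itself is a narrow grant and reads fine.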
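diff --git a/snapper.fc b/snapper.fc
index 660fcd2..d1d72f2 100644
--- a/snapper.fc
+++ b/snapper.fc
@@ -6,3 +6,5 @@ HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0)
 /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0)
 
 /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
+
+/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)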
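Review bot: `/mnt/(.*/)?.snapshots(/.*)?` has an unescaped `.` before `snapshots`, so any single character is accepted there and names other than the literal `.snapshots` directory match at any depth under `/mnt`; the hunk header's own `HOME_DIR/\.snapshots` entry shows the escaped form this file already uses. The line should read `/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)`. Without a `--` qualifier the pattern labels files and directories alike, which is presumably intended for a snapshot tree but is worth saying in a comment above the line.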
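diff --git a/spamassassin.te b/spamassassin.te
index 32f670e..e8531d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -275,12 +275,17 @@ manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
 # for /root/.pyzor
 allow spamc_t self:capability dac_override;
 
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;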
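Review bot: The two new spool rules are ordered `read_files_pattern` then `list_dirs_pattern`, while the `spamd_var_lib_t` pair directly above lists the directory pattern first; writing them as `list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` followed by `read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` keeps the two blocks parallel. A one-line comment on why the client now reads the daemon's spool would also help, since the neighbouring `# for /root/.pyzor` and `# Allow connecting to a local spamd` comments set that precedent and nothing here says what in the spool spamc needs.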
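diff --git a/sssd.te b/sssd.te
index fb39837..eb8bb88 100644
--- a/sssd.te
+++ b/sssd.te
@@ -68,6 +68,7 @@ kernel_request_load_module(sssd_t)
 corenet_udp_bind_generic_port(sssd_t)
 corenet_dontaudit_udp_bind_all_ports(sssd_t)
 corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
 
 corecmd_exec_bin(sssd_t)
 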
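diff --git a/stapserver.te b/stapserver.te
index e472397..6aeecac 100644
--- a/stapserver.te
+++ b/stapserver.te
@@ -72,6 +72,7 @@ files_list_tmp(stapserver_t)
 files_search_kernel_modules(stapserver_t)
 
 fs_search_cgroup_dirs(stapserver_t)
+fs_getattr_all_fs(stapserver_t)
 
 auth_use_nsswitch(stapserver_t)
 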
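--- a/swift.fc
+++ b/swift.fc
@@ -15,8 +15,11 @@
 /usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
 
+/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0)
+
 /usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
 
+/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)
 /var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
 /var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
 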
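--- a/swift.if
+++ b/swift.if
@@ -59,6 +59,43 @@ interface(`swift_manage_data_files',`
 manage_dirs_pattern($1, swift_data_t, swift_data_t)
 ')
 
+#####################################
+## <summary>
+## Read and write swift lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
 ########################################
 ## <summary>
 ## Execute swift server in the swift domain.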
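Review bot: The summary of `swift_manage_lock` says "Read and write swift lock files", but its body calls `manage_files_pattern($1, swift_lock_t, swift_lock_t)`, which also grants create, unlink, rename and setattr; interface summaries are what a policy author reads when deciding to call an interface, so it should state the full grant, e.g. `## Create, read, write, and delete swift lock files.`. The `swift_filetrans_named_lock` summary "Transition content labels to swift named content" likewise does not say which file is affected; `## Create swift_server.lock in the lock directory labelled swift_lock_t.` would. Note also that `swift_manage_lock` grants no directory permissions on swift_lock_t, while swift.te in this same commit gives swift_t `manage_dirs_pattern` on that type and the swift.fc pattern `/var/lock/swift.*` has no file-type qualifier, so a caller would presumably be unable to search a swift_lock_t directory; if that is intended, a comment saying so avoids the question, otherwise `manage_dirs_pattern($1, swift_lock_t, swift_lock_t)` belongs next to the files rule.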
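--- a/swift.te
+++ b/swift.te
@@ -9,8 +9,14 @@ type swift_t;
 type swift_exec_t;
 init_daemon_domain(swift_t, swift_exec_t)
 
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
 type swift_tmp_t;
-files_tmpfs_file(swift_tmp_t)
+files_tmp_file(swift_tmp_t)
+
+type swift_tmpfs_t;
+files_tmpfs_file(swift_tmpfs_t)
 
 type swift_var_cache_t;
 files_type(swift_var_cache_t)
@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms;
 allow swift_t self:unix_stream_socket create_stream_socket_perms;
 allow swift_t self:unix_dgram_socket create_socket_perms;
 
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
 
+manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
@@ -59,7 +73,12 @@ kernel_dgram_send(swift_t)
 kernel_read_system_state(swift_t)
 kernel_read_network_state(swift_t)
 
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
 corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
 
 dev_read_urand(swift_t)
 
@@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t)
 
 files_dontaudit_search_home(swift_t)
 
+fs_getattr_all_fs(swift_t)
+
 auth_use_nsswitch(swift_t)
 
 libs_exec_ldconfig(swift_t)
@@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t)
 
 optional_policy(`
 rpm_exec(swift_t)
+ rpm_dontaudit_manage_db(swift_t)
 ')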
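Review bot: The `# bug in swift` comment above `corenet_tcp_bind_xserver_port(swift_t)` and `corenet_tcp_bind_http_cache_port(swift_t)` (third hunk) does not say what the bug is, and letting an object-storage daemon bind port labels that belong to the X server and HTTP caches is exactly the kind of grant that should be reversible once the upstream problem goes away. Record the cause and a tracker reference so the rules can be removed later, e.g. `# swift's default listen ports fall inside xserver_port_t / http_cache_port_t; drop once the port labelling is fixed, see <upstream-bug-id>` (the port collision is my inference, so confirm it against the denial that prompted the rule). In the first hunk, switching `swift_tmp_t` from `files_tmpfs_file` to `files_tmp_file` presumably changes the type's attribute from tmpfs content to /tmp content; a one-line comment there, or a commit-message sentence, would explain the relabel for anyone carrying existing content.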
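--- a/tgtd.te
+++ b/tgtd.te
@@ -56,6 +56,7 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 
 kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)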
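--- a/ulogd.te
+++ b/ulogd.te
@@ -44,7 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-
+kernel_request_load_module(ulogd_t)
 
 sysnet_dns_name_resolve(ulogd_t)
 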
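Review bot: `kernel_request_load_module(ulogd_t)` lets the daemon trigger kernel module autoloading by name, and nothing in the hunk records which module ulogd needs, so the grant cannot be audited later without re-finding the denial that prompted it. Add a comment above it naming the expected module, e.g. `# ulogd autoloads its netfilter logging input module (nfnetlink_log / ctnetlink) at start`, adjusted to whatever the original AVC actually showed.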
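--- a/virt.te
+++ b/virt.te
@@ -522,7 +522,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
- fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_dirs(virtd_t)
 fs_manage_cifs_files(virtd_t)
 fs_read_cifs_symlinks(virtd_t)
 ')
@@ -1168,6 +1168,7 @@ allow svirt_sandbox_domain self:msgq create_msgq_perms;
 allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
 
 tunable_policy(`deny_ptrace',`',`
 allow svirt_sandbox_domain self:process ptrace;
@@ -1256,11 +1257,16 @@ optional_policy(`
 docker_manage_lib_files(svirt_lxc_net_t)
 docker_manage_lib_dirs(svirt_lxc_net_t)
 docker_read_share_files(svirt_sandbox_domain)
+ docker_exec_lib(svirt_sandbox_domain)
 docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
 docker_use_ptys(svirt_sandbox_domain)
 ')
 
 optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
 mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1283,8 +1289,8 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
- fs_manage_nfs_files(svirt_sandbox_domain)
 fs_manage_cifs_files(svirt_sandbox_domain)
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
 fs_read_cifs_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1671,5 +1677,3 @@ optional_policy(`
 optional_policy(`
 systemd_dbus_chat_logind(sandbox_net_domain)
 ')
-
-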
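Review bot: `docker_exec_lib(svirt_sandbox_domain)` (third hunk) is granted to the whole `svirt_sandbox_domain` attribute, whereas the `docker_manage_lib_files`/`docker_manage_lib_dirs` rules two lines above in the same optional block are scoped to `svirt_lxc_net_t`, and the commit gives no reason for the wider scope; if the interface allows executing content under docker's lib tree, as its name suggests, every sandbox domain can then run files the docker daemon manages. Either narrow it to the domain that produced the denial or add a comment naming the workload, e.g. `# containers execute binaries the daemon places under docker's lib dir`. The new `allow svirt_sandbox_domain self:filesystem associate;` in the second hunk is likewise uncommented; a note on which filesystem produced the denial (presumably one whose superblock is labelled with the task context) would keep the rule from reading as a stray.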
diff --git a/zabbix.te b/zabbix.te
index 614e66c..551c4e9 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -125,9 +125,9 @@ zabbix_agent_tcp_connect(zabbix_t)
logging_send_syslog_msg(zabbix_t)
tunable_policy(`zabbix_can_network',`
- corenet_sendrecv_all_client_packets(zabbix_t)
- corenet_tcp_connect_all_ports(zabbix_t)
- corenet_tcp_sendrecv_all_ports(zabbix_t)
+ corenet_sendrecv_all_client_packets(zabbix_domain)
+ corenet_tcp_connect_all_ports(zabbix_domain)
+ corenet_tcp_sendrecv_all_ports(zabbix_domain)
')
optional_policy(`