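diff --git a/policy/mls b/policy/mls
index 9e0c245..53c2f8c 100644
--- a/policy/mls
+++ b/policy/mls
@@ -177,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));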
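Review bot: Dropping `accept` from the constrained permission set leaves the comment on the line above, `# the socket "read" ops`, describing a set it no longer fully matches, and the hunk gives no rationale for why accepting a connection should escape the low-level dominance check. If `accept` is now covered by another mlsconstrain outside this hunk, say so in the comment; otherwise the removal relaxes MLS enforcement for every socket class listed here and deserves an inline justification, e.g. `# accept is constrained separately (see <CONSTRAINT-REFERENCE-PLACEHOLDER>)` with the real reference filled in.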
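diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index aa51ab2..2e75ec7 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -126,3 +126,22 @@ interface(`sudo_exec',`
 
 can_exec($1, sudo_exec_t)
 ')
+
+######################################
+## <summary>
+## Allow to manage sudo database in called domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sudo_manage_db',`
+ gen_require(`
+ type sudo_db_t;
+ ')
+
+ manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1, sudo_db_t, sudo_db_t)
+')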
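Review bot: The summary on the new `sudo_manage_db` interface, `Allow to manage sudo database in called domain.`, does not follow the wording the sibling interfaces use and is hard to parse. I would write it as `## Create, read, write, and delete sudo database files and directories.`, which also states what `manage_dirs_pattern` and `manage_files_pattern` actually grant. Because the manage patterns include create, unlink and rename, a caller that only needs to read the database should get a separate read interface rather than this one; a one-line note under the summary saying so would steer callers to the least privilege they need.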
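diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 9a8ff3e..423b99a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -61,6 +61,8 @@ ifdef(`distro_redhat',`
 /etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)
+
 /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
@@ -482,6 +484,9 @@ ifdef(`distro_suse', `
 /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
 
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')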
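Review bot: The two glusterd hook entries in the hunk at 482 differ only in the extension, so they can be one pattern, `/var/lib/glusterd/hooks/.*/.*\.(sh|py) -- gen_context(system_u:object_r:bin_t,s0)`, which keeps the list shorter and stops the two lines drifting apart later. Both of them, and the `/etc/ctdb/events\.d/.*` entry in the hunk at 61, label scripts that live inside a daemon's own state or configuration tree as `bin_t`, so it is worth confirming that the glusterd and ctdb modules do not also claim those paths with a type of their own, since file-context precedence is then decided by pattern specificity rather than by which module the author intended. A short comment naming why the hook directories need `bin_t` (presumably so the daemons can execute them through the generic bin rules — confirm) would help the next reader.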
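diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 75c7b9d..6842334 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1685,6 +1685,25 @@ interface(`fs_cifs_entry_type',`
 domain_entry_file($1, cifs_t)
 ')
 
+########################################
+## <summary>
+## Make general progams in CIFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_cifs_entrypoint',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file entrypoint;
+')
+
 #######################################
 ## <summary>
 ## Create, read, write, and delete dirs
@@ -2326,6 +2345,44 @@ interface(`fs_exec_fusefs_files',`
 
 ########################################
 ## <summary>
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which fusefs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_fusefs_entry_type',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ domain_entry_file($1, fusefs_t)
+')
+
+########################################
+## <summary>
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which fusefs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_fusefs_entrypoint',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:file entrypoint;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete files
 ## on a FUSEFS filesystem.
 ## </summary>
@@ -3049,6 +3106,25 @@ interface(`fs_nfs_entry_type',`
 
 ########################################
 ## <summary>
+## Make general progams in NFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_nfs_entrypoint',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file entrypoint;
+')
+
+########################################
+## <summary>
 ## Append files
 ## on a NFS filesystem.
 ## </summary>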
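Review bot: `fs_fusefs_entry_type` in the hunk at 2326 carries a summary identical to the one on `fs_fusefs_entrypoint`, `Make general progams in FUSEFS an entrypoint for the specified domain.`, although the two interfaces grant different things: the first calls `domain_entry_file`, the second allows only `fusefs_t:file entrypoint`. The `entry_type` summary should describe its own effect, for example `## Make fusefs_t an entry point type for the specified domain (via domain_entry_file).`, with the `<param>` text adjusted to match. The typo `progams` appears in all three hunks (1685, 2326 and 3049) and should read `programs`. It would also help to state in each `_entrypoint` summary that it deliberately grants the `entrypoint` permission alone, since the existing `_entry_type` interfaces appear to be the broader form and a reader choosing between them needs that distinction spelled out.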
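diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 947af6c..59fe535 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -12,6 +12,8 @@
 /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 
+/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
 /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)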
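diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2ef9dc6..7e306f4 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -56,6 +56,7 @@ ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 mls_trusted_object(sshd_t)
 mls_process_write_all_levels(sshd_t)
+mls_dbus_send_all_levels(sshd_t)
 
 type sshd_initrc_exec_t;
 init_script_file(sshd_initrc_exec_t)
@@ -512,6 +513,10 @@ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 userdom_use_user_terminals(ssh_keygen_t)
 
 optional_policy(`
+ glusterd_manage_lib_files(ssh_keygen_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
 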
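Review bot: `glusterd_manage_lib_files(ssh_keygen_t)` in the hunk at 512 gives a key-generation helper create, write, rename and delete access to glusterd's whole lib-directory state, which is more than writing one generated key pair requires. If the need is that glusterd invokes ssh-keygen to produce its own keys (inferred from the domain pairing — confirm), the narrower fix is a dedicated type or interface for the key location, or at least a comment above the call such as `# glusterd runs ssh-keygen to create keys under its lib dir — TODO confirm exact path`. The `mls_dbus_send_all_levels(sshd_t)` addition in the hunk at 56 likewise has no comment saying which dbus peer at another level sshd must reach, and the same grant is made to systemd_logind_t elsewhere in this commit.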
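diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index b88e8a2..b13579d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2602,7 +2602,7 @@ interface(`init_rw_tcp_sockets',`
 type init_t;
 ')
 
- allow $1 init_t:tcp_socket { read write };
+ allow $1 init_t:tcp_socket { read write getattr getopt setopt };
 ')
 
 ########################################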
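Review bot: Adding `setopt` to `init_rw_tcp_sockets` lets every caller change options on a socket owned by `init_t`, which goes beyond the read/write that the interface name and its summary (outside this hunk) promise, and this same interface is handed to user domains in the `userdomain.if` hunk of this commit. If `setopt` is needed by one specific consumer, keep the rw interface as it was and add a separate `init_setopt_tcp_sockets`-style interface for that caller, or at minimum update the summary to `## Read, write, get and set options on init tcp sockets.` so the wider grant is visible to anyone choosing the interface. The `getattr getopt` additions are low risk and fine to fold in.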
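diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 12c7fa6..0cd667e 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -541,3 +541,22 @@ interface(`ipsec_mgmt_systemctl',`
 
 ps_process_pattern($1, ipsec_mgmt_t)
 ')
+
+########################################
+## <summary>
+## Do not audit attempts to write the ipsec
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`ipsec_dontaudit_write_log',`
+ gen_require(`
+ type ipsec_log_t;
+ ')
+
+ dontaudit $1 ipsec_log_t:file rw_inherited_file_perms;
+')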
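Review bot: `ipsec_dontaudit_write_log` uses `rw_inherited_file_perms`, an `rw` set that covers read as well as write on inherited `ipsec_log_t` descriptors, while the interface name and the summary `Do not audit attempts to write the ipsec log files.` mention only writing. Either narrow the permission set to the write side or make the documentation honest, e.g. `## Do not audit attempts to read or write inherited ipsec log file descriptors.`. Suppressed denials never reach the audit log, so the summary should state exactly what is being hidden.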
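diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f0ed532..4080213 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -139,6 +139,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ ctdbd_read_lib_files(iptables_t)
+')
+
+optional_policy(`
 neutron_rw_inherited_pipes(iptables_t)
 neutron_sigchld(iptables_t)
 ')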
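Review bot: `ctdbd_read_lib_files(iptables_t)` is added without a comment saying why a firewall tool needs to read ctdb's state files; since this commit also labels `/etc/ctdb/events\.d/.*` as `bin_t`, this presumably supports ctdb event scripts that invoke iptables with input from ctdb's lib directory — confirm. A one-line comment above the new `optional_policy` block, `# ctdb event scripts run iptables with files from ctdb's lib dir — TODO confirm`, keeps the dependency explicit for whoever later trims iptables_t.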
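diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 077c808..a9691cb 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -20,6 +20,14 @@ gen_tunable(logging_syslogd_can_sendmail, false)
 ## </desc>
 gen_tunable(logging_syslogd_use_tty, true)
 
+## <desc>
+##
+## Allow syslogd the ability to call nagios plugins. It is
+## turned on by omprog rsyslog plugin.
+##
+## </desc>
+gen_tunable(logging_syslogd_run_nagios_plugins, false)
+
 attribute logfile;
 
 type auditctl_t;
@@ -505,6 +513,12 @@ tunable_policy(`logging_syslogd_can_sendmail',`
 corenet_tcp_connect_smtp_port(syslogd_t)
 ')
 
+optional_policy(`
+ tunable_policy(`logging_syslogd_run_nagios_plugins',`
+ nagios_domtrans_unconfined_plugins(syslogd_t)
+ ')
+')
+
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
 dev_read_rand(syslogd_t)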
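Review bot: The tunable description `Allow syslogd the ability to call nagios plugins.` in the hunk at 20 understates what the hunk at 505 grants, which is `nagios_domtrans_unconfined_plugins` — a transition from syslogd_t into the unconfined nagios plugin domain, triggered by whatever the rsyslog omprog module executes. The `<desc>` should say so, e.g. `## Allow syslogd to transition to the unconfined nagios plugin domain, as needed by the rsyslog omprog module.`, so an administrator enabling the boolean understands the loss of confinement for a daemon that processes externally supplied log input. The sentence `It is turned on by omprog rsyslog plugin.` also reads as if the plugin flips the boolean; `It is needed by the rsyslog omprog module.` is, I assume, the intended meaning.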
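diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index ca1b2bc..b3417f5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -447,6 +447,7 @@ optional_policy(`
 optional_policy(`
 ipsec_write_pid(ifconfig_t)
 ipsec_setcontext_default_spd(ifconfig_t)
+ ipsec_dontaudit_write_log(ifconfig_t)
 ')
 
 optional_policy(`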
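diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index db531dc..7c2a68e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -96,6 +96,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 
 mls_file_read_all_levels(systemd_logind_t)
 mls_file_write_all_levels(systemd_logind_t)
+mls_dbus_send_all_levels(systemd_logind_t)
 
 files_delete_tmpfs_files(systemd_logind_t)
 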
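diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 05274ae..29b37bc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -169,6 +169,7 @@ template(`userdom_base_user_template',`
 
 optional_policy(`
 ssh_rw_stream_sockets($1_usertype)
+ ssh_rw_dgram_sockets($1_usertype)
 ssh_delete_tmp($1_t)
 ssh_signal($1_t)
 ')
@@ -718,8 +719,8 @@ template(`userdom_common_user_template',`
 application_getattr_socket($1_usertype)
 
 
- ifdef(`enabled_mls',`
- init_rw_tcp_sockets($1_usertype)
+ ifdef(`enable_mls',`
+ init_rw_tcp_sockets($1_t)
 ')
 
 logging_send_syslog_msg($1_t)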
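Review bot: The rename from `enabled_mls` to `enable_mls` in the hunk at 718 presumably makes the `init_rw_tcp_sockets` call inside `userdom_common_user_template` take effect for the first time on MLS builds (the old spelling never matched the build macro, I assume), and the target was switched from `$1_usertype` to `$1_t` in the same line pair without a comment on why the narrower target is the right one. Since this commit also widens `init_rw_tcp_sockets` to include `setopt`, the net effect is that every common user domain under MLS can read, write and set options on tcp sockets owned by init_t; a comment such as `# MLS: user sessions inherit a tcp socket from init_t — TODO state which service` would record the reason for the grant. The `ssh_rw_dgram_sockets($1_usertype)` addition in the hunk at 169 is fine on its own.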