diff --git a/aiccu.te b/aiccu.te
index 6e4206c..a9039ce 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -69,6 +69,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+    pcscd_stream_connect(aiccu_t)
+')
+
+optional_policy(`
 	sysnet_dns_name_resolve(aiccu_t)
 	sysnet_domtrans_ifconfig(aiccu_t)
 ')
diff --git a/antivirus.te b/antivirus.te
index 8ba9c95..83590aa 100644
--- a/antivirus.te
+++ b/antivirus.te
@@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t };
 systemd_unit_file(antivirus_unit_file_t)
 
 type antivirus_conf_t;
-typealias antivirus_conf_t alias { clamd_etc_t };
+typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 files_config_file(antivirus_conf_t)
 
 type antivirus_var_run_t;
@@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain)
 
 domain_dontaudit_read_all_domains_state(antivirus_domain)
 
+files_dontaudit_read_security_files(antivirus_domain)
 files_read_etc_runtime_files(antivirus_domain)
 files_search_spool(antivirus_domain)
 
@@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain)
 
 tunable_policy(`antivirus_can_scan_system',`
 	files_read_non_security_files(antivirus_domain)
-    #files_dontaudit_read_all_non_security_files(antivirus_domain)
-    files_dontaudit_read_security_files(antivirus_domain)
 	files_getattr_all_pipes(antivirus_domain)
 	files_getattr_all_sockets(antivirus_domain)
     dev_getattr_all_blk_files(antivirus_domain)
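Review bot: `files_dontaudit_read_security_files(antivirus_domain)` is removed from the `antivirus_can_scan_system` tunable block here (L43) and re-added unconditionally in the previous hunk (L34), so with the boolean off, attempts by any antivirus domain to read security-labelled files (the security_file_type set, shadow and friends, presumably) no longer produce an AVC record at all. That is a loss of audit signal rather than a grant, but it is exactly the signal that would reveal a scanner reading files it should not when system scanning is disabled, so the move deserves a comment stating it is intended. If the goal is only to quiet noise from a particular scanner, keeping the dontaudit inside the tunable, or adding `# dontaudit kept outside antivirus_can_scan_system: <reason — fill in>` above L34, makes the trade-off explicit. The dropped commented-out line at L42 is fine to remove.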
diff --git a/apache.fc b/apache.fc
index 43bb1c9..b903cc0 100644
--- a/apache.fc
+++ b/apache.fc
@@ -133,6 +133,7 @@ ifdef(`distro_suse', `
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cherokee(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
diff --git a/apache.if b/apache.if
index 64beed7..9426db5 100644
--- a/apache.if
+++ b/apache.if
@@ -74,6 +74,8 @@ template(`apache_content_template',`
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 
+    allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };
+
 	# Allow the web server to run scripts and serve pages
 	tunable_policy(`httpd_builtin_scripting',`
 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
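Review bot: The new `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` at L67 grants every script type produced by this template read/write on the web server's stream sockets unconditionally, outside the `httpd_builtin_scripting` tunable that guards the surrounding rules, while apache.te in the same patch (L114) adds `dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };`. Assuming `httpd_$1_script_t` carries the `httpd_script_type` attribute as elsewhere in the module, the dontaudit is dead for template-generated types and the two hunks disagree on whether this access is wanted; keep the allow if scripts legitimately use an inherited socket, or keep only the dontaudit if this is leaked-fd noise, but not both. The line is also indented with four spaces where the rest of the template uses tabs. `apache_content_template` begins before this hunk.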
diff --git a/apache.te b/apache.te
index 21d7195..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -474,7 +474,7 @@ role system_r types httpd_passwd_t;
 # Apache server local policy
 #
 
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
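Review bot: `sys_chroot` is added to the unconditional httpd_t capability set at L81 with no comment naming the module or feature that needs it. A capability on the main web-server domain applies to every Apache deployment built from this policy, so the file's convention of a why-comment above the grant should be followed, e.g. `# sys_chroot: <module/feature that chroots — fill in>`, and if a single module needs it, that module's optional_policy block or a tunable would scope it more tightly. The local-policy section continues beyond this hunk.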
@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr;
 create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
 create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 # cjp: need to refine create interfaces to
@@ -1035,6 +1036,7 @@ optional_policy(`
 
 optional_policy(`
 	passenger_exec(httpd_t)
+	passenger_kill(httpd_t)
 	passenger_manage_pid_content(httpd_t)
 ')
 
@@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto;
 
 allow httpd_t httpd_script_exec_type:file read_file_perms;
 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
-allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 
 allow httpd_script_type self:process { setsched signal_perms };
@@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use;
 allow httpd_script_type httpd_t:process sigchld;
 
 dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
 
 fs_getattr_xattr_fs(httpd_script_type)
 
diff --git a/apcupsd.te b/apcupsd.te
index a370cb8..5206035 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
+domain_signull_all_domains(apcupsd_t)
+
 files_manage_etc_runtime_files(apcupsd_t)
 files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
 
diff --git a/automount.te b/automount.te
index f27656d..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
 
 files_dontaudit_write_var_dirs(automount_t)
 files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
 files_getattr_default_dirs(automount_t)
 files_getattr_home_dir(automount_t)
 files_getattr_isid_type_dirs(automount_t)
diff --git a/bind.if b/bind.if
index 6c2dbe4..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',`
 
 ########################################
 ## <summary>
+##	Allow the domain to read bind state files in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bind_read_state',`
+	gen_require(`
+		type named_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, named_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to
 ##	administrate an bind environment.
 ## </summary>
diff --git a/chronyd.te b/chronyd.te
index 7d723c0..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t)
 
 dev_read_rand(chronyd_t)
 dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
diff --git a/cloudform.te b/cloudform.te
index 786d623..496ce03 100644
--- a/cloudform.te
+++ b/cloudform.te
@@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
 
 manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 #needed by dbomatic
-files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
 
 corecmd_exec_bin(mongod_t)
 corecmd_exec_shell(mongod_t)
diff --git a/conman.te b/conman.te
index 0de2d4d..d6b0314 100644
--- a/conman.te
+++ b/conman.te
@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms };
 
 allow conman_t self:fifo_file rw_fifo_file_perms;
 allow conman_t self:unix_stream_socket create_stream_socket_perms;
-allow conman_t self:tcp_socket { listen create_socket_perms };
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
 
 manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
 manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@@ -40,6 +40,10 @@ auth_read_passwd(conman_t)
 
 logging_send_syslog_msg(conman_t)
 
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
 optional_policy(`
     freeipmi_stream_connect(conman_t)
 ')
diff --git a/cups.fc b/cups.fc
index afe482b..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -76,10 +76,14 @@
 /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
 /var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 
+/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/opt/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /usr/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.*		gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
 
 /usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
diff --git a/dhcp.te b/dhcp.te
index cdb4d60..5d61f10 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t)
 
 logging_send_syslog_msg(dhcpd_t)
 
+sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
 
 tunable_policy(`dhcpd_use_ldap',`
-	sysnet_use_ldap(dhcpd_t)
+    allow dhcpd_t self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+    corenet_tcp_sendrecv_generic_if(dhcpd_t)
+    corenet_tcp_sendrecv_generic_node(dhcpd_t)
+    corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+    corenet_tcp_connect_ldap_port(dhcpd_t)
+    corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+	ldap_read_certs(dhcpd_t)
 ')
 
 ifdef(`distro_gentoo',`
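Review bot: `ldap_read_certs(dhcpd_t)` at L272 is called inside a `tunable_policy` but not inside an `optional_policy`, unlike the other module-specific calls in this file; if the ldap module is not loaded, the interface's gen_require would presumably fail at link time — confirm, and if so wrap that tunable block in an `optional_policy` as the existing ones are. The three consecutive `tunable_policy(\`dhcpd_use_ldap',…)` blocks at L258–L273 share one condition and can be a single block unless one of the interfaces cannot be combined in one conditional; as written they also mix four-space indentation (L260–L268) with a tab (L272). Since the inlined corenet rules replace `sysnet_use_ldap`, the resulting port set should be checked against what that interface granted.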
diff --git a/docker.te b/docker.te
index c80e06c..73e71c1 100644
--- a/docker.te
+++ b/docker.te
@@ -97,6 +97,7 @@ manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
 manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
 files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
 
 manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
@@ -135,12 +136,14 @@ files_read_etc_files(docker_t)
 
 fs_read_cgroup_files(docker_t)
 fs_read_tmpfs_symlinks(docker_t)
+fs_getattr_all_fs(docker_t)
 
 storage_raw_rw_fixed_disk(docker_t)
 
 auth_use_nsswitch(docker_t)
 
 init_read_state(docker_t)
+init_status(docker_t)
 
 logging_send_audit_msgs(docker_t)
 logging_send_syslog_msg(docker_t)
@@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t)
 
 modutils_domtrans_insmod(docker_t)
 
+systemd_status_all_unit_files(docker_t)
+systemd_start_systemd_services(docker_t)
+
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
+
 optional_policy(`
 	dbus_system_bus_client(docker_t)
 	init_dbus_chat(docker_t)
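Review bot: `systemd_status_all_unit_files(docker_t)` and `systemd_start_systemd_services(docker_t)` at L307–L308, and `userdom_stream_connect(docker_t)` / `userdom_search_user_home_content(docker_t)` at L310–L311, are unconditional base grants with no comment, and each widens what a compromised daemon can reach on the host (starting services, presumably, and walking user home content). A short why-comment above each group, `# needed for <feature — fill in>`, is warranted, and the home-content access looks like a candidate for a tunable rather than a base rule. The rule block continues outside this hunk.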
diff --git a/drbd.fc b/drbd.fc
index 671a3fb..c781675 100644
--- a/drbd.fc
+++ b/drbd.fc
@@ -3,7 +3,7 @@
 /sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
-/usr/lib/ocf/resource.\d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
+/usr/lib/ocf/resource\.d/linbit/drbd	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 
 /usr/sbin/drbdadm	--	gen_context(system_u:object_r:drbd_exec_t,s0)
 /usr/sbin/drbdsetup	--	gen_context(system_u:object_r:drbd_exec_t,s0)
diff --git a/exim.fc b/exim.fc
index dc0254b..9df498d 100644
--- a/exim.fc
+++ b/exim.fc
@@ -3,6 +3,8 @@
 /usr/sbin/exim[0-9]?	--	gen_context(system_u:object_r:exim_exec_t,s0)
 /usr/sbin/exim_tidydb	--	gen_context(system_u:object_r:exim_exec_t,s0)
 
+/var/lib/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_lib_t,s0)
+
 /var/log/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_log_t,s0)
 
 /var/run/exim[0-9]?(/.*)?	gen_context(system_u:object_r:exim_var_run_t,s0)
diff --git a/exim.if b/exim.if
index ef3b449..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate
-##	an exim environment.
+##	Read exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_read_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create, read, and write exim var lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`exim_manage_var_lib_files',`
+	gen_require(`
+		type exim_var_lib_t;
+	')
+
+	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an exim environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',`
 #
 interface(`exim_admin',`
 	gen_require(`
-		type exim_t, exim_initrc_exec_t, exim_log_t;
-		type exim_tmp_t, exim_spool_t, exim_var_run_t;
+		type exim_t, exim_spool_t, exim_log_t;
+		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
+		type exim_keytab_t;
 	')
 
 	allow $1 exim_t:process signal_perms;
@@ -273,6 +312,9 @@ interface(`exim_admin',`
 	role_transition $2 exim_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_etc($1)
+	admin_pattern($1, exim_keytab_t)
+
 	files_search_spool($1)
 	admin_pattern($1, exim_spool_t)
 
diff --git a/exim.te b/exim.te
index 3e86b12..5495c90 100644
--- a/exim.te
+++ b/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.5.4)
+policy_module(exim, 1.6.1)
 
 ########################################
 #
@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
 type exim_initrc_exec_t;
 init_script_file(exim_initrc_exec_t)
 
+type exim_var_lib_t;
+files_type(exim_var_lib_t)
+
 type exim_log_t;
 logging_log_file(exim_log_t)
 
@@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t)
 type exim_var_run_t;
 files_pid_file(exim_var_run_t)
 
+ifdef(`distro_debian',`
+	init_daemon_run_dir(exim_var_run_t, "exim4")
+')
+
 ########################################
 #
 # Local policy
@@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
 
+manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+
 append_files_pattern(exim_t, exim_log_t, exim_log_t)
 create_files_pattern(exim_t, exim_log_t, exim_log_t)
 setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
@@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file })
 
 can_exec(exim_t, exim_exec_t)
 
+kernel_read_crypto_sysctls(exim_t)
 kernel_read_kernel_sysctls(exim_t)
 kernel_read_network_state(exim_t)
 kernel_read_system_state(exim_t)
@@ -122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t)
 
 dev_read_rand(exim_t)
 dev_read_urand(exim_t)
+dev_read_sysfs(exim_t)
 
 domain_use_interactive_fds(exim_t)
 
@@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t)
 fs_list_inotifyfs(exim_t)
 
 auth_use_nsswitch(exim_t)
+auth_domtrans_chk_passwd(exim_t)
 
 logging_send_syslog_msg(exim_t)
 
@@ -175,6 +187,7 @@ optional_policy(`
 optional_policy(`
 	cron_read_pipes(exim_t)
 	cron_rw_system_job_pipes(exim_t)
+	cron_use_system_job_fds(exim_t)
 ')
 
 optional_policy(`
@@ -186,7 +199,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_keytab_template(exim, exim_t)
+    kerberos_keytab_template(exim, exim_t)
 ')
 
 optional_policy(`
diff --git a/fprintd.te b/fprintd.te
index ed04b9e..72b7712 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t)
 dev_read_urand(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 
+files_dontaudit_list_tmp(fprintd_t)
+
 fs_getattr_all_fs(fprintd_t)
 
 auth_use_nsswitch(fprintd_t)
diff --git a/freeipmi.te b/freeipmi.te
index 8071a76..0710d79 100644
--- a/freeipmi.te
+++ b/freeipmi.te
@@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
 
 dev_read_rand(freeipmi_domain)
 dev_read_urand(freeipmi_domain)
+dev_rw_ipmi_dev(freeipmi_domain)
 
 sysnet_dns_name_resolve(freeipmi_domain)
 
@@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain)
 
 files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 
-dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
 
 allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
 
diff --git a/gear.fc b/gear.fc
index 5eabf35..98c012c 100644
--- a/gear.fc
+++ b/gear.fc
@@ -1,7 +1,7 @@
 /usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
 
-/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)
-
-/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)
+/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
 
+/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)
+/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
 /var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
diff --git a/gear.te b/gear.te
index 6c32f79..cb68ca9 100644
--- a/gear.te
+++ b/gear.te
@@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t)
 #
 # gear local policy
 #
+allow gear_t self:capability { chown net_admin fowner dac_override };
+allow gear_t self:capability2 block_suspend;
 allow gear_t self:process { getattr signal_perms };
 allow gear_t self:fifo_file rw_fifo_file_perms;
 allow gear_t self:unix_stream_socket create_stream_socket_perms;
 allow gear_t self:tcp_socket create_stream_socket_perms;
 
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+
 manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
 manage_files_pattern(gear_t, gear_log_t, gear_log_t)
 manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
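Review bot: The capability line added at L554 grants `chown net_admin fowner dac_override` (plus `block_suspend` at L555) with no comment and no blank line separating it from the section header. `dac_override` in particular is frequently granted when correct labels or `dac_read_search` would suffice, so each capability should carry a reason, e.g. `# net_admin: <network setup step — fill in>; dac_override: <path that needs it — fill in>`, and dac_override re-checked once the var_lib and unit-file labels introduced by this patch are in place. The `relabelfrom relabelto` on `gear_unit_file_t:dir` at L561 lets gear_t move directories into and out of a systemd unit-file type, which should also be called out in a comment.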
@@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
 files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
 
 manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
 manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
@@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t)
 kernel_rw_net_sysctls(gear_t)
 
 domain_use_interactive_fds(gear_t)
+domain_read_all_domains_state(gear_t)
 
 corecmd_exec_bin(gear_t)
 corecmd_exec_shell(gear_t)
@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t)
 corenet_tcp_sendrecv_generic_port(gear_t)
 corenet_tcp_bind_gear_port(gear_t)
 
+dev_mounton_sysfs(gear_t)
+dev_mount_sysfs_fs(gear_t)
+dev_unmount_sysfs_fs(gear_t)
+
+files_mounton_rootfs(gear_t)
 files_read_etc_files(gear_t)
 
 fs_read_cgroup_files(gear_t)
@@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t)
 
 init_read_state(gear_t)
 init_dbus_chat(gear_t)
+init_enable_services(gear_t)
+
+iptables_domtrans(gear_t)
 
 logging_send_audit_msgs(gear_t)
 logging_send_syslog_msg(gear_t)
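Review bot: `init_enable_services(gear_t)` at L598, combined with the existing `systemd_manage_all_unit_files(gear_t)` (context at L611) and gear.fc labelling `/var/lib/containers/units(/.*)?` as `gear_unit_file_t` (L544 of this patch), means the daemon can write a unit into a directory it owns and then enable it, so anything that can drive gear_t can have init run code as a service. That is presumably the product's design, but it should be stated above L598, e.g. `# gear writes and enables its own units under /var/lib/containers/units`, so it is not read as an accident. `iptables_domtrans(gear_t)` at L600 is similarly undocumented. The local-policy block continues outside this hunk.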
@@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t)
 
 sysnet_dns_name_resolve(gear_t)
 
+sysnet_exec_ifconfig(gear_t)
+sysnet_manage_ifconfig_run(gear_t)
+
 systemd_manage_all_unit_files(gear_t)
 
 optional_policy(`
+	hostname_exec(gear_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(gear_t)
+')
+
+optional_policy(`
 	docker_stream_connect(gear_t)
 ')
+
+optional_policy(`
+	openshift_manage_lib_dirs(gear_t)
+	openshift_manage_lib_files(gear_t)
+	openshift_relabelfrom_lib(gear_t)
+')
diff --git a/glance.fc b/glance.fc
index c21a528..a746a2b 100644
--- a/glance.fc
+++ b/glance.fc
@@ -1,8 +1,14 @@
 /etc/rc\.d/init\.d/openstack-glance-api	--	gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/openstack-glance-registry	--	gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openstack-glance-scrubber	--	gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0)
 
-/usr/bin/glance-api	--	gen_context(system_u:object_r:glance_api_exec_t,s0)
+/usr/lib/systemd/system/openstack-glance-api.*              --  gen_context(system_u:object_r:glance_api_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-registry.*         --  gen_context(system_u:object_r:glance_registry_unit_file_t,s0)
+/usr/lib/systemd/system/openstack-glance-scrubber.*         --  gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0)
+
+/usr/bin/glance-api	        --	gen_context(system_u:object_r:glance_api_exec_t,s0)
 /usr/bin/glance-registry	--	gen_context(system_u:object_r:glance_registry_exec_t,s0)
+/usr/bin/glance-scrubber    --  gen_context(system_u:object_r:glance_scrubber_exec_t,s0)
 
 /var/lib/glance(/.*)?	gen_context(system_u:object_r:glance_var_lib_t,s0)
 
diff --git a/glance.if b/glance.if
index 229782f..2f3fa34 100644
--- a/glance.if
+++ b/glance.if
@@ -19,10 +19,16 @@ template(`glance_basic_types_template',`
 	type $1_t, glance_domain;
 	type $1_exec_t;
 
+    type $1_unit_file_t;
+    systemd_unit_file($1_unit_file_t)
+
 	kernel_read_system_state($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
+
+    logging_send_syslog_msg($1_t)
+
 ')
 
 ########################################
diff --git a/glance.te b/glance.te
index 16dcb5b..109dc9b 100644
--- a/glance.te
+++ b/glance.te
@@ -1,10 +1,32 @@
-policy_module(glance, 1.0.2)
+policy_module(glance, 1.1.0)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+##  <p>
+##	Determine whether glance-api can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(glance_api_can_network, false)
+
+## <desc>
+## <p>
+## Allow glance domain to manage fuse files
+## </p>
+## </desc>
+gen_tunable(glance_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow glance domain to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(glance_use_execmem, false)
+
 attribute glance_domain;
 
 glance_basic_types_template(glance_registry)
@@ -25,6 +47,12 @@ init_daemon_domain(glance_api_t, glance_api_exec_t)
 type glance_api_initrc_exec_t;
 init_script_file(glance_api_initrc_exec_t)
 
+glance_basic_types_template(glance_scrubber)
+init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t)
+
+type glance_scrubber_initrc_exec_t;
+init_script_file(glance_scrubber_initrc_exec_t)
+
 type glance_log_t;
 logging_log_file(glance_log_t)
 
@@ -77,6 +105,21 @@ libs_exec_ldconfig(glance_domain)
 
 sysnet_dns_name_resolve(glance_domain)
 
+tunable_policy(`glance_use_fusefs',`
+	fs_manage_fusefs_dirs(glance_domain)
+	fs_manage_fusefs_files(glance_domain)
+	fs_read_fusefs_symlinks(glance_domain)
+	fs_getattr_fusefs(glance_domain)
+')
+
+tunable_policy(`glance_use_execmem',`
+    allow glance_domain self:process { execmem execstack };
+')
+
+optional_policy(`
+    mysql_read_db_lnk_files(glance_domain)
+')
+
 ########################################
 #
 # Registry local policy
@@ -102,6 +145,10 @@ optional_policy(`
 	mysql_tcp_connect(glance_registry_t)
 ')
 
+optional_policy(`
+    unconfined_domain(glance_registry_t)
+')
+
 ########################################
 #
 # Api local policy
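Review bot: `unconfined_domain(glance_registry_t)` at L749 (and `unconfined_domain(glance_api_t)` at L778 in the last hunk) turns these network-facing OpenStack daemons into unconfined domains whenever the unconfined module is loaded, which is presumably the common case on the distributions this policy targets — confirm. When that module is present, the three tunables added in the first hunk (`glance_api_can_network`, `glance_use_fusefs`, `glance_use_execmem`) and every other rule in this file have no effect for those domains, so the grant needs a comment saying why confinement is switched off and ideally a tracking reference or a boolean gate. If it is a stop-gap while the policy matures, say so: `# TODO: remove once glance policy is complete; unconfined_domain makes the rules above moot`.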
@@ -122,12 +169,24 @@ corenet_tcp_connect_mysqld_port(glance_api_t)
 corenet_tcp_connect_http_port(glance_api_t)
 
 corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
+corenet_tcp_connect_commplex_main_port(glance_api_t)
+corenet_tcp_connect_http_cache_port(glance_api_t)
 
 corenet_sendrecv_hplip_server_packets(glance_api_t)
 corenet_tcp_bind_hplip_port(glance_api_t)
 
 fs_getattr_xattr_fs(glance_api_t)
 
+tunable_policy(`glance_api_can_network',`
+	corenet_sendrecv_all_client_packets(glance_api_t)
+	corenet_tcp_connect_all_ports(glance_api_t)
+	corenet_tcp_sendrecv_all_ports(glance_api_t)
+')
+
 optional_policy(`
     mysql_stream_connect(glance_api_t)
 ')
+
+optional_policy(`
+    unconfined_domain(glance_api_t)
+')
diff --git a/gnome.te b/gnome.te
index 5314f96..ea1115c 100644
--- a/gnome.te
+++ b/gnome.te
@@ -226,7 +226,6 @@ allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
 filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
 filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
 
 manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
 manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
diff --git a/iscsi.if b/iscsi.if
index 2ea1241..a7e1562 100644
--- a/iscsi.if
+++ b/iscsi.if
@@ -117,6 +117,28 @@ interface(`iscsi_filetrans_named_content',`
     files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 ')
 
+########################################
+## <summary>
+##     Execute iscsi server in the iscsi domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`iscsi_systemctl',`
+       gen_require(`
+               type iscsid_t;
+               type iscsi_unit_file_t;
+       ')
+
+       systemd_exec_systemctl($1)
+       allow $1 iscsi_unit_file_t:file read_file_perms;
+       allow $1 iscsi_unit_file_t:service manage_service_perms;
+
+       ps_process_pattern($1, iscsid_t)
+')
 
 ########################################
 ## <summary>
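Review bot: The summary at L802, "Execute iscsi server in the iscsi domain.", and the parameter text "Domain allowed to transition." at L806 describe a domain transition, but the body of `iscsi_systemctl` grants `systemd_exec_systemctl`, read of `iscsi_unit_file_t`, `manage_service_perms` on the iscsi service and process-state reads on `iscsid_t`; no transition is involved. Change the summary to `##	Execute systemctl to manage the iscsi service and read iscsid process state.` and the parameter text to `##	Domain allowed access.`. The body is also indented with 7/15 spaces while the rest of the file uses tabs.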
diff --git a/iscsi.te b/iscsi.te
index 56d45ec..b25cfd0 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -90,6 +90,9 @@ corenet_sendrecv_winshadow_client_packets(iscsid_t)
 corenet_tcp_connect_winshadow_port(iscsid_t)
 corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 
+corecmd_exec_bin(iscsid_t)
+corecmd_exec_shell(iscsid_t)
+
 dev_read_urand(iscsid_t)
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
@@ -108,5 +111,9 @@ logging_send_syslog_msg(iscsid_t)
 modutils_read_module_config(iscsid_t)
 
 optional_policy(`
+    iscsi_systemctl(iscsid_t)
+')
+
+optional_policy(`
 	tgtd_manage_semaphores(iscsid_t)
 ')
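Review bot: `iscsi_systemctl(iscsid_t)` at L843 is wrapped in `optional_policy`, but the interface is defined in this same module (iscsi.if in this patch), so the wrapper adds nothing and suggests a cross-module dependency that does not exist; call it directly. The call also gives the daemon `manage_service_perms` on its own unit file, i.e. iscsid can stop, start or reload itself through systemctl — if that is needed for a helper service rather than iscsid itself, a comment naming it (`# iscsid runs systemctl for <service — fill in>`) would save the next reader the question.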
diff --git a/keepalived.te b/keepalived.te
index 535f79b..dc5c775 100644
--- a/keepalived.te
+++ b/keepalived.te
@@ -33,6 +33,9 @@ files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
 kernel_read_system_state(keepalived_t)
 kernel_read_network_state(keepalived_t)
 
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
 auth_use_nsswitch(keepalived_t)
 
 corenet_tcp_connect_connlcli_port(keepalived_t)
diff --git a/keystone.te b/keystone.te
index a82637c..c21beab 100644
--- a/keystone.te
+++ b/keystone.te
@@ -78,6 +78,7 @@ libs_exec_ldconfig(keystone_t)
 optional_policy(`
 	mysql_stream_connect(keystone_t)
 	mysql_tcp_connect(keystone_t)
+    mysql_read_db_lnk_files(keystone_t)
 ')
 
 optional_policy(`
diff --git a/logrotate.te b/logrotate.te
index f8c5464..17ea89c 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -38,7 +38,7 @@ files_type(logrotate_var_lib_t)
 
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
-dontaudit logrotate_t self:capability sys_resource;
+dontaudit logrotate_t self:capability { sys_resource net_admin };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 
diff --git a/logwatch.te b/logwatch.te
index 7569cd9..aea48db 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -187,6 +187,8 @@ dev_read_sysfs(logwatch_mail_t)
 logging_read_all_logs(logwatch_mail_t)
 
 mta_read_home(logwatch_mail_t)
+mta_filetrans_home_content(logwatch_mail_t)
+mta_filetrans_admin_home_content(logwatch_mail_t)
 
 optional_policy(`
 	cron_use_system_job_fds(logwatch_mail_t)
diff --git a/mock.if b/mock.if
index 6568bfe..f5b98e6 100644
--- a/mock.if
+++ b/mock.if
@@ -53,6 +53,7 @@ interface(`mock_read_lib_files',`
 	')
 
 	files_search_var_lib($1)
+    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 ')
 
diff --git a/mock.te b/mock.te
index fc64201..1bf717f 100644
--- a/mock.te
+++ b/mock.te
@@ -192,7 +192,7 @@ optional_policy(`
 #
 # mock_build local policy
 #
-allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
 dontaudit mock_build_t self:capability audit_write;
 allow mock_build_t self:process { fork setsched setpgid signal_perms };
 allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
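Review bot: `sys_ptrace` is added at L922 to a capability set that already holds `sys_admin`, `setuid`, `sys_chroot`, `mknod` and `dac_override`, with no comment; a why-comment such as `# sys_ptrace: <what in the build needs it — fill in>` is needed. If the trigger was only a denial from reading another process's /proc state, `dontaudit mock_build_t self:capability sys_ptrace;` next to the existing `audit_write` dontaudit at L923 is often the right fix, since such probes usually succeed without the capability — confirm against the AVC that prompted the change.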
@@ -269,6 +269,7 @@ init_dontaudit_stream_connect(mock_build_t)
 
 libs_exec_ldconfig(mock_build_t)
 
+term_use_all_inherited_terms(mock_build_t)
 userdom_use_inherited_user_ptys(mock_build_t)
 
 tunable_policy(`mock_enable_homedirs',`
diff --git a/motion.te b/motion.te
index b694afc..c7f4eb5 100644
--- a/motion.te
+++ b/motion.te
@@ -26,7 +26,7 @@ files_type(motion_data_t)
 # motion local policy
 #
 allow motion_t self:udp_socket { create connect getattr };
-allow motion_t self:tcp_socket { bind create setopt listen };
+allow motion_t self:tcp_socket create_stream_socket_perms;
 allow motion_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
@@ -43,6 +43,7 @@ files_var_filetrans(motion_t, motion_data_t, { dir file })
 
 corenet_tcp_bind_http_cache_port(motion_t)
 corenet_tcp_bind_transproxy_port(motion_t)
+corenet_tcp_bind_us_cli_port(motion_t)
 corenet_tcp_connect_http_port(motion_t)
 corenet_tcp_bind_generic_node(motion_t)
 
diff --git a/mozilla.te b/mozilla.te
index e76899c..a4f86f5 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -442,6 +442,7 @@ dev_dontaudit_read_mtrr(mozilla_plugin_t)
 xserver_dri_domain(mozilla_plugin_t)
 
 dev_dontaudit_getattr_all(mozilla_plugin_t)
+dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -458,6 +459,10 @@ fs_read_noxattr_fs_files(mozilla_plugin_t)
 fs_read_hugetlbfs_files(mozilla_plugin_t)
 fs_exec_hugetlbfs_files(mozilla_plugin_t)
 
+storage_raw_read_removable_device(mozilla_plugin_t)
+fs_read_removable_files(mozilla_plugin_t)
+fs_read_removable_symlinks(mozilla_plugin_t)
+
 application_exec(mozilla_plugin_t)
 application_dontaudit_signull(mozilla_plugin_t)
 
diff --git a/mta.fc b/mta.fc
index cb2791a..1e1a679 100644
--- a/mta.fc
+++ b/mta.fc
@@ -1,7 +1,7 @@
-HOME_DIR/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/\.esmtp_queue(/.*)?    gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 HOME_DIR/.maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 
@@ -17,10 +17,10 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
-/root/\.esmtp_queue	--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.forward		--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 /root/\.mailrc		--	gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.esmtp_queue(/.*)?     gen_context(system_u:object_r:mail_home_rw_t,s0)
 /root/Maildir(/.*)?		gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /usr/bin/esmtp		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -42,3 +42,4 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
index e968c28..8f217ea 100644
--- a/mta.if
+++ b/mta.if
@@ -1174,6 +1174,7 @@ interface(`mta_filetrans_admin_home_content',`
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
@@ -1198,6 +1199,7 @@ interface(`mta_filetrans_home_content',`
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
 	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
 ')
 
 ########################################
diff --git a/mysql.if b/mysql.if
index 404ed6d..a77dc09 100644
--- a/mysql.if
+++ b/mysql.if
@@ -233,6 +233,24 @@ interface(`mysql_append_db_files',`
 	files_search_var_lib($1)
 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
+#######################################
+## <summary>
+##	Read and write to the MySQL database directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_read_db_lnk_files',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_search_var_lib($1)
+    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
+')
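Review bot: The summary of `mysql_read_db_lnk_files` says "Read and write to the MySQL database directory", but the body grants only `read_lnk_files_pattern`; it should read `##	Read symbolic links in the MySQL database directory.` so callers do not assume write access. The closing `')` of `mysql_append_db_files` now runs straight into the new `####` header with no blank line between interfaces, unlike the rest of the file, and `read_lnk_files_pattern` is indented with spaces where the file uses tabs. The same tab/space mix appears in the new lines of nova.te, openwsman.te, puppet.te, quantum.if, quantum.te, rsync.te and sandbox.if in this patch.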
 
 #######################################
 ## <summary>
diff --git a/mysql.te b/mysql.te
index 699587e..6e73360 100644
--- a/mysql.te
+++ b/mysql.te
@@ -132,6 +132,7 @@ auth_use_nsswitch(mysqld_t)
 logging_send_syslog_msg(mysqld_t)
 
 sysnet_read_config(mysqld_t)
+sysnet_exec_ifconfig(mysqld_t)
 
 ifdef(`distro_redhat',`
 	filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
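Review bot: `sysnet_exec_ifconfig(mysqld_t)` runs the ip/ifconfig binaries inside `mysqld_t` instead of transitioning to the ifconfig domain, which is the narrower choice only when the tool is used read-only; nothing on the page says what the database server needs it for. A one-line comment would make the intent reviewable, e.g. `# ip/ifconfig executed in-domain for <reason>; no domtrans to ifconfig_t wanted`, and if the need is just address lookup it may be worth confirming that `sysnet_read_config`, already present above, is not sufficient on its own.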
diff --git a/nova.te b/nova.te
index d5b54e5..2d9ab86 100644
--- a/nova.te
+++ b/nova.te
@@ -46,6 +46,7 @@ files_pid_file(nova_var_run_t)
 # nova general domain local policy
 #
 
+allow nova_domain self:process signal_perms;
 allow nova_domain self:fifo_file rw_fifo_file_perms;
 allow nova_domain self:tcp_socket create_stream_socket_perms;
 allow nova_domain self:unix_stream_socket create_stream_socket_perms;
@@ -76,6 +77,11 @@ fs_getattr_xattr_fs(nova_domain)
 libs_exec_ldconfig(nova_domain)
 
 optional_policy(`
+    mysql_stream_connect(nova_domain)
+    mysql_read_db_lnk_files(nova_domain)
+')
+
+optional_policy(`
 	sysnet_read_config(nova_domain)
 	sysnet_exec_ifconfig(nova_domain)
 ')
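Review bot: `mysql_stream_connect` and `mysql_read_db_lnk_files` are now attached to the `nova_domain` attribute, which is broader than the per-domain grants the two later hunks remove (`nova_cert_t`, `nova_console_t`): every nova service domain, not only those that talk to the database, gets the socket connect. If all nova services share the same SQL backend that is a reasonable consolidation, but it deserves a comment above the block, e.g. `# all nova services may reach the local mysql socket (shared DB backend)`; otherwise keep the grant per domain.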
@@ -142,10 +148,6 @@ auth_use_nsswitch(nova_cert_t)
 miscfiles_read_certs(nova_cert_t)
 
 optional_policy(`
-	mysql_stream_connect(nova_cert_t)
-')
-
-optional_policy(`
 	postgresql_stream_connect(nova_cert_t)
 ')
 
@@ -176,10 +178,6 @@ allow nova_console_t self:udp_socket create_socket_perms;
 
 auth_use_nsswitch(nova_console_t)
 
-optional_policy(`
-    mysql_stream_connect(nova_console_t)
-')
-
 #######################################
 #
 # nova direct local policy
@@ -270,6 +268,8 @@ optional_policy(`
 allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
 allow nova_scheduler_t self:udp_socket create_socket_perms;
 
+auth_read_passwd(nova_scheduler_t)
+
 #optional_policy(`
 #	unconfined_domain(nova_scheduler_t)
 #')
diff --git a/openshift.fc b/openshift.fc
index 1d4e039..95b6381 100644
--- a/openshift.fc
+++ b/openshift.fc
@@ -5,7 +5,7 @@
 
 /var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
-/var/lib/containers(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
+/var/lib/containers/home(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 /var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
 
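Review bot: Narrowing `/var/lib/containers(/.*)?` to `/var/lib/containers/home(/.*)?` leaves `/var/lib/containers` itself and any sibling subdirectory with the default `var_lib_t` label after relabel, so a domain that needs to search the parent still needs `files_search_var_lib`, and anything that creates `home` at runtime needs a filetrans rule that this patch does not add. If the intent is to stop claiming the whole containers tree for openshift, a short changelog line saying so would help downstream admins who run `restorecon` on upgrade.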
diff --git a/openshift.if b/openshift.if
index 9451b83..a472b52 100644
--- a/openshift.if
+++ b/openshift.if
@@ -362,6 +362,26 @@ interface(`openshift_manage_content',`
 	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 ')
 
+########################################
+## <summary>
+##	Relabel openshift library files 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openshift_relabelfrom_lib',`
+	gen_require(`
+		type openshift_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##	Create private objects in the
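Review bot: The interface is named `openshift_relabelfrom_lib`, but `relabel_dirs_pattern`/`relabel_files_pattern` grant both `relabelfrom` and `relabelto` on `openshift_var_lib_t`, so a caller can also move arbitrary content into that label, not only away from it. Either rename it to `openshift_relabel_lib` and say so in the summary, or use `relabelfrom_dirs_pattern`/`relabelfrom_files_pattern` if only relabeling away is intended. The summary line `##	Relabel openshift library files ` also carries trailing whitespace.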
@@ -416,7 +436,6 @@ interface(`openshift_read_pid_files',`
 	allow $1 openshift_var_run_t:file read_file_perms;
 ')
 
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
diff --git a/openshift.te b/openshift.te
index ebd0c68..93fd0ea 100644
--- a/openshift.te
+++ b/openshift.te
@@ -321,6 +321,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gear_search_lib(openshift_domain)
+')
+
+optional_policy(`
 	gpg_entry_type(openshift_domain)
 ')
 
diff --git a/openvpn.te b/openvpn.te
index 265896b..fcda1bc 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -26,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false)
 ##  connect to the TCP network.
 ##  </p>
 ## </desc>
-gen_tunable(openvpn_can_network_connect, false)
+gen_tunable(openvpn_can_network_connect, true)
 
 attribute_role openvpn_roles;
 
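Review bot: Flipping the default of `openvpn_can_network_connect` to `true` means every install now gets the broad TCP connect rules this tunable guards without an admin opting in; the `<desc>` block above the line still reads as if it were opt-in. The description should state the new default and the reason, e.g. `## Default: on, because <reason>.`, and the module version should be bumped the way quantum.te and puppet.te are bumped in this patch, since the effective policy changes on upgrade.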
diff --git a/openwsman.te b/openwsman.te
index 49dc5ef..3bcd32c 100644
--- a/openwsman.te
+++ b/openwsman.te
@@ -9,6 +9,12 @@ type openwsman_t;
 type openwsman_exec_t;
 init_daemon_domain(openwsman_t, openwsman_exec_t)
 
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
 type openwsman_log_t;
 logging_log_file(openwsman_log_t)
 
@@ -22,10 +28,21 @@ systemd_unit_file(openwsman_unit_file_t)
 #
 # openwsman local policy
 #
+
+allow openwsman_t self:capability setuid;
+
 allow openwsman_t self:process { fork };
 allow openwsman_t self:fifo_file rw_fifo_file_perms;
 allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
-allow openwsman_t self:tcp_socket { create_socket_perms listen };
+allow openwsman_t self:tcp_socket { create_socket_perms accept listen };
+
+manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
 
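Review bot: `allow openwsman_t self:capability setuid;` is added on its own with no comment; together with `auth_domtrans_chkpwd` in the next hunk it presumably supports authenticating and switching to remote users, but that is an inference. A comment such as `# setuid: change uid to the authenticated user after PAM login — confirm` would let a reviewer tie the capability to a concrete need. The `accept` added to the tcp_socket permission set and the tmp/tmpfs management blocks look consistent with the new types declared above.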
 manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
 logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
@@ -34,10 +51,24 @@ manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
 files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
 
 auth_use_nsswitch(openwsman_t)
+auth_domtrans_chkpwd(openwsman_t)
 
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
 corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
 
 dev_read_urand(openwsman_t)
 
 logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+    sblim_stream_connect_sfcbd(openwsman_t)
+    sblim_rw_semaphores_sfcbd(openwsman_t)
+    sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+    unconfined_domain(openwsman_t)
+')
 
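Review bot: `unconfined_domain(openwsman_t)` in the last block makes openwsman unconfined whenever the unconfined module is loaded, which on a targeted build is the normal case, so the sblim, corenet and audit rules added just above become documentation rather than enforcement. If this is a stopgap while the domain is being completed, mark it as such with a comment and tracker reference, e.g. `# TODO(<bug-id>): remove once openwsman policy is complete`, and consider `permissive openwsman_t;` instead, which keeps denials in the audit log so the missing rules can be found. The new lines are indented with spaces where the file uses tabs.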
diff --git a/passenger.if b/passenger.if
index 0ec51d4..0e33327 100644
--- a/passenger.if
+++ b/passenger.if
@@ -16,6 +16,7 @@ interface(`passenger_domtrans',`
 	')
 
 	domtrans_pattern($1, passenger_exec_t, passenger_t)
+	allow passenger_t $1:unix_stream_socket { accept getattr read write };
 ')
 
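Review bot: The added `allow passenger_t $1:unix_stream_socket { accept getattr read write };` gives passenger `accept` on the caller's sockets, i.e. it can take new connections off a listening socket the caller passes to it, which is wider than the inherited read/write a domtrans interface usually grants. If passenger is meant to serve on the web server's listening socket, say so in a comment above the line; otherwise drop `accept` and keep only the inherited-fd permissions. The `gen_require` for `passenger_t` sits above the hunk, so the interface start is not visible here.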
 ######################################
@@ -159,3 +160,22 @@ interface(`passenger_manage_tmp_files',`
 	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
 	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Send kill signals to passenger.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`passenger_kill',`
+	gen_require(`
+		type passenger_t;
+	')
+
+	allow $1 passenger_t:process sigkill;
+')
+
diff --git a/pegasus.te b/pegasus.te
index 6c3afa0..37539ec 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -203,6 +203,8 @@ optional_policy(`
 # pegasus openlmi service local policy
 #
 
+fs_getattr_all_fs(pegasus_openlmi_admin_t)
+
 init_manage_transient_unit(pegasus_openlmi_admin_t)
 init_disable_services(pegasus_openlmi_admin_t)
 init_enable_services(pegasus_openlmi_admin_t)
@@ -217,6 +219,9 @@ systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
 
 allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
 
+logging_read_syslog_pid(pegasus_openlmi_admin_t)
+logging_read_generic_logs(pegasus_openlmi_admin_t)
+
 optional_policy(`
     dbus_system_bus_client(pegasus_openlmi_admin_t)
     
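Review bot: The two new `logging_read_*` rules for `pegasus_openlmi_admin_t` are inserted directly under an `allow pegasus_openlmi_service_t ...` rule, so the admin and service domains' rules are now interleaved; they belong with the other `_admin_t` rules, for example next to the `fs_getattr_all_fs` line added in the previous hunk. `logging_read_generic_logs` also grants read on every `var_log_t` file, which is plausible for an admin helper but worth a comment saying which logs OpenLMI actually reads.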
diff --git a/puppet.fc b/puppet.fc
index 8c0b242..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
@@ -1,11 +1,19 @@
-/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
-/usr/sbin/puppetca		--	gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+#helper scripts
+/usr/bin/start-puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
 /var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
 /var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
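Review bot: The `#helper scripts` comment does not say why these wrappers get the daemon's exec label; since puppet.te declares `puppetagent_exec_t`/`puppetmaster_exec_t` as entrypoints via `init_daemon_domain`, running the wrapper directly transitions into the agent or master domain, and the comment should state that, e.g. `# helper scripts: labeled as entrypoints so invoking them transitions into the agent/master domain`. The hunk also mixes tabs and runs of spaces between path and context across the rewritten lines, which makes the columns drift; pick one separator.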
diff --git a/puppet.te b/puppet.te
index a375475..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.3.0)
+policy_module(puppet, 1.4.0)
 
 ########################################
 #
@@ -11,7 +11,7 @@ policy_module(puppet, 1.3.0)
 ## types.
 ## </p>
 ## </desc>
-gen_tunable(puppet_manage_all_files, false)
+gen_tunable(puppetagent_manage_all_files, false)
 
 ## <desc>
 ## <p>
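Review bot: Renaming the boolean `puppet_manage_all_files` to `puppetagent_manage_all_files` has no alias mechanism comparable to the `typealias` used for the types in the next hunk, so an admin's persisted `setsebool -P puppet_manage_all_files on` silently stops applying after the upgrade and the agent loses the access it had. Either keep the old tunable name or call the rename out in the module changelog and release notes; a comment such as `# renamed from puppet_manage_all_files in 1.4.0` above the line would also help.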
@@ -20,15 +20,18 @@ gen_tunable(puppet_manage_all_files, false)
 ## </desc>
 gen_tunable(puppetmaster_use_db, false)
 
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
+type puppetagent_t;
+type puppetagent_exec_t;
+typealias puppetagent_exec_t alias puppet_exec_t;
+typealias puppetagent_t alias puppet_t;
+init_daemon_domain(puppetagent_t, puppetagent_exec_t)
 
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
+type puppetagent_initrc_exec_t;
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
+init_script_file(puppetagent_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
@@ -62,205 +65,142 @@ files_tmp_file(puppetmaster_tmp_t)
 # Puppet personal policy
 #
 
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket create_stream_socket_perms;
-allow puppet_t self:udp_socket create_socket_perms;
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetagent_t self:tcp_socket create_stream_socket_perms;
+allow puppetagent_t self:udp_socket create_socket_perms;
 
-read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-files_search_var_lib(puppet_t)
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppetagent_t)
 
-manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
 
-create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
+create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
 
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
 
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
+kernel_dontaudit_search_sysctl(puppetagent_t)
+kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
+kernel_read_system_state(puppetagent_t)
+kernel_read_crypto_sysctls(puppetagent_t)
+kernel_read_kernel_sysctls(puppetagent_t)
 
-corecmd_read_all_executables(puppet_t)
-corecmd_dontaudit_access_all_executables(puppet_t)
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
+corecmd_read_all_executables(puppetagent_t)
+corecmd_dontaudit_access_all_executables(puppetagent_t)
+corecmd_exec_bin(puppetagent_t)
+corecmd_exec_shell(puppetagent_t)
 
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-corenet_tcp_bind_generic_node(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_all_recvfrom_netlabel(puppetagent_t)
+corenet_tcp_sendrecv_generic_if(puppetagent_t)
+corenet_tcp_sendrecv_generic_node(puppetagent_t)
+corenet_tcp_bind_generic_node(puppetagent_t)
+corenet_tcp_connect_puppet_port(puppetagent_t)
+corenet_sendrecv_puppet_client_packets(puppetagent_t)
 
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
+dev_read_rand(puppetagent_t)
+dev_read_sysfs(puppetagent_t)
+dev_read_urand(puppetagent_t)
 
-domain_read_all_domains_state(puppet_t)
-domain_interactive_fd(puppet_t)
+domain_read_all_domains_state(puppetagent_t)
+domain_interactive_fd(puppetagent_t)
+domain_named_filetrans(puppetagent_t)
 
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
+files_manage_config_files(puppetagent_t)
+files_manage_config_dirs(puppetagent_t)
+files_manage_etc_dirs(puppetagent_t)
+files_manage_etc_files(puppetagent_t)
+files_read_usr_symlinks(puppetagent_t)
+files_relabel_config_dirs(puppetagent_t)
+files_relabel_config_files(puppetagent_t)
 
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
+selinux_set_all_booleans(puppetagent_t)
+selinux_set_generic_booleans(puppetagent_t)
+selinux_validate_context(puppetagent_t)
 
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
+term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
+term_dontaudit_getattr_all_ttys(puppetagent_t)
 
-auth_use_nsswitch(puppet_t)
+auth_use_nsswitch(puppetagent_t)
 
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
+init_all_labeled_script_domtrans(puppetagent_t)
+init_domtrans_script(puppetagent_t)
+init_read_utmp(puppetagent_t)
+init_signull_script(puppetagent_t)
 
-logging_send_syslog_msg(puppet_t)
+logging_send_syslog_msg(puppetagent_t)
 
-miscfiles_read_hwdata(puppet_t)
+miscfiles_read_hwdata(puppetagent_t)
 
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-seutil_read_file_contexts(puppet_t)
+seutil_domtrans_setfiles(puppetagent_t)
+seutil_domtrans_semanage(puppetagent_t)
+seutil_read_file_contexts(puppetagent_t)
 
-sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_run_ifconfig(puppetagent_t, system_r)
 
-usermanage_access_check_groupadd(puppet_t)
-usermanage_access_check_passwd(puppet_t)
-usermanage_access_check_useradd(puppet_t)
+usermanage_access_check_groupadd(puppetagent_t)
+usermanage_access_check_passwd(puppetagent_t)
+usermanage_access_check_useradd(puppetagent_t)
 
-tunable_policy(`puppet_manage_all_files',`
-	files_manage_non_security_files(puppet_t)
+tunable_policy(`puppetagent_manage_all_files',`
+	files_manage_non_security_files(puppetagent_t)
 ')
 
 optional_policy(`
-	cfengine_read_lib_files(puppet_t)
+    mysql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
-	consoletype_exec(puppet_t)
+    postgresql_stream_connect(puppetagent_t)
 ')
 
 optional_policy(`
-	hostname_exec(puppet_t)
+	cfengine_read_lib_files(puppetagent_t)
 ')
 
 optional_policy(`
-	mount_domtrans(puppet_t)
+	consoletype_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	mta_send_mail(puppet_t)
+	hostname_exec(puppetagent_t)
 ')
 
 optional_policy(`
-	portage_domtrans(puppet_t)
-	portage_domtrans_fetch(puppet_t)
-	portage_domtrans_gcc_config(puppet_t)
+	mount_domtrans(puppetagent_t)
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
-
-	rpm_domtrans(puppet_t)
-	rpm_manage_db(puppet_t)
-	rpm_manage_log(puppet_t)
-')
-
-optional_policy(`
-	unconfined_domain(puppet_t)
-')
-
-optional_policy(`
-	auth_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	alsa_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	bootloader_filetrans_config(puppet_t)
-')
-
-optional_policy(`
-	devicekit_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	dnsmasq_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	kerberos_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	libs_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	miscfiles_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	mta_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	modules_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	networkmanager_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	nx_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	postfix_filetrans_named_content(puppet_t)
-')
-
-optional_policy(`
-	openshift_initrc_domtrans(puppet_t)
+	mta_send_mail(puppetagent_t)
 ')
 
 optional_policy(`
-	quota_filetrans_named_content(puppet_t)
+	portage_domtrans(puppetagent_t)
+	portage_domtrans_fetch(puppetagent_t)
+	portage_domtrans_gcc_config(puppetagent_t)
 ')
 
 optional_policy(`
-	sysnet_filetrans_named_content(puppet_t)
-')
+	files_rw_var_files(puppetagent_t)
 
-optional_policy(`
-	virt_filetrans_home_content(puppet_t)
+	rpm_domtrans(puppetagent_t)
+	rpm_manage_db(puppetagent_t)
+	rpm_manage_log(puppetagent_t)
 ')
 
 optional_policy(`
-	ssh_filetrans_admin_home_content(puppet_t)
+    unconfined_domain_noaudit(puppetagent_t)
 ')
 
 ########################################
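Review bot: `unconfined_domain_noaudit(puppetagent_t)` at the end of the hunk replaces `unconfined_domain(puppet_t)`; the noaudit variant also suppresses denial records, so for a domain that can already manage config files, set booleans and run semanage and rpm, the audit trail of what it did is lost as well. Unless the audit noise has a documented cause, keep `unconfined_domain` and add a comment explaining the choice. The fourteen removed `*_filetrans_named_content` blocks appear to be replaced by the single `domain_named_filetrans(puppetagent_t)`, which is broader but plausible for a configuration manager and deserves a comment; the dropped `openshift_initrc_domtrans`, `virt_filetrans_home_content` and `ssh_filetrans_admin_home_content` calls are not obviously covered by it, so confirm they are either obsolete or provided elsewhere. The new `mysql_stream_connect`, `postgresql_stream_connect` and `unconfined_domain_noaudit` lines are indented with spaces where the surrounding blocks use tabs.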
diff --git a/quantum.fc b/quantum.fc
index 32dec67..b985b65 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -4,6 +4,9 @@
 /usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)
 /usr/bin/neutron-l3-agent       --  gen_context(system_u:object_r:neutron_exec_t,s0)
 /usr/bin/neutron-lbaas-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-metadata-agent    --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-netns-cleanup --  gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ns-metadata-proxy --  gen_context(system_u:object_r:neutron_exec_t,s0)
 /usr/bin/neutron-rootwrap	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 /usr/bin/neutron-linuxbridge-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
 /usr/bin/neutron-openvswitch-agent	--	gen_context(system_u:object_r:neutron_exec_t,s0)
@@ -26,3 +29,6 @@
 
 /var/log/neutron(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
 /var/log/quantum(/.*)?	gen_context(system_u:object_r:neutron_log_t,s0)
+
+/var/run/neutron(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
+/var/run/quantum(/.*)?	gen_context(system_u:object_r:neutron_var_run_t,s0)
diff --git a/quantum.if b/quantum.if
index 3105104..97bbea4 100644
--- a/quantum.if
+++ b/quantum.if
@@ -171,6 +171,7 @@ interface(`neutron_manage_lib_files',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
+    manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
 ')
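Review bot: `neutron_manage_lib_files` now also grants `manage_sock_files_pattern`, so the interface name and its summary (above the hunk) no longer describe what it gives; either update the summary to mention sockets, or add a separate `neutron_manage_lib_sock_files` interface so callers that only need regular files do not pick up socket management. The added line is indented with spaces where the interface body uses tabs.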
 
 ########################################
diff --git a/quantum.te b/quantum.te
index 52bad99..e8c81df 100644
--- a/quantum.te
+++ b/quantum.te
@@ -1,10 +1,18 @@
-policy_module(quantum, 1.0.3)
+policy_module(quantum, 1.1.0)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+##  <p>
+##	Determine whether neutron can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(neutron_can_network, false)
+
 type neutron_t alias quantum_t;
 type neutron_exec_t alias quantum_exec_t;
 init_daemon_domain(neutron_t, neutron_exec_t)
@@ -21,6 +29,9 @@ files_tmp_file(neutron_tmp_t)
 type neutron_var_lib_t alias quantum_var_lib_t;
 files_type(neutron_var_lib_t)
 
+type neutron_var_run_t alias quantum_var_run_t;
+files_pid_file(neutron_var_run_t)
+
 type neutron_unit_file_t alias quantum_unit_file_t;
 systemd_unit_file(neutron_unit_file_t)
 
@@ -29,13 +40,17 @@ systemd_unit_file(neutron_unit_file_t)
 # Local policy
 #
 
-allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
-allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
 allow neutron_t self:fifo_file rw_fifo_file_perms;
 allow neutron_t self:key manage_key_perms;
 allow neutron_t self:tcp_socket { accept listen };
-allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen connectto };
 allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:rawip_socket create_socket_perms;
+allow neutron_t self:packet_socket create_socket_perms;
 
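Review bot: The rewritten capability line is missing a space before the closing brace, `net_raw net_bind_service}` should be `net_raw net_bind_service }`. `dac_override` is added to an already wide set (`sys_admin`, `net_admin`, `sys_ptrace`) without a comment; it is usually a sign of a file ownership problem that is better fixed by labeling or ownership than by the capability, so a line such as `# dac_override: needed for <path/operation>` would let a reviewer check that. The new `rawip_socket`/`packet_socket` create permissions are plausible for L3/DHCP agents that probe addresses, and `connectto` on the self unix socket is consistent with the metadata proxy binaries added in quantum.fc.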
 manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
 append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
@@ -44,15 +59,22 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
 logging_log_filetrans(neutron_t, neutron_log_t, dir)
 
 manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
+
+manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
+files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
 
 manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
 files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
 
 can_exec(neutron_t, neutron_tmp_t)
 
-kernel_read_kernel_sysctls(neutron_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
 kernel_read_system_state(neutron_t)
 kernel_read_network_state(neutron_t)
 kernel_request_load_module(neutron_t)
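Review bot: Replacing `kernel_read_kernel_sysctls(neutron_t)` with `kernel_rw_kernel_sysctl(neutron_t)` turns a read into write access across the `kernel.*` sysctl tree, while the `kernel_rw_net_sysctls` line added right after it already covers the `net.*` knobs (forwarding, rp_filter and similar) a network agent has to set. If nothing under `kernel.*` is actually written, keep the original read interface and add only the net one; if something is, name it in a comment so the wider grant can be revisited.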
@@ -68,10 +90,13 @@ corenet_tcp_sendrecv_all_ports(neutron_t)
 corenet_tcp_bind_generic_node(neutron_t)
 
 corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_neutron_port(neutron_t)
 corenet_tcp_connect_keystone_port(neutron_t)
 corenet_tcp_connect_amqp_port(neutron_t)
 corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
 
+domain_read_all_domains_state(neutron_t)
 domain_named_filetrans(neutron_t)
 
 dev_read_sysfs(neutron_t)
@@ -89,10 +114,19 @@ libs_exec_ldconfig(neutron_t)
 logging_send_audit_msgs(neutron_t)
 logging_send_syslog_msg(neutron_t)
 
+netutils_exec(neutron_t)
+
+# need to stay in neutron
 sysnet_exec_ifconfig(neutron_t)
 sysnet_manage_ifconfig_run(neutron_t)
 sysnet_filetrans_named_content_ifconfig(neutron_t)
 
+tunable_policy(`neutron_can_network',`
+	corenet_sendrecv_all_client_packets(neutron_t)
+	corenet_tcp_connect_all_ports(neutron_t)
+	corenet_tcp_sendrecv_all_ports(neutron_t)
+')
+
 optional_policy(`
 	brctl_domtrans(neutron_t)
 ')
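Review bot: The added comment `# need to stay in neutron` is too terse to tell a reader what must stay where or why; it presumably means the ip/ifconfig tools are executed inside `neutron_t` rather than through a domain transition, but the reason is not on the page. Spell it out, e.g. `# run ip/ifconfig in neutron_t, not ifconfig_t: <reason>`. The new `neutron_can_network` block correctly stays off by default, which is the right shape for an all-ports tunable.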
@@ -100,25 +134,32 @@ optional_policy(`
 optional_policy(`
     dnsmasq_domtrans(neutron_t)
     dnsmasq_signal(neutron_t)
-    dnsmasq_kill(neutron_t)
     dnsmasq_read_state(neutron_t)
 ')
 
 optional_policy(`
+    rhcs_domtrans_haproxy(neutron_t)
+    rhcs_stream_connect_haproxy(neutron_t)
+')
+
+optional_policy(`
     iptables_domtrans(neutron_t)
 ')
 
 optional_policy(`
+    modutils_domtrans_insmod(neutron_t)
+')
+
+optional_policy(`
 	mysql_stream_connect(neutron_t)
+    mysql_read_db_lnk_files(neutron_t)
 	mysql_read_config(neutron_t)
-
 	mysql_tcp_connect(neutron_t)
 ')
 
 optional_policy(`
 	postgresql_stream_connect(neutron_t)
 	postgresql_unpriv_client(neutron_t)
-
 	postgresql_tcp_connect(neutron_t)
 ')
 
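Review bot: `modutils_domtrans_insmod(neutron_t)` lets the agent load kernel modules, one of the highest-privilege operations a confined daemon can be given, and the domain already has `kernel_request_load_module` (visible in the previous hunk) which lets the kernel autoload modules by alias when a feature is first used. If autoloading covers the bridge/openvswitch case, the explicit insmod transition can go; if a module must be loaded by name, say which one in a comment above the block. The new haproxy, modutils and mysql lines are indented with spaces where the neighbouring blocks use tabs.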
@@ -129,4 +170,8 @@ optional_policy(`
 
 optional_policy(`
 	sudo_exec(neutron_t)
+')
+
+optional_policy(`
+    udev_domtrans(neutron_t)
 ')  
diff --git a/rabbitmq.te b/rabbitmq.te
index 7d5630f..9fb98a1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -87,6 +87,7 @@ corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
 corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+corenet_tcp_connect_http_port(rabbitmq_beam_t)
 
 domain_read_all_domains_state(rabbitmq_beam_t)
 
@@ -127,7 +128,7 @@ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
 allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
 allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
 
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms;
 
 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
 
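Review bot: Widening `rabbitmq_epmd_t` on `rabbitmq_var_log_t:file` from `append_file_perms` to `manage_file_perms` lets epmd truncate, rename and unlink its own log, which gives up the append-only property that makes the log trustworthy after a compromise of the daemon. If the denial that prompted this was only about creating the file, `allow rabbitmq_epmd_t rabbitmq_var_log_t:file { create_file_perms append_file_perms };` is the narrower fix; otherwise a comment naming the operation that needs full management would help.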
diff --git a/raid.te b/raid.te
index aa0ff54..9e28c38 100644
--- a/raid.te
+++ b/raid.te
@@ -69,6 +69,9 @@ kernel_read_kernel_sysctls(mdadm_t)
 kernel_request_load_module(mdadm_t)
 kernel_rw_software_raid_state(mdadm_t)
 kernel_setsched(mdadm_t)
+kernel_dontaudit_setsched(mdadm_t)
+kernel_signal(mdadm_t)
+kernel_stream_connect(mdadm_t)
 
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
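Review bot: `kernel_dontaudit_setsched(mdadm_t)` is added directly under the existing `kernel_setsched(mdadm_t)`; a dontaudit on a permission that is already allowed never fires, so one of the two lines is dead. Keep whichever matches the intent — the allow if mdadm really changes the scheduling of kernel threads, the dontaudit if it only probes and the noise should be silenced. The new `kernel_signal`/`kernel_stream_connect` lines are fine but a short comment on what mdadm signals or connects to would help.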
diff --git a/rhcs.if b/rhcs.if
index 1337d42..e6bcb25 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -97,6 +97,26 @@ interface(`rhcs_stream_connect_dlm_controld',`
 
 #####################################
 ## <summary>
+##	Connect to haproxy over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rhcs_stream_connect_haproxy',`
+	gen_require(`
+		type haproxy_t, haproxy_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
+')
+
+#####################################
+## <summary>
 ##	Allow read and write access to dlm_controld semaphores.
 ## </summary>
 ## <param name="domain">
@@ -212,6 +232,25 @@ interface(`rhcs_stream_connect_fenced',`
 	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
 ')
 
+######################################
+## <summary>
+##	Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rhcs_domtrans_haproxy',`
+	gen_require(`
+		type haproxy_t, haproxy_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
+')
+
 #####################################
 ## <summary>
 ##	Execute a domain transition to run gfs_controld.
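Review bot: The summary of the new `rhcs_domtrans_haproxy` interface reads "Execute a domain transition to run fenced.", a copy of the fenced interface's text; it should be `##	Execute a domain transition to run haproxy.` The interface is otherwise consistent with the `haproxy_t`/`haproxy_exec_t` types declared in rhcs.te, but it is placed in the middle of the fenced/gfs_controld interfaces rather than next to `rhcs_stream_connect_haproxy` added in the earlier hunk.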
diff --git a/rhcs.te b/rhcs.te
index 4fd3b77..503838b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -593,6 +593,7 @@ logging_send_syslog_msg(groupd_t)
 allow haproxy_t self:capability { dac_override kill };
 
 allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:capability2 block_suspend;
 allow haproxy_t self:process { fork setrlimit signal_perms };
 allow haproxy_t self:fifo_file rw_fifo_file_perms;
 allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d193f7a..87038e7 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -53,6 +53,7 @@ kernel_read_system_state(rhsmcertd_t)
 kernel_read_sysctl(rhsmcertd_t)
 
 corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_http_cache_port(rhsmcertd_t)
 corenet_tcp_connect_squid_port(rhsmcertd_t)
 
 corecmd_exec_bin(rhsmcertd_t)
diff --git a/rsync.te b/rsync.te
index d7db2d9..7a6ca6c 100644
--- a/rsync.te
+++ b/rsync.te
@@ -170,4 +170,6 @@ auth_can_read_shadow_passwords(rsync_t)
 
 optional_policy(`
 	swift_manage_data_files(rsync_t)
+    swift_manage_lock(rsync_t)
+    swift_filetrans_named_lock(rsync_t)
 ')
diff --git a/sandbox.if b/sandbox.if
index 89bc443..a2cb772 100644
--- a/sandbox.if
+++ b/sandbox.if
@@ -22,14 +22,42 @@ interface(`sandbox_transition',`
 		attribute sandbox_domain;
 	')
 
-	allow $1 sandbox_domain:process transition;
-	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-	role $2 types sandbox_domain;
-	allow sandbox_domain $1:process { sigchld signull };
-	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-	dontaudit sandbox_domain $1:process signal;
-	dontaudit sandbox_domain $1:key { link read search view };
-	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+    sandbox_dyntransition($1) #885288
+    allow $1 sandbox_domain:process transition;
+    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+
+    role $2 types sandbox_domain;
+
+    allow sandbox_domain $1:process { sigchld signull };
+    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+    dontaudit sandbox_domain $1:process signal;
+    dontaudit sandbox_domain $1:key { link read search view };
+    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
+##	</summary>
+## </param>
+#
+interface(`sandbox_dyntransition',`
+	gen_require(`
+		attribute sandbox_domain;
+	')
+
+	allow $1 sandbox_domain:process dyntransition;
 ')
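Review bot: The documentation block for the new sandbox_dyntransition interface (L2038–L2053) is copied from sandbox_transition: it says "Execute sandbox in the sandbox domain, and allow the specified role the sandbox domain" and documents a `role` parameter, but the interface takes only $1 and grants a single `process dyntransition` rule (L2059). Rewrite the summary as `##	Allow the specified domain to dynamically transition (setcon) into the sandbox domain.` and remove the `<param name="role">` block. Because dyntransition lets a running process change its own context without going through an entrypoint executable, the reason it is needed should be stated in words rather than only as the bare trailing `#885288` at L2024; a `# bug 885288: <reason>` line above the call also matches the file's comment placement. The enclosing sandbox_transition interface starts before this hunk.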
 
 ########################################
diff --git a/sandboxX.if b/sandboxX.if
index 3258f45..03bdcef 100644
--- a/sandboxX.if
+++ b/sandboxX.if
@@ -26,6 +26,7 @@ interface(`sandbox_x_transition',`
 	')
 
 	allow $1 sandbox_x_domain:process { signal_perms transition };
+	allow $1 sandbox_x_domain:process dyntransition;
 	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
 	allow sandbox_x_domain $1:process { sigchld signull };
 	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
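Review bot: The added rule at L2071 has the same source, target type and class as the allow on the line above it, so the two can be one rule: `allow $1 sandbox_x_domain:process { dyntransition signal_perms transition };`. Unlike the sandbox.if change in this series, this dyntransition grant has no bug reference or comment explaining which caller needs setcon into sandbox_x_domain; adding the same `# bug 885288` note (if that is indeed the trigger) would keep the two files consistent. The enclosing sandbox_x_transition interface starts before this hunk.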
diff --git a/sblim.if b/sblim.if
index d4aa009..562666e 100644
--- a/sblim.if
+++ b/sblim.if
@@ -86,6 +86,84 @@ interface(`sblim_filetrans_named_content',`
 
 ########################################
 ## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcbd',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+        type sblim_tmp_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+##  Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+    gen_require(`
+        type sblim_sfcbd_exec_t;
+    ')
+
+	allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+##	Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+	gen_require(`
+		type sblim_sfcb_t, sblim_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+##	Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+	gen_require(`
+		type sblim_sfcbd_t;
+	')
+
+	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
 ##	All of the rules required to administrate
 ##	an gatherd environment
 ## </summary>
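Review bot: The new sblim_stream_connect_sfcbd interface (L2091–L2100) requires `sblim_sfcb_t`, whereas sblim_rw_semaphores_sfcbd (L2152), sblim_getattr_exec_sfcbd (L2114) and the sblim.te hunk below all use `sblim_sfcbd_t`; unless both types are declared, the gen_require at L2093 (and the identical one at L2133) fails at build time, and the daemon type should be spelled `sblim_sfcbd_t` throughout. The second pattern at L2099, `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)`, passes a file type as the fourth argument, which is the process type that receives `connectto`; it should be the daemon type, `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_sfcbd_t)`. sblim_stream_connect_sfcb (L2131–L2138) is a strict subset of sblim_stream_connect_sfcbd, so one of the two should be dropped, and the `<summary>` of sblim_getattr_exec_sfcbd at L2108 says "Domain allowed to transition." for an interface that only grants getattr. Also, `files_search_pids($1)` at L2097/L2136 grants search on the pid directory while the socket directory is sblim_var_lib_t; if the socket lives under /var/lib this should be `files_search_var_lib($1)`.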
diff --git a/sblim.te b/sblim.te
index 20f5040..21c15bb 100644
--- a/sblim.te
+++ b/sblim.te
@@ -157,9 +157,19 @@ auth_use_nsswitch(sblim_sfcbd_t)
 
 corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)
 corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
 
 dev_read_rand(sblim_sfcbd_t)
 dev_read_urand(sblim_sfcbd_t)
 
 domain_read_all_domains_state(sblim_sfcbd_t)
 domain_use_interactive_fds(sblim_sfcbd_t)
+
+optional_policy(`
+    rpm_exec(sblim_sfcbd_t)
+    rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
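Review bot: The new `corecmd_exec_shell`/`corecmd_exec_bin` lines (L2175–L2176) and the `rpm_exec` block (L2184–L2187) let sblim_sfcbd_t run shells, arbitrary binaries and rpm inside its own domain, a sizeable widening of a CIM broker's policy with no comment recording which provider or bug needs it. If rpm is only run to query the package database, a note such as `# <provider> runs rpm to query packages; see bug <BUG-ID>` above the optional_policy would justify the `rpm_dontaudit_manage_db` and make later tightening possible; if it genuinely needs to write the database, a domain transition via rpm_domtrans would keep that out of sblim_sfcbd_t. The optional_policy body at L2185–L2186 is indented with spaces while the rest of the file uses tabs.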
diff --git a/sensord.fc b/sensord.fc
index 97926d2..9be989a 100644
--- a/sensord.fc
+++ b/sensord.fc
@@ -4,6 +4,6 @@
 
 /usr/sbin/sensord	--	gen_context(system_u:object_r:sensord_exec_t,s0)
 
-/var/log/sensord\.rrd	--	gen_context(system_u:object_r:sensord_log_t,s0)
+/var/log/sensor.*		gen_context(system_u:object_r:sensord_log_t,s0)
 
 /var/run/sensord\.pid	--	gen_context(system_u:object_r:sensord_var_run_t,s0)
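Review bot: The replacement pattern `/var/log/sensor.*` at L2197 drops both the `--` regular-file restriction and the literal `sensord\.rrd` of the old entry, so it now labels every path under /var/log whose name starts with `sensor`, including directories and any other daemon's `sensor*` logs, as sensord_log_t. If the intent is sensord's rrd plus rotated copies, `/var/log/sensord.*	--	gen_context(system_u:object_r:sensord_log_t,s0)` is tighter; if a directory is also meant to match, a short comment would make the broader regex read as deliberate.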
diff --git a/slocate.te b/slocate.te
index 8417705..669d253 100644
--- a/slocate.te
+++ b/slocate.te
@@ -61,3 +61,8 @@ ifdef(`enable_mls',`
 optional_policy(`
 	cron_system_entry(locate_t, locate_exec_t)
 ')
+
+optional_policy(`
+	mock_getattr_lib(locate_t)
+')
+
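Review bot: L2212 adds an empty line after the closing `')`, so the file now ends with a blank line, while the virt.te hunk at the end of this series (L2514–L2515) removes exactly that kind of trailing blank from another file. Dropping the extra line keeps the two changes consistent; the mock_getattr_lib block itself is fine.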
diff --git a/snapper.fc b/snapper.fc
index 660fcd2..d1d72f2 100644
--- a/snapper.fc
+++ b/snapper.fc
@@ -6,3 +6,5 @@ HOME_DIR/\.snapshots    -d  gen_context(system_u:object_r:snapperd_home_t,s0)
 /etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 
 /var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
+
+/mnt/(.*/)?.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)
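Review bot: The `.` before `snapshots` in the new entry at L2222 is unescaped, so it is a regex wildcard rather than a literal dot and the pattern also matches paths such as `/mnt/xsnapshots`; the existing HOME_DIR entry on L2217 escapes it. Use `/mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)`.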
diff --git a/spamassassin.te b/spamassassin.te
index 32f670e..e8531d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -275,12 +275,17 @@ manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 userdom_append_user_home_content_files(spamc_t)
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
 # for /root/.pyzor
 allow spamc_t self:capability dac_override;
 
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
+read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
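Review bot: The two spool rules added at L2239–L2240 are written in the reverse order of the equivalent var_lib pair just above them (L2236–L2237 list dirs first, then read files); swapping them keeps the pattern pairs uniform. The pair also lacks the one-line purpose comment the surrounding rules carry ("# for /root/.pyzor", "# Allow connecting to a local spamd"); something like `# spamc reads spamd's spool` above L2239 would match the file's style.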
diff --git a/sssd.te b/sssd.te
index fb39837..eb8bb88 100644
--- a/sssd.te
+++ b/sssd.te
@@ -68,6 +68,7 @@ kernel_request_load_module(sssd_t)
 corenet_udp_bind_generic_port(sssd_t)
 corenet_dontaudit_udp_bind_all_ports(sssd_t)
 corenet_tcp_connect_kerberos_password_port(sssd_t)
+corenet_tcp_connect_smbd_port(sssd_t)
 
 corecmd_exec_bin(sssd_t)
 
diff --git a/stapserver.te b/stapserver.te
index e472397..6aeecac 100644
--- a/stapserver.te
+++ b/stapserver.te
@@ -72,6 +72,7 @@ files_list_tmp(stapserver_t)
 files_search_kernel_modules(stapserver_t)
 
 fs_search_cgroup_dirs(stapserver_t)
+fs_getattr_all_fs(stapserver_t)
 
 auth_use_nsswitch(stapserver_t)
 
diff --git a/swift.fc b/swift.fc
index 744f0ce..7e59e7e 100644
--- a/swift.fc
+++ b/swift.fc
@@ -11,12 +11,16 @@
 
 /usr/bin/swift-object-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-info		--	gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-object-expirer   --  gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-replicator		--	gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-server		--	gen_context(system_u:object_r:swift_exec_t,s0)
 /usr/bin/swift-object-updater		--	gen_context(system_u:object_r:swift_exec_t,s0)
 
+/usr/bin/swift-proxy-server         --  gen_context(system_u:object_r:swift_exec_t,s0)
+
 /usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 
+/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
 /var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
 /var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 
diff --git a/swift.if b/swift.if
index df82c36..6a1f575 100644
--- a/swift.if
+++ b/swift.if
@@ -59,6 +59,43 @@ interface(`swift_manage_data_files',`
 	manage_dirs_pattern($1, swift_data_t, swift_data_t)
 ')
 
+#####################################
+## <summary>
+##	Read and write swift lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+	gen_require(`
+		type swift_lock_t;
+	')
+
+	files_search_locks($1)
+    manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+##  Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+    gen_require(`
+        type swift_lock_t;
+    ')
+
+    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
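Review bot: The summary of swift_manage_lock at L2300 says "Read and write swift lock files", but the body grants `manage_files_pattern` (L2314), which also allows create, unlink, rename and setattr; change it to `##	Create, read, write, and delete swift lock files.` so callers such as the rsync.te block in this series know what they are granting. The summary of swift_filetrans_named_lock (L2319) should name the file it transitions, e.g. `##	Label swift_server.lock created in the lock directory as swift_lock_t.`, since the `"swift_server.lock"` name at L2332 is the whole contract of the interface. L2314 and L2328–L2332 use space indentation while the neighbouring lines use tabs.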
 ########################################
 ## <summary>
 ##	Execute swift server in the swift domain.
diff --git a/swift.te b/swift.te
index 7bef550..43a0495 100644
--- a/swift.te
+++ b/swift.te
@@ -5,12 +5,27 @@ policy_module(swift, 1.0.0)
 # Declarations
 #
 
+## <desc>
+##  <p>
+##	Determine whether swift can
+##	connect to all TCP ports
+##	</p>
+## </desc>
+gen_tunable(swift_can_network, false)
+
+
 type swift_t;
 type swift_exec_t;
 init_daemon_domain(swift_t, swift_exec_t)
 
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
 type swift_tmp_t;
-files_tmpfs_file(swift_tmp_t)
+files_tmp_file(swift_tmp_t)
+
+type swift_tmpfs_t;
+files_tmpfs_file(swift_tmpfs_t)
 
 type swift_var_cache_t;
 files_type(swift_var_cache_t)
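Review bot: The `<desc>` for swift_can_network (L2346–L2351) does not say that the tunable removes all TCP port restrictions for swift_t or that it defaults to off, which is what a reader toggling the boolean needs to know; `##	Determine whether swift can connect to all TCP ports (disabled by default; the specific port grants remain in effect).` would say so. The `<p>` and `</p>` lines at L2347 and L2350 are indented differently from each other and from the tab-indented text between them, and L2353–L2354 leave a double blank line before `type swift_t;`.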
@@ -36,10 +51,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms;
 allow swift_t self:unix_stream_socket create_stream_socket_perms;
 allow swift_t self:unix_dgram_socket create_socket_perms;
 
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
 
+manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
+fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
+
 manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
@@ -59,7 +82,19 @@ kernel_dgram_send(swift_t)
 kernel_read_system_state(swift_t)
 kernel_read_network_state(swift_t)
 
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+
+corenet_tcp_bind_swift_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
+corenet_tcp_connect_xserver_port(swift_t)
+corenet_tcp_connect_swift_port(swift_t)
+corenet_tcp_connect_keystone_port(swift_t)
+corenet_tcp_connect_memcache_port(swift_t)
+
 corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
 
 dev_read_urand(swift_t)
 
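Review bot: The comment `# bug in swift` at L2394 does not say what the bug is, so the `corenet_tcp_bind_xserver_port(swift_t)` grant below it (and the matching `corenet_tcp_connect_xserver_port` at L2400, which has no comment at all) cannot be reviewed or retired later. Presumably this is swift's default storage-server ports (6000–6002) falling inside the xserver port range; if so, write `# swift's default storage-server ports 6000-6002 overlap xserver_port_t; see bug <BUG-ID>` and group the connect rule under the same comment. A tracked bug id or upstream issue would let a future maintainer drop both rules once swift's defaults change.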
@@ -67,6 +102,8 @@ domain_use_interactive_fds(swift_t)
 
 files_dontaudit_search_home(swift_t)
 
+fs_getattr_all_fs(swift_t)
+
 auth_use_nsswitch(swift_t)
 
 libs_exec_ldconfig(swift_t)
@@ -75,6 +112,17 @@ logging_send_syslog_msg(swift_t)
 
 userdom_dontaudit_search_user_home_dirs(swift_t)
 
+tunable_policy(`swift_can_network',`
+	corenet_sendrecv_all_client_packets(swift_t)
+	corenet_tcp_connect_all_ports(swift_t)
+	corenet_tcp_sendrecv_all_ports(swift_t)
+')
+
+optional_policy(`
+    apache_search_config(swift_t)
+')
+
 optional_policy(`
     rpm_exec(swift_t)
+    rpm_dontaudit_manage_db(swift_t)
 ')
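Review bot: The new optional_policy block at L2429–L2431 and the added line at L2435 are indented with spaces while the tunable_policy block directly above (L2423–L2427) uses tabs, so a single hunk mixes both conventions; re-indent with tabs. The swift_can_network body mirrors the zabbix_can_network block changed in zabbix.te in this series, which is fine, but `corenet_tcp_connect_all_ports` makes the specific keystone/memcache/swift port grants in the earlier hunk redundant whenever the boolean is on; a one-line comment such as `# superset of the specific port grants above when enabled` would stop someone from "cleaning up" the narrow grants.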
diff --git a/tgtd.te b/tgtd.te
index 60f4ce9..704a0e2 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -56,6 +56,7 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 
 kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
+kernel_read_network_state(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)
diff --git a/ulogd.te b/ulogd.te
index bd23e7f..022c367 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -44,7 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-
+kernel_request_load_module(ulogd_t)
 
 sysnet_dns_name_resolve(ulogd_t)
 
diff --git a/virt.te b/virt.te
index 57af4d0..1df2084 100644
--- a/virt.te
+++ b/virt.te
@@ -522,7 +522,7 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
-	fs_manage_nfs_files(virtd_t)
+	fs_manage_cifs_dirs(virtd_t)
 	fs_manage_cifs_files(virtd_t)
 	fs_read_cifs_symlinks(virtd_t)
 ')
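Review bot: The two virt_use_samba blocks fixed in this series now list the cifs rules in different orders: here `fs_manage_cifs_dirs` precedes `fs_manage_cifs_files` (L2471–L2472), while the svirt_sandbox_domain block at L2505–L2506 puts dirs after files. Pick one order for both so the two tunable bodies read identically and the nfs-to-cifs fix is easy to spot in each.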
@@ -1168,6 +1168,7 @@ allow svirt_sandbox_domain self:msgq create_msgq_perms;
 allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
 
 tunable_policy(`deny_ptrace',`',`
 	allow svirt_sandbox_domain self:process ptrace;
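Review bot: `allow svirt_sandbox_domain self:filesystem associate;` at L2479 is an unusual rule, since `filesystem associate` is normally granted to a file type against a filesystem type rather than to a domain against itself, and there is no comment saying which mount or label inside the sandbox triggered the denial. A why-comment such as `# sandbox mounts a filesystem labelled with its own domain type; see bug <BUG-ID>` (confirm the actual trigger) would let reviewers judge whether a dedicated file type is the better fix.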
@@ -1256,11 +1257,16 @@ optional_policy(`
 	docker_manage_lib_files(svirt_lxc_net_t)
 	docker_manage_lib_dirs(svirt_lxc_net_t)
 	docker_read_share_files(svirt_sandbox_domain)
+	docker_exec_lib(svirt_sandbox_domain)
 	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
 	docker_use_ptys(svirt_sandbox_domain)
 ')
 
 optional_policy(`
+	gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
 	mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1283,8 +1289,8 @@ tunable_policy(`virt_use_nfs',`
 ')
 
 tunable_policy(`virt_use_samba',`
-	fs_manage_nfs_files(svirt_sandbox_domain)
 	fs_manage_cifs_files(svirt_sandbox_domain)
+	fs_manage_cifs_dirs(svirt_sandbox_domain)
 	fs_read_cifs_symlinks(svirt_sandbox_domain)
 ')
 
@@ -1671,5 +1677,3 @@ optional_policy(`
 optional_policy(`
 	systemd_dbus_chat_logind(sandbox_net_domain)
 ')
-
-
diff --git a/zabbix.te b/zabbix.te
index 614e66c..551c4e9 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -125,9 +125,9 @@ zabbix_agent_tcp_connect(zabbix_t)
 logging_send_syslog_msg(zabbix_t)
 
 tunable_policy(`zabbix_can_network',`
-	corenet_sendrecv_all_client_packets(zabbix_t)
-	corenet_tcp_connect_all_ports(zabbix_t)
-	corenet_tcp_sendrecv_all_ports(zabbix_t)
+	corenet_sendrecv_all_client_packets(zabbix_domain)
+	corenet_tcp_connect_all_ports(zabbix_domain)
+	corenet_tcp_sendrecv_all_ports(zabbix_domain)
 ')
 
 optional_policy(`
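Review bot: Switching the three rules in zabbix_can_network from `zabbix_t` to `zabbix_domain` (L2527–L2529) widens the boolean from the server to every type carrying the zabbix_domain attribute, presumably including the agent, so the tunable's `<desc>` (declared earlier in this file, outside the hunk) should be checked to say "zabbix domains" rather than the zabbix server. If that broadening is intentional, a comment like `# applies to all zabbix_domain types, not only zabbix_t` above L2527 records it; if only one extra domain needed network access, a tunable_policy line for that type alone would be narrower.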