From 1d153ea0ea097de3eeabc1879bd6339d0bb212a5 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Sep 22 2010 22:36:47 +0000 Subject: - Fix up Xguest policy --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 9973c32..50c1fe5 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -104,7 +104,7 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = false +httpd_tty_comm = true # Run CGI in the main httpd domain # diff --git a/policy-F14.patch b/policy-F14.patch index 0e002d9..2b4238e 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -206,7 +206,7 @@ index 3316f6e..f85244d 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index af90ef2..fbd2c40 100644 +index af90ef2..9fef0f8 100644 --- a/policy/mcs +++ b/policy/mcs @@ -86,10 +86,10 @@ mlsconstrain file { create relabelto } @@ -222,14 +222,15 @@ index af90ef2..fbd2c40 100644 (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } -@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition } - mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); - --mlsconstrain process { sigkill sigstop } -+mlsconstrain process { signal sigkill sigstop } +@@ -101,6 +101,9 @@ mlsconstrain process { ptrace } + mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); ++mlsconstrain process { signal } ++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); ++ + # + # MCS policy for SELinux-enabled databases # diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index f76ed8a..9a9526a 100644 @@ -1172,7 +1173,7 @@ index 95dbcf3..bdba9c5 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if -index 0948921..b83f3db 100644 +index 0948921..f198119 100644 --- a/policy/modules/admin/shorewall.if +++ b/policy/modules/admin/shorewall.if @@ -18,6 +18,24 @@ interface(`shorewall_domtrans',` @@ -1239,20 +1240,30 @@ index 0948921..b83f3db 100644 ') allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -153,12 +191,12 @@ interface(`shorewall_admin',` - files_search_locks($1) +@@ -147,18 +185,18 @@ interface(`shorewall_admin',` + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + +- files_search_locks($1) ++ files_list_locks($1) admin_pattern($1, shorewall_lock_t) - files_search_pids($1) - admin_pattern($1, shorewall_var_run_t) - - files_search_var_lib($1) +- files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, shorewall_var_lib_t) -+ logging_search_logs($1) +- files_search_tmp($1) ++ logging_list_logs($1) + admin_pattern($1, shorewall_log_t) + - files_search_tmp($1) ++ files_list_tmp($1) admin_pattern($1, shorewall_tmp_t) ') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te @@ -1391,10 +1402,10 @@ index d2c068d..914e1ac 100644 ## ## diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te -index 51f7c3a..707fb3d 100644 +index 51f7c3a..eb63a79 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te -@@ -36,6 +36,8 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) +@@ -36,15 +36,17 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) @@ -1403,6 +1414,17 @@ index 51f7c3a..707fb3d 100644 term_use_all_terms(shutdown_t) auth_use_nsswitch(shutdown_t) + auth_write_login_records(shutdown_t) + +-init_dontaudit_write_utmp(shutdown_t) +-init_read_utmp(shutdown_t) ++init_rw_utmp(shutdown_t) + init_telinit(shutdown_t) + ++logging_search_logs(shutdown_t) + logging_send_audit_msgs(shutdown_t) + + miscfiles_read_localization(shutdown_t) @@ -55,5 +57,10 @@ optional_policy(` ') @@ -2230,7 +2252,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..250935a 100644 +index f5afe78..594dc0f 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2243,7 +2265,7 @@ index f5afe78..250935a 100644 ## ## ## -@@ -46,19 +45,276 @@ interface(`gnome_role',` +@@ -46,37 +45,313 @@ interface(`gnome_role',` ## ## # @@ -2284,11 +2306,12 @@ index f5afe78..250935a 100644 +## Dontaudit search gnome homedir content (.config) +## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_gconf_config',` +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; @@ -2522,10 +2545,15 @@ index f5afe78..250935a 100644 +## read gconf config files +## +## - ## - ## Domain allowed access. - ## -@@ -71,12 +327,31 @@ template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_config',` + gen_require(` + type gconf_etc_t; + ') allow $1 gconf_etc_t:dir list_dir_perms; read_files_pattern($1, gconf_etc_t, gconf_etc_t) @@ -2709,7 +2737,7 @@ index f5afe78..250935a 100644 ## # -interface(`gnome_manage_config',` -+template(`gnome_list_home_config',` ++interface(`gnome_list_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; @@ -2749,7 +2777,7 @@ index f5afe78..250935a 100644 +## +## +# -+template(`gnome_read_home_config',` ++interface(`gnome_read_home_config',` + gen_require(` + type config_home_t; + ') @@ -3672,7 +3700,7 @@ index 9a6d67d..47aa143 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..7c260fa 100644 +index cbf4bec..0a9a921 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3745,7 +3773,7 @@ index cbf4bec..7c260fa 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,89 @@ optional_policy(` +@@ -266,3 +291,90 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -3824,6 +3852,7 @@ index cbf4bec..7c260fa 100644 + nsplugin_rw_exec(mozilla_plugin_t) + nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t) ++ nsplugin_signal(mozilla_plugin_t) +') + +optional_policy(` @@ -3937,10 +3966,10 @@ index 0000000..63abc5c +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..c779d44 +index 0000000..9439746 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,392 @@ +@@ -0,0 +1,411 @@ + +## policy for nsplugin + @@ -4111,6 +4140,7 @@ index 0000000..c779d44 + allow $1 nsplugin_t:unix_stream_socket connectto; + allow nsplugin_t $1:process signal; +') ++ +####################################### +## +## The per role template for the nsplugin module. @@ -4333,6 +4363,24 @@ index 0000000..c779d44 + allow $2 nsplugin_exec_t:file entrypoint; + domtrans_pattern($1, nsplugin_exec_t, $2) +') ++ ++######################################## ++## ++## Send generic signals to user nsplugin processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_signal',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:process signal; ++') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 index 0000000..7bc0dcf @@ -5118,10 +5166,10 @@ index 0000000..15778fd +# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..5dd356f +index 0000000..587c440 --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,336 @@ +@@ -0,0 +1,339 @@ + +## policy for sandbox + @@ -5214,6 +5262,7 @@ index 0000000..5dd356f + application_type($1_t) + + mls_rangetrans_target($1_t) ++ mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) @@ -5247,6 +5296,7 @@ index 0000000..5dd356f + + type $1_t, sandbox_x_domain; + application_type($1_t) ++ mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) @@ -5269,6 +5319,7 @@ index 0000000..5dd356f + + type $1_client_t, sandbox_x_domain; + application_type($1_client_t) ++ mcs_untrusted_proc($1_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) @@ -7898,7 +7949,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..96a406d 100644 +index 5302dac..000c53a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8221,7 +8272,32 @@ index 5302dac..96a406d 100644 ## Read and write files in the /var directory. ## ## -@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',` +@@ -5053,6 +5288,24 @@ interface(`files_manage_mounttab',` + + ######################################## + ## ++## List generic lock directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## + ## Search the locks directory (/var/lock). + ## + ## +@@ -5138,12 +5391,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -8239,7 +8315,7 @@ index 5302dac..96a406d 100644 ') ######################################## -@@ -5317,6 +5552,43 @@ interface(`files_search_pids',` +@@ -5317,6 +5570,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8283,7 +8359,7 @@ index 5302dac..96a406d 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5796,26 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5814,26 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8310,7 +8386,7 @@ index 5302dac..96a406d 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5851,7 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8318,7 +8394,7 @@ index 5302dac..96a406d 100644 ') ######################################## -@@ -5826,3 +6119,229 @@ interface(`files_unconfined',` +@@ -5826,3 +6137,229 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9197,6 +9273,51 @@ index e4f98ce..806026c 100644 ######################################## # # Unlabeled process local policy +diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if +index f52faaf..3d62385 100644 +--- a/policy/modules/kernel/mcs.if ++++ b/policy/modules/kernel/mcs.if +@@ -102,3 +102,30 @@ interface(`mcs_process_set_categories',` + + typeattribute $1 mcssetcats; + ') ++ ++######################################## ++## ++## Make specified process type MCS untrusted. ++## ++## ++##

++## Make specified process type MCS untrusted. This ++## prevents this process from sending signals to other processes ++## with different mcs labels ++## object. ++##

++## ++## ++## ++## The type of the process. ++## ++## ++# ++interface(`mcs_untrusted_proc',` ++ gen_require(` ++ attribute mcsuntrustedproc; ++ ') ++ ++ typeattribute $1 mcsuntrustedproc; ++') ++ +diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te +index 0e5b661..dbf577f 100644 +--- a/policy/modules/kernel/mcs.te ++++ b/policy/modules/kernel/mcs.te +@@ -10,3 +10,5 @@ attribute mcsptraceall; + attribute mcssetcats; + attribute mcswriteall; + attribute mcsreadall; ++attribute mcsuntrustedproc; ++ diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index f8b357c..bc1ed0f 100644 --- a/policy/modules/kernel/selinux.if @@ -10707,10 +10828,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..799db36 +index 0000000..a09ca52 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,475 @@ +@@ -0,0 +1,478 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -11084,8 +11205,11 @@ index 0000000..799db36 +') + +optional_policy(` ++ optional_policy(` ++ samba_run_unconfined_net(unconfined_t, unconfined_r) ++ ') ++ + samba_role_notrans(unconfined_r) -+ samba_run_unconfined_net(unconfined_t, unconfined_r) +# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') @@ -11426,7 +11550,7 @@ index 1bd5812..3b3ba64 100644 /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..022c079 100644 +index 0b827c5..8961dba 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -11501,8 +11625,32 @@ index 0b827c5..022c079 100644 ##################################### ## ## All of the rules required to administrate +@@ -286,18 +326,18 @@ interface(`abrt_admin',` + role_transition $2 abrt_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, abrt_etc_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, abrt_var_log_t) + +- files_search_var($1) ++ files_list_var($1) + admin_pattern($1, abrt_var_cache_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, abrt_var_run_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, abrt_tmp_t) + ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 98646c4..2bd70ae 100644 +index 98646c4..5be7dc8 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1) @@ -11510,10 +11658,10 @@ index 98646c4..2bd70ae 100644 # +## -+##

-+## Allow ABRT to modify public files -+## used for public file transfer services. -+##

++##

++## Allow ABRT to modify public files ++## used for public file transfer services. ++##

+## +gen_tunable(abrt_anon_write, false) + @@ -11571,7 +11719,7 @@ index 98646c4..2bd70ae 100644 +userdom_dontaudit_read_admin_home_files(abrt_t) + +tunable_policy(`abrt_anon_write',` -+ miscfiles_manage_public_files(abrt_t) ++ miscfiles_manage_public_files(abrt_t) +') + +optional_policy(` @@ -11580,21 +11728,19 @@ index 98646c4..2bd70ae 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,7 +170,12 @@ optional_policy(` +@@ -150,6 +170,11 @@ optional_policy(` ') optional_policy(` -- policykit_dbus_chat(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') + +optional_policy(` -+ policykit_dbus_chat(abrt_t) + policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) -@@ -178,6 +203,12 @@ optional_policy(` +@@ -178,12 +203,18 @@ optional_policy(` ') optional_policy(` @@ -11607,6 +11753,13 @@ index 98646c4..2bd70ae 100644 sssd_stream_connect(abrt_t) ') + ######################################## + # +-# abrt--helper local policy ++# abrt-helper local policy + # + + allow abrt_helper_t self:capability { chown setgid sys_nice }; @@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) domain_read_all_domains_state(abrt_helper_t) @@ -11615,37 +11768,51 @@ index 98646c4..2bd70ae 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -217,11 +249,26 @@ term_dontaudit_use_all_ttys(abrt_helper_t) +@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t) + term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) - ifdef(`hide_broken_symptoms', ` +-ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + domain_dontaudit_leaks(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) -+ optional_policy(` -+ rpm_dontaudit_leaks(abrt_helper_t) -+ ') dev_dontaudit_read_all_blk_files(abrt_helper_t) - dev_dontaudit_read_all_chr_files(abrt_helper_t) +@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) - ') + ++ optional_policy(` ++ rpm_dontaudit_leaks(abrt_helper_t) ++ ') ++') + -+ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + gen_require(` -+ attribute domain; ++ attribute domain; + ') + -+ allow abrt_t self:capability sys_resource; ++ allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') + ') diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if -index c0f858d..b46f76f 100644 +index c0f858d..fe060aa 100644 --- a/policy/modules/services/accountsd.if +++ b/policy/modules/services/accountsd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run accountsd. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`accountsd_domtrans',` @@ -138,7 +138,7 @@ interface(`accountsd_admin',` type accountsd_t; ') @@ -11693,20 +11860,20 @@ index 8559cdc..49c0cc8 100644 # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te -index de8b791..9ec36b9 100644 +index de8b791..7e2cdf2 100644 --- a/policy/modules/services/afs.te +++ b/policy/modules/services/afs.te -@@ -82,6 +82,10 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) +@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t) - kernel_rw_afs_state(afs_t) + sysnet_dns_name_resolve(afs_t) -+ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + kernel_rw_unlabeled_files(afs_t) +') + - corenet_all_recvfrom_unlabeled(afs_t) - corenet_all_recvfrom_netlabel(afs_t) - corenet_tcp_sendrecv_generic_if(afs_t) + ######################################## + # + # AFS bossserver local policy diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc new file mode 100644 index 0000000..069518f @@ -11721,10 +11888,10 @@ index 0000000..069518f +/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if new file mode 100644 -index 0000000..420c856 +index 0000000..6bf0ad6 --- /dev/null +++ b/policy/modules/services/aiccu.if -@@ -0,0 +1,118 @@ +@@ -0,0 +1,116 @@ +## Automatic IPv6 Connectivity Client Utility. + +######################################## @@ -11732,9 +11899,9 @@ index 0000000..420c856 +## Execute a domain transition to run aiccu. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`aiccu_domtrans',` @@ -11746,7 +11913,6 @@ index 0000000..420c856 + corecmd_search_bin($1) +') + -+ +######################################## +## +## Execute aiccu server in the aiccu domain. @@ -11805,7 +11971,6 @@ index 0000000..420c856 + files_search_pids($1) +') + -+ +######################################## +## +## All of the rules required to administrate @@ -11838,14 +12003,14 @@ index 0000000..420c856 + allow $2 system_r; + + admin_pattern($1, aiccu_etc_t) -+ files_search_etc($1) ++ files_list_etc($1) + + admin_pattern($1, aiccu_var_run_t) -+ files_search_pids($1) ++ files_list_pids($1) +') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te new file mode 100644 -index 0000000..416c49e +index 0000000..4b9dc88 --- /dev/null +++ b/policy/modules/services/aiccu.te @@ -0,0 +1,71 @@ @@ -11886,8 +12051,8 @@ index 0000000..416c49e + +allow aiccu_t aiccu_etc_t:file read_file_perms; + -+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) ++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) ++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) + +kernel_read_system_state(aiccu_t) @@ -11920,6 +12085,34 @@ index 0000000..416c49e + +sysnet_domtrans_ifconfig(aiccu_t) +sysnet_dns_name_resolve(aiccu_t) +diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if +index 838d25b..0b0db39 100644 +--- a/policy/modules/services/aide.if ++++ b/policy/modules/services/aide.if +@@ -33,6 +33,7 @@ interface(`aide_domtrans',` + ## The role to allow the AIDE domain. + ## + ## ++## + # + interface(`aide_run',` + gen_require(` +diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if +index 0370dba..af5d229 100644 +--- a/policy/modules/services/aisexec.if ++++ b/policy/modules/services/aisexec.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run aisexec. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`aisexec_domtrans',` diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te index 97c9cae..c24bd66 100644 --- a/policy/modules/services/aisexec.te @@ -11957,11 +12150,10 @@ index 0000000..aeb1888 +/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if new file mode 100644 -index 0000000..581ae6e +index 0000000..8e6e2c3 --- /dev/null +++ b/policy/modules/services/ajaxterm.if -@@ -0,0 +1,72 @@ -+ +@@ -0,0 +1,68 @@ +## policy for ajaxterm + +######################################## @@ -11969,9 +12161,9 @@ index 0000000..581ae6e +## Execute a domain transition to run ajaxterm. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# +interface(`ajaxterm_domtrans',` @@ -11982,14 +12174,13 @@ index 0000000..581ae6e + domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t) +') + -+ +######################################## +## +## Execute ajaxterm server in the ajaxterm domain. +## +## +## -+## The type of the process performing this action. ++## Domain allowed to transition. +## +## +# @@ -12020,8 +12211,7 @@ index 0000000..581ae6e +# +interface(`ajaxterm_admin',` + gen_require(` -+ type ajaxterm_t; -+ type ajaxterm_initrc_exec_t; ++ type ajaxterm_t, ajaxterm_initrc_exec_t; + ') + + allow $1 ajaxterm_t:process { ptrace signal_perms }; @@ -12031,15 +12221,14 @@ index 0000000..581ae6e + domain_system_change_exemption($1) + role_transition $2 ajaxterm_initrc_exec_t system_r; + allow $2 system_r; -+ +') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te new file mode 100644 -index 0000000..3441758 +index 0000000..cf6af13 --- /dev/null +++ b/policy/modules/services/ajaxterm.te @@ -0,0 +1,56 @@ -+policy_module(ajaxterm,1.0.0) ++policy_module(ajaxterm, 1.0.0) + +######################################## +# @@ -12071,7 +12260,7 @@ index 0000000..3441758 +allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; +allow ajaxterm_t self:tcp_socket create_stream_socket_perms; + -+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; ++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom }; +term_create_pty(ajaxterm_t, ajaxterm_devpts_t) + +manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) @@ -12095,6 +12284,41 @@ index 0000000..3441758 +miscfiles_read_localization(ajaxterm_t) + +sysnet_dns_name_resolve(ajaxterm_t) +diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if +index ceb2142..e31d92a 100644 +--- a/policy/modules/services/amavis.if ++++ b/policy/modules/services/amavis.if +@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',` + type amavis_var_run_t; + ') + +- allow $1 amavis_var_run_t:file setattr; ++ allow $1 amavis_var_run_t:file setattr_file_perms; + files_search_pids($1) + ') + +diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te +index c3a1903..ec40291 100644 +--- a/policy/modules/services/amavis.te ++++ b/policy/modules/services/amavis.te +@@ -76,7 +76,7 @@ files_search_spool(amavis_t) + + # tmp files + manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) +-allow amavis_t amavis_tmp_t:dir setattr; ++allow amavis_t amavis_tmp_t:dir setattr_dir_perms; + files_tmp_filetrans(amavis_t, amavis_tmp_t, file) + + # var/lib files for amavis +@@ -86,7 +86,7 @@ manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) + files_search_var_lib(amavis_t) + + # log files +-allow amavis_t amavis_var_log_t:dir setattr; ++allow amavis_t amavis_var_log_t:dir setattr_dir_perms; + manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) + manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) + logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 9e39aa5..8603d4d 100644 --- a/policy/modules/services/apache.fc @@ -12163,16 +12387,17 @@ index 9e39aa5..8603d4d 100644 +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index c9e1a44..2244b11 100644 +index c9e1a44..ba64143 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if -@@ -13,17 +13,14 @@ +@@ -13,17 +13,13 @@ # template(`apache_content_template',` gen_require(` - attribute httpdcontent; - attribute httpd_exec_scripts; - attribute httpd_script_exec_type; +- attribute httpd_exec_scripts; +- attribute httpd_script_exec_type; ++ attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ') @@ -12186,7 +12411,7 @@ index c9e1a44..2244b11 100644 typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -36,16 +33,18 @@ template(`apache_content_template',` +@@ -36,25 +32,25 @@ template(`apache_content_template',` domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; @@ -12207,16 +12432,17 @@ index c9e1a44..2244b11 100644 typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) -@@ -54,7 +53,7 @@ template(`apache_content_template',` - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) +- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) +- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; - allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -86,7 +85,6 @@ template(`apache_content_template',` +@@ -86,7 +82,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -12224,7 +12450,7 @@ index c9e1a44..2244b11 100644 kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -95,6 +93,7 @@ template(`apache_content_template',` +@@ -95,6 +90,7 @@ template(`apache_content_template',` dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -12232,7 +12458,7 @@ index c9e1a44..2244b11 100644 files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +107,6 @@ template(`apache_content_template',` +@@ -108,19 +104,6 @@ template(`apache_content_template',` seutil_dontaudit_search_config(httpd_$1_script_t) @@ -12252,7 +12478,7 @@ index c9e1a44..2244b11 100644 # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,6 +126,7 @@ template(`apache_content_template',` +@@ -140,26 +123,36 @@ template(`apache_content_template',` allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -12260,7 +12486,10 @@ index c9e1a44..2244b11 100644 ') tunable_policy(`httpd_enable_cgi',` -@@ -148,14 +135,19 @@ template(`apache_content_template',` + allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; + ++ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -12280,7 +12509,13 @@ index c9e1a44..2244b11 100644 allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -@@ -172,6 +164,7 @@ template(`apache_content_template',` + ++ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; ++ + kernel_read_system_state(httpd_$1_script_t) + + dev_read_urand(httpd_$1_script_t) +@@ -172,6 +165,7 @@ template(`apache_content_template',` libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -12288,7 +12523,7 @@ index c9e1a44..2244b11 100644 ') optional_policy(` -@@ -182,15 +175,13 @@ template(`apache_content_template',` +@@ -182,10 +176,6 @@ template(`apache_content_template',` optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -12299,14 +12534,27 @@ index c9e1a44..2244b11 100644 ') optional_policy(` - nscd_socket_use(httpd_$1_script_t) +@@ -211,16 +201,15 @@ template(`apache_content_template',` + interface(`apache_role',` + gen_require(` + attribute httpdcontent; +- type httpd_user_content_t, httpd_user_htaccess_t; +- type httpd_user_script_t, httpd_user_script_exec_t; +- type httpd_user_ra_content_t, httpd_user_rw_content_t; ++ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; ++ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; ') -+ -+ dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; - ') - ######################################## -@@ -229,6 +220,13 @@ interface(`apache_role',` + role $1 types httpd_user_script_t; + + allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; + +- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; ++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; + + manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) +@@ -229,6 +218,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -12320,7 +12568,7 @@ index c9e1a44..2244b11 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -243,6 +241,8 @@ interface(`apache_role',` +@@ -243,6 +239,8 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) @@ -12329,33 +12577,33 @@ index c9e1a44..2244b11 100644 tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -312,6 +312,25 @@ interface(`apache_domtrans',` +@@ -312,6 +310,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') +###################################### +## -+## Allow the specified domain to execute apache -+## in the caller domain. ++## Allow the specified domain to execute apache ++## in the caller domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`apache_exec',` -+ gen_require(` -+ type httpd_exec_t; -+ ') ++ gen_require(` ++ type httpd_exec_t; ++ ') + -+ can_exec($1, httpd_exec_t) ++ can_exec($1, httpd_exec_t) +') + ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -400,7 +417,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -12364,7 +12612,16 @@ index c9e1a44..2244b11 100644 ') ######################################## -@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',` +@@ -482,7 +499,7 @@ interface(`apache_setattr_cache_dirs',` + type httpd_cache_t; + ') + +- allow $1 httpd_cache_t:dir setattr; ++ allow $1 httpd_cache_t:dir setattr_dir_perms; + ') + + ######################################## +@@ -526,6 +543,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -12390,7 +12647,16 @@ index c9e1a44..2244b11 100644 ## Apache cache. ## ## -@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -694,7 +730,7 @@ interface(`apache_dontaudit_append_log',` + type httpd_log_t; + ') + +- dontaudit $1 httpd_log_t:file { getattr append }; ++ dontaudit $1 httpd_log_t:file append_file_perms; + ') + + ######################################## +@@ -740,6 +776,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -12416,7 +12682,7 @@ index c9e1a44..2244b11 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -756,6 +813,7 @@ interface(`apache_list_modules',` +@@ -756,6 +811,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -12424,7 +12690,7 @@ index c9e1a44..2244b11 100644 ') ######################################## -@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',` +@@ -814,6 +870,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -12432,57 +12698,51 @@ index c9e1a44..2244b11 100644 files_search_var($1) ') -@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',` - ') - - files_search_var($1) -+ apache_search_sys_content($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) +@@ -841,6 +898,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') +###################################### +## -+## Allow the specified domain to read -+## apache system content rw files. ++## Allow the specified domain to read ++## apache system content rw files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +## +# +interface(`apache_read_sys_content_rw_files',` -+ gen_require(` ++ gen_require(` + type httpd_sys_rw_content_t; + ') + -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +###################################### +## -+## Allow the specified domain to manage -+## apache system content rw files. ++## Allow the specified domain to manage ++## apache system content rw files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +## +# +interface(`apache_manage_sys_content_rw',` -+ gen_require(` ++ gen_require(` + type httpd_sys_rw_content_t; + ') + -+ files_search_var($1) -+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ files_search_var($1) ++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +######################################## @@ -12513,11 +12773,12 @@ index c9e1a44..2244b11 100644 ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',` +@@ -857,7 +982,11 @@ interface(`apache_manage_sys_content',` + interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; - type httpd_sys_script_t; -+ type httpd_sys_content_t; +- type httpd_sys_script_t; ++ type httpd_sys_script_t, httpd_sys_content_t; + ') + + tunable_policy(`httpd_enable_cgi',` @@ -12525,7 +12786,19 @@ index c9e1a44..2244b11 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -916,9 +1045,10 @@ interface(`apache_domtrans_all_scripts',` + ## + ## + ## +-## Role allowed access.. ++## Role allowed access. + ## + ## ++## + # + interface(`apache_run_all_scripts',` + gen_require(` +@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -12534,33 +12807,33 @@ index c9e1a44..2244b11 100644 ') ######################################## -@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',` +@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') +###################################### +## -+## Dontaudit attempts to read and write -+## apache tmp files. ++## Dontaudit attempts to read and write ++## apache tmp files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. ++## +## +# +interface(`apache_dontaudit_rw_tmp_files',` -+ gen_require(` -+ type httpd_tmp_t; -+ ') ++ gen_require(` ++ type httpd_tmp_t; ++ ') + -+ dontaudit $1 httpd_tmp_t:file { read write }; ++ dontaudit $1 httpd_tmp_t:file { read write }; +') + ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -12569,38 +12842,66 @@ index c9e1a44..2244b11 100644 ') ######################################## -@@ -1172,7 +1324,7 @@ interface(`apache_admin',` - type httpd_modules_t, httpd_lock_t; - type httpd_var_run_t, httpd_php_tmp_t; +@@ -1165,17 +1314,14 @@ interface(`apache_cgi_domain',` + # + interface(`apache_admin',` + gen_require(` +- attribute httpdcontent; +- attribute httpd_script_exec_type; +- ++ attribute httpdcontent, httpd_script_exec_type; + type httpd_t, httpd_config_t, httpd_log_t; +- type httpd_modules_t, httpd_lock_t; +- type httpd_var_run_t, httpd_php_tmp_t; ++ type httpd_modules_t, httpd_lock_t, httpd_bool_t; ++ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; type httpd_suexec_tmp_t, httpd_tmp_t; - type httpd_initrc_exec_t; -+ type httpd_initrc_exec_t, httpd_bool_t; ') - allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1354,43 @@ interface(`apache_admin',` +- allow $1 httpd_t:process { getattr ptrace signal_perms }; ++ allow $1 httpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_t) - kernel_search_proc($1) - allow $1 httpd_t:dir list_dir_perms; -- -+ ps_process_pattern($1, httpd_t) - read_lnk_files_pattern($1, httpd_t, httpd_t) + init_labeled_script_domtrans($1, httpd_initrc_exec_t) +@@ -1186,10 +1332,10 @@ interface(`apache_admin',` + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, httpd_config_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, httpd_log_t) + admin_pattern($1, httpd_modules_t) +@@ -1200,14 +1346,41 @@ interface(`apache_admin',` + admin_pattern($1, httpd_var_run_t) + files_pid_filetrans($1, httpd_var_run_t, file) + +- kernel_search_proc($1) +- allow $1 httpd_t:dir list_dir_perms; +- +- read_lnk_files_pattern($1, httpd_t, httpd_t) +- admin_pattern($1, httpdcontent) admin_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + ++ files_list_tmp($1) admin_pattern($1, httpd_tmp_t) admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) + -+ifdef(`TODO',` -+ apache_set_booleans($1, $2, $3, httpd_bool_t ) -+ seutil_setsebool_role_template($1, $3, $2) -+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; -+') ++ ifdef(`TODO',` ++ apache_set_booleans($1, $2, $3, httpd_bool_t) ++ seutil_setsebool_role_template($1, $3, $2) ++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; ++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; ++ ') +') + +######################################## @@ -12609,7 +12910,7 @@ index c9e1a44..2244b11 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -12619,155 +12920,267 @@ index c9e1a44..2244b11 100644 + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; -+ dontaudit $1 httpd_t:tcp_socket { read write }; ++ dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..86641dd 100644 +index 08dfa0c..300dffb 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0) +@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) # Declarations # +selinux_genbool(httpd_bool_t) + ## - ##

- ## Allow Apache to modify public files -@@ -36,6 +38,20 @@ gen_tunable(allow_httpd_mod_auth_pam, false) +-##

+-## Allow Apache to modify public files +-## used for public file transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

++##

++## Allow Apache to modify public files ++## used for public file transfer services. Directories/Files must ++## be labeled public_content_rw_t. ++##

+ ## + gen_tunable(allow_httpd_anon_write, false) ## - ##

-+## Allow httpd scripts and modules execmem/execstack -+##

+-##

+-## Allow Apache to use mod_auth_pam +-##

++##

++## Allow Apache to use mod_auth_pam ++##

+ ## + gen_tunable(allow_httpd_mod_auth_pam, false) + + ## +-##

+-## Allow httpd to use built in scripting (usually php) +-##

++##

++## Allow Apache to use mod_auth_pam ++##

++## ++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) ++ ++## ++##

++## Allow httpd scripts and modules execmem/execstack ++##

+## +gen_tunable(httpd_execmem, false) + +## -+##

-+## Allow httpd daemon to change system limits -+##

++##

++## Allow httpd daemon to change system limits ++##

+## +gen_tunable(httpd_setrlimit, false) + +## -+##

- ## Allow httpd to use built in scripting (usually php) - ##

++##

++## Allow httpd to use built in scripting (usually php) ++##

## -@@ -43,13 +59,20 @@ gen_tunable(httpd_builtin_scripting, false) + gen_tunable(httpd_builtin_scripting, false) ## - ##

+-##

-## Allow HTTPD scripts and modules to connect to the network using TCP. -+## Allow HTTPD scripts and modules to connect to the network using any TCP port. - ##

+-##

++##

++## Allow HTTPD scripts and modules to connect to the network using any TCP port. ++##

## gen_tunable(httpd_can_network_connect, false) ## - ##

-+## Allow HTTPD scripts and modules to connect to cobbler over the network. -+##

+-##

+-## Allow HTTPD scripts and modules to connect to databases over the network. +-##

++##

++## Allow HTTPD scripts and modules to connect to cobbler over the network. ++##

+## +gen_tunable(httpd_can_network_connect_cobbler, false) + +## -+##

- ## Allow HTTPD scripts and modules to connect to databases over the network. - ##

++##

++## Allow HTTPD scripts and modules to connect to databases over the network. ++##

## -@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false) + gen_tunable(httpd_can_network_connect_db, false) ## - ##

-+## Allow httpd to connect to memcache server -+##

+-##

+-## Allow httpd to act as a relay +-##

++##

++## Allow httpd to connect to memcache server ++##

+## +gen_tunable(httpd_can_network_memcache, false) + +## -+##

- ## Allow httpd to act as a relay - ##

++##

++## Allow httpd to act as a relay ++##

## -@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false) + gen_tunable(httpd_can_network_relay, false) ## - ##

-+## Allow http daemon to check spam -+##

+-##

+-## Allow http daemon to send mail +-##

++##

++## Allow http daemon to send mail ++##

+ ## + gen_tunable(httpd_can_sendmail, false) + + ## +-##

+-## Allow Apache to communicate with avahi service via dbus +-##

++##

++## Allow http daemon to check spam ++##

+## +gen_tunable(httpd_can_check_spam, false) + +## -+##

- ## Allow Apache to communicate with avahi service via dbus - ##

++##

++## Allow Apache to communicate with avahi service via dbus ++##

## -@@ -78,7 +115,7 @@ gen_tunable(httpd_dbus_avahi, false) + gen_tunable(httpd_dbus_avahi, false) ## - ##

+-##

-## Allow httpd cgi support -+## Allow httpd to execute cgi scripts - ##

+-##

++##

++## Allow httpd to execute cgi scripts ++##

## gen_tunable(httpd_enable_cgi, false) -@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false) ## - ##

-+## Allow httpd to read user content -+##

+-##

+-## Allow httpd to act as a FTP server by +-## listening on the ftp port. +-##

++##

++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

+ ## + gen_tunable(httpd_enable_ftp_server, false) + + ## +-##

+-## Allow httpd to read home directories +-##

++##

++## Allow httpd to read home directories ++##

+ ## + gen_tunable(httpd_enable_homedirs, false) + + ## +-##

+-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. +-##

++##

++## Allow httpd to read user content ++##

+## +gen_tunable(httpd_read_user_content, false) + +## -+##

- ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. - ##

++##

++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ++##

## -@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false) + gen_tunable(httpd_ssi_exec, false) ## - ##

-+## Allow Apache to execute tmp content. -+##

+-##

+-## Unify HTTPD to communicate with the terminal. +-## Needed for entering the passphrase for certificates at +-## the terminal. +-##

++##

++## Allow Apache to execute tmp content. ++##

+## +gen_tunable(httpd_tmp_exec, false) + +## -+##

- ## Unify HTTPD to communicate with the terminal. - ## Needed for entering the passphrase for certificates at - ## the terminal. -@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false) ++##

++## Unify HTTPD to communicate with the terminal. ++## Needed for entering the passphrase for certificates at ++## the terminal. ++##

+ ## + gen_tunable(httpd_tty_comm, false) ## - ##

+-##

+-## Unify HTTPD handling of all content files. +-##

++##

++## Unify HTTPD handling of all content files. ++##

+ ## + gen_tunable(httpd_unified, false) + + ## +-##

+-## Allow httpd to access cifs file systems +-##

++##

++## Allow httpd to access cifs file systems ++##

+ ## + gen_tunable(httpd_use_cifs, false) + + ## +-##

-## Allow httpd to run gpg -+## Allow httpd to run gpg in gpg-web domain - ##

+-##

++##

++## Allow httpd to run gpg in gpg-web domain ++##

## gen_tunable(httpd_use_gpg, false) -@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false) + + ## +-##

+-## Allow httpd to access nfs file systems +-##

++##

++## Allow httpd to access nfs file systems ++##

## gen_tunable(httpd_use_nfs, false) +## -+##

-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. -+##

++##

++## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. ++##

+## +gen_tunable(allow_httpd_sys_script_anon_write, false) + attribute httpdcontent; attribute httpd_user_content_type; -@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -12776,10 +13189,17 @@ index 08dfa0c..86641dd 100644 +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable +typeattribute httpd_sys_ra_content_t httpdcontent; # customizable ++ ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; ++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; ++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; ++typealias httpd_sys_script_t alias httpd_fastcgi_script_t; type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -12790,7 +13210,7 @@ index 08dfa0c..86641dd 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -12798,7 +13218,17 @@ index 08dfa0c..86641dd 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms; +@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t) + type httpd_var_run_t; + files_pid_file(httpd_var_run_t) + ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; ++ + # File Type of squirrelmail attachments + type squirrelmail_spool_t; + files_tmp_file(squirrelmail_spool_t) +@@ -286,6 +369,7 @@ allow httpd_t self:udp_socket create_socket_perms; manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -12806,7 +13236,7 @@ index 08dfa0c..86641dd 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +439,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -12814,7 +13244,7 @@ index 08dfa0c..86641dd 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,8 +450,10 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -12825,7 +13255,7 @@ index 08dfa0c..86641dd 100644 corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +465,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -12841,7 +13271,7 @@ index 08dfa0c..86641dd 100644 domain_use_interactive_fds(httpd_t) -@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t) +@@ -402,6 +489,10 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -12852,7 +13282,7 @@ index 08dfa0c..86641dd 100644 libs_read_lib_files(httpd_t) -@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +507,70 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -12872,24 +13302,23 @@ index 08dfa0c..86641dd 100644 - auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) -+') + ') + -+## -+##

-+## Allow Apache to use mod_auth_pam -+##

-+## -+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` -+tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ++ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) - ') ++ ') ') -@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',` + tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_mssql_port(httpd_t) ++ corenet_sendrecv_mssql_client_packets(httpd_t) ++') ++ +tunable_policy(`httpd_can_network_memcache',` + corenet_tcp_connect_memcache_port(httpd_t) +') @@ -12909,20 +13338,24 @@ index 08dfa0c..86641dd 100644 + corenet_sendrecv_squid_client_packets(httpd_t) +') + ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) - ') - ++') ++ +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) -+') -+ - tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` - fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + + tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` +@@ -456,6 +583,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -12933,20 +13366,22 @@ index 08dfa0c..86641dd 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',` - userdom_read_user_home_content_files(httpd_t) +@@ -466,8 +597,12 @@ tunable_policy(`httpd_enable_ftp_server',` + corenet_tcp_bind_ftp_port(httpd_t) ') +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_t) +tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` -+ can_exec(httpd_t, httpd_tmp_t) ++ can_exec(httpd_t, httpd_tmp_t) +') + +tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` -+ can_exec(httpd_sys_script_t, httpd_tmp_t) -+') -+ ++ can_exec(httpd_sys_script_t, httpd_tmp_t) + ') + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_t) +@@ -475,6 +610,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -12959,7 +13394,7 @@ index 08dfa0c..86641dd 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +625,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -12976,7 +13411,7 @@ index 08dfa0c..86641dd 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',` +@@ -500,8 +650,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -12987,7 +13422,7 @@ index 08dfa0c..86641dd 100644 ') optional_policy(` -@@ -513,7 +647,13 @@ optional_policy(` +@@ -513,7 +665,13 @@ optional_policy(` ') optional_policy(` @@ -13002,7 +13437,7 @@ index 08dfa0c..86641dd 100644 ') optional_policy(` -@@ -528,7 +668,7 @@ optional_policy(` +@@ -528,7 +686,7 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -13011,7 +13446,7 @@ index 08dfa0c..86641dd 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +677,12 @@ optional_policy(` +@@ -537,8 +695,12 @@ optional_policy(` ') optional_policy(` @@ -13025,7 +13460,7 @@ index 08dfa0c..86641dd 100644 ') ') -@@ -557,6 +701,7 @@ optional_policy(` +@@ -557,6 +719,7 @@ optional_policy(` optional_policy(` # Allow httpd to work with mysql @@ -13033,7 +13468,7 @@ index 08dfa0c..86641dd 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +712,7 @@ optional_policy(` +@@ -567,6 +730,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -13041,37 +13476,24 @@ index 08dfa0c..86641dd 100644 ') optional_policy(` -@@ -577,12 +723,29 @@ optional_policy(` +@@ -577,6 +741,16 @@ optional_policy(` ') optional_policy(` -+ passenger_domtrans(httpd_t) -+ passenger_manage_pid_content(httpd_t) -+ passenger_read_lib_files(httpd_t) ++ passenger_domtrans(httpd_t) ++ passenger_manage_pid_content(httpd_t) ++ passenger_read_lib_files(httpd_t) +') + +optional_policy(` + rpc_search_nfs_state_data(httpd_t) +') + -+tunable_policy(`httpd_execmem',` -+ allow httpd_t self:process { execmem execstack }; -+ allow httpd_sys_script_t self:process { execmem execstack }; -+ allow httpd_suexec_t self:process { execmem execstack }; -+') -+ +optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) -+ postgresql_tcp_connect(httpd_sys_script_t) - ') - ') - -@@ -591,6 +754,11 @@ optional_policy(` +@@ -591,6 +765,11 @@ optional_policy(` ') optional_policy(` @@ -13083,7 +13505,7 @@ index 08dfa0c..86641dd 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +771,10 @@ optional_policy(` +@@ -603,6 +782,10 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -13094,7 +13516,7 @@ index 08dfa0c..86641dd 100644 ######################################## # # Apache helper local policy -@@ -618,6 +790,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +801,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -13105,12 +13527,57 @@ index 08dfa0c..86641dd 100644 ######################################## # # Apache PHP script local policy -@@ -699,17 +875,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -654,28 +841,27 @@ libs_exec_lib_files(httpd_php_t) + userdom_use_unpriv_users_fds(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` +- corenet_tcp_connect_mysqld_port(httpd_t) +- corenet_sendrecv_mysqld_client_packets(httpd_t) +- corenet_tcp_connect_mysqld_port(httpd_sys_script_t) +- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_mysqld_port(httpd_suexec_t) +- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) +- +- corenet_tcp_connect_mssql_port(httpd_t) +- corenet_sendrecv_mssql_client_packets(httpd_t) +- corenet_tcp_connect_mssql_port(httpd_sys_script_t) +- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_mssql_port(httpd_suexec_t) +- corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_mssql_port(httpd_php_t) ++ corenet_sendrecv_mssql_client_packets(httpd_php_t) + ') + + optional_policy(` + mysql_stream_connect(httpd_php_t) ++ mysql_rw_db_sockets(httpd_php_t) + mysql_read_config(httpd_php_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ mysql_tcp_connect(httpd_php_t) ++ ') + ') + + optional_policy(` + postgresql_stream_connect(httpd_php_t) ++ postgresql_unpriv_client(httpd_php_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_php_t) ++ ') + ') + + ######################################## +@@ -699,17 +885,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + ++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) @@ -13127,15 +13594,17 @@ index 08dfa0c..86641dd 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +917,21 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +931,20 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') -+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_mssql_port(httpd_suexec_t) ++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) ++ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) @@ -13144,13 +13613,10 @@ index 08dfa0c..86641dd 100644 + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+') -+tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +957,12 @@ optional_policy(` +@@ -769,6 +970,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -13158,12 +13624,25 @@ index 08dfa0c..86641dd 100644 + mysql_stream_connect(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t) + mysql_read_config(httpd_suexec_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ mysql_tcp_connect(httpd_suexec_t) ++ ') ++') ++ ++optional_policy(` ++ postgresql_stream_connect(httpd_suexec_t) ++ postgresql_unpriv_client(httpd_suexec_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_suexec_t) ++ ') +') + ######################################## # # Apache system script local policy -@@ -792,9 +986,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) +@@ -792,9 +1012,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -13177,14 +13656,19 @@ index 08dfa0c..86641dd 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1001,28 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1027,33 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') +optional_policy(` -+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -+ spamassassin_domtrans_client(httpd_t) -+ ') ++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` ++ spamassassin_domtrans_client(httpd_t) ++ ') ++') ++ ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_mssql_port(httpd_sys_script_t) ++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -13206,10 +13690,23 @@ index 08dfa0c..86641dd 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1050,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -822,7 +1073,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + ') + + tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_sys_script_t) ++ userdom_search_user_home_dirs(httpd_sys_script_t) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1081,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_read_user_content',` ++ userdom_read_user_home_content_files(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) @@ -13223,15 +13720,28 @@ index 08dfa0c..86641dd 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1072,7 @@ optional_policy(` +@@ -842,10 +1107,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ mysql_tcp_connect(httpd_sys_script_t) ++ ') ') optional_policy(` -@@ -891,11 +1122,33 @@ optional_policy(` + postgresql_stream_connect(httpd_sys_script_t) ++ postgresql_unpriv_client(httpd_sys_script_t) ++ ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_sys_script_t) ++ ') + ') + + ######################################## +@@ -891,11 +1166,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -13249,25 +13759,66 @@ index 08dfa0c..86641dd 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') -+ -+tunable_policy(`httpd_read_user_content',` -+ userdom_read_user_home_content_files(httpd_user_script_t) -+ userdom_read_user_home_content_files(httpd_suexec_t) +') + -+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` ++tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) -+') -+ -+# Removal of fastcgi, will cause problems without the following -+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; -+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; -+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; -+typealias httpd_sys_script_t alias httpd_fastcgi_script_t; -+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -+ ++ userdom_read_user_home_content_files(httpd_suexec_t) ++ userdom_read_user_home_content_files(httpd_user_script_t) + ') +diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if +index e342775..d3451b8 100644 +--- a/policy/modules/services/apcupsd.if ++++ b/policy/modules/services/apcupsd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run apcupsd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`apcupsd_domtrans',` +@@ -83,9 +83,9 @@ interface(`apcupsd_read_log',` + ## apcupsd log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`apcupsd_append_log',` +@@ -103,9 +103,9 @@ interface(`apcupsd_append_log',` + ## Execute a domain transition to run httpd_apcupsd_cgi_script. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`apcupsd_cgi_script_domtrans',` +@@ -140,10 +140,8 @@ interface(`apcupsd_cgi_script_domtrans',` + # + interface(`apcupsd_admin',` + gen_require(` +- type apcupsd_t, apcupsd_tmp_t; +- type apcupsd_log_t, apcupsd_lock_t; +- type apcupsd_var_run_t; +- type apcupsd_initrc_exec_t; ++ type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; ++ type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t; + ') + + allow $1 apcupsd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index 67c91aa..472ddad 100644 --- a/policy/modules/services/apcupsd.te @@ -13283,11 +13834,49 @@ index 67c91aa..472ddad 100644 mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') +diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if +index 1ea99b2..49e6c74 100644 +--- a/policy/modules/services/apm.if ++++ b/policy/modules/services/apm.if +@@ -52,7 +52,7 @@ interface(`apm_write_pipes',` + type apmd_t; + ') + +- allow $1 apmd_t:fifo_file write; ++ allow $1 apmd_t:fifo_file write_fifo_file_perms; + ') + + ######################################## +@@ -89,7 +89,7 @@ interface(`apm_append_log',` + ') + + logging_search_logs($1) +- allow $1 apmd_log_t:file append; ++ allow $1 apmd_log_t:file append_file_perms; + ') + + ######################################## +@@ -108,6 +108,5 @@ interface(`apm_stream_connect',` + ') + + files_search_pids($1) +- allow $1 apmd_var_run_t:sock_file write; +- allow $1 apmd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) + ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..c7cba00 100644 +index 1c8c27e..62bc936 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te -@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) + # + # Declarations + # ++ + type apmd_t; + type apmd_exec_t; + init_daemon_domain(apmd_t, apmd_exec_t) +@@ -62,6 +63,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; @@ -13295,7 +13884,7 @@ index 1c8c27e..c7cba00 100644 allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; -@@ -81,6 +82,7 @@ kernel_rw_all_sysctls(apmd_t) +@@ -81,6 +83,7 @@ kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) @@ -13303,7 +13892,7 @@ index 1c8c27e..c7cba00 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -142,9 +144,8 @@ ifdef(`distro_redhat',` +@@ -142,9 +145,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -13314,7 +13903,7 @@ index 1c8c27e..c7cba00 100644 ') optional_policy(` -@@ -155,6 +156,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +157,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -13388,10 +13977,18 @@ index b9e94c4..608e3a1 100644 ') diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if -index d80a16b..f384848 100644 +index d80a16b..a43e006 100644 --- a/policy/modules/services/automount.if +++ b/policy/modules/services/automount.if -@@ -68,7 +68,8 @@ interface(`automount_read_state',` +@@ -29,7 +29,6 @@ interface(`automount_domtrans',` + ## + ## + # +-# + interface(`automount_signal',` + gen_require(` + type automount_t; +@@ -68,7 +67,8 @@ interface(`automount_read_state',` type automount_t; ') @@ -13401,7 +13998,16 @@ index d80a16b..f384848 100644 ') ######################################## -@@ -149,7 +150,7 @@ interface(`automount_admin',` +@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` + type automount_tmp_t; + ') + +- dontaudit $1 automount_tmp_t:dir getattr; ++ dontaudit $1 automount_tmp_t:dir getattr_dir_perms; + ') + + ######################################## +@@ -149,7 +149,7 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') @@ -13423,7 +14029,7 @@ index 39799db..6189565 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if -index 210ca0b..e51354d 100644 +index 210ca0b..11e1ba9 100644 --- a/policy/modules/services/avahi.if +++ b/policy/modules/services/avahi.if @@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',` @@ -13434,8 +14040,18 @@ index 210ca0b..e51354d 100644 allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') +@@ -150,8 +151,7 @@ interface(`avahi_dontaudit_search_pid',` + # + interface(`avahi_admin',` + gen_require(` +- type avahi_t, avahi_var_run_t; +- type avahi_initrc_exec_t; ++ type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + ') + + allow $1 avahi_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te -index b7bf6f0..803adbf 100644 +index b7bf6f0..52dcf09 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) @@ -13445,16 +14061,44 @@ index b7bf6f0..803adbf 100644 +manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) - allow avahi_t avahi_var_run_t:dir setattr; +-allow avahi_t avahi_var_run_t:dir setattr; -files_pid_filetrans(avahi_t, avahi_var_run_t, file) ++allow avahi_t avahi_var_run_t:dir setattr_dir_perms; +files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) kernel_read_system_state(avahi_t) kernel_read_kernel_sysctls(avahi_t) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if -index 44a1e3d..71f5514 100644 +index 44a1e3d..7e9d2fb 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if +@@ -186,7 +186,7 @@ interface(`bind_write_config',` + ') + + write_files_pattern($1, named_conf_t, named_conf_t) +- allow $1 named_conf_t:file setattr; ++ allow $1 named_conf_t:file setattr_file_perms; + ') + + ######################################## +@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',` + type named_var_run_t; + ') + +- allow $1 named_var_run_t:dir setattr; ++ allow $1 named_var_run_t:dir setattr_dir_perms; + ') + + ######################################## +@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',` + type named_zone_t; + ') + +- allow $1 named_zone_t:dir setattr; ++ allow $1 named_zone_t:dir setattr_dir_perms; + ') + + ######################################## @@ -308,6 +308,27 @@ interface(`bind_read_zone',` ######################################## @@ -13483,19 +14127,21 @@ index 44a1e3d..71f5514 100644 ## Manage BIND zone files. ## ## -@@ -359,9 +380,9 @@ interface(`bind_udp_chat_named',` +@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; - type named_conf_t, named_var_lib_t, named_var_run_t; -+ type named_conf_t, named_var_run_t; - type named_cache_t, named_zone_t; +- type named_cache_t, named_zone_t; - type dnssec_t, ndc_t; +- type named_initrc_exec_t; ++ type named_conf_t, named_var_run_t, named_cache_t; ++ type named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_keytab_t; - type named_initrc_exec_t; ') -@@ -391,8 +412,7 @@ interface(`bind_admin',` + allow $1 named_t:process { ptrace signal_perms }; +@@ -391,8 +411,7 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -13506,9 +14152,24 @@ index 44a1e3d..71f5514 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..ece1f1f 100644 +index 4deca04..0bde225 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te +@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0) + # + + ## +-##

+-## Allow BIND to write the master zone files. +-## Generally this is used for dynamic DNS or zone transfers. +-##

++##

++## Allow BIND to write the master zone files. ++## Generally this is used for dynamic DNS or zone transfers. ++##

+ ## + gen_tunable(named_write_master_zones, false) + @@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -13521,14 +14182,53 @@ index 4deca04..ece1f1f 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; +@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms; + allow ndc_t self:netlink_route_socket r_netlink_socket_perms; + + allow ndc_t dnssec_t:file read_file_perms; +-allow ndc_t dnssec_t:lnk_file { getattr read }; ++allow ndc_t dnssec_t:lnk_file read_lnk_file_perms; + + stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) + + allow ndc_t named_conf_t:file read_file_perms; +-allow ndc_t named_conf_t:lnk_file { getattr read }; ++allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; + + allow ndc_t named_zone_t:dir search_dir_perms; + +@@ -244,7 +245,7 @@ term_dontaudit_use_console(ndc_t) + + # for /etc/rndc.key + ifdef(`distro_redhat',` +- allow ndc_t named_conf_t:dir search; ++ allow ndc_t named_conf_t:dir search_dir_perms; + ') + + optional_policy(` +diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if +index ed4e7a2..a64d94d 100644 +--- a/policy/modules/services/bitlbee.if ++++ b/policy/modules/services/bitlbee.if +@@ -6,7 +6,7 @@ + ## + ## + ## +-## Domain allowed accesss. ++## Domain allowed accesss. + ## + ## + # diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te -index f42cdfc..e74f728 100644 +index f42cdfc..2ba2d1f 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te -@@ -27,6 +27,7 @@ files_type(bitlbee_var_t) - # Local policy +@@ -26,7 +26,8 @@ files_type(bitlbee_var_t) # + # Local policy # +-# ++ +allow bitlbee_t self:capability { setgid setuid }; allow bitlbee_t self:udp_socket create_socket_perms; @@ -13545,10 +14245,36 @@ index f42cdfc..e74f728 100644 sysnet_dns_name_resolve(bitlbee_t) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if -index 3e45431..328302d 100644 +index 3e45431..fa57a6f 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if -@@ -117,6 +117,27 @@ interface(`bluetooth_dbus_chat',` +@@ -14,6 +14,7 @@ + ## User domain for the role + ## + ## ++## + # + interface(`bluetooth_role',` + gen_require(` +@@ -27,7 +28,7 @@ interface(`bluetooth_role',` + + # allow ps to show cdrecord and allow the user to kill it + ps_process_pattern($2, bluetooth_helper_t) +- allow $2 bluetooth_helper_t:process signal; ++ allow $2 bluetooth_helper_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +@@ -91,7 +92,7 @@ interface(`bluetooth_read_config',` + type bluetooth_conf_t; + ') + +- allow $1 bluetooth_conf_t:file { getattr read ioctl }; ++ allow $1 bluetooth_conf_t:file read_file_perms; + ') + + ######################################## +@@ -117,6 +118,27 @@ interface(`bluetooth_dbus_chat',` ######################################## ## @@ -13576,15 +14302,37 @@ index 3e45431..328302d 100644 ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## -@@ -194,7 +215,7 @@ interface(`bluetooth_dontaudit_read_helper_state',` +@@ -157,7 +179,7 @@ interface(`bluetooth_run_helper',` + + ######################################## + ## +-## Read bluetooth helper state files. ++## Do not audit attempts to read bluetooth helper state files. + ## + ## + ## +@@ -170,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',` + type bluetooth_helper_t; + ') + +- dontaudit $1 bluetooth_helper_t:dir search; +- dontaudit $1 bluetooth_helper_t:file { read getattr }; ++ dontaudit $1 bluetooth_helper_t:dir search_dir_perms; ++ dontaudit $1 bluetooth_helper_t:file read_file_perms; + ') + + ######################################## +@@ -194,9 +216,8 @@ interface(`bluetooth_dontaudit_read_helper_state',` interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; -+ type bluetooth_var_lib_t, bluetooth_var_run_t; ++ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t; type bluetooth_conf_t, bluetooth_conf_rw_t; - type bluetooth_initrc_exec_t; +- type bluetooth_initrc_exec_t; ') + + allow $1 bluetooth_t:process { ptrace signal_perms }; @@ -217,9 +238,6 @@ interface(`bluetooth_admin',` admin_pattern($1, bluetooth_conf_t) admin_pattern($1, bluetooth_conf_rw_t) @@ -13595,6 +14343,18 @@ index 3e45431..328302d 100644 files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) +diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te +index 215b86b..08afbb9 100644 +--- a/policy/modules/services/bluetooth.te ++++ b/policy/modules/services/bluetooth.te +@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0) + # + # Declarations + # ++ + type bluetooth_t; + type bluetooth_exec_t; + init_daemon_domain(bluetooth_t, bluetooth_exec_t) diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc new file mode 100644 index 0000000..c095160 @@ -13611,11 +14371,10 @@ index 0000000..c095160 +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if new file mode 100644 -index 0000000..272bf74 +index 0000000..fa9b95a --- /dev/null +++ b/policy/modules/services/boinc.if -@@ -0,0 +1,151 @@ -+ +@@ -0,0 +1,150 @@ +## policy for boinc + +######################################## @@ -13623,9 +14382,9 @@ index 0000000..272bf74 +## Execute a domain transition to run boinc. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`boinc_domtrans',` @@ -13638,20 +14397,20 @@ index 0000000..272bf74 + +####################################### +## -+## Execute boinc server in the boinc domain. ++## Execute boinc server in the boinc domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`boinc_initrc_domtrans',` -+ gen_require(` -+ type boinc_initrc_exec_t; -+ ') ++ gen_require(` ++ type boinc_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, boinc_initrc_exec_t) ++ init_labeled_script_domtrans($1, boinc_initrc_exec_t) +') + +######################################## @@ -13689,7 +14448,7 @@ index 0000000..272bf74 + ') + + files_search_var_lib($1) -+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## @@ -13709,7 +14468,7 @@ index 0000000..272bf74 + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## @@ -13727,9 +14486,10 @@ index 0000000..272bf74 + type boinc_var_lib_t; + ') + -+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) -+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## @@ -13751,8 +14511,7 @@ index 0000000..272bf74 +# +interface(`boinc_admin',` + gen_require(` -+ type boinc_t, boinc_initrc_exec_t; -+ type boinc_var_lib_t; ++ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; + ') + + allow $1 boinc_t:process { ptrace signal_perms }; @@ -13762,17 +14521,17 @@ index 0000000..272bf74 + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; -+ ++ + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..aaf0ba3 +index 0000000..c9622ef --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,153 @@ -+policy_module(boinc,1.0.0) +@@ -0,0 +1,166 @@ ++policy_module(boinc, 1.0.0) + +######################################## +# @@ -13801,6 +14560,9 @@ index 0000000..aaf0ba3 + +permissive boinc_project_t; + ++type boinc_project_tmp_t; ++files_tmp_file(boinc_project_tmp_t) ++ +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + @@ -13823,15 +14585,15 @@ index 0000000..aaf0ba3 +files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + +manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) -+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file) ++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) + -+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir }) ++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir) + -+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + +kernel_read_system_state(boinc_t) + @@ -13894,16 +14656,20 @@ index 0000000..aaf0ba3 + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; + ++manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) ++manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) ++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) ++ +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; -+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) ++manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + +allow boinc_project_t boinc_t:shm rw_shm_perms; -+allow boinc_project_t boinc_tmpfs_t:file { read write }; ++allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; + +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) @@ -13918,13 +14684,19 @@ index 0000000..aaf0ba3 + +corenet_tcp_connect_boinc_port(boinc_project_t) + ++dev_read_rand(boinc_project_t) +dev_read_urand(boinc_project_t) ++dev_read_sysfs(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) + ++miscfiles_read_fonts(boinc_project_t) +miscfiles_read_localization(boinc_project_t) + ++optional_policy(` ++ java_exec(boinc_project_t) ++') diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc new file mode 100644 index 0000000..18f37e2 @@ -13937,10 +14709,10 @@ index 0000000..18f37e2 +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if new file mode 100644 -index 0000000..922c4ba +index 0000000..3964548 --- /dev/null +++ b/policy/modules/services/bugzilla.if -@@ -0,0 +1,81 @@ +@@ -0,0 +1,80 @@ +## Bugzilla server + +######################################## @@ -14000,10 +14772,9 @@ index 0000000..922c4ba +# +interface(`bugzilla_admin',` + gen_require(` -+ type httpd_bugzilla_script_t; -+ type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; -+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t; -+ type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t; ++ type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; ++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t; ++ type httpd_bugzilla_htaccess_t; + ') + + allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; @@ -14012,9 +14783,9 @@ index 0000000..922c4ba + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + -+ files_search_var_lib(httpd_bugzilla_script_t) ++ files_list_var_lib(httpd_bugzilla_script_t) + -+ apache_search_sys_content($1) ++ apache_list_sys_content($1) + admin_pattern($1, httpd_bugzilla_script_exec_t) + admin_pattern($1, httpd_bugzilla_script_t) + admin_pattern($1, httpd_bugzilla_content_t) @@ -14024,10 +14795,10 @@ index 0000000..922c4ba +') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te new file mode 100644 -index 0000000..d31736b +index 0000000..c63c8fa --- /dev/null +++ b/policy/modules/services/bugzilla.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,55 @@ +policy_module(bugzilla, 1.0) + +######################################## @@ -14083,7 +14854,6 @@ index 0000000..d31736b +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') -+ diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc new file mode 100644 index 0000000..24d9837 @@ -14121,10 +14891,10 @@ index 0000000..24d9837 +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if new file mode 100644 -index 0000000..89d19e0 +index 0000000..3b41945 --- /dev/null +++ b/policy/modules/services/cachefilesd.if -@@ -0,0 +1,41 @@ +@@ -0,0 +1,35 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. @@ -14141,7 +14911,6 @@ index 0000000..89d19e0 +# +# Define the policy interface for the CacheFiles userspace management daemon. +# -+ +## policy for cachefilesd + +######################################## @@ -14149,9 +14918,9 @@ index 0000000..89d19e0 +## Execute a domain transition to run cachefilesd. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`cachefilesd_domtrans',` @@ -14159,19 +14928,14 @@ index 0000000..89d19e0 + type cachefilesd_t, cachefilesd_exec_t; + ') + -+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t) -+ -+ allow $1 cachefilesd_t:fd use; -+ allow cachefilesd_t $1:fd use; -+ allow cachefilesd_t $1:fifo_file rw_file_perms; -+ allow cachefilesd_t $1:process sigchld; ++ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) +') diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te new file mode 100644 -index 0000000..e67f987 +index 0000000..575c16e --- /dev/null +++ b/policy/modules/services/cachefilesd.te -@@ -0,0 +1,146 @@ +@@ -0,0 +1,143 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. @@ -14191,7 +14955,7 @@ index 0000000..e67f987 +# cache, on behalf of the processes accessing the cache through a network +# filesystem such as NFS +# -+policy_module(cachefilesd,1.0.17) ++policy_module(cachefilesd, 1.0.17) + +############################################################################### +# @@ -14216,7 +14980,6 @@ index 0000000..e67f987 +# +type cachefilesd_t; +type cachefilesd_exec_t; -+domain_type(cachefilesd_t) +init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) + +# @@ -14252,36 +15015,33 @@ index 0000000..e67f987 +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# -+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; -+ -+# Basic access -+files_read_etc_files(cachefilesd_t) -+libs_use_ld_so(cachefilesd_t) -+libs_use_shared_libs(cachefilesd_t) -+miscfiles_read_localization(cachefilesd_t) -+logging_send_syslog_msg(cachefilesd_t) -+init_dontaudit_use_script_ptys(cachefilesd_t) -+term_dontaudit_use_generic_ptys(cachefilesd_t) -+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; -+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) -+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) -+files_pid_file(cachefilesd_var_run_t) -+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) ++manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) ++manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) ++files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +files_create_as_is_all_files(cachefilesd_t) + +# Allow access to cachefiles device file -+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; ++allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; + +# Allow access to cache superstructure -+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir }; -+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; ++allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; ++allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; + +# Permit statfs on the backing filesystem +fs_getattr_xattr_fs(cachefilesd_t) + ++# Basic access ++files_read_etc_files(cachefilesd_t) ++miscfiles_read_localization(cachefilesd_t) ++logging_send_syslog_msg(cachefilesd_t) ++init_dontaudit_use_script_ptys(cachefilesd_t) ++term_dontaudit_use_generic_ptys(cachefilesd_t) ++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ++ +############################################################################### +# +# When cachefilesd invokes the kernel module to begin caching, it has to tell @@ -14293,14 +15053,14 @@ index 0000000..e67f987 +# (1) the security context used by the module to access files in the cache, +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# -+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; ++allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; + +# +# (2) the label that will be assigned to new files and directories created in +# the cache by the module, which will be the same as the label on the +# directory pointed to by the 'dir' command. +# -+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; ++allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; + +############################################################################### +# @@ -14310,18 +15070,66 @@ index 0000000..e67f987 +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; -+allow cachefiles_kernel_t initrc_t:process sigchld; + -+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) -+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) + +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) ++ ++init_sigchld_script(cachefiles_kernel_t) +diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te +index a0dfd2f..d60e2bf 100644 +--- a/policy/modules/services/canna.te ++++ b/policy/modules/services/canna.te +@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms; + allow canna_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(canna_t, canna_log_t, canna_log_t) +-allow canna_t canna_log_t:dir setattr; ++allow canna_t canna_log_t:dir setattr_dir_perms; + logging_log_filetrans(canna_t, canna_log_t, { file dir }) + + manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if +index 6ee2cc8..3105b09 100644 +--- a/policy/modules/services/ccs.if ++++ b/policy/modules/services/ccs.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run ccs. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ccs_domtrans',` diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te -index 4c90b57..bffe6b6 100644 +index 4c90b57..8d7e14e 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te +@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) + +-allow ccs_t ccs_var_log_t:dir setattr; ++allow ccs_t ccs_var_log_t:dir setattr_dir_perms; + manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) + manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) + logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) +@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) + userdom_manage_unpriv_user_shared_mem(ccs_t) + userdom_manage_unpriv_user_semaphores(ccs_t) + +-ifdef(`hide_broken_symptoms', ` ++ifdef(`hide_broken_symptoms',` + corecmd_dontaudit_write_bin_dirs(ccs_t) + files_manage_isid_type_files(ccs_t) + ') @@ -118,5 +118,10 @@ optional_policy(` ') @@ -14333,10 +15141,71 @@ index 4c90b57..bffe6b6 100644 +optional_policy(` unconfined_use_fds(ccs_t) ') +diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if +index fa62787..ffd0da5 100644 +--- a/policy/modules/services/certmaster.if ++++ b/policy/modules/services/certmaster.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run certmaster. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`certmaster_domtrans',` +@@ -108,7 +108,7 @@ interface(`certmaster_manage_log',` + ## + ## + ## +-## The role to be allowed to manage the syslog domain. ++## Role allowed access. + ## + ## + ## +@@ -116,8 +116,7 @@ interface(`certmaster_manage_log',` + interface(`certmaster_admin',` + gen_require(` + type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; +- type certmaster_etc_rw_t, certmaster_var_log_t; +- type certmaster_initrc_exec_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; + ') + + allow $1 certmaster_t:process { ptrace signal_perms }; +@@ -129,8 +128,8 @@ interface(`certmaster_admin',` + allow $2 system_r; + + files_list_etc($1) +- miscfiles_manage_generic_cert_dirs($1) +- miscfiles_manage_generic_cert_files($1) ++ miscfiles_manage_generic_cert_dirs($1) ++ miscfiles_manage_generic_cert_files($1) + + admin_pattern($1, certmaster_etc_rw_t) + diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index 73f03ff..4aef864 100644 +index 73f03ff..dbfd0a6 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te +@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) + + # log files + manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) +-logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) ++logging_log_filetrans(certmaster_t, certmaster_var_log_t, file) + + # pid file + manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) + manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) +-files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) ++files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file }) + + # read meminfo + kernel_read_system_state(certmaster_t) @@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t) corenet_tcp_bind_certmaster_port(certmaster_t) @@ -14345,6 +15214,100 @@ index 73f03ff..4aef864 100644 files_list_var(certmaster_t) files_search_var_lib(certmaster_t) +diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if +index 7a6e5ba..d664be8 100644 +--- a/policy/modules/services/certmonger.if ++++ b/policy/modules/services/certmonger.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run certmonger. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`certmonger_domtrans',` +@@ -166,9 +166,9 @@ interface(`certmonger_admin',` + role_transition $2 certmonger_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, certmonger_var_lib_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, certmonger_var_run_t) + ') +diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te +index 1a65b5e..1c87fb3 100644 +--- a/policy/modules/services/certmonger.te ++++ b/policy/modules/services/certmonger.te +@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; + + manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) + manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +-files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } ) ++files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir }) + + manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) + manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if +index d020c93..e5cbcef 100644 +--- a/policy/modules/services/cgroup.if ++++ b/policy/modules/services/cgroup.if +@@ -6,9 +6,9 @@ + ## CG Clear. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`cgroup_domtrans_cgclear',` +@@ -26,9 +26,9 @@ interface(`cgroup_domtrans_cgclear',` + ## CG config parser. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`cgroup_domtrans_cgconfig',` +@@ -65,9 +65,9 @@ interface(`cgroup_initrc_domtrans_cgconfig',` + ## CG rules engine daemon. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`cgroup_domtrans_cgred',` +@@ -182,10 +182,10 @@ interface(`cgroup_admin',` + + admin_pattern($1, cgconfig_etc_t) + admin_pattern($1, cgrules_etc_t) +- files_search_etc($1) ++ files_list_etc($1) + + admin_pattern($1, cgred_var_run_t) +- files_search_pids($1) ++ files_list_pids($1) + + cgroup_initrc_domtrans_cgconfig($1) + domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te index 8ca2333..63a18fc 100644 --- a/policy/modules/services/cgroup.te @@ -14370,7 +15333,7 @@ index 8ca2333..63a18fc 100644 allow cgconfig_t cgconfig_etc_t:file read_file_perms; diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..5a98145 100644 +index 9a0da94..2ede737 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -14383,7 +15346,7 @@ index 9a0da94..5a98145 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# @@ -14463,16 +15426,37 @@ index 9a0da94..5a98145 100644 #################################### ## ## All of the rules required to administrate -@@ -77,6 +153,7 @@ interface(`chronyd_admin',` +@@ -75,9 +151,9 @@ interface(`chronyd_read_log',` + # + interface(`chronyd_admin',` gen_require(` - type chronyd_t, chronyd_var_log_t; - type chronyd_var_run_t, chronyd_var_lib_t; -+ type chronyd_tmpfs_t; - type chronyd_initrc_exec_t, chronyd_keys_t; +- type chronyd_t, chronyd_var_log_t; +- type chronyd_var_run_t, chronyd_var_lib_t; +- type chronyd_initrc_exec_t, chronyd_keys_t; ++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; ++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; ++ type chronyd_keys_t; ') -@@ -100,6 +177,5 @@ interface(`chronyd_admin',` - files_search_pids($1) + allow $1 chronyd_t:process { ptrace signal_perms }; +@@ -88,18 +164,17 @@ interface(`chronyd_admin',` + role_transition $2 chronyd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, chronyd_keys_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, chronyd_var_log_t) + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, chronyd_var_lib_t) + +- files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, chronyd_var_run_t) - files_search_tmp($1) @@ -14512,10 +15496,47 @@ index fa82327..7f4ca47 100644 corenet_udp_bind_ntp_port(chronyd_t) # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) +diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if +index 1f11572..01b02f3 100644 +--- a/policy/modules/services/clamav.if ++++ b/policy/modules/services/clamav.if +@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` + type clamd_t, clamd_var_run_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) + ') + +@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',` + interface(`clamav_admin',` + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; +- type clamd_var_log_t, clamd_var_lib_t; +- type clamd_var_run_t, clamscan_t, clamscan_tmp_t; +- type clamd_initrc_exec_t; ++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; ++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; + type freshclam_t, freshclam_var_log_t; + ') + diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index 8c36027..16598a4 100644 +index 8c36027..f9af97c 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te +@@ -1,9 +1,9 @@ + policy_module(clamav, 1.8.1) + + ## +-##

+-## Allow clamd to use JIT compiler +-##

++##

++## Allow clamd to use JIT compiler ++##

+ ## + gen_tunable(clamd_use_jit, false) + @@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) @@ -14540,18 +15561,21 @@ index 8c36027..16598a4 100644 tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; +-', ` + allow clamscan_t self:process execmem; - ', ` ++',` dontaudit clamd_t self:process execmem; + dontaudit clamscan_t self:process execmem; ') ######################################## -@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +182,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) + # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) - allow freshclam_t freshclam_var_log_t:dir setattr; +-allow freshclam_t freshclam_var_log_t:dir setattr; -allow freshclam_t clamd_var_log_t:dir search_dir_perms; ++allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms; +read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) @@ -14572,15 +15596,29 @@ index 8c36027..16598a4 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +218,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) +-optional_policy(` +- cron_system_entry(freshclam_t, freshclam_exec_t) +-') +userdom_stream_connect(freshclam_t) -+ - optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) + + tunable_policy(`clamd_use_jit',` + allow freshclam_t self:process execmem; +-', ` ++',` + dontaudit freshclam_t self:process execmem; ') + ++optional_policy(` ++ cron_system_entry(freshclam_t, freshclam_exec_t) ++') ++ + ######################################## + # + # clamscam local policy @@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) @@ -14589,6 +15627,43 @@ index 8c36027..16598a4 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) +diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if +index c0a66a4..e438c5f 100644 +--- a/policy/modules/services/clogd.if ++++ b/policy/modules/services/clogd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run clogd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`clogd_domtrans',` +diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te +index 6077339..d10acd2 100644 +--- a/policy/modules/services/clogd.te ++++ b/policy/modules/services/clogd.te +@@ -23,7 +23,6 @@ files_pid_file(clogd_var_run_t) + + allow clogd_t self:capability { net_admin mknod }; + allow clogd_t self:process signal; +- + allow clogd_t self:sem create_sem_perms; + allow clogd_t self:shm create_shm_perms; + allow clogd_t self:netlink_socket create_socket_perms; +@@ -36,7 +35,7 @@ fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) + # pid files + manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) + manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +-files_pid_filetrans(clogd_t, clogd_var_run_t, { file }) ++files_pid_filetrans(clogd_t, clogd_var_run_t, file) + + dev_read_lvm_control(clogd_t) + dev_manage_generic_blk_files(clogd_t) diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc new file mode 100644 index 0000000..e500fa5 @@ -14603,11 +15678,10 @@ index 0000000..e500fa5 +/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if new file mode 100644 -index 0000000..d5b410f +index 0000000..756ac91 --- /dev/null +++ b/policy/modules/services/cmirrord.if -@@ -0,0 +1,118 @@ -+ +@@ -0,0 +1,113 @@ +## policy for cmirrord + +######################################## @@ -14615,9 +15689,9 @@ index 0000000..d5b410f +## Execute a domain transition to run cmirrord. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`cmirrord_domtrans',` @@ -14667,26 +15741,25 @@ index 0000000..d5b410f + +####################################### +## -+## Read and write to cmirrord shared memory. ++## Read and write to cmirrord shared memory. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# +interface(`cmirrord_rw_shm',` -+ gen_require(` -+ type cmirrord_t; -+ type cmirrord_tmpfs_t; -+ ') ++ gen_require(` ++ type cmirrord_t, cmirrord_tmpfs_t; ++ ') + -+ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; -+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; ++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+ fs_search_tmpfs($1) ++ fs_search_tmpfs($1) +') + +######################################## @@ -14708,9 +15781,7 @@ index 0000000..d5b410f +# +interface(`cmirrord_admin',` + gen_require(` -+ type cmirrord_t; -+ type cmirrord_initrc_exec_t; -+ type cmirrord_var_run_t; ++ type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') + + allow $1 cmirrord_t:process { ptrace signal_perms }; @@ -14721,17 +15792,16 @@ index 0000000..d5b410f + role_transition $2 cmirrord_initrc_exec_t system_r; + allow $2 system_r; + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, cmirrord_var_run_t) -+ +') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te new file mode 100644 -index 0000000..bb7d429 +index 0000000..a2c7134 --- /dev/null +++ b/policy/modules/services/cmirrord.te -@@ -0,0 +1,55 @@ -+policy_module(cmirrord,1.0.0) +@@ -0,0 +1,53 @@ ++policy_module(cmirrord, 1.0.0) + +######################################## +# @@ -14759,9 +15829,7 @@ index 0000000..bb7d429 +allow cmirrord_t self:capability { net_admin kill }; +dontaudit cmirrord_t self:capability sys_tty_config; +allow cmirrord_t self:process signal; -+ +allow cmirrord_t self:fifo_file rw_fifo_file_perms; -+ +allow cmirrord_t self:sem create_sem_perms; +allow cmirrord_t self:shm create_shm_perms; +allow cmirrord_t self:netlink_socket create_socket_perms; @@ -14773,7 +15841,7 @@ index 0000000..bb7d429 + +manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) +manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file }) ++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + +domain_use_interactive_fds(cmirrord_t) + @@ -14784,7 +15852,7 @@ index 0000000..bb7d429 +miscfiles_read_localization(cmirrord_t) + +optional_policy(` -+ corosync_stream_connect(cmirrord_t) ++ corosync_stream_connect(cmirrord_t) +') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc index 1cf6c4e..90c60df 100644 @@ -14829,9 +15897,40 @@ index 1cf6c4e..90c60df 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 293e08d..b2198bb 100644 +index 293e08d..e3787fb 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if +@@ -1,12 +1,12 @@ + ## Cobbler installation server. + ## + ##

+-## Cobbler is a Linux installation server that allows for +-## rapid setup of network installation environments. It +-## glues together and automates many associated Linux +-## tasks so you do not have to hop between lots of various +-## commands and applications when rolling out new systems, +-## and, in some cases, changing existing ones. ++## Cobbler is a Linux installation server that allows for ++## rapid setup of network installation environments. It ++## glues together and automates many associated Linux ++## tasks so you do not have to hop between lots of various ++## commands and applications when rolling out new systems, ++## and, in some cases, changing existing ones. + ##

+ ## + +@@ -15,9 +15,9 @@ + ## Execute a domain transition to run cobblerd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`cobblerd_domtrans',` @@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',` ') @@ -14922,7 +16021,7 @@ index 293e08d..b2198bb 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14939,13 +16038,13 @@ index 293e08d..b2198bb 100644 ## All of the rules required to administrate ## an cobblerd environment ## -@@ -162,10 +186,13 @@ interface(`cobblerd_admin',` +@@ -161,25 +185,34 @@ interface(`cobbler_manage_lib_files',` + interface(`cobblerd_admin',` gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t; -+ type httpd_cobbler_content_t; -+ type httpd_cobbler_content_ra_t; -+ type httpd_cobbler_content_rw_t; +- type cobbler_etc_t, cobblerd_initrc_exec_t; ++ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; ++ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; ') - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; @@ -14953,13 +16052,18 @@ index 293e08d..b2198bb 100644 + allow $1 cobblerd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cobblerd_t) - files_search_etc($1) +- files_search_etc($1) ++ files_list_etc($1) admin_pattern($1, cobbler_etc_t) -@@ -176,10 +203,18 @@ interface(`cobblerd_admin',` - logging_search_logs($1) + + files_list_var_lib($1) + admin_pattern($1, cobbler_var_lib_t) + +- logging_search_logs($1) ++ logging_list_logs($1) admin_pattern($1, cobbler_var_log_t) -+ apache_search_sys_content($1) ++ apache_list_sys_content($1) + admin_pattern($1, httpd_cobbler_content_t) + admin_pattern($1, httpd_cobbler_content_ra_t) admin_pattern($1, httpd_cobbler_content_rw_t) @@ -14975,38 +16079,49 @@ index 293e08d..b2198bb 100644 + ') ') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te -index 0258b48..6a6d7d7 100644 +index 0258b48..c4d678b 100644 --- a/policy/modules/services/cobbler.te +++ b/policy/modules/services/cobbler.te -@@ -12,6 +12,28 @@ policy_module(cobbler, 1.1.0) - ##

+@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) + # + + ## +-##

+-## Allow Cobbler to modify public files +-## used for public file transfer services. +-##

++##

++## Allow Cobbler to modify public files ++## used for public file transfer services. ++##

## gen_tunable(cobbler_anon_write, false) -+ + +## -+##

-+## Allow Cobbler to connect to the -+## network using TCP. -+##

++##

++## Allow Cobbler to connect to the ++## network using TCP. ++##

+## +gen_tunable(cobbler_can_network_connect, false) + +## -+##

-+## Allow Cobbler to access cifs file systems. -+##

++##

++## Allow Cobbler to access cifs file systems. ++##

+## +gen_tunable(cobbler_use_cifs, false) + +## -+##

-+## Allow Cobbler to access nfs file systems. -+##

++##

++## Allow Cobbler to access nfs file systems. ++##

+## +gen_tunable(cobbler_use_nfs, false) - ++ type cobblerd_t; type cobblerd_exec_t; + init_daemon_domain(cobblerd_t, cobblerd_exec_t) @@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t) type cobbler_var_log_t; logging_log_file(cobbler_var_log_t) @@ -15186,9 +16301,21 @@ index 0258b48..6a6d7d7 100644 ######################################## diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if -index 42c6bd7..51afa67 100644 +index 42c6bd7..53b10e3 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run consolekit. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`consolekit_domtrans',` @@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',` files_search_pids($1) read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) @@ -15213,7 +16340,7 @@ index 42c6bd7..51afa67 100644 + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index daf151d..cc2058b 100644 +index daf151d..16c0746 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t) @@ -15248,19 +16375,18 @@ index daf151d..cc2058b 100644 dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` -@@ -99,16 +109,21 @@ optional_policy(` +@@ -99,6 +109,10 @@ optional_policy(` ') optional_policy(` -- policykit_dbus_chat(consolekit_t) + networkmanager_append_log(consolekit_t) +') + +optional_policy(` -+ policykit_dbus_chat(consolekit_t) + policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) - policykit_read_reload(consolekit_t) +@@ -106,9 +120,10 @@ optional_policy(` ') optional_policy(` @@ -15293,7 +16419,7 @@ index 3a6d7eb..2098ee9 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if -index 5220c9d..05f7296 100644 +index 5220c9d..a2e6830 100644 --- a/policy/modules/services/corosync.if +++ b/policy/modules/services/corosync.if @@ -18,6 +18,25 @@ interface(`corosync_domtrans',` @@ -15302,28 +16428,28 @@ index 5220c9d..05f7296 100644 +###################################### +## -+## Execute corosync in the caller domain. ++## Execute corosync in the caller domain. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`corosync_exec',` -+ gen_require(` -+ type corosync_exec_t; -+ ') ++ gen_require(` ++ type corosync_exec_t; ++ ') + -+ corecmd_search_bin($1) -+ can_exec($1, corosync_exec_t) ++ corecmd_search_bin($1) ++ can_exec($1, corosync_exec_t) +') + ####################################### ## ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 7d2cf85..ed9dd2f 100644 +index 7d2cf85..c3620a0 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) @@ -15365,7 +16491,7 @@ index 7d2cf85..ed9dd2f 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +88,36 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +88,32 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -15373,10 +16499,6 @@ index 7d2cf85..ed9dd2f 100644 userdom_rw_user_tmpfs_files(corosync_t) optional_policy(` -+ gen_require(` -+ attribute unconfined_services; -+ ') -+ + fs_manage_tmpfs_files(corosync_t) + init_manage_script_status_files(corosync_t) +') @@ -15406,6 +16528,55 @@ index 7d2cf85..ed9dd2f 100644 ') optional_policy(` +diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if +index 9971337..f081899 100644 +--- a/policy/modules/services/courier.if ++++ b/policy/modules/services/courier.if +@@ -138,6 +138,7 @@ interface(`courier_read_config',` + type courier_etc_t; + ') + ++ files_search_etc($1) + read_files_pattern($1, courier_etc_t, courier_etc_t) + ') + +@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',` + type courier_spool_t; + ') + ++ files_search_spool($1) + manage_dirs_pattern($1, courier_spool_t, courier_spool_t) + ') + +@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',` + type courier_spool_t; + ') + ++ files_search_spool($1) + manage_files_pattern($1, courier_spool_t, courier_spool_t) + ') + +@@ -194,6 +197,7 @@ interface(`courier_read_spool',` + type courier_spool_t; + ') + ++ files_search_spool($1) + read_files_pattern($1, courier_spool_t, courier_spool_t) + ') + +diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te +index 37f4810..cc93958 100644 +--- a/policy/modules/services/courier.te ++++ b/policy/modules/services/courier.te +@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; + allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; + + # inherits file handle - should it? +-allow courier_pop_t courier_var_lib_t:file { read write }; ++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; + + miscfiles_read_localization(courier_pop_t) + diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 2eefc08..3e8ad69 100644 --- a/policy/modules/services/cron.fc @@ -15428,7 +16599,7 @@ index 2eefc08..3e8ad69 100644 + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..9822074 100644 +index 35241ed..b6402c9 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ @@ -15458,6 +16629,15 @@ index 35241ed..9822074 100644 # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) +@@ -43,7 +52,7 @@ template(`cron_common_crontab_template',` + files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir +- allow $1_t cron_spool_t:dir setattr; ++ allow $1_t cron_spool_t:dir setattr_dir_perms; + + kernel_read_system_state($1_t) + @@ -62,6 +71,7 @@ template(`cron_common_crontab_template',` logging_send_syslog_msg($1_t) @@ -15474,16 +16654,20 @@ index 35241ed..9822074 100644 tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -106,6 +117,8 @@ template(`cron_common_crontab_template',` +@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',` + ## User domain for the role + ## + ## ++## + # interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; -+ type user_cron_spool_t; -+ type crond_t; ++ type user_cron_spool_t, crond_t; ') role $1 types { cronjob_t crontab_t }; -@@ -116,6 +129,13 @@ interface(`cron_role',` +@@ -116,9 +129,16 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -15496,8 +16680,27 @@ index 35241ed..9822074 100644 + # crontab shows up in user ps ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; -@@ -154,27 +174,14 @@ interface(`cron_role',` +- allow $2 crontab_t:process signal; ++ allow $2 crontab_t:process { ptrace signal_perms }; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) +@@ -132,9 +152,8 @@ interface(`cron_role',` + ') + + dbus_stub(cronjob_t) +- + allow cronjob_t $2:dbus send_msg; +- ') ++ ') + ') + + ######################################## +@@ -151,29 +170,18 @@ interface(`cron_role',` + ## User domain for the role + ## + ## ++## # interface(`cron_unconfined_role',` gen_require(` @@ -15510,7 +16713,7 @@ index 35241ed..9822074 100644 # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) - +- - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - @@ -15523,10 +16726,58 @@ index 35241ed..9822074 100644 - #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) -- ++ allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; + optional_policy(` gen_require(` - class dbus send_msg; +@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',` + ') + + dbus_stub(unconfined_cronjob_t) +- + allow unconfined_cronjob_t $2:dbus send_msg; +- ') ++ ') + ') + + ######################################## +@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',` + ## User domain for the role + ## + ## ++## + # + interface(`cron_admin_role',` + gen_require(` +@@ -220,7 +228,7 @@ interface(`cron_admin_role',` + + # crontab shows up in user ps + ps_process_pattern($2, admin_crontab_t) +- allow $2 admin_crontab_t:process signal; ++ allow $2 admin_crontab_t:process { ptrace signal_perms }; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(admin_crontab_t, $2) +@@ -234,9 +242,8 @@ interface(`cron_admin_role',` + ') + + dbus_stub(admin_cronjob_t) +- + allow cronjob_t $2:dbus send_msg; +- ') ++ ') + ') + + ######################################## +@@ -304,7 +311,7 @@ interface(`cron_exec',` + + ######################################## + ## +-## Execute crond server in the nscd domain. ++## Execute crond server in the crond domain. + ## + ## + ## @@ -408,7 +415,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -15572,7 +16823,24 @@ index 35241ed..9822074 100644 ') ######################################## -@@ -554,7 +597,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',` + type crond_var_run_t; + ') + ++ files_search_pids($1) + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) + ') + +@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',` + type system_cronjob_t; + ') + +- allow $1 system_cronjob_t:file write; ++ allow $1 system_cronjob_t:fifo_file write; + ') + + ######################################## +@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -15581,7 +16849,7 @@ index 35241ed..9822074 100644 ') ######################################## -@@ -587,11 +630,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -15597,7 +16865,7 @@ index 35241ed..9822074 100644 ') ######################################## -@@ -627,7 +673,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -15623,8 +16891,8 @@ index 35241ed..9822074 100644 + type system_cronjob_var_lib_t; + ') + -+ -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## @@ -15642,13 +16910,40 @@ index 35241ed..9822074 100644 + type system_cronjob_var_lib_t; + ') + -+ -+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..45f5a6f 100644 +index f35b243..2a7f7f4 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te +@@ -10,18 +10,18 @@ gen_require(` + # + + ## +-##

+-## Allow system cron jobs to relabel filesystem +-## for restoring file contexts. +-##

++##

++## Allow system cron jobs to relabel filesystem ++## for restoring file contexts. ++##

+ ## + gen_tunable(cron_can_relabel, false) + + ## +-##

+-## Enable extra rules in the cron domain +-## to support fcron. +-##

++##

++## Enable extra rules in the cron domain ++## to support fcron. ++##

+ ## + gen_tunable(fcron_crond, false) + @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t) type crond_tmp_t; @@ -15678,7 +16973,18 @@ index f35b243..45f5a6f 100644 type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) -@@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon +@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t) + type system_cronjob_tmp_t alias system_crond_tmp_t; + files_tmp_file(system_cronjob_tmp_t) + +-ifdef(`enable_mcs',` +- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) +-') +- + type unconfined_cronjob_t; + domain_type(unconfined_cronjob_t) + domain_cron_exemption_target(unconfined_cronjob_t) +@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) @@ -15690,9 +16996,31 @@ index f35b243..45f5a6f 100644 + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) ++ ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ++') ######################################## # +@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t) + # + + # Allow our crontab domain to unlink a user cron spool file. +-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; ++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; + + # Manipulate other users crontab. + selinux_get_fs_mount(admin_crontab_t) +@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t) + selinux_compute_relabel_context(admin_crontab_t) + selinux_compute_user_contexts(admin_crontab_t) + +-tunable_policy(`fcron_crond', ` ++tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; @@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', ` allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; @@ -15732,27 +17060,40 @@ index f35b243..45f5a6f 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -240,8 +259,17 @@ ifdef(`distro_redhat', ` +@@ -232,7 +251,7 @@ ifdef(`distro_debian',` + ') + ') + +-ifdef(`distro_redhat', ` ++ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. + optional_policy(` +@@ -240,16 +259,39 @@ ifdef(`distro_redhat', ` ') ') -tunable_policy(`fcron_crond', ` -- allow crond_t system_cron_spool_t:file manage_file_perms; +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + -+optional_policy(` ++tunable_policy(`fcron_crond',` + allow crond_t system_cron_spool_t:file manage_file_perms; + ') + + optional_policy(` + apache_search_sys_content(crond_t) +') + +optional_policy(` -+ djbdns_search_tinydns_keys(crond_t) -+ djbdns_link_tinydns_keys(crond_t) - ') - - optional_policy(` -@@ -250,6 +278,20 @@ optional_policy(` ++ djbdns_search_tinydns_keys(crond_t) ++ djbdns_link_tinydns_keys(crond_t) ++') ++ ++optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) ') optional_policy(` @@ -15765,10 +17106,6 @@ index f35b243..45f5a6f 100644 + mono_domtrans(crond_t) +') + -+tunable_policy(`fcron_crond', ` -+ allow crond_t system_cron_spool_t:file manage_file_perms; -+') -+ +optional_policy(` amanda_search_var_lib(crond_t) ') @@ -15806,7 +17143,7 @@ index f35b243..45f5a6f 100644 # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron -allow system_cronjob_t cron_var_lib_t:file manage_file_perms; -+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto }; ++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) +allow system_cronjob_t cron_var_run_t:file manage_file_perms; @@ -15859,9 +17196,12 @@ index f35b243..45f5a6f 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -410,6 +474,8 @@ seutil_read_config(system_cronjob_t) +@@ -408,8 +472,10 @@ miscfiles_manage_man_pages(system_cronjob_t) - ifdef(`distro_redhat', ` + seutil_read_config(system_cronjob_t) + +-ifdef(`distro_redhat', ` ++ifdef(`distro_redhat',` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + allow crond_t system_cron_spool_t:file manage_file_perms; + @@ -15948,7 +17288,7 @@ index f35b243..45f5a6f 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,7 +682,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -590,9 +682,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -15957,8 +17297,11 @@ index f35b243..45f5a6f 100644 +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:file manage_lnk_file_perms; - tunable_policy(`fcron_crond', ` +-tunable_policy(`fcron_crond', ` ++tunable_policy(`fcron_crond',` allow crond_t user_cron_spool_t:file manage_file_perms; + ') + diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc index 1b492ed..286ec9e 100644 --- a/policy/modules/services/cups.fc @@ -15974,7 +17317,7 @@ index 1b492ed..286ec9e 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if -index 305ddf4..fb3454a 100644 +index 305ddf4..777091a 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',` @@ -15990,21 +17333,23 @@ index 305ddf4..fb3454a 100644 read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') -@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',` +@@ -314,11 +316,10 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -+ type cupsd_etc_t, cupsd_log_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t; - type ptal_var_run_t, hplip_var_run_t; - type cupsd_initrc_exec_t; -+ type hplip_etc_t; +- type cupsd_config_var_run_t, cupsd_lpd_var_run_t; +- type cupsd_var_run_t, ptal_etc_t; +- type ptal_var_run_t, hplip_var_run_t; +- type cupsd_initrc_exec_t; ++ type cupsd_etc_t, cupsd_log_t, hplip_etc_t; ++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t; ++ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t; ++ type ptal_var_run_t; ') allow $1 cupsd_t:process { ptrace signal_perms }; -@@ -341,15 +344,14 @@ interface(`cups_admin',` +@@ -341,15 +342,14 @@ interface(`cups_admin',` admin_pattern($1, cupsd_lpd_var_run_t) @@ -16023,7 +17368,7 @@ index 305ddf4..fb3454a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..11e74af 100644 +index 0f28095..b3ab30f 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -16050,10 +17395,12 @@ index 0f28095..11e74af 100644 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -147,10 +150,11 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -146,11 +149,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - allow cupsd_t cupsd_var_run_t:dir setattr; +-allow cupsd_t cupsd_var_run_t:dir setattr; ++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; +manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) @@ -16063,6 +17410,15 @@ index 0f28095..11e74af 100644 allow cupsd_t hplip_t:process { signal sigkill }; +@@ -159,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + allow cupsd_t hplip_var_run_t:file read_file_perms; + + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +-allow cupsd_t ptal_var_run_t : sock_file setattr; ++allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; + + kernel_read_system_state(cupsd_t) + kernel_read_network_state(cupsd_t) @@ -297,8 +301,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16104,7 +17460,7 @@ index 0f28095..11e74af 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -587,13 +599,19 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,14 +599,16 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -16118,22 +17474,98 @@ index 0f28095..11e74af 100644 lpd_manage_spool(cups_pdf_t) +- + tunable_policy(`use_nfs_home_dirs',` + fs_search_auto_mountpoints(cups_pdf_t) + fs_manage_nfs_dirs(cups_pdf_t) +@@ -606,6 +620,10 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(cups_pdf_t) + ') + +optional_policy(` + gnome_read_config(cups_pdf_t) +') ++ + ######################################## + # + # HPLIP local policy +@@ -639,7 +657,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) + manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - tunable_policy(`use_nfs_home_dirs',` - fs_search_auto_mountpoints(cups_pdf_t) + manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) ++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) + + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) + files_pid_filetrans(hplip_t, hplip_var_run_t, file) +diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if +index c43ff4c..5bf3e60 100644 +--- a/policy/modules/services/cvs.if ++++ b/policy/modules/services/cvs.if +@@ -58,9 +58,8 @@ interface(`cvs_exec',` + # + interface(`cvs_admin',` + gen_require(` +- type cvs_t, cvs_tmp_t; ++ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; + type cvs_data_t, cvs_var_run_t; +- type cvs_initrc_exec_t; + ') + + allow $1 cvs_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te -index 88e7e97..9e8d14b 100644 +index 88e7e97..e18dc0b 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te +@@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0) + # + + ## +-##

+-## Allow cvs daemon to read shadow +-##

++##

++## Allow cvs daemon to read shadow ++##

+ ## + gen_tunable(allow_cvs_read_shadow, false) + +@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t) + # Local policy + # + ++allow cvs_t self:capability { setuid setgid }; + allow cvs_t self:process signal_perms; + allow cvs_t self:fifo_file rw_fifo_file_perms; + allow cvs_t self:tcp_socket connected_stream_socket_perms; + # for identd; cjp: this should probably only be inetd_child rules? + allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow cvs_t self:capability { setuid setgid }; + + manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) @@ -112,4 +112,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') +diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if +index 9d44538..7e9057e 100644 +--- a/policy/modules/services/cyphesis.if ++++ b/policy/modules/services/cyphesis.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run cyphesis. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`cyphesis_domtrans',` diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te index 346f926..1f789f8 100644 --- a/policy/modules/services/cyphesis.te @@ -16172,21 +17604,22 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 39e901a..7852441 100644 +index 39e901a..74fa3d6 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if -@@ -42,8 +42,10 @@ template(`dbus_role_template',` +@@ -41,9 +41,9 @@ interface(`dbus_stub',` + template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; - -+ attribute dbusd_unconfined; - attribute session_bus_type; +- +- attribute session_bus_type; ++ attribute dbusd_unconfined, session_bus_type; type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; ') ############################## -@@ -76,7 +78,7 @@ template(`dbus_role_template',` +@@ -76,7 +76,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -16195,8 +17628,14 @@ index 39e901a..7852441 100644 allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -91,7 +93,7 @@ template(`dbus_role_template',` - allow $3 $1_dbusd_t:process { signull sigkill signal }; +@@ -88,14 +88,15 @@ template(`dbus_role_template',` + files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) + + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) +- allow $3 $1_dbusd_t:process { signull sigkill signal }; ++ ++ ps_process_pattern($3, $1_dbusd_t) ++ allow $3 $1_dbusd_t:process { ptrace signal_perms }; # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) @@ -16204,7 +17643,20 @@ index 39e901a..7852441 100644 allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -149,17 +151,25 @@ template(`dbus_role_template',` +- allow $3 $1_dbusd_t:process sigchld; + + kernel_read_system_state($1_dbusd_t) + kernel_read_kernel_sysctls($1_dbusd_t) +@@ -116,7 +117,7 @@ template(`dbus_role_template',` + + dev_read_urand($1_dbusd_t) + +- domain_use_interactive_fds($1_dbusd_t) ++ domain_use_interactive_fds($1_dbusd_t) + domain_read_all_domains_state($1_dbusd_t) + + files_read_etc_files($1_dbusd_t) +@@ -149,17 +150,25 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) @@ -16214,7 +17666,8 @@ index 39e901a..7852441 100644 + userdom_manage_user_home_content_files($1_dbusd_t) + userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) - ifdef(`hide_broken_symptoms', ` +- ifdef(`hide_broken_symptoms', ` ++ ifdef(`hide_broken_symptoms',` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; ') @@ -16231,7 +17684,7 @@ index 39e901a..7852441 100644 xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) ') -@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',` +@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -16244,7 +17697,7 @@ index 39e901a..7852441 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,13 +443,26 @@ interface(`dbus_system_domain',` +@@ -431,14 +442,27 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -16260,6 +17713,7 @@ index 39e901a..7852441 100644 + userdom_dontaudit_search_admin_dir($1) userdom_read_all_users_state($1) +- ifdef(`hide_broken_symptoms', ` + optional_policy(` + rpm_script_dbus_chat($1) + ') @@ -16268,10 +17722,11 @@ index 39e901a..7852441 100644 + unconfined_dbus_send($1) + ') + - ifdef(`hide_broken_symptoms', ` ++ ifdef(`hide_broken_symptoms',` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -479,3 +504,22 @@ interface(`dbus_unconfined',` + ') +@@ -479,3 +503,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -16291,11 +17746,11 @@ index 39e901a..7852441 100644 + type system_dbusd_var_run_t; + ') + ++ files_search_pids($1) + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') -+ diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index b354128..c725cae 100644 +index b354128..d9416fc 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) @@ -16320,11 +17775,10 @@ index b354128..c725cae 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,7 +144,15 @@ optional_policy(` +@@ -141,6 +144,14 @@ optional_policy(` ') optional_policy(` -- policykit_dbus_chat(system_dbusd_t) + gnome_exec_gconf(system_dbusd_t) +') + @@ -16333,10 +17787,9 @@ index b354128..c725cae 100644 +') + +optional_policy(` -+ policykit_dbus_chat(system_dbusd_t) + policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) - ') @@ -158,5 +169,12 @@ optional_policy(` # # Unconfined access to this module @@ -16351,8 +17804,91 @@ index b354128..c725cae 100644 + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') +diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if +index 784753e..bf65e7d 100644 +--- a/policy/modules/services/dcc.if ++++ b/policy/modules/services/dcc.if +@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',` + type dcc_var_t, dccifd_var_run_t, dccifd_t; + ') + +- files_search_var($1) ++ files_search_pids($1) + stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) + ') +diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if +index 0a1a61b..da508f4 100644 +--- a/policy/modules/services/ddclient.if ++++ b/policy/modules/services/ddclient.if +@@ -64,8 +64,8 @@ interface(`ddclient_run',` + interface(`ddclient_admin',` + gen_require(` + type ddclient_t, ddclient_etc_t, ddclient_log_t; +- type ddclient_var_t, ddclient_var_lib_t; +- type ddclient_var_run_t, ddclient_initrc_exec_t; ++ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t; ++ type ddclient_var_run_t; + ') + + allow $1 ddclient_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if +index 567865f..9c9e65c 100644 +--- a/policy/modules/services/denyhosts.if ++++ b/policy/modules/services/denyhosts.if +@@ -13,12 +13,12 @@ + ## Execute a domain transition to run denyhosts. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # +-interface(`denyhosts_domtrans', ` ++interface(`denyhosts_domtrans',` + gen_require(` + type denyhosts_t, denyhosts_exec_t; + ') +@@ -36,7 +36,7 @@ interface(`denyhosts_domtrans', ` + ## + ## + # +-interface(`denyhosts_initrc_domtrans', ` ++interface(`denyhosts_initrc_domtrans',` + gen_require(` + type denyhosts_initrc_exec_t; + ') +@@ -59,8 +59,9 @@ interface(`denyhosts_initrc_domtrans', ` + ## Role allowed access. + ## + ## ++## + # +-interface(`denyhosts_admin', ` ++interface(`denyhosts_admin',` + gen_require(` + type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; + type denyhosts_var_log_t, denyhosts_initrc_exec_t; +@@ -74,12 +75,12 @@ interface(`denyhosts_admin', ` + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, denyhosts_var_lib_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, denyhosts_var_log_t) + +- files_search_locks($1) ++ files_list_locks($1) + admin_pattern($1, denyhosts_var_lock_t) + ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te -index 8ba9425..d53ee7e 100644 +index 8ba9425..b10da2c 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te @@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t) @@ -16392,13 +17928,42 @@ index 8ba9425..d53ee7e 100644 ') + +optional_policy(` -+ gnome_dontaudit_search_config(denyhosts_t) ++ gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..70cf018 100644 +index f706b99..ab2edfc 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if -@@ -165,13 +165,13 @@ interface(`devicekit_admin',` +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run devicekit. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`devicekit_domtrans',` +@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',` + ## Domain allowed access. + ## + ## +-## +-## +-## The role to be allowed to manage the devicekit domain. +-## +-## +-## +-## +-## The type of the user terminal. +-## +-## + ## + # + interface(`devicekit_admin',` +@@ -165,21 +155,21 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -16415,8 +17980,19 @@ index f706b99..70cf018 100644 ps_process_pattern($1, devicekit_power_t) admin_pattern($1, devicekit_tmp_t) +- files_search_tmp($1) ++ files_list_tmp($1) + + admin_pattern($1, devicekit_var_lib_t) +- files_search_var_lib($1) ++ files_list_var_lib($1) + + admin_pattern($1, devicekit_var_run_t) +- files_search_pids($1) ++ files_list_pids($1) + ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..6cee08f 100644 +index f231f17..58416a0 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -16511,7 +18087,7 @@ index f231f17..6cee08f 100644 hal_domtrans_mac(devicekit_power_t) hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -280,5 +303,10 @@ optional_policy(` +@@ -280,5 +303,9 @@ optional_policy(` ') optional_policy(` @@ -16521,11 +18097,19 @@ index f231f17..6cee08f 100644 +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -+ diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if -index 5e2cea8..aa4da1d 100644 +index 5e2cea8..7e129ff 100644 --- a/policy/modules/services/dhcp.if +++ b/policy/modules/services/dhcp.if +@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` + ') + + sysnet_search_dhcp_state($1) +- allow $1 dhcpd_state_t:file setattr; ++ allow $1 dhcpd_state_t:file setattr_file_perms; + ') + + ######################################## @@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',` # interface(`dhcpd_admin',` @@ -16551,17 +18135,78 @@ index d4424ad..a307b51 100644 dbus_connect_system_bus(dhcpd_t) ') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te -index 0c6a473..e723266 100644 +index 0c6a473..51e2ce8 100644 --- a/policy/modules/services/djbdns.te +++ b/policy/modules/services/djbdns.te -@@ -23,6 +23,8 @@ djbdns_daemontools_domain_template(tinydns) +@@ -23,9 +23,6 @@ djbdns_daemontools_domain_template(tinydns) # Local policy for axfrdns component # -+files_config_file(djbdns_axfrdns_conf_t) +-daemontools_ipc_domain(djbdns_axfrdns_t) +-daemontools_read_svc(djbdns_axfrdns_t) +- + allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; + + allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; +@@ -39,6 +36,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; + + files_search_var(djbdns_axfrdns_t) + ++daemontools_ipc_domain(djbdns_axfrdns_t) ++daemontools_read_svc(djbdns_axfrdns_t) + - daemontools_ipc_domain(djbdns_axfrdns_t) - daemontools_read_svc(djbdns_axfrdns_t) + ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) + + ######################################## +diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if +index 9bd812b..c808b31 100644 +--- a/policy/modules/services/dnsmasq.if ++++ b/policy/modules/services/dnsmasq.if +@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',` + ## Read dnsmasq config files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`dnsmasq_read_config',` +@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',` + ## Write to dnsmasq config files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`dnsmasq_write_config',` +@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',` + ## + ## + # +-# + interface(`dnsmasq_delete_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + ++ files_search_pids($1) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') + +@@ -169,6 +169,7 @@ interface(`dnsmasq_read_pid_files',` + type dnsmasq_var_run_t; + ') + ++ files_search_pids($1) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index fdaeeba..a50a8a7 100644 @@ -16592,27 +18237,50 @@ index bfc880b..9a1dcba 100644 ') diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if -index e1d7dc5..09f6f30 100644 +index e1d7dc5..ee51a19 100644 --- a/policy/modules/services/dovecot.if +++ b/policy/modules/services/dovecot.if -@@ -93,12 +93,14 @@ interface(`dovecot_dontaudit_unlink_lib_files',` +@@ -9,13 +9,13 @@ + ## Domain allowed access. + ## + ## +-## + # + interface(`dovecot_stream_connect_auth',` + gen_require(` + type dovecot_auth_t, dovecot_var_run_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) + ') + +@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',` + type dovecot_spool_t; + ') + ++ files_search_spool($1) + manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + ') +@@ -93,12 +94,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',` # interface(`dovecot_admin',` gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_log_t; -+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; - type dovecot_spool_t, dovecot_var_lib_t; +- type dovecot_spool_t, dovecot_var_lib_t; - type dovecot_var_run_t; -+ type dovecot_var_run_t, dovecot_tmp_t; -+ type dovecot_var_log_t; - - type dovecot_cert_t, dovecot_passwd_t; - type dovecot_initrc_exec_t; -+ type dovecot_keytab_t; +- +- type dovecot_cert_t, dovecot_passwd_t; +- type dovecot_initrc_exec_t; ++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; ++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; ++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; ++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') allow $1 dovecot_t:process { ptrace signal_perms }; -@@ -112,8 +114,11 @@ interface(`dovecot_admin',` +@@ -112,8 +111,11 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -16626,7 +18294,7 @@ index e1d7dc5..09f6f30 100644 files_list_spool($1) admin_pattern($1, dovecot_spool_t) -@@ -121,6 +126,9 @@ interface(`dovecot_admin',` +@@ -121,6 +123,9 @@ interface(`dovecot_admin',` files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) @@ -16637,7 +18305,7 @@ index e1d7dc5..09f6f30 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..64bc566 100644 +index cbe14e4..aff2296 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -16695,8 +18363,8 @@ index cbe14e4..64bc566 100644 ') optional_policy(` -+ postfix_manage_private_sockets(dovecot_t) -+ postfix_search_spool(dovecot_t) ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) +') + +optional_policy(` @@ -16763,9 +18431,21 @@ index 298f066..c2570df 100644 /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if -index 6bef7f8..1685c5d 100644 +index 6bef7f8..464669c 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run exim. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`exim_domtrans',` @@ -20,6 +20,24 @@ interface(`exim_domtrans',` ######################################## @@ -16774,11 +18454,11 @@ index 6bef7f8..1685c5d 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`exim_initrc_domtrans', ` ++interface(`exim_initrc_domtrans',` + gen_require(` + type exim_initrc_exec_t; + ') @@ -16791,6 +18471,18 @@ index 6bef7f8..1685c5d 100644 ## Do not audit attempts to read, ## exim tmp files ## +@@ -101,9 +119,9 @@ interface(`exim_read_log',` + ## exim log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`exim_append_log',` @@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) @@ -16812,10 +18504,10 @@ index 6bef7f8..1685c5d 100644 +## +## +# -+interface(`exim_admin', ` ++interface(`exim_admin',` + gen_require(` -+ type exim_t, exim_initrc_exec_t, exim_log_t; -+ type exim_tmp_t, exim_spool_t, exim_var_run_t; ++ type exim_t, exim_initrc_exec_t, exim_log_t; ++ type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + + allow $1 exim_t:process { ptrace signal_perms }; @@ -16826,22 +18518,57 @@ index 6bef7f8..1685c5d 100644 + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; + -+ logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, exim_log_t) + -+ files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, exim_tmp_t) + -+ files_search_spool($1) ++ files_list_spool($1) + admin_pattern($1, exim_spool_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..6c819a3 100644 +index f28f64b..18c3c33 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te +@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) + # + + ## +-##

+-## Allow exim to connect to databases (postgres, mysql) +-##

++##

++## Allow exim to connect to databases (postgres, mysql) ++##

+ ## + gen_tunable(exim_can_connect_db, false) + + ## +-##

+-## Allow exim to read unprivileged user files. +-##

++##

++## Allow exim to read unprivileged user files. ++##

+ ## + gen_tunable(exim_read_user_files, false) + + ## +-##

+-## Allow exim to create, read, write, and delete +-## unprivileged user files. +-##

++##

++## Allow exim to create, read, write, and delete ++## unprivileged user files. ++##

+ ## + gen_tunable(exim_manage_user_files, false) + @@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -16856,7 +18583,7 @@ index f28f64b..6c819a3 100644 ') optional_policy(` -+ nagios_search_spool(exim_t) ++ nagios_search_spool(exim_t) +') + +optional_policy(` @@ -16872,9 +18599,33 @@ index f28f64b..6c819a3 100644 optional_policy(` diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..e4261f5 100644 +index f590a1f..87f6bfb 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run fail2ban. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`fail2ban_domtrans',` +@@ -102,9 +102,9 @@ interface(`fail2ban_read_log',` + ## fail2ban log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`fail2ban_append_log',` @@ -138,6 +138,26 @@ interface(`fail2ban_read_pid_files',` ######################################## @@ -16902,15 +18653,35 @@ index f590a1f..e4261f5 100644 ## All of the rules required to administrate ## an fail2ban environment ## +@@ -155,8 +175,8 @@ interface(`fail2ban_read_pid_files',` + # + interface(`fail2ban_admin',` + gen_require(` +- type fail2ban_t, fail2ban_log_t; +- type fail2ban_var_run_t, fail2ban_initrc_exec_t; ++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; ++ type fail2ban_var_run_t; + ') + + allow $1 fail2ban_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..fd30b02 100644 +index 2a69e5e..7c5bf19 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te +@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; + allow fail2ban_t self:tcp_socket create_stream_socket_perms; + + # log files +-allow fail2ban_t fail2ban_log_t:dir setattr; ++allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms; + manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) + logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) + @@ -94,5 +94,9 @@ optional_policy(` ') optional_policy(` -+ gnome_dontaudit_search_config(fail2ban_t) ++ gnome_dontaudit_search_config(fail2ban_t) +') + +optional_policy(` @@ -16928,6 +18699,27 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if +index ebad8c4..c02062c 100644 +--- a/policy/modules/services/fprintd.if ++++ b/policy/modules/services/fprintd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run fprintd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`fprintd_domtrans',` +@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',` + allow $1 fprintd_t:dbus send_msg; + allow fprintd_t $1:dbus send_msg; + ') +- diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te index 7df52c7..899feaf 100644 --- a/policy/modules/services/fprintd.te @@ -16959,33 +18751,164 @@ index 69dcd2a..a9a9116 100644 /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) +diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if +index bc27421..26cc64b 100644 +--- a/policy/modules/services/ftp.if ++++ b/policy/modules/services/ftp.if +@@ -53,25 +53,6 @@ interface(`ftp_read_config',` + + ######################################## + ## +-## Execute FTP daemon entry point programs. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`ftp_check_exec',` +- gen_require(` +- type ftpd_exec_t; +- ') +- +- corecmd_search_bin($1) +- allow $1 ftpd_exec_t:file { getattr execute }; +-') +- +-######################################## +-## + ## Read FTP transfer logs + ## + ## +@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',` + interface(`ftp_admin',` + gen_require(` + type ftpd_t, ftpdctl_t, ftpd_tmp_t; +- type ftpd_etc_t, ftpd_lock_t; ++ type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t; + type ftpd_var_run_t, xferlog_t; +- type ftpd_initrc_exec_t; + ') + + allow $1 ftpd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..34a0014 100644 +index 8a74a83..2284f4e 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te -@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) +@@ -6,70 +6,85 @@ policy_module(ftp, 1.12.0) + # ## - ##

-+## Allow ftp servers to use connect to mysql database -+##

+-##

+-## Allow ftp servers to upload files, used for public file +-## transfer services. Directories must be labeled +-## public_content_rw_t. +-##

++##

++## Allow ftp servers to upload files, used for public file ++## transfer services. Directories must be labeled ++## public_content_rw_t. ++##

+ ## + gen_tunable(allow_ftpd_anon_write, false) + + ## +-##

+-## Allow ftp servers to login to local users and +-## read/write all files on the system, governed by DAC. +-##

++##

++## Allow ftp servers to login to local users and ++## read/write all files on the system, governed by DAC. ++##

+ ## + gen_tunable(allow_ftpd_full_access, false) + + ## +-##

+-## Allow ftp servers to use cifs +-## used for public file transfer services. +-##

++##

++## Allow ftp servers to use cifs ++## used for public file transfer services. ++##

+ ## + gen_tunable(allow_ftpd_use_cifs, false) + + ## +-##

+-## Allow ftp servers to use nfs +-## used for public file transfer services. +-##

++##

++## Allow ftp servers to use nfs ++## used for public file transfer services. ++##

+ ## + gen_tunable(allow_ftpd_use_nfs, false) + + ## +-##

+-## Allow ftp to read and write files in the user home directories +-##

++##

++## Allow ftp servers to use connect to mysql database ++##

+## +gen_tunable(ftpd_connect_db, false) + +## -+##

- ## Allow ftp to read and write files in the user home directories - ##

++##

++## Allow ftp to read and write files in the user home directories ++##

## -@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false) + gen_tunable(ftp_home_dir, false) + + ## +-##

+-## Allow anon internal-sftp to upload files, used for +-## public file transfer services. Directories must be labeled +-## public_content_rw_t. +-##

++##

++## Allow anon internal-sftp to upload files, used for ++## public file transfer services. Directories must be labeled ++## public_content_rw_t. ++##

+ ## + gen_tunable(sftpd_anon_write, false) + + ## +-##

+-## Allow sftp-internal to read and write files +-## in the user home directories +-##

++##

++## Allow sftp-internal to read and write files ++## in the user home directories ++##

+ ## + gen_tunable(sftpd_enable_homedirs, false) + + ## +-##

+-## Allow sftp-internal to login to local users and +-## read/write all files on the system, governed by DAC. +-##

++##

++## Allow sftp-internal to login to local users and ++## read/write all files on the system, governed by DAC. ++##

## gen_tunable(sftpd_full_access, false) +## -+##

-+## Allow interlnal-sftp to read and write files -+## in the user ssh home directories. -+##

++##

++## Allow interlnal-sftp to read and write files ++## in the user ssh home directories. ++##

+## +gen_tunable(sftpd_write_ssh_home, false) + @@ -17020,6 +18943,22 @@ index 8a74a83..34a0014 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +@@ -163,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file + manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) + manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) + manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) +-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) ++files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) + + # proftpd requires the client side to bind a socket so that + # it can stat the socket to perform access control decisions, + # since getsockopt with SO_PEERCRED is not available on all + # proftpd-supported OSs +-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; ++allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; + + # Create and modify /var/log/xferlog. + manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) @@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) @@ -17031,10 +18970,10 @@ index 8a74a83..34a0014 100644 + userdom_manage_user_home_content(ftpd_t) + userdom_manage_user_tmp_files(ftpd_t) + userdom_tmp_filetrans_user_tmp(ftpd_t, file) -+', ` -+ # Needed for permissive mode, to make sure everything gets labeled correctly -+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) -+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) ++',` ++ # Needed for permissive mode, to make sure everything gets labeled correctly ++ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) ++ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` @@ -17054,34 +18993,41 @@ index 8a74a83..34a0014 100644 +') + +tunable_policy(`ftpd_connect_db',` -+ corenet_tcp_connect_mysqld_port(ftpd_t) -+ corenet_tcp_connect_postgresql_port(ftpd_t) ++ mysql_tcp_connect(ftpd_t) ++ postgresql_tcp_connect(ftpd_t) +') + +optional_policy(` inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -362,21 +400,33 @@ userdom_use_user_terminals(ftpdctl_t) - # - # sftpd local policy - # -- - files_read_etc_files(sftpd_t) +@@ -347,10 +385,11 @@ optional_policy(` + + # Allow ftpdctl to talk to ftpd over a socket connection + stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) ++files_search_pids(ftpdctl_t) + # ftpdctl creates a socket so that the daemon can perform + # access control decisions (see comments in ftpd_t rules above) +-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; ++allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + + # Allow ftpdctl to read config files +@@ -368,15 +407,28 @@ files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ auth_manage_all_files_except_shadow(sftpd_t) ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ fs_read_noxattr_fs_files(sftpd_t) ++ auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` -+ ssh_manage_home_files(sftpd_t) ++ ssh_manage_home_files(sftpd_t) +') tunable_policy(`sftpd_enable_homedirs',` @@ -17094,23 +19040,37 @@ index 8a74a83..34a0014 100644 - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) -+', ` -+ # Needed for permissive mode, to make sure everything gets labeled correctly -+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ++',` ++ # Needed for permissive mode, to make sure everything gets labeled correctly ++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` +diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te +index 99a94de..6dbc203 100644 +--- a/policy/modules/services/gatekeeper.te ++++ b/policy/modules/services/gatekeeper.te +@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms; + allow gatekeeper_t self:tcp_socket create_stream_socket_perms; + allow gatekeeper_t self:udp_socket create_socket_perms; + +-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; ++allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms; + allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; + files_search_etc(gatekeeper_t) + diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc -index 54f0737..7ab4c92 100644 +index 54f0737..28b71f6 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc -@@ -1,3 +1,12 @@ -+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) -+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) +@@ -1,3 +1,13 @@ ++HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) ++HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) ++HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) + -+/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) ++/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) + -+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) ++/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) /var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -17118,18 +19078,18 @@ index 54f0737..7ab4c92 100644 +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if -index 458aac6..63742a3 100644 +index 458aac6..3780650 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if -@@ -1 +1,525 @@ +@@ -1 +1,520 @@ -## GIT revision control system +## Fast Version Control System. +## +##

-+## A really simple TCP git daemon that normally listens on -+## port DEFAULT_GIT_PORT aka 9418. It waits for a -+## connection asking for a service, and will serve that -+## service if it is enabled. ++## A really simple TCP git daemon that normally listens on ++## port DEFAULT_GIT_PORT aka 9418. It waits for a ++## connection asking for a service, and will serve that ++## service if it is enabled. +##

+## + @@ -17150,8 +19110,7 @@ index 458aac6..63742a3 100644 +# +interface(`git_session_role',` + gen_require(` -+ type git_session_t, gitd_exec_t; -+ type git_session_content_t; ++ type git_session_t, gitd_exec_t, git_session_content_t; + ') + + ######################################## @@ -17184,10 +19143,8 @@ index 458aac6..63742a3 100644 +## +# +template(`git_content_template',` -+ + gen_require(` -+ attribute git_system_content; -+ attribute git_content; ++ attribute git_system_content, git_content; + ') + + ######################################## @@ -17211,7 +19168,6 @@ index 458aac6..63742a3 100644 +## +# +template(`git_role_template',` -+ + gen_require(` + class context contains; + role system_r; @@ -17647,9 +19603,8 @@ index 458aac6..63742a3 100644 + relabel_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) +') -+ diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te -index 7382f85..cf17085 100644 +index 7382f85..8d10fc5 100644 --- a/policy/modules/services/git.te +++ b/policy/modules/services/git.te @@ -1,8 +1,192 @@ @@ -17657,23 +19612,23 @@ index 7382f85..cf17085 100644 +policy_module(git, 1.0.3) + +## -+##

-+## Allow Git daemon system to search home directories. -+##

++##

++## Allow Git daemon system to search home directories. ++##

+## +gen_tunable(git_system_enable_homedirs, false) + +## -+##

-+## Allow Git daemon system to access cifs file systems. -+##

++##

++## Allow Git daemon system to access cifs file systems. ++##

+## +gen_tunable(git_system_use_cifs, false) + +## -+##

-+## Allow Git daemon system to access nfs file systems. -+##

++##

++## Allow Git daemon system to access nfs file systems. ++##

+## +gen_tunable(git_system_use_nfs, false) + @@ -17687,6 +19642,7 @@ index 7382f85..cf17085 100644 +attribute git_content; + +type gitd_exec_t; ++application_executable_file(gitd_exec_t) + +######################################## +# @@ -17707,10 +19663,10 @@ index 7382f85..cf17085 100644 +# + +## -+##

-+## Allow Git daemon session to bind -+## tcp sockets to all unreserved ports. -+##

++##

++## Allow Git daemon session to bind ++## tcp sockets to all unreserved ports. ++##

+## +gen_tunable(git_session_bind_all_unreserved_ports, false) + @@ -17775,37 +19731,35 @@ index 7382f85..cf17085 100644 +read_files_pattern(git_system_t, git_content, git_content) +files_search_var_lib(git_system_t) + -+tunable_policy(`git_system_enable_homedirs', ` ++tunable_policy(`git_system_enable_homedirs',` + userdom_search_user_home_dirs(git_system_t) +') + -+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` ++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') + -+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` ++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + -+tunable_policy(`git_system_use_cifs', ` ++tunable_policy(`git_system_use_cifs',` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + -+tunable_policy(`git_system_use_nfs', ` ++tunable_policy(`git_system_use_nfs',` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') - - ######################################## - # --# Declarations ++ ++######################################## ++# +# Git daemon session repository private policy. - # - --apache_content_template(git) ++# ++ +allow git_session_t self:tcp_socket { accept listen }; + +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) @@ -17814,17 +19768,17 @@ index 7382f85..cf17085 100644 + +userdom_use_user_terminals(git_session_t) + -+tunable_policy(`git_session_bind_all_unreserved_ports', ` ++tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(git_session_t) + corenet_sendrecv_generic_server_packets(git_session_t) +') + -+tunable_policy(`use_nfs_home_dirs', ` ++tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(git_session_t) + fs_read_nfs_files(git_session_t) +') + -+tunable_policy(`use_samba_home_dirs', ` ++tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) +') @@ -17839,15 +19793,16 @@ index 7382f85..cf17085 100644 + git_read_all_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') -+ -+######################################## -+# + + ######################################## + # +-# Declarations +# Git-shell private policy. -+# -+ + # + +-apache_content_template(git) +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) -+ diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc index 462de63..a8ce02e 100644 --- a/policy/modules/services/gnomeclock.fc @@ -17858,9 +19813,21 @@ index 462de63..a8ce02e 100644 +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if -index 671d8fd..da0e844 100644 +index 671d8fd..b1f8f93 100644 --- a/policy/modules/services/gnomeclock.if +++ b/policy/modules/services/gnomeclock.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run gnomeclock. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`gnomeclock_domtrans',` @@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',` allow $1 gnomeclock_t:dbus send_msg; allow gnomeclock_t $1:dbus send_msg; @@ -17873,7 +19840,7 @@ index 671d8fd..da0e844 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -17886,6 +19853,46 @@ index 671d8fd..da0e844 100644 + dontaudit $1 gnomeclock_t:dbus send_msg; + dontaudit gnomeclock_t $1:dbus send_msg; +') +diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if +index 7d97298..d6b2959 100644 +--- a/policy/modules/services/gpm.if ++++ b/policy/modules/services/gpm.if +@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',` + type gpmctl_t, gpm_t; + ') + +- allow $1 gpmctl_t:sock_file rw_sock_file_perms; +- allow $1 gpm_t:unix_stream_socket connectto; ++ dev_list_all_dev_nodes($1) ++ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) + ') + + ######################################## +@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',` + ') + + dev_list_all_dev_nodes($1) +- allow $1 gpmctl_t:sock_file getattr; ++ allow $1 gpmctl_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',` + type gpmctl_t; + ') + +- dontaudit $1 gpmctl_t:sock_file getattr; ++ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',` + ') + + dev_list_all_dev_nodes($1) +- allow $1 gpmctl_t:sock_file setattr; ++ allow $1 gpmctl_t:sock_file setattr_sock_file_perms; + ') diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te index 03742d8..7b9c543 100644 --- a/policy/modules/services/gpsd.te @@ -17902,10 +19909,35 @@ index 03742d8..7b9c543 100644 ') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if -index 7cf6763..0d50d0d 100644 +index 7cf6763..26de57a 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if -@@ -51,6 +51,7 @@ interface(`hal_read_state',` +@@ -20,24 +20,6 @@ interface(`hal_domtrans',` + + ######################################## + ## +-## Get the attributes of a hal process. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`hal_getattr',` +- gen_require(` +- type hald_t; +- ') +- +- allow $1 hald_t:process getattr; +-') +- +-######################################## +-## + ## Read hal system state + ## + ## +@@ -51,6 +33,7 @@ interface(`hal_read_state',` type hald_t; ') @@ -17913,11 +19945,47 @@ index 7cf6763..0d50d0d 100644 ps_process_pattern($1, hald_t) ') -@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',` +@@ -87,7 +70,7 @@ interface(`hal_use_fds',` + type hald_t; + ') + +- allow $1 hald_t:fd use; ++ allow $1 hald_t:fd use; + ') + + ######################################## +@@ -105,7 +88,7 @@ interface(`hal_dontaudit_use_fds',` + type hald_t; + ') + +- dontaudit $1 hald_t:fd use; ++ dontaudit $1 hald_t:fd use; + ') + + ######################################## +@@ -124,7 +107,7 @@ interface(`hal_rw_pipes',` + type hald_t; + ') + +- allow $1 hald_t:fifo_file rw_fifo_file_perms; ++ allow $1 hald_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -143,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',` + type hald_t; + ') + +- dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -377,6 +360,25 @@ interface(`hal_read_pid_files',` ######################################## ## -+## Do not audit attempts to read ++## Do not audit attempts to read +## hald PID files. +## +## @@ -17939,7 +20007,7 @@ index 7cf6763..0d50d0d 100644 ## Read/Write hald PID files. ## ## -@@ -431,3 +451,27 @@ interface(`hal_manage_pid_files',` +@@ -431,3 +433,25 @@ interface(`hal_manage_pid_files',` files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') @@ -17956,19 +20024,17 @@ index 7cf6763..0d50d0d 100644 +# +interface(`hal_dontaudit_leaks',` + gen_require(` -+ type hald_log_t; -+ type hald_t; -+ type hald_var_run_t; ++ type hald_log_t, hald_t, hald_var_run_t; + ') + -+ dontaudit $1 hald_t:fd use; ++ dontaudit $1 hald_t:fd use; + dontaudit $1 hald_log_t:file rw_inherited_file_perms; -+ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit hald_t $1:socket_class_set { read write }; + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te -index 24c6253..e72b063 100644 +index 24c6253..ae0b05b 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) @@ -18019,7 +20085,17 @@ index 24c6253..e72b063 100644 optional_policy(` alsa_domtrans(hald_t) -@@ -268,6 +278,10 @@ optional_policy(` +@@ -252,8 +262,7 @@ optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client(hald_t) +- dbus_connect_system_bus(hald_t) ++ dbus_system_domain(hald_t, hald_exec_t) + + init_dbus_chat_script(hald_t) + +@@ -268,6 +277,10 @@ optional_policy(` ') optional_policy(` @@ -18030,18 +20106,27 @@ index 24c6253..e72b063 100644 gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -318,6 +332,10 @@ optional_policy(` +@@ -302,7 +315,7 @@ optional_policy(` + ') + + optional_policy(` +- policykit_dbus_chat(hald_t) ++ policykit_dbus_chat(hald_t) + policykit_domtrans_auth(hald_t) + policykit_domtrans_resolve(hald_t) + policykit_read_lib(hald_t) +@@ -318,6 +331,10 @@ optional_policy(` ') optional_policy(` + shutdown_domtrans(hald_t) -+') ++') + +optional_policy(` udev_domtrans(hald_t) udev_read_db(hald_t) ') -@@ -338,6 +356,10 @@ optional_policy(` +@@ -338,6 +355,10 @@ optional_policy(` virt_manage_images(hald_t) ') @@ -18052,7 +20137,7 @@ index 24c6253..e72b063 100644 ######################################## # # Hal acl local policy -@@ -358,6 +380,7 @@ files_search_var_lib(hald_acl_t) +@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t) manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -18060,11 +20145,20 @@ index 24c6253..e72b063 100644 corecmd_exec_bin(hald_acl_t) -@@ -470,6 +493,10 @@ files_read_usr_files(hald_keymap_t) +@@ -388,7 +410,7 @@ logging_send_syslog_msg(hald_acl_t) + miscfiles_read_localization(hald_acl_t) + + optional_policy(` +- policykit_dbus_chat(hald_acl_t) ++ policykit_dbus_chat(hald_acl_t) + policykit_domtrans_auth(hald_acl_t) + policykit_read_lib(hald_acl_t) + policykit_read_reload(hald_acl_t) +@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) -+# This is caused by a bug in hald and PolicyKit. ++# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) + @@ -18072,22 +20166,57 @@ index 24c6253..e72b063 100644 # # Local hald dccm policy diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if -index 87b4531..777b036 100644 +index 87b4531..db2d189 100644 --- a/policy/modules/services/hddtemp.if +++ b/policy/modules/services/hddtemp.if -@@ -70,8 +70,4 @@ interface(`hddtemp_admin',` +@@ -69,9 +69,5 @@ interface(`hddtemp_admin',` + allow $2 system_r; admin_pattern($1, hddtemp_etc_t) - files_search_etc($1) +- files_search_etc($1) - - allow $1 hddtemp_t:dir list_dir_perms; - read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) - kernel_search_proc($1) ++ files_list_etc($1) ') +diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te +index 267bb4c..1647fc4 100644 +--- a/policy/modules/services/hddtemp.te ++++ b/policy/modules/services/hddtemp.te +@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t) + logging_send_syslog_msg(hddtemp_t) + + miscfiles_read_localization(hddtemp_t) +- diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if -index ecab47a..3aa86f3 100644 +index ecab47a..40affd8 100644 --- a/policy/modules/services/icecast.if +++ b/policy/modules/services/icecast.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run icecast. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`icecast_domtrans',` +@@ -118,9 +118,9 @@ interface(`icecast_read_log',` + ## icecast log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`icecast_append_log',` @@ -173,6 +173,7 @@ interface(`icecast_admin',` type icecast_t, icecast_initrc_exec_t; ') @@ -18096,8 +20225,16 @@ index ecab47a..3aa86f3 100644 ps_process_pattern($1, icecast_t) # Allow icecast_t to restart the apache service +@@ -182,7 +183,5 @@ interface(`icecast_admin',` + allow $2 system_r; + + icecast_manage_pid_files($1) +- + icecast_manage_log($1) +- + ') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index f368bf3..80befb0 100644 +index f368bf3..6bf7cc3 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -5,6 +5,14 @@ policy_module(icecast, 1.0.1) @@ -18105,16 +20242,25 @@ index f368bf3..80befb0 100644 # +## -+##

-+## Allow icecast to connect to all ports, not just -+## sound ports. -+##

++##

++## Allow icecast to connect to all ports, not just ++## sound ports. ++##

+## +gen_tunable(icecast_connect_any, false) + type icecast_t; type icecast_exec_t; init_daemon_domain(icecast_t, icecast_exec_t) +@@ -31,7 +39,7 @@ allow icecast_t self:tcp_socket create_stream_socket_perms; + + manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) + manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) +-logging_log_filetrans(icecast_t, icecast_log_t, { file dir } ) ++logging_log_filetrans(icecast_t, icecast_log_t, { file dir }) + + manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) + manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) @@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) kernel_read_system_state(icecast_t) @@ -18129,11 +20275,114 @@ index f368bf3..80befb0 100644 # Init script handling domain_use_interactive_fds(icecast_t) +diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if +index dfb4232..7665429 100644 +--- a/policy/modules/services/ifplugd.if ++++ b/policy/modules/services/ifplugd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run ifplugd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ifplugd_domtrans',` +@@ -113,8 +113,8 @@ interface(`ifplugd_read_pid_files',` + # + interface(`ifplugd_admin',` + gen_require(` +- type ifplugd_t, ifplugd_etc_t; +- type ifplugd_var_run_t, ifplugd_initrc_exec_t; ++ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; ++ type ifplugd_initrc_exec_t; + ') + + allow $1 ifplugd_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if +index df48e5e..6985546 100644 +--- a/policy/modules/services/inetd.if ++++ b/policy/modules/services/inetd.if +@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',` + ## + # + interface(`inetd_tcp_service_domain',` +- + gen_require(` + type inetd_t; + ') +diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if +index ebc9e0d..2f3d8dc 100644 +--- a/policy/modules/services/inn.if ++++ b/policy/modules/services/inn.if +@@ -93,6 +93,7 @@ interface(`inn_read_config',` + type innd_etc_t; + ') + ++ files_search_etc($1) + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; +@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',` + type innd_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; + allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; +@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',` + type news_spool_t; + ') + ++ files_search_spool($1) + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; +@@ -195,8 +198,8 @@ interface(`inn_domtrans',` + interface(`inn_admin',` + gen_require(` + type innd_t, innd_etc_t, innd_log_t; +- type news_spool_t, innd_var_lib_t; +- type innd_var_run_t, innd_initrc_exec_t; ++ type news_spool_t, innd_var_lib_t, innd_var_run_t; ++ type innd_initrc_exec_t; + ') + + allow $1 innd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te -index 9fab1dc..05119f7 100644 +index 9fab1dc..dc7dd01 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te -@@ -56,7 +56,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) +@@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) + # + # Declarations + # ++ + type innd_t; + type innd_exec_t; + init_daemon_domain(innd_t, innd_exec_t) +@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) + # + # Local policy + # ++ + allow innd_t self:capability { dac_override kill setgid setuid }; + dontaudit innd_t self:capability sys_tty_config; + allow innd_t self:process { setsched signal_perms }; +@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) + can_exec(innd_t, innd_exec_t) + + manage_files_pattern(innd_t, innd_log_t, innd_log_t) +-allow innd_t innd_log_t:dir setattr; ++allow innd_t innd_log_t:dir setattr_dir_perms; + logging_log_filetrans(innd_t, innd_log_t, file) + + manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -18142,7 +20391,7 @@ index 9fab1dc..05119f7 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +105,7 @@ sysnet_read_config(innd_t) +@@ -105,6 +107,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -18170,139 +20419,132 @@ index 4c9acec..908eb91 100644 /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if -index 9878499..f17e629 100644 +index 9878499..9167dc9 100644 --- a/policy/modules/services/jabber.if +++ b/policy/modules/services/jabber.if -@@ -1,17 +1,96 @@ +@@ -1,8 +1,82 @@ ## Jabber instant messaging server -######################################## +####################################### - ## --## Connect to jabber over a TCP socket (Deprecated) -+## Execute a domain transition to run jabberd services - ## - ## --## --## Domain allowed access. --## +## -+## Domain allowed to transition. ++## Execute a domain transition to run jabberd services +## ++## ++## ++## Domain allowed to transition. ++## +## +# +interface(`jabber_domtrans_jabberd',` -+ gen_require(` -+ type jabberd_t, jabberd_exec_t; -+ ') ++ gen_require(` ++ type jabberd_t, jabberd_exec_t; ++ ') + -+ domtrans_pattern($1, jabberd_exec_t, jabberd_t) ++ domtrans_pattern($1, jabberd_exec_t, jabberd_t) +') + +###################################### +## -+## Execute a domain transition to run jabberd router service ++## Execute a domain transition to run jabberd router service +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed to transition. ++## +## +# +interface(`jabber_domtrans_jabberd_router',` -+ gen_require(` -+ type jabberd_router_t, jabberd_router_exec_t; -+ ') ++ gen_require(` ++ type jabberd_router_t, jabberd_router_exec_t; ++ ') + -+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) ++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) +') + +####################################### +## -+## Read jabberd lib files. ++## Read jabberd lib files. +## +## -+## -+## Domain allowed access. -+## - ## - # --interface(`jabber_tcp_connect',` -- refpolicywarn(`$0($*) has been deprecated.') ++## ++## Domain allowed access. ++## ++## ++# +interface(`jabberd_read_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) +') + +####################################### -+## -+## Dontaudit inherited read jabberd lib files. + ## +-## Connect to jabber over a TCP socket (Deprecated) ++## Dontaudit inherited read jabberd lib files. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain to not audit. ++## +## +# +interface(`jabberd_dontaudit_read_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') + -+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; ++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; +') + +####################################### +## -+## Create, read, write, and delete -+## jabberd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# ++## Create, read, write, and delete ++## jabberd lib files. + ## + ## + ## +@@ -10,8 +84,13 @@ + ## + ## + # +-interface(`jabber_tcp_connect',` +- refpolicywarn(`$0($*) has been deprecated.') +interface(`jabberd_manage_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') + -+ files_search_var_lib($1) -+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ') ######################################## -@@ -35,11 +114,15 @@ interface(`jabber_admin',` +@@ -34,12 +113,15 @@ interface(`jabber_tcp_connect',` + interface(`jabber_admin',` gen_require(` type jabberd_t, jabberd_log_t, jabberd_var_lib_t; - type jabberd_var_run_t, jabberd_initrc_exec_t; -+ type jabberd_router_t; +- type jabberd_var_run_t, jabberd_initrc_exec_t; ++ type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t; ') allow $1 jabberd_t:process { ptrace signal_perms }; ps_process_pattern($1, jabberd_t) + allow $1 jabberd_router_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, jabberd_router_t) ++ ps_process_pattern($1, jabberd_router_t) + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..975bbcd 100644 +index da2127e..5f8840f 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -1,3 +1,4 @@ -+ - policy_module(jabber, 1.8.0) - - ######################################## -@@ -5,13 +6,19 @@ policy_module(jabber, 1.8.0) +@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0) # Declarations # @@ -18323,7 +20565,7 @@ index da2127e..975bbcd 100644 type jabberd_log_t; logging_log_file(jabberd_log_t) -@@ -21,40 +28,78 @@ files_type(jabberd_var_lib_t) +@@ -21,40 +27,78 @@ files_type(jabberd_var_lib_t) type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) @@ -18354,10 +20596,14 @@ index da2127e..975bbcd 100644 +# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd +manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) +logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) -+ + +-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) +manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) +files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) -+ + +-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -18379,32 +20625,28 @@ index da2127e..975bbcd 100644 +miscfiles_read_localization(jabberd_domain) + +sysnet_read_config(jabberd_domain) - --manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) ++ +###################################### +# +# Local policy for jabberd-router +# -+ + +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) - --manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++ +optional_policy(` -+ kerberos_use(jabberd_router_t) ++ kerberos_use(jabberd_router_t) +') + +######################################## +# +# Local policy for jabberd +# - --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) ++ +allow jabberd_t self:capability dac_override; +dontaudit jabberd_t self:capability sys_tty_config; @@ -18426,7 +20668,7 @@ index da2127e..975bbcd 100644 corenet_tcp_bind_jabber_client_port(jabberd_t) corenet_tcp_bind_jabber_interserver_port(jabberd_t) corenet_sendrecv_jabber_client_server_packets(jabberd_t) -@@ -66,18 +111,9 @@ dev_read_rand(jabberd_t) +@@ -66,18 +110,9 @@ dev_read_rand(jabberd_t) domain_use_interactive_fds(jabberd_t) @@ -18458,10 +20700,102 @@ index 3525d24..e5db539 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if +index 604f67b..8c72504 100644 +--- a/policy/modules/services/kerberos.if ++++ b/policy/modules/services/kerberos.if +@@ -26,9 +26,9 @@ + ## Execute kadmind in the current domain + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`kerberos_exec_kadmind',` +@@ -44,9 +44,9 @@ interface(`kerberos_exec_kadmind',` + ## Execute a domain transition to run kpropd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`kerberos_domtrans_kpropd',` +@@ -69,8 +69,7 @@ interface(`kerberos_domtrans_kpropd',` + # + interface(`kerberos_use',` + gen_require(` +- type krb5_conf_t, krb5kdc_conf_t; +- type krb5_host_rcache_t; ++ type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t; + ') + + files_search_etc($1) +@@ -103,7 +102,7 @@ interface(`kerberos_use',` + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) + +- allow $1 krb5_host_rcache_t:file getattr; ++ allow $1 krb5_host_rcache_t:file getattr_file_perms; + ') + + optional_policy(` +@@ -235,7 +234,7 @@ template(`kerberos_keytab_template',` + type $1_keytab_t; + files_type($1_keytab_t) + +- allow $2 $1_keytab_t:file read_file_perms; ++ allow $2 $1_keytab_t:file read_file_perms; + + kerberos_read_keytab($2) + kerberos_use($2) +@@ -338,9 +337,8 @@ interface(`kerberos_admin',` + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; +- type krb5kdc_principal_t, krb5kdc_tmp_t; ++ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; + type krb5kdc_var_run_t, krb5_host_rcache_t; +- type kpropd_t; + ') + + allow $1 kadmind_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..225e33f 100644 +index 8edc29b..744e7d6 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te +@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) + # + + ## +-##

+-## Allow confined applications to run with kerberos. +-##

++##

++## Allow confined applications to run with kerberos. ++##

+ ## + gen_tunable(allow_kerberos, false) + +@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms; + dontaudit kadmind_t krb5_conf_t:file write; + + read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) +-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr }; ++dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; + +-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr }; ++allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + + allow kadmind_t krb5kdc_principal_t:file manage_file_perms; + filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) @@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) @@ -18484,7 +20818,13 @@ index 8edc29b..225e33f 100644 miscfiles_read_localization(kadmind_t) seutil_read_file_contexts(kadmind_t) -@@ -198,8 +202,7 @@ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; +@@ -193,13 +197,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) + read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) + dontaudit krb5kdc_t krb5kdc_conf_t:file write; + +-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; ++allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) @@ -18502,6 +20842,46 @@ index 8edc29b..225e33f 100644 miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) +diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if +index 835b16b..dd32883 100644 +--- a/policy/modules/services/kerneloops.if ++++ b/policy/modules/services/kerneloops.if +@@ -5,15 +5,14 @@ + ## Execute a domain transition to run kerneloops. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`kerneloops_domtrans',` + gen_require(` +- type kerneloops_t; +- type kerneloops_exec_t; ++ type kerneloops_t, kerneloops_exec_t; + ') + + domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) +@@ -99,8 +98,7 @@ interface(`kerneloops_manage_tmp_files',` + # + interface(`kerneloops_admin',` + gen_require(` +- type kerneloops_t, kerneloops_initrc_exec_t; +- type kerneloops_tmp_t; ++ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; + ') + + allow $1 kerneloops_t:process { ptrace signal_perms }; +@@ -111,5 +109,6 @@ interface(`kerneloops_admin',` + role_transition $2 kerneloops_initrc_exec_t system_r; + allow $2 system_r; + ++ files_list_tmp($1) + admin_pattern($1, kerneloops_tmp_t) + ') diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc index 9c0c835..8360166 100644 --- a/policy/modules/services/ksmtuned.fc @@ -18513,10 +20893,28 @@ index 9c0c835..8360166 100644 + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if -index 6fd0b4c..d17f349 100644 +index 6fd0b4c..b733e45 100644 --- a/policy/modules/services/ksmtuned.if +++ b/policy/modules/services/ksmtuned.if -@@ -60,7 +60,7 @@ interface(`ksmtuned_admin',` +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run ksmtuned. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ksmtuned_domtrans',` +@@ -55,12 +55,11 @@ interface(`ksmtuned_initrc_domtrans',` + # + interface(`ksmtuned_admin',` + gen_require(` +- type ksmtuned_t, ksmtuned_var_run_t; +- type ksmtuned_initrc_exec_t; ++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') allow $1 ksmtuned_t:process { ptrace signal_perms }; @@ -18525,8 +20923,14 @@ index 6fd0b4c..d17f349 100644 files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) +@@ -70,5 +69,4 @@ interface(`ksmtuned_admin',` + domain_system_change_exemption($1) + role_transition $2 ksmtuned_initrc_exec_t system_r; + allow $2 system_r; +- + ') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te -index a73b7a1..ffe035c 100644 +index a73b7a1..01adbed 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -18550,7 +20954,7 @@ index a73b7a1..ffe035c 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,15 @@ kernel_read_system_state(ksmtuned_t) +@@ -31,9 +38,14 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -18565,7 +20969,6 @@ index a73b7a1..ffe035c 100644 +term_use_all_terms(ksmtuned_t) + miscfiles_read_localization(ksmtuned_t) -+ diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index c62f23e..335fda1 100644 --- a/policy/modules/services/ldap.fc @@ -18586,54 +20989,52 @@ index c62f23e..335fda1 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..d15f94d 100644 +index 3aa8fa7..c51c1f6 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if -@@ -1,5 +1,43 @@ +@@ -1,5 +1,41 @@ ## OpenLDAP directory server +####################################### +## -+## Execute OpenLDAP in the ldap domain. ++## Execute OpenLDAP in the ldap domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`ldap_domtrans',` -+ gen_require(` -+ type slapd_t, slapd_exec_t; -+ ') -+ -+ domtrans_pattern($1, slapd_exec_t, slapd_t) ++ gen_require(` ++ type slapd_t, slapd_exec_t; ++ ') + ++ domtrans_pattern($1, slapd_exec_t, slapd_t) +') + +####################################### +## -+## Execute OpenLDAP server in the ldap domain. ++## Execute OpenLDAP server in the ldap domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`ldap_initrc_domtrans',` -+ gen_require(` -+ type slapd_initrc_exec_t; -+ ') ++ gen_require(` ++ type slapd_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, slapd_initrc_exec_t) ++ init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') + -+ ######################################## ## ## Read the contents of the OpenLDAP -@@ -21,6 +59,25 @@ interface(`ldap_list_db',` +@@ -21,6 +57,25 @@ interface(`ldap_list_db',` ######################################## ## @@ -18659,7 +21060,7 @@ index 3aa8fa7..d15f94d 100644 ## Read the OpenLDAP configuration files. ## ## -@@ -69,8 +126,30 @@ interface(`ldap_stream_connect',` +@@ -69,8 +124,30 @@ interface(`ldap_stream_connect',` ') files_search_pids($1) @@ -18692,8 +21093,16 @@ index 3aa8fa7..d15f94d 100644 ') ######################################## +@@ -110,6 +187,7 @@ interface(`ldap_admin',` + + admin_pattern($1, slapd_lock_t) + ++ files_list_var_lib($1) + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te -index 64fd1ff..ee5e345 100644 +index 64fd1ff..10c2d54 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -18734,7 +21143,7 @@ index 64fd1ff..ee5e345 100644 files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) +manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) ++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) + +manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) @@ -18744,6 +21153,91 @@ index 64fd1ff..ee5e345 100644 kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) +diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if +index 771e04b..81d98b3 100644 +--- a/policy/modules/services/likewise.if ++++ b/policy/modules/services/likewise.if +@@ -63,7 +63,7 @@ template(`likewise_domain_template',` + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + +- allow $1_t likewise_var_lib_t:dir setattr; ++ allow $1_t likewise_var_lib_t:dir setattr_dir_perms; + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, file) +diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te +index ae9d49f..65e6d81 100644 +--- a/policy/modules/services/likewise.te ++++ b/policy/modules/services/likewise.te +@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ + # Likewise DC location service local policy + # + +-allow netlogond_t self:capability {dac_override}; ++allow netlogond_t self:capability dac_override; + + manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) + +diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if +index 418cc81..5cfe950 100644 +--- a/policy/modules/services/lircd.if ++++ b/policy/modules/services/lircd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run lircd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`lircd_domtrans',` +@@ -16,7 +16,6 @@ interface(`lircd_domtrans',` + ') + + domain_auto_trans($1, lircd_exec_t, lircd_t) +- + ') + + ###################################### +@@ -44,9 +43,9 @@ interface(`lircd_stream_connect',` + ## Read lircd etc file + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`lircd_read_config',` +@@ -76,8 +75,8 @@ interface(`lircd_read_config',` + # + interface(`lircd_admin',` + gen_require(` +- type lircd_t, lircd_var_run_t; +- type lircd_initrc_exec_t, lircd_etc_t; ++ type lircd_t, lircd_var_run_t, lircd_etc_t; ++ type lircd_initrc_exec_t; + ') + + allow $1 lircd_t:process { ptrace signal_perms }; +@@ -88,9 +87,9 @@ interface(`lircd_admin',` + role_transition $2 lircd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, lircd_etc_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, lircd_var_run_t) + ') diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te index 6a78de1..02f6985 100644 --- a/policy/modules/services/lircd.te @@ -18775,10 +21269,27 @@ index 6a78de1..02f6985 100644 dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if -index a4f32f5..d801ec0 100644 +index a4f32f5..ea7dca0 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if -@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',` +@@ -14,6 +14,7 @@ + ## User domain for the role + ## + ## ++## + # + interface(`lpd_role',` + gen_require(` +@@ -27,7 +28,7 @@ interface(`lpd_role',` + dontaudit lpr_t $2:unix_stream_socket { read write }; + + ps_process_pattern($2, lpr_t) +- allow $2 lpr_t:process signull; ++ allow $2 lpr_t:process { ptrace signal_perms }; + + optional_policy(` + cups_read_config($2) +@@ -153,7 +154,7 @@ interface(`lpd_relabel_spool',` ') files_search_spool($1) @@ -18787,10 +21298,41 @@ index a4f32f5..d801ec0 100644 ') ######################################## +@@ -186,7 +187,7 @@ interface(`lpd_read_config',` + ## + ## + # +-template(`lpd_domtrans_lpr',` ++interface(`lpd_domtrans_lpr',` + gen_require(` + type lpr_t, lpr_exec_t; + ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..4d31118 100644 +index 93c14ca..80671d9 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te +@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) + # + + ## +-##

+-## Use lpd server instead of cups +-##

++##

++## Use lpd server instead of cups ++##

+ ## + gen_tunable(use_lpd_server, false) + +@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) + delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) + files_search_spool(checkpc_t) + +-allow checkpc_t printconf_t:file getattr; ++allow checkpc_t printconf_t:file getattr_file_perms; + allow checkpc_t printconf_t:dir list_dir_perms; + + kernel_read_system_state(checkpc_t) @@ -145,9 +145,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) @@ -18803,6 +21345,24 @@ index 93c14ca..4d31118 100644 # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) +@@ -283,13 +284,13 @@ userdom_read_user_tmp_files(lpr_t) + + tunable_policy(`use_lpd_server',` + # lpr can run in lightweight mode, without a local print spooler. +- allow lpr_t lpd_var_run_t:dir search; +- allow lpr_t lpd_var_run_t:sock_file write; ++ allow lpr_t lpd_var_run_t:dir search_dir_perms; ++ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; + files_read_var_files(lpr_t) + + # Connect to lpd via a Unix domain socket. +- allow lpr_t printer_t:sock_file rw_sock_file_perms; +- allow lpr_t lpd_t:unix_stream_socket connectto; ++ allow lpr_t printer_t:sock_file read_sock_file_perms; ++ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) + # Send SIGHUP to lpd. + allow lpr_t lpd_t:process signal; + @@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',` ') @@ -18819,9 +21379,18 @@ index 93c14ca..4d31118 100644 fs_read_cifs_files(lpr_t) fs_read_cifs_symlinks(lpr_t) diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if -index 67c7fdd..19bcae2 100644 +index 67c7fdd..84b7626 100644 --- a/policy/modules/services/mailman.if +++ b/policy/modules/services/mailman.if +@@ -16,7 +16,7 @@ + ## + ## + # +-template(`mailman_domain_template', ` ++template(`mailman_domain_template',` + type mailman_$1_t; + domain_type(mailman_$1_t) + role system_r types mailman_$1_t; @@ -74,7 +74,7 @@ template(`mailman_domain_template', ` corecmd_exec_all_executables(mailman_$1_t) @@ -18832,9 +21401,21 @@ index 67c7fdd..19bcae2 100644 files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te -index af4d572..ac97ed9 100644 +index af4d572..96e3c80 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te +@@ -61,9 +61,9 @@ optional_policy(` + # Mailman mail local policy + # + +-allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +-allow mailman_mail_t self:process { signal signull }; + allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; ++allow mailman_mail_t self:process { signal signull }; ++allow mailman_mail_t self:unix_dgram_socket create_socket_perms; + + manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) + manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) @@ -81,6 +81,10 @@ optional_policy(` ') @@ -18854,22 +21435,43 @@ index af4d572..ac97ed9 100644 \ No newline at end of file +') diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if -index db4fd6f..ee60e59 100644 +index db4fd6f..5008a6c 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if -@@ -59,6 +59,7 @@ interface(`memcached_admin',` +@@ -5,15 +5,14 @@ + ## Execute a domain transition to run memcached. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`memcached_domtrans',` gen_require(` - type memcached_t; - type memcached_initrc_exec_t; -+ type memcached_var_run_t; +- type memcached_t; +- type memcached_exec_t; ++ type memcached_t, memcached_exec_t; + ') + + domtrans_pattern($1, memcached_exec_t, memcached_t) +@@ -57,8 +56,7 @@ interface(`memcached_read_pid_files',` + # + interface(`memcached_admin',` + gen_require(` +- type memcached_t; +- type memcached_initrc_exec_t; ++ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') allow $1 memcached_t:process { ptrace signal_perms }; -@@ -69,5 +70,6 @@ interface(`memcached_admin',` +@@ -69,5 +67,6 @@ interface(`memcached_admin',` role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; -+ files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, memcached_var_run_t) ') diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc @@ -18892,7 +21494,7 @@ index 55a3e2f..613c69d 100644 /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if -index ed1af3c..a000225 100644 +index ed1af3c..d7e81f3 100644 --- a/policy/modules/services/milter.if +++ b/policy/modules/services/milter.if @@ -37,6 +37,8 @@ template(`milter_template',` @@ -18904,7 +21506,22 @@ index ed1af3c..a000225 100644 miscfiles_read_localization($1_milter_t) logging_send_syslog_msg($1_milter_t) -@@ -82,6 +84,24 @@ interface(`milter_getattr_all_sockets',` +@@ -57,7 +59,7 @@ interface(`milter_stream_connect_all',` + attribute milter_data_type, milter_domains; + ') + +- getattr_dirs_pattern($1, milter_data_type, milter_data_type) ++ files_search_pids($1) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) + ') + +@@ -76,12 +78,29 @@ interface(`milter_getattr_all_sockets',` + attribute milter_data_type; + ') + +- getattr_dirs_pattern($1, milter_data_type, milter_data_type) + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) + ') ######################################## ## @@ -18929,31 +21546,31 @@ index ed1af3c..a000225 100644 ## Manage spamassassin milter state ## ## -@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',` +@@ -100,3 +119,22 @@ interface(`milter_manage_spamass_state',` manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ') + +####################################### +## -+## Delete dkim-milter PID files. ++## Delete dkim-milter PID files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`milter_delete_dkim_pid_files',` -+ gen_require(` -+ type dkim_milter_data_t; -+ ') ++ gen_require(` ++ type dkim_milter_data_t; ++ ') + -+ files_search_pids($1) -+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) ++ files_search_pids($1) ++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te -index 1b6dea0..6ba48ff 100644 +index 1b6dea0..f42a489 100644 --- a/policy/modules/services/milter.te +++ b/policy/modules/services/milter.te @@ -9,6 +9,13 @@ policy_module(milter, 1.2.1) @@ -18970,7 +21587,7 @@ index 1b6dea0..6ba48ff 100644 # currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) -@@ -20,6 +27,23 @@ milter_template(spamass) +@@ -20,11 +27,27 @@ milter_template(spamass) type spamass_milter_state_t; files_type(spamass_milter_state_t) @@ -18980,7 +21597,6 @@ index 1b6dea0..6ba48ff 100644 +# + +allow dkim_milter_t self:capability { kill setgid setuid }; -+ +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) @@ -18994,6 +21610,35 @@ index 1b6dea0..6ba48ff 100644 ######################################## # # milter-greylist local policy +-# ensure smtp clients retry mail like real MTAs and not spamware +-# http://hcpnet.free.fr/milter-greylist/ ++# ensure smtp clients retry mail like real MTAs and not spamware ++# http://hcpnet.free.fr/milter-greylist/ + # + + # It removes any existing socket (not owned by root) whilst running as root, +@@ -52,8 +75,8 @@ mta_read_config(greylist_milter_t) + ######################################## + # + # milter-regex local policy +-# filter emails using regular expressions +-# http://www.benzedrine.cx/milter-regex.html ++# filter emails using regular expressions ++# http://www.benzedrine.cx/milter-regex.html + # + + # It removes any existing socket (not owned by root) whilst running as root +@@ -72,8 +95,8 @@ mta_read_config(regex_milter_t) + ######################################## + # + # spamass-milter local policy +-# pipe emails through SpamAssassin +-# http://savannah.nongnu.org/projects/spamass-milt/ ++# pipe emails through SpamAssassin ++# http://savannah.nongnu.org/projects/spamass-milt/ + # + + # The milter runs from /var/lib/spamass-milter diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc new file mode 100644 index 0000000..42bb2a3 @@ -19008,11 +21653,10 @@ index 0000000..42bb2a3 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..5a1698c +index 0000000..d76fb11 --- /dev/null +++ b/policy/modules/services/mock.if -@@ -0,0 +1,238 @@ -+ +@@ -0,0 +1,236 @@ +## policy for mock + +######################################## @@ -19020,9 +21664,9 @@ index 0000000..5a1698c +## Execute a domain transition to run mock. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`mock_domtrans',` @@ -19033,7 +21677,6 @@ index 0000000..5a1698c + domtrans_pattern($1, mock_exec_t, mock_t) +') + -+ +######################################## +## +## Search mock lib directories. @@ -19069,7 +21712,7 @@ index 0000000..5a1698c + ') + + files_search_var_lib($1) -+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## @@ -19089,7 +21732,7 @@ index 0000000..5a1698c + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## @@ -19108,7 +21751,7 @@ index 0000000..5a1698c + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) ++ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################### @@ -19127,7 +21770,7 @@ index 0000000..5a1698c + ') + + files_search_var_lib($1) -+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## @@ -19146,7 +21789,7 @@ index 0000000..5a1698c + ') + + files_search_var_lib($1) -+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ++ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## @@ -19164,6 +21807,7 @@ index 0000000..5a1698c +## The role to be allowed the mock domain. +## +## ++## +# +interface(`mock_run',` + gen_require(` @@ -19188,10 +21832,11 @@ index 0000000..5a1698c +## User domain for the role +## +## ++## +# +interface(`mock_role',` + gen_require(` -+ type mock_t; ++ type mock_t; + ') + + role $1 types mock_t; @@ -19199,7 +21844,7 @@ index 0000000..5a1698c + mock_domtrans($2) + + ps_process_pattern($2, mock_t) -+ allow $2 mock_t:process signal; ++ allow $2 mock_t:process { ptrace signal_perms }; +') + +####################################### @@ -19239,23 +21884,21 @@ index 0000000..5a1698c +# +interface(`mock_admin',` + gen_require(` -+ type mock_t; -+ type mock_var_lib_t; ++ type mock_t, mock_var_lib_t; + ') + + allow $1 mock_t:process { ptrace signal_perms }; + ps_process_pattern($1, mock_t) + -+ files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, mock_var_lib_t) -+ +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..6f8fda5 +index 0000000..b05a9cd --- /dev/null +++ b/policy/modules/services/mock.te -@@ -0,0 +1,98 @@ +@@ -0,0 +1,99 @@ +policy_module(mock,1.0.0) + +######################################## @@ -19285,6 +21928,7 @@ index 0000000..6f8fda5 +# +# mock local policy +# ++ +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; +dontaudit mock_t self:process { siginh noatsecure rlimitinh }; @@ -19298,14 +21942,14 @@ index 0000000..6f8fda5 + +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) -+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } ) ++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file }) +can_exec(mock_t, mock_tmp_t) + +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) -+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } ) ++files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) +can_exec(mock_t, mock_var_lib_t) +allow mock_t mock_var_lib_t:dir mounton; + @@ -19354,6 +21998,22 @@ index 0000000..6f8fda5 +optional_policy(` + apache_read_sys_content_rw_files(mock_t) +') +diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if +index 3368699..7a7fc02 100644 +--- a/policy/modules/services/modemmanager.if ++++ b/policy/modules/services/modemmanager.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run modemmanager. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`modemmanager_domtrans',` diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te index b3ace16..3dd940c 100644 --- a/policy/modules/services/modemmanager.te @@ -19387,27 +22047,36 @@ index b3ace16..3dd940c 100644 udev_read_db(modemmanager_t) ') diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if -index 657a9fc..cf7968d 100644 +index 657a9fc..88e7330 100644 --- a/policy/modules/services/mojomojo.if +++ b/policy/modules/services/mojomojo.if -@@ -21,13 +21,16 @@ interface(`mojomojo_admin',` +@@ -19,18 +19,20 @@ + # + interface(`mojomojo_admin',` gen_require(` - type httpd_mojomojo_script_t; - type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; +- type httpd_mojomojo_script_t; +- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; - type httpd_mojomojo_rw_content_t; -+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t; - type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; +- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; ++ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; ++ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; ++ type httpd_mojomojo_script_exec_t; ') allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; ps_process_pattern($1, httpd_mojomojo_script_t) +- files_search_var_lib(httpd_mojomojo_script_t) + files_list_tmp($1) + admin_pattern($1, httpd_mojomojo_tmp_t) -+ - files_search_var_lib(httpd_mojomojo_script_t) - apache_search_sys_content($1) +- apache_search_sys_content($1) ++ files_list_var_lib(httpd_mojomojo_script_t) ++ ++ apache_list_sys_content($1) + admin_pattern($1, httpd_mojomojo_script_exec_t) + admin_pattern($1, httpd_mojomojo_script_t) + admin_pattern($1, httpd_mojomojo_content_t) diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te index 83f002c..ed69996 100644 --- a/policy/modules/services/mojomojo.te @@ -19451,11 +22120,10 @@ index 0000000..564b22d +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if new file mode 100644 -index 0000000..5599d14 +index 0000000..311aaed --- /dev/null +++ b/policy/modules/services/mpd.if -@@ -0,0 +1,273 @@ -+ +@@ -0,0 +1,267 @@ +## policy for daemon for playing music + +######################################## @@ -19463,9 +22131,9 @@ index 0000000..5599d14 +## Execute a domain transition to run mpd. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`mpd_domtrans',` @@ -19476,7 +22144,6 @@ index 0000000..5599d14 + domtrans_pattern($1, mpd_exec_t, mpd_t) +') + -+ +######################################## +## +## Execute mpd server in the mpd domain. @@ -19497,79 +22164,79 @@ index 0000000..5599d14 + +####################################### +## -+## Read mpd data files. ++## Read mpd data files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`mpd_read_data_files',` -+ gen_require(` -+ type mpd_data_t; -+ ') ++ gen_require(` ++ type mpd_data_t; ++ ') + + mpd_search_lib($1) -+ read_files_pattern($1, mpd_data_t, mpd_data_t) ++ read_files_pattern($1, mpd_data_t, mpd_data_t) +') + +####################################### +## -+## Read mpd tmpfs files. ++## Read mpd tmpfs files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`mpd_read_tmpfs_files',` -+ gen_require(` -+ type mpd_tmpfs_t; -+ ') ++ gen_require(` ++ type mpd_tmpfs_t; ++ ') + + fs_search_tmpfs($1) -+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +################################### +## -+## Manage mpd tmpfs files. ++## Manage mpd tmpfs files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`mpd_manage_tmpfs_files',` -+ gen_require(` -+ type mpd_tmpfs_t; -+ ') ++ gen_require(` ++ type mpd_tmpfs_t; ++ ') + + fs_search_tmpfs($1) -+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +###################################### +## -+## Manage mpd data files. ++## Manage mpd data files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`mpd_manage_data_files',` -+ gen_require(` -+ type mpd_data_t; -+ ') ++ gen_require(` ++ type mpd_data_t; ++ ') + -+ mpd_search_lib($1) -+ manage_files_pattern($1, mpd_data_t, mpd_data_t) ++ mpd_search_lib($1) ++ manage_files_pattern($1, mpd_data_t, mpd_data_t) +') + +######################################## @@ -19607,7 +22274,7 @@ index 0000000..5599d14 + ') + + files_search_var_lib($1) -+ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++ read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## @@ -19627,36 +22294,37 @@ index 0000000..5599d14 + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++ manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +####################################### +## -+## Create an object in the root directory, with a private -+## type using a type transition. ++## Create an object in the root directory, with a private ++## type using a type transition. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +## -+## -+## The type of the object to be created. -+## ++## ++## The type of the object to be created. ++## +## +## -+## -+## The object class of the object being created. -+## ++## ++## The object class of the object being created. ++## +## +# +interface(`mpd_var_lib_filetrans',` -+ gen_require(` -+ type mpd_var_lib_t; -+ ') ++ gen_require(` ++ type mpd_var_lib_t; ++ ') + -+ filetrans_pattern($1, mpd_var_lib_t, $2, $3) ++ files_search_var_lib($1) ++ filetrans_pattern($1, mpd_var_lib_t, $2, $3) +') + +######################################## @@ -19675,7 +22343,7 @@ index 0000000..5599d14 + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ++ manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## @@ -19697,12 +22365,8 @@ index 0000000..5599d14 +# +interface(`mpd_admin',` + gen_require(` -+ type mpd_t; -+ type mpd_initrc_exec_t; -+ type mpd_etc_t; -+ type mpd_data_t; -+ type mpd_log_t; -+ type mpd_var_lib_t; ++ type mpd_t, mpd_initrc_exec_t, mpd_etc_t; ++ type mpd_data_t, mpd_log_t, mpd_var_lib_t; + type mpd_tmpfs_t; + ') + @@ -19715,26 +22379,25 @@ index 0000000..5599d14 + allow $2 system_r; + + admin_pattern($1, mpd_etc_t) -+ files_search_etc($1) ++ files_list_etc($1) + -+ files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, mpd_var_lib_t) -+ -+ mpd_search_lib($1) ++ + admin_pattern($1, mpd_data_t) + + admin_pattern($1, mpd_log_t) + -+ fs_search_tmpfs($1) ++ fs_list_tmpfs($1) + admin_pattern($1, mpd_tmpfs_t) +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 -index 0000000..71464f6 +index 0000000..84bc8bb --- /dev/null +++ b/policy/modules/services/mpd.te -@@ -0,0 +1,111 @@ -+policy_module(mpd,1.0.0) +@@ -0,0 +1,110 @@ ++policy_module(mpd, 1.0.0) + +######################################## +# @@ -19777,7 +22440,6 @@ index 0000000..71464f6 +#cjp: dac_override bug in mpd relating to mpd.log file +allow mpd_t self:capability { dac_override kill setgid setuid }; +allow mpd_t self:process { getsched setsched setrlimit signal signull }; -+ +allow mpd_t self:fifo_file rw_fifo_file_perms; +allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow mpd_t self:tcp_socket create_stream_socket_perms; @@ -19838,12 +22500,12 @@ index 0000000..71464f6 + +optional_policy(` + pulseaudio_exec(mpd_t) -+ pulseaudio_stream_connect(mpd_t) -+ pulseaudio_signull(mpd_t) ++ pulseaudio_stream_connect(mpd_t) ++ pulseaudio_signull(mpd_t) +') + +optional_policy(` -+ udev_read_db(mpd_t) ++ udev_read_db(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc index 256166a..c526ce8 100644 @@ -19867,10 +22529,38 @@ index 256166a..c526ce8 100644 /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..a9ebda2 100644 +index 343cee3..2f948ad 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if -@@ -220,6 +220,25 @@ interface(`mta_agent_executable',` +@@ -37,9 +37,9 @@ interface(`mta_stub',` + ## is the prefix for user_t). + ## + ## ++## + # + template(`mta_base_mail_template',` +- + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; +@@ -158,6 +158,7 @@ template(`mta_base_mail_template',` + ## User domain for the role + ## + ## ++## + # + interface(`mta_role',` + gen_require(` +@@ -169,7 +170,7 @@ interface(`mta_role',` + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, sendmail_exec_t, user_mail_t) +- allow $2 sendmail_exec_t:lnk_file { getattr read }; ++ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; + + allow mta_user_agent $2:fd use; + allow mta_user_agent $2:process sigchld; +@@ -220,6 +221,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -19879,23 +22569,31 @@ index 343cee3..a9ebda2 100644 +## Dontaudit read and write an leaked file descriptors +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. ++## +## +# +interface(`mta_dontaudit_leaks_system_mail',` -+ gen_require(` -+ type system_mail_t; -+ ') ++ gen_require(` ++ type system_mail_t; ++ ') + -+ dontaudit $1 system_mail_t:fifo_file write; -+ dontaudit $1 system_mail_t:tcp_socket { read write }; ++ dontaudit $1 system_mail_t:fifo_file write; ++ dontaudit $1 system_mail_t:tcp_socket { read write }; +') + ######################################## ## ## Make the specified type by a system MTA. +@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',` + interface(`mta_mailserver_delivery',` + gen_require(` + attribute mailserver_delivery; +- type mail_spool_t; + ') + + typeattribute $1 mailserver_delivery; @@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',` ') @@ -19909,18 +22607,29 @@ index 343cee3..a9ebda2 100644 ') ######################################## -@@ -362,6 +375,10 @@ interface(`mta_send_mail',` +@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',` + # + interface(`mta_send_mail',` + gen_require(` +- attribute mta_user_agent; ++ attribute mta_user_agent, mta_exec_type; + type system_mail_t; +- attribute mta_exec_type; + ') + + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; +@@ -362,6 +374,10 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; + -+ ifdef(`hide_broken_symptoms', ` ++ ifdef(`hide_broken_symptoms',` + dontaudit system_mail_t $1:socket_class_set { read write }; + ') ') ######################################## -@@ -391,12 +408,15 @@ interface(`mta_send_mail',` +@@ -391,12 +407,15 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -19938,7 +22647,15 @@ index 343cee3..a9ebda2 100644 ') ######################################## -@@ -420,6 +440,25 @@ interface(`mta_signal_system_mail',` +@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',` + ## + ## + # +-# + interface(`mta_signal_system_mail',` + gen_require(` + type system_mail_t; +@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -19950,7 +22667,6 @@ index 343cee3..a9ebda2 100644 +## +## +# -+# +interface(`mta_kill_system_mail',` + gen_require(` + type system_mail_t; @@ -19964,26 +22680,57 @@ index 343cee3..a9ebda2 100644 ## Execute sendmail in the caller domain. ## ## -@@ -474,7 +513,8 @@ interface(`mta_write_config',` +@@ -474,7 +510,8 @@ interface(`mta_write_config',` type etc_mail_t; ') - write_files_pattern($1, etc_mail_t, etc_mail_t) + manage_files_pattern($1, etc_mail_t, etc_mail_t) -+ allow $1 etc_mail_t:file setattr; ++ allow $1 etc_mail_t:file setattr_file_perms; ') ######################################## -@@ -698,7 +738,7 @@ interface(`mta_rw_spool',` +@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',` + ') + + files_search_etc($1) +- allow $1 etc_aliases_t:file { rw_file_perms setattr }; ++ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; + ') + + ####################################### +@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',` + + files_dontaudit_search_spool($1) + dontaudit $1 mail_spool_t:dir search_dir_perms; +- dontaudit $1 mail_spool_t:lnk_file read; +- dontaudit $1 mail_spool_t:file getattr; ++ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 mail_spool_t:file getattr_file_perms; + ') + + ####################################### +@@ -697,8 +734,8 @@ interface(`mta_rw_spool',` + files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file setattr; +- allow $1 mail_spool_t:file setattr; - rw_files_pattern($1, mail_spool_t, mail_spool_t) ++ allow $1 mail_spool_t:file setattr_file_perms; + manage_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',` + ') + + dontaudit $1 mqueue_spool_t:dir search_dir_perms; +- dontaudit $1 mqueue_spool_t:file { getattr read write }; ++ dontaudit $1 mqueue_spool_t:file rw_file_perms; + ') + + ######################################## +@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -20005,30 +22752,37 @@ index 343cee3..a9ebda2 100644 +## +# +interface(`mta_filetrans_aliases',` ++ gen_require(` ++ type etc_aliases_t; ++ ') ++ + filetrans_pattern($1, $2, etc_aliases_t, file) +') + +###################################### +## -+## ALlow domain to read mail content in the homedir ++## ALlow domain to read mail content in the homedir +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`mta_read_home',` -+ gen_require(` -+ type mail_home_t; -+ ') ++ gen_require(` ++ type mail_home_t; ++ ') + -+ userdom_search_user_home_dirs($1) -+ userdom_search_admin_dir($1) -+ read_files_pattern($1, mail_home_t, mail_home_t) ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, mail_home_t, mail_home_t) ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..f99b9fc 100644 +index 64268e4..36e64e9 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -20075,7 +22829,7 @@ index 64268e4..f99b9fc 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,6 +82,12 @@ optional_policy(` +@@ -92,17 +82,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -20088,7 +22842,12 @@ index 64268e4..f99b9fc 100644 ') optional_policy(` -@@ -103,6 +99,11 @@ optional_policy(` + arpwatch_manage_tmp_files(system_mail_t) + +- ifdef(`hide_broken_symptoms', ` ++ ifdef(`hide_broken_symptoms',` + arpwatch_dontaudit_rw_packet_sockets(system_mail_t) + ') ') optional_policy(` @@ -20164,6 +22923,15 @@ index 64268e4..f99b9fc 100644 smartmon_read_tmp_files(system_mail_t) ') +@@ -199,7 +194,7 @@ optional_policy(` + arpwatch_search_data(mailserver_delivery) + arpwatch_manage_tmp_files(mta_user_agent) + +- ifdef(`hide_broken_symptoms', ` ++ ifdef(`hide_broken_symptoms',` + arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) + ') + @@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -20191,7 +22959,7 @@ index 64268e4..f99b9fc 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +293,44 @@ optional_policy(` +@@ -292,3 +293,42 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -20216,8 +22984,6 @@ index 64268e4..f99b9fc 100644 +kernel_read_network_state(user_mail_domain) +kernel_request_load_module(user_mail_domain) + -+ -+ +optional_policy(` + # postfix needs this for newaliases + files_getattr_tmp_dirs(user_mail_domain) @@ -20249,7 +23015,7 @@ index fd71d69..bad9920 100644 /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if -index c358d8f..dda8ca9 100644 +index c358d8f..92c9dca 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -13,10 +13,11 @@ @@ -20266,12 +23032,11 @@ index c358d8f..dda8ca9 100644 type $1_munin_plugin_exec_t; typealias $1_munin_plugin_t alias munin_$1_plugin_t; typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; -@@ -36,17 +37,8 @@ template(`munin_plugin_template',` +@@ -36,17 +37,7 @@ template(`munin_plugin_template',` # automatic transition rules from munin domain # to specific munin plugin domain domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) -+ allow munin_t $1_munin_plugin_t:process signal; - +- - allow $1_munin_plugin_t munin_exec_t:file read_file_perms; - allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms; - @@ -20282,10 +23047,11 @@ index c358d8f..dda8ca9 100644 - corecmd_exec_bin($1_munin_plugin_t) - - miscfiles_read_localization($1_munin_plugin_t) ++ allow munin_t $1_munin_plugin_t:process signal; ') ######################################## -@@ -65,9 +57,8 @@ interface(`munin_stream_connect',` +@@ -65,9 +56,8 @@ interface(`munin_stream_connect',` type munin_var_run_t, munin_t; ') @@ -20296,33 +23062,48 @@ index c358d8f..dda8ca9 100644 ') ####################################### -@@ -92,6 +83,24 @@ interface(`munin_read_config',` +@@ -88,10 +78,28 @@ interface(`munin_read_config',` + + allow $1 munin_etc_t:dir list_dir_perms; + allow $1 munin_etc_t:file read_file_perms; +- allow $1 munin_etc_t:lnk_file { getattr read }; ++ allow $1 munin_etc_t:lnk_file read_lnk_file_perms; files_search_etc($1) ') +###################################### +## -+## dontaudit read and write an leaked file descriptors ++## dontaudit read and write an leaked file descriptors +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. ++## +## +# +interface(`munin_dontaudit_leaks',` -+ gen_require(` -+ type munin_t; -+ ') ++ gen_require(` ++ type munin_t; ++ ') + -+ dontaudit $1 munin_t:tcp_socket { read write }; ++ dontaudit $1 munin_t:tcp_socket { read write }; +') + ####################################### ## ## Append to the munin log. +@@ -172,8 +180,7 @@ interface(`munin_admin',` + gen_require(` + type munin_t, munin_etc_t, munin_tmp_t; + type munin_log_t, munin_var_lib_t, munin_var_run_t; +- type httpd_munin_content_t; +- type munin_initrc_exec_t; ++ type httpd_munin_content_t, munin_initrc_exec_t; + ') + + allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..13d365d 100644 +index f17583b..6f8b0fd 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -20395,7 +23176,7 @@ index f17583b..13d365d 100644 # local policy for disk plugins # -+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; ++allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -20503,7 +23284,7 @@ index f17583b..13d365d 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..b81e257 100644 +index e9c0982..4d3b208 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -73,6 +73,7 @@ interface(`mysql_stream_connect',` @@ -20514,11 +23295,65 @@ index e9c0982..b81e257 100644 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') +@@ -252,7 +253,7 @@ interface(`mysql_write_log',` + ') + + logging_search_logs($1) +- allow $1 mysqld_log_t:file { write_file_perms setattr }; ++ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; + ') + + ###################################### +@@ -329,10 +330,9 @@ interface(`mysql_search_pid_files',` + # + interface(`mysql_admin',` + gen_require(` +- type mysqld_t, mysqld_var_run_t; +- type mysqld_tmp_t, mysqld_db_t; +- type mysqld_etc_t, mysqld_log_t; +- type mysqld_initrc_exec_t; ++ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; ++ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; ++ type mysqld_etc_t; + ') + + allow $1 mysqld_t:process { ptrace signal_perms }; +@@ -343,13 +343,17 @@ interface(`mysql_admin',` + role_transition $2 mysqld_initrc_exec_t system_r; + allow $2 system_r; + ++ files_list_pids($1) + admin_pattern($1, mysqld_var_run_t) + + admin_pattern($1, mysqld_db_t) + ++ files_list_etc($1) + admin_pattern($1, mysqld_etc_t) + ++ logging_list_logs($1) + admin_pattern($1, mysqld_log_t) + ++ files_list_tmp($1) + admin_pattern($1, mysqld_tmp_t) + ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..b370d53 100644 +index 0a0d63c..086df22 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te -@@ -64,6 +64,7 @@ allow mysqld_t self:udp_socket create_socket_perms; +@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) + # + + ## +-##

+-## Allow mysqld to connect to all ports +-##

++##

++## Allow mysqld to connect to all ports ++##

+ ## + gen_tunable(mysql_connect_any, false) + +@@ -64,11 +64,12 @@ allow mysqld_t self:udp_socket create_socket_perms; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -20526,6 +23361,12 @@ index 0a0d63c..b370d53 100644 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) + allow mysqld_t mysqld_etc_t:file read_file_perms; +-allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; ++allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; + allow mysqld_t mysqld_etc_t:dir list_dir_perms; + + allow mysqld_t mysqld_log_t:file manage_file_perms; @@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) @@ -20538,15 +23379,25 @@ index 0a0d63c..b370d53 100644 kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) -@@ -156,6 +158,7 @@ optional_policy(` +@@ -127,8 +129,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + userdom_read_user_home_content_files(mysqld_t) + + ifdef(`distro_redhat',` +- # because Fedora has the sock_file in the database directory +- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; ++ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) + ') + + tunable_policy(`mysql_connect_any',` +@@ -155,6 +156,7 @@ optional_policy(` + allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; - allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t self:process { setsched getsched setrlimit }; + allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - -@@ -175,6 +178,7 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,6 +177,7 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -20555,10 +23406,38 @@ index 0a0d63c..b370d53 100644 files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if -index 8581040..e3c8272 100644 +index 8581040..89e1edf 100644 --- a/policy/modules/services/nagios.if +++ b/policy/modules/services/nagios.if -@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',` +@@ -12,10 +12,8 @@ + ## + # + template(`nagios_plugin_template',` +- + gen_require(` +- type nagios_t, nrpe_t; +- type nagios_log_t; ++ type nagios_t, nrpe_t, nagios_log_t; + ') + + type nagios_$1_plugin_t; +@@ -26,6 +24,7 @@ template(`nagios_plugin_template',` + allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; + + domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) ++ allow nrpe_t nagios_$1_plugin_t:process { signal sigkill }; + + # needed by command.cfg + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) +@@ -49,7 +48,6 @@ template(`nagios_plugin_template',` + ## Domain to not audit. + ## + ## +-## + # + interface(`nagios_dontaudit_rw_pipes',` + gen_require(` +@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',` ######################################## ## @@ -20585,8 +23464,23 @@ index 8581040..e3c8272 100644 ## Execute the nagios NRPE with ## a domain transition. ## +@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',` + # + interface(`nagios_admin',` + gen_require(` +- type nagios_t, nrpe_t; +- type nagios_tmp_t, nagios_log_t; +- type nagios_etc_t, nrpe_etc_t; +- type nagios_spool_t, nagios_var_run_t; +- type nagios_initrc_exec_t; ++ type nagios_t, nrpe_t, nagios_initrc_exec_t; ++ type nagios_tmp_t, nagios_log_t, nagios_var_run_t; ++ type nagios_etc_t, nrpe_etc_t, nagios_spool_t; + ') + + allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..1029389 100644 +index da5b33d..61a3920 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -20617,7 +23511,31 @@ index da5b33d..1029389 100644 netutils_kill_ping(nagios_t) ') -@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -143,6 +141,7 @@ optional_policy(` + # + # Nagios CGI local policy + # ++ + optional_policy(` + apache_content_template(nagios) + typealias httpd_nagios_script_t alias nagios_cgi_t; +@@ -270,7 +269,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) + # + + allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +- + allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; + allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; + allow nagios_mail_plugin_t self:udp_socket create_socket_perms; +@@ -323,7 +321,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + + allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; + allow nagios_services_plugin_t self:process { signal sigkill }; +- + allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; + allow nagios_services_plugin_t self:udp_socket create_socket_perms; + +@@ -340,6 +337,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -20642,19 +23560,33 @@ index 386543b..d15cc4b 100644 /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if -index 2324d9e..1a1bfe4 100644 +index 2324d9e..8069487 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if -@@ -137,6 +137,27 @@ interface(`networkmanager_dbus_chat',` +@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` + ## Allow caller to relabel tun_socket + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`networkmanager_attach_tun_iface',` +@@ -137,6 +137,28 @@ interface(`networkmanager_dbus_chat',` ######################################## ## -+## Send and receive messages from -+## NetworkManager over dbus. ++## Do not audit attempts to send and ++## receive messages from NetworkManager ++## over dbus. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -20673,7 +23605,7 @@ index 2324d9e..1a1bfe4 100644 ## Send a generic signal to NetworkManager ## ## -@@ -191,3 +212,50 @@ interface(`networkmanager_read_pid_files',` +@@ -191,3 +213,50 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -20685,12 +23617,12 @@ index 2324d9e..1a1bfe4 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +## +## -+## The role to be allowed the NetworkManager domain. ++## Role allowed access. +## +## +## @@ -20845,9 +23777,18 @@ index 15448d5..0c97dab 100644 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..c42c268 100644 +index abe3f7f..995a6cb 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if +@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` + allow $1 self:udp_socket create_socket_perms; + + allow $1 var_yp_t:dir list_dir_perms; +- allow $1 var_yp_t:lnk_file { getattr read }; ++ allow $1 var_yp_t:lnk_file read_lnk_file_perms; + allow $1 var_yp_t:file read_file_perms; + + corenet_all_recvfrom_unlabeled($1) @@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) @@ -20864,14 +23805,96 @@ index abe3f7f..c42c268 100644 corenet_tcp_connect_generic_port($1) corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) -diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if -index 85188dc..ded2734 100644 ---- a/policy/modules/services/nscd.if -+++ b/policy/modules/services/nscd.if -@@ -121,6 +121,24 @@ interface(`nscd_socket_use',` +@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',` ######################################## ## +-## Delete ypbind pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`nis_delete_ypbind_pid',` +- gen_require(` +- type ypbind_t; +- ') +- +- # TODO: add delete pid from dir call to files +- allow $1 ypbind_t:file unlink; +-') +- +-######################################## +-## + ## Read ypserv configuration files. + ## + ## +@@ -354,10 +335,10 @@ interface(`nis_initrc_domtrans_ypbind',` + # + interface(`nis_admin',` + gen_require(` +- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; ++ type ypbind_t, yppasswdd_t, ypserv_t; + type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; +- type ypbind_initrc_exec_t, nis_initrc_exec_t; ++ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; + ') + + allow $1 ypbind_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te +index 4876cae..5f2ba87 100644 +--- a/policy/modules/services/nis.te ++++ b/policy/modules/services/nis.te +@@ -55,10 +55,11 @@ files_pid_file(ypxfr_var_run_t) + ######################################## + # + # ypbind local policy ++# + + dontaudit ypbind_t self:capability { net_admin sys_tty_config }; +-allow ypbind_t self:fifo_file rw_fifo_file_perms; + allow ypbind_t self:process signal_perms; ++allow ypbind_t self:fifo_file rw_fifo_file_perms; + allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; + allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; + allow ypbind_t self:tcp_socket create_stream_socket_perms; +@@ -142,8 +143,8 @@ optional_policy(` + + allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; +-allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { getsched setfscreate signal_perms }; ++allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:unix_dgram_socket create_socket_perms; + allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; + allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; +@@ -224,8 +225,8 @@ optional_policy(` + # + + dontaudit ypserv_t self:capability sys_tty_config; +-allow ypserv_t self:fifo_file rw_fifo_file_perms; + allow ypserv_t self:process signal_perms; ++allow ypserv_t self:fifo_file rw_fifo_file_perms; + allow ypserv_t self:unix_dgram_socket create_socket_perms; + allow ypserv_t self:unix_stream_socket create_stream_socket_perms; + allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if +index 85188dc..99cefb8 100644 +--- a/policy/modules/services/nscd.if ++++ b/policy/modules/services/nscd.if +@@ -116,7 +116,25 @@ interface(`nscd_socket_use',` + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) +- dontaudit $1 nscd_var_run_t:file { getattr read }; ++ dontaudit $1 nscd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## +## Use nscd services +## +## @@ -20886,14 +23909,28 @@ index 85188dc..ded2734 100644 + ',` + nscd_socket_use($1) + ') -+') + ') + + ######################################## +@@ -146,11 +164,14 @@ interface(`nscd_shm_use',` + # nscd_socket_domain macro. need to investigate + # if they are all actually required + allow $1 self:unix_stream_socket create_stream_socket_perms; +- allow $1 nscd_t:unix_stream_socket connectto; +- allow $1 nscd_var_run_t:sock_file rw_file_perms; + -+######################################## -+## - ## Use NSCD services by mapping the database from - ## an inherited NSCD file descriptor. - ## -@@ -168,7 +186,7 @@ interface(`nscd_dontaudit_search_pid',` ++ # dg: This may not be required. ++ allow $1 nscd_var_run_t:sock_file read_sock_file_perms; ++ ++ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + files_search_pids($1) + allow $1 nscd_t:nscd { getpwd getgrp gethost }; +- dontaudit $1 nscd_var_run_t:file { getattr read }; ++ dontaudit $1 nscd_var_run_t:file read_file_perms; + ') + + ######################################## +@@ -168,7 +189,7 @@ interface(`nscd_dontaudit_search_pid',` type nscd_var_run_t; ') @@ -20902,8 +23939,16 @@ index 85188dc..ded2734 100644 ') ######################################## +@@ -224,6 +245,7 @@ interface(`nscd_unconfined',` + ## Role allowed access. + ## + ## ++## + # + interface(`nscd_run',` + gen_require(` diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te -index 7936e09..6a174f5 100644 +index 7936e09..6b54db7 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,9 +1,16 @@ @@ -20915,9 +23960,9 @@ index 7936e09..6a174f5 100644 ') +## -+##

-+## Allow confined applications to use nscd shared memory. -+##

++##

++## Allow confined applications to use nscd shared memory. ++##

+## +gen_tunable(nscd_use_shm, false) + @@ -20964,7 +24009,7 @@ index 7936e09..6a174f5 100644 cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +140,16 @@ optional_policy(` +@@ -127,3 +140,17 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -20974,6 +24019,7 @@ index 7936e09..6a174f5 100644 + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') ++ + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') @@ -20982,29 +24028,57 @@ index 7936e09..6a174f5 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if -index 23c769c..b94add1 100644 +index 23c769c..be5a5b4 100644 --- a/policy/modules/services/nslcd.if +++ b/policy/modules/services/nslcd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run nslcd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`nslcd_domtrans',` +@@ -93,8 +93,8 @@ interface(`nslcd_stream_connect',` + # + interface(`nslcd_admin',` + gen_require(` +- type nslcd_t, nslcd_initrc_exec_t; +- type nslcd_conf_t, nslcd_var_run_t; ++ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; ++ type nslcd_conf_t; + ') + + ps_process_pattern($1, nslcd_t) @@ -106,9 +106,9 @@ interface(`nslcd_admin',` role_transition $2 nslcd_initrc_exec_t system_r; allow $2 system_r; - manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) -+ files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, nslcd_conf_t) - manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) - manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..6b240d9 100644 +index e80f8c0..694b002 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if -@@ -144,7 +144,7 @@ interface(`ntp_admin',` - type ntpd_initrc_exec_t; +@@ -140,11 +140,10 @@ interface(`ntp_rw_shm',` + interface(`ntp_admin',` + gen_require(` + type ntpd_t, ntpd_tmp_t, ntpd_log_t; +- type ntpd_key_t, ntpd_var_run_t; +- type ntpd_initrc_exec_t; ++ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; ') - allow $1 ntpd_t:process { ptrace signal_perms getattr }; @@ -21030,17 +24104,35 @@ index c61adc8..b5b5992 100644 term_use_ptmx(ntpd_t) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if -index 79a225c..b1384ad 100644 +index 79a225c..cbb2bce 100644 --- a/policy/modules/services/nx.if +++ b/policy/modules/services/nx.if -@@ -35,6 +35,7 @@ interface(`nx_read_home_files',` +@@ -33,8 +33,10 @@ interface(`nx_read_home_files',` + type nx_server_home_ssh_t, nx_server_var_lib_t; + ') ++ files_search_var_lib($1) allow $1 nx_server_var_lib_t:dir search_dir_perms; read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) ') ######################################## +@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',` + type nx_server_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 nx_server_var_lib_t:dir search_dir_perms; + ') + +@@ -81,5 +84,6 @@ interface(`nx_var_lib_filetrans',` + type nx_server_var_lib_t; + ') + ++ files_search_var_lib($1) + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) + ') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te index ebb9582..c1825de 100644 --- a/policy/modules/services/nx.te @@ -21076,30 +24168,42 @@ index bdf8c89..5ee1598 100644 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if -index bd76ec2..ca33ae3 100644 +index bd76ec2..ca6517b 100644 --- a/policy/modules/services/oddjob.if +++ b/policy/modules/services/oddjob.if +@@ -9,9 +9,9 @@ + ## Execute a domain transition to run oddjob. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`oddjob_domtrans',` @@ -22,6 +22,25 @@ interface(`oddjob_domtrans',` domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') +##################################### +## -+## Do not audit attempts to read and write -+## oddjob fifo file. ++## Do not audit attempts to read and write ++## oddjob fifo file. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain to not audit. ++## +## +# +interface(`oddjob_dontaudit_rw_fifo_file',` -+ gen_require(` -+ type shutdown_t; -+ ') ++ gen_require(` ++ type oddjob_t; ++ ') + -+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; +') + ######################################## @@ -21119,20 +24223,20 @@ index bd76ec2..ca33ae3 100644 +###################################### +## -+## Send a SIGCHLD signal to oddjob. ++## Send a SIGCHLD signal to oddjob. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`oddjob_sigchld',` -+ gen_require(` -+ type oddjob_t; -+ ') ++ gen_require(` ++ type oddjob_t; ++ ') + -+ allow $1 oddjob_t:process sigchld; ++ allow $1 oddjob_t:process sigchld; +') + ######################################## @@ -21153,6 +24257,75 @@ index cadfc63..ef6919f 100644 +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) +diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if +index bb4fae5..b1b5e51 100644 +--- a/policy/modules/services/oident.if ++++ b/policy/modules/services/oident.if +@@ -18,7 +18,7 @@ + ## + ## + # +-interface(`oident_read_user_content', ` ++interface(`oident_read_user_content',` + gen_require(` + type oidentd_home_t; + ') +@@ -38,7 +38,7 @@ interface(`oident_read_user_content', ` + ## + ## + # +-interface(`oident_manage_user_content', ` ++interface(`oident_manage_user_content',` + gen_require(` + type oidentd_home_t; + ') +@@ -58,7 +58,7 @@ interface(`oident_manage_user_content', ` + ## + ## + # +-interface(`oident_relabel_user_content', ` ++interface(`oident_relabel_user_content',` + gen_require(` + type oidentd_home_t; + ') +@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content', ` + allow $1 oidentd_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) + ') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an oident environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`oident_admin',` ++ gen_require(` ++ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; ++ ') ++ ++ allow $1 oidentd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, oidentd_t) ++ ++ init_labeled_script_domtrans($1, oidentd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 oidentd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ admin_pattern($1, oidentd_config_t) ++') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te index 0a244b1..9097656 100644 --- a/policy/modules/services/oident.te @@ -21165,6 +24338,34 @@ index 0a244b1..9097656 100644 logging_send_syslog_msg(oidentd_t) +diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if +index 9d0a67b..9197ef0 100644 +--- a/policy/modules/services/openct.if ++++ b/policy/modules/services/openct.if +@@ -23,9 +23,9 @@ interface(`openct_signull',` + ## Execute openct in the caller domain. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`openct_exec',` +@@ -42,9 +42,9 @@ interface(`openct_exec',` + ## Execute a domain transition to run openct. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`openct_domtrans',` diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 8b550f4..ba7c06b 100644 --- a/policy/modules/services/openvpn.te @@ -21242,17 +24443,31 @@ index 8b550f4..ba7c06b 100644 + unconfined_attach_tun_iface(openvpn_t) +') diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if -index 8ac407e..4452d3b 100644 +index 8ac407e..8235fb6 100644 --- a/policy/modules/services/pads.if +++ b/policy/modules/services/pads.if +@@ -25,10 +25,10 @@ + ## + ## + # +-interface(`pads_admin', ` ++interface(`pads_admin',` + gen_require(` +- type pads_t, pads_config_t; +- type pads_var_run_t, pads_initrc_exec_t; ++ type pads_t, pads_config_t, pads_initrc_exec_t; ++ type pads_var_run_t; + ') + + allow $1 pads_t:process { ptrace signal_perms }; @@ -39,6 +39,9 @@ interface(`pads_admin', ` role_transition $2 pads_initrc_exec_t system_r; allow $2 system_r; -+ files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, pads_var_run_t) + -+ files_search_etc($1) ++ files_list_etc($1) admin_pattern($1, pads_config_t) ') diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc @@ -21269,27 +24484,26 @@ index 0000000..8d00972 +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if new file mode 100644 -index 0000000..7ca90f6 +index 0000000..66f9799 --- /dev/null +++ b/policy/modules/services/passenger.if -@@ -0,0 +1,69 @@ +@@ -0,0 +1,67 @@ +## Passenger policy + +###################################### +## -+## Execute passenger in the passenger domain. ++## Execute passenger in the passenger domain. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed to transition. ++## +## +# +interface(`passenger_domtrans',` -+ gen_require(` -+ type passenger_t; -+ type passenger_exec_t; -+ ') ++ gen_require(` ++ type passenger_t, passenger_exec_t; ++ ') + + allow $1 self:capability { fowner fsetid }; + @@ -21302,46 +24516,45 @@ index 0000000..7ca90f6 + +###################################### +## -+## Manage passenger var_run content. ++## Manage passenger var_run content. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`passenger_manage_pid_content',` -+ gen_require(` -+ type passenger_var_run_t; -+ ') ++ gen_require(` ++ type passenger_var_run_t; ++ ') + -+ files_search_pids($1) ++ files_search_pids($1) + manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) -+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) ++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) + manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) + manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) +') + +######################################## +## -+## Read passenger lib files ++## Read passenger lib files +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`passenger_read_lib_files',` -+ gen_require(` -+ type passenger_var_lib_t; -+ ') ++ gen_require(` ++ type passenger_var_lib_t; ++ ') + + files_search_var_lib($1) -+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) -+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) +') -+ diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te new file mode 100644 index 0000000..9cb0d1c @@ -21416,6 +24629,22 @@ index 0000000..9cb0d1c + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) +') +diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if +index 1c2a091..ea5ae69 100644 +--- a/policy/modules/services/pcscd.if ++++ b/policy/modules/services/pcscd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run pcscd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`pcscd_domtrans',` diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index 3185114..e2e2f67 100644 --- a/policy/modules/services/pegasus.te @@ -21501,6 +24730,41 @@ index 3185114..e2e2f67 100644 + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') +diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if +index 8688aae..1bfd8d2 100644 +--- a/policy/modules/services/pingd.if ++++ b/policy/modules/services/pingd.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run pingd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`pingd_domtrans',` +@@ -55,7 +55,6 @@ interface(`pingd_manage_config',` + files_search_etc($1) + manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) + manage_files_pattern($1, pingd_etc_t, pingd_etc_t) +- + ') + + ####################################### +@@ -77,8 +76,8 @@ interface(`pingd_manage_config',` + # + interface(`pingd_admin',` + gen_require(` +- type pingd_t, pingd_etc_t; +- type pingd_initrc_exec_t, pingd_modules_t; ++ type pingd_t, pingd_etc_t, pingd_modules_t; ++ type pingd_initrc_exec_t; + ') + + allow $1 pingd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc new file mode 100644 index 0000000..2c7e06f @@ -21535,51 +24799,49 @@ index 0000000..2c7e06f + diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if new file mode 100644 -index 0000000..8ecd276 +index 0000000..6403c17 --- /dev/null +++ b/policy/modules/services/piranha.if -@@ -0,0 +1,175 @@ -+ +@@ -0,0 +1,173 @@ +## policy for piranha + +####################################### +## -+## Creates types and rules for a basic -+## cluster init daemon domain. ++## Creates types and rules for a basic ++## cluster init daemon domain. +## +## -+## -+## Prefix for the domain. -+## ++## ++## Prefix for the domain. ++## +## +# +template(`piranha_domain_template',` -+ -+ gen_require(` -+ attribute piranha_domain; -+ ') ++ gen_require(` ++ attribute piranha_domain; ++ ') + + ############################## -+ # -+ # piranha_$1_t declarations -+ # ++ # ++ # piranha_$1_t declarations ++ # + + type piranha_$1_t, piranha_domain; + type piranha_$1_exec_t; + init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) + + # pid files -+ type piranha_$1_var_run_t; -+ files_pid_file(piranha_$1_var_run_t) ++ type piranha_$1_var_run_t; ++ files_pid_file(piranha_$1_var_run_t) + + ############################## -+ # -+ # piranha_$1_t local policy -+ # ++ # ++ # piranha_$1_t local policy ++ # + -+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) ++ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) -+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file }) ++ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) +') + +######################################## @@ -21587,9 +24849,9 @@ index 0000000..8ecd276 +## Execute a domain transition to run fos. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`piranha_domtrans_fos',` @@ -21602,56 +24864,56 @@ index 0000000..8ecd276 + +####################################### +## -+## Execute a domain transition to run lvsd. ++## Execute a domain transition to run lvsd. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed to transition. ++## +## +# +interface(`piranha_domtrans_lvs',` -+ gen_require(` -+ type piranha_lvs_t, piranha_lvs_exec_t; -+ ') ++ gen_require(` ++ type piranha_lvs_t, piranha_lvs_exec_t; ++ ') + -+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) ++ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) +') + +####################################### +## -+## Execute a domain transition to run pulse. ++## Execute a domain transition to run pulse. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed to transition. ++## +## +# +interface(`piranha_domtrans_pulse',` -+ gen_require(` -+ type piranha_pulse_t, piranha_pulse_exec_t; -+ ') ++ gen_require(` ++ type piranha_pulse_t, piranha_pulse_exec_t; ++ ') + -+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) ++ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) +') + +####################################### +## -+## Execute pulse server in the pulse domain. ++## Execute pulse server in the pulse domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# +interface(`piranha_pulse_initrc_domtrans',` -+ gen_require(` -+ type piranha_pulse_initrc_exec_t; -+ ') ++ gen_require(` ++ type piranha_pulse_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) ++ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) +') + +######################################## @@ -21671,7 +24933,7 @@ index 0000000..8ecd276 + ') + + logging_search_logs($1) -+ read_files_pattern($1, piranha_log_t, piranha_log_t) ++ read_files_pattern($1, piranha_log_t, piranha_log_t) +') + +######################################## @@ -21680,9 +24942,9 @@ index 0000000..8ecd276 +## piranha log files. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`piranha_append_log',` @@ -21700,7 +24962,7 @@ index 0000000..8ecd276 +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# @@ -21710,9 +24972,9 @@ index 0000000..8ecd276 + ') + + logging_search_logs($1) -+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t) -+ manage_files_pattern($1, piranha_log_t, piranha_log_t) -+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) ++ manage_dirs_pattern($1, piranha_log_t, piranha_log_t) ++ manage_files_pattern($1, piranha_log_t, piranha_log_t) ++ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 @@ -21941,10 +25203,153 @@ index 0000000..0a5f27d + +sysnet_read_config(piranha_domain) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if -index 9759ed8..fecc0dc 100644 +index 9759ed8..07dd3ff 100644 --- a/policy/modules/services/plymouthd.if +++ b/policy/modules/services/plymouthd.if -@@ -249,12 +249,14 @@ interface(`plymouthd_admin', ` +@@ -5,12 +5,12 @@ + ## Execute a domain transition to run plymouthd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # +-interface(`plymouthd_domtrans', ` ++interface(`plymouthd_domtrans',` + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') +@@ -23,12 +23,12 @@ interface(`plymouthd_domtrans', ` + ## Execute the plymoth daemon in the current domain + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # +-interface(`plymouthd_exec', ` ++interface(`plymouthd_exec',` + gen_require(` + type plymouthd_exec_t; + ') +@@ -47,7 +47,7 @@ interface(`plymouthd_exec', ` + ## + ## + # +-interface(`plymouthd_stream_connect', ` ++interface(`plymouthd_stream_connect',` + gen_require(` + type plymouthd_t; + ') +@@ -60,12 +60,12 @@ interface(`plymouthd_stream_connect', ` + ## Execute the plymoth command in the current domain + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # +-interface(`plymouthd_exec_plymouth', ` ++interface(`plymouthd_exec_plymouth',` + gen_require(` + type plymouth_exec_t; + ') +@@ -78,12 +78,12 @@ interface(`plymouthd_exec_plymouth', ` + ## Execute a domain transition to run plymouthd. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # +-interface(`plymouthd_domtrans_plymouth', ` ++interface(`plymouthd_domtrans_plymouth',` + gen_require(` + type plymouth_t, plymouth_exec_t; + ') +@@ -101,7 +101,7 @@ interface(`plymouthd_domtrans_plymouth', ` + ## + ## + # +-interface(`plymouthd_search_spool', ` ++interface(`plymouthd_search_spool',` + gen_require(` + type plymouthd_spool_t; + ') +@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', ` + ## + ## + # +-interface(`plymouthd_read_spool_files', ` ++interface(`plymouthd_read_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') +@@ -140,7 +140,7 @@ interface(`plymouthd_read_spool_files', ` + ## + ## + # +-interface(`plymouthd_manage_spool_files', ` ++interface(`plymouthd_manage_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') +@@ -159,7 +159,7 @@ interface(`plymouthd_manage_spool_files', ` + ## + ## + # +-interface(`plymouthd_search_lib', ` ++interface(`plymouthd_search_lib',` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -178,7 +178,7 @@ interface(`plymouthd_search_lib', ` + ## + ## + # +-interface(`plymouthd_read_lib_files', ` ++interface(`plymouthd_read_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -198,7 +198,7 @@ interface(`plymouthd_read_lib_files', ` + ## + ## + # +-interface(`plymouthd_manage_lib_files', ` ++interface(`plymouthd_manage_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -217,7 +217,7 @@ interface(`plymouthd_manage_lib_files', ` + ## + ## + # +-interface(`plymouthd_read_pid_files', ` ++interface(`plymouthd_read_pid_files',` + gen_require(` + type plymouthd_var_run_t; + ') +@@ -243,18 +243,20 @@ interface(`plymouthd_read_pid_files', ` + ## + ## + # +-interface(`plymouthd_admin', ` ++interface(`plymouthd_admin',` + gen_require(` + type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; type plymouthd_var_run_t; ') @@ -21953,12 +25358,12 @@ index 9759ed8..fecc0dc 100644 + allow $1 plymouthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, plymouthd_t) -+ files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, plymouthd_spool_t) admin_pattern($1, plymouthd_var_lib_t) -+ files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te @@ -22008,10 +25413,10 @@ index 27c739c..c65d18f 100644 /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if -index 48ff1e8..29c9906 100644 +index 48ff1e8..13cdc77 100644 --- a/policy/modules/services/policykit.if +++ b/policy/modules/services/policykit.if -@@ -17,12 +17,37 @@ interface(`policykit_dbus_chat',` +@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',` class dbus send_msg; ') @@ -22023,10 +25428,11 @@ index 48ff1e8..29c9906 100644 ######################################## ## +-## Execute a domain transition to run polkit_auth. +## Send and receive messages from +## policykit over dbus. -+## -+## + ## + ## +## +## Domain allowed access. +## @@ -22045,11 +25451,26 @@ index 48ff1e8..29c9906 100644 +') + +######################################## -+## - ## Execute a domain transition to run polkit_auth. + ## +-## Domain allowed to transition. ++## Execute a domain transition to run polkit_auth. ## - ## -@@ -62,6 +87,9 @@ interface(`policykit_run_auth',` ++## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`policykit_domtrans_auth',` +@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',` + ## Role allowed access. + ## + ## ++## + # + interface(`policykit_run_auth',` + gen_require(` +@@ -62,6 +88,9 @@ interface(`policykit_run_auth',` policykit_domtrans_auth($1) role $2 types policykit_auth_t; @@ -22059,7 +25480,31 @@ index 48ff1e8..29c9906 100644 ') ######################################## -@@ -206,4 +234,47 @@ interface(`policykit_read_lib',` +@@ -69,9 +98,9 @@ interface(`policykit_run_auth',` + ## Execute a domain transition to run polkit_grant. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`policykit_domtrans_grant',` +@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',` + ## Execute a domain transition to run polkit_resolve. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`policykit_domtrans_resolve',` +@@ -206,4 +235,48 @@ interface(`policykit_read_lib',` files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) @@ -22090,14 +25535,15 @@ index 48ff1e8..29c9906 100644 + policykit_read_reload($2) + policykit_dbus_chat($2) +') ++ +######################################## +## +## Send generic signal to policy_auth +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`policykit_signal_auth',` @@ -22313,7 +25759,7 @@ index c69d047..1d9fa76 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if -index 10300a0..d91c1f5 100644 +index 10300a0..7385056 100644 --- a/policy/modules/services/portreserve.if +++ b/policy/modules/services/portreserve.if @@ -18,6 +18,24 @@ interface(`portreserve_domtrans',` @@ -22326,11 +25772,11 @@ index 10300a0..d91c1f5 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`portreserve_initrc_domtrans', ` ++interface(`portreserve_initrc_domtrans',` + gen_require(` + type portreserve_initrc_exec_t; + ') @@ -22341,7 +25787,23 @@ index 10300a0..d91c1f5 100644 ####################################### ## ## Allow the specified domain to read -@@ -64,3 +82,40 @@ interface(`portreserve_manage_config',` +@@ -29,7 +47,6 @@ interface(`portreserve_domtrans',` + ## + ## + ## +-## + # + interface(`portreserve_read_config',` + gen_require(` +@@ -52,7 +69,6 @@ interface(`portreserve_read_config',` + ## Domain allowed access. + ## + ## +-## + # + interface(`portreserve_manage_config',` + gen_require(` +@@ -64,3 +80,41 @@ interface(`portreserve_manage_config',` manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ') @@ -22361,25 +25823,26 @@ index 10300a0..d91c1f5 100644 +## Role allowed access. +## +## ++## +# -+interface(`portreserve_admin', ` ++interface(`portreserve_admin',` + gen_require(` -+ type portreserve_t, portreserve_etc_t; -+ type portreserve_initrc_exec_t, portreserve_var_run_t; ++ type portreserve_t, portreserve_etc_t, portreserve_var_run_t; ++ type portreserve_initrc_exec_t; + ') + + allow $1 portreserve_t:process { ptrace signal_perms }; + ps_process_pattern($1, portreserve_t) -+ ++ + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 portreserve_initrc_exec_t system_r; + allow $2 system_r; + -+ files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, portreserve_etc_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, portreserve_var_run_t) +') diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te @@ -22435,9 +25898,18 @@ index 55e62d2..c114a40 100644 /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..cfcbac7 100644 +index 46bee12..7391f7e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if +@@ -50,7 +50,7 @@ template(`postfix_domain_template',` + + can_exec(postfix_$1_t, postfix_$1_exec_t) + +- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl }; ++ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; + + allow postfix_$1_t postfix_master_t:process sigchld; + @@ -77,6 +77,7 @@ template(`postfix_domain_template',` files_read_etc_files(postfix_$1_t) @@ -22446,7 +25918,27 @@ index 46bee12..cfcbac7 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -376,6 +377,25 @@ interface(`postfix_domtrans_master',` +@@ -272,7 +273,8 @@ interface(`postfix_read_local_state',` + type postfix_local_t; + ') + +- read_files_pattern($1, postfix_local_t, postfix_local_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, postfix_local_t) + ') + + ######################################## +@@ -290,7 +292,8 @@ interface(`postfix_read_master_state',` + type postfix_master_t; + ') + +- read_files_pattern($1, postfix_master_t, postfix_master_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, postfix_master_t) + ') + + ######################################## +@@ -376,6 +379,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -22461,7 +25953,7 @@ index 46bee12..cfcbac7 100644 +## +## +# -+interface(`postfix_initrc_domtrans', ` ++interface(`postfix_initrc_domtrans',` + gen_require(` + type postfix_initrc_exec_t; + ') @@ -22472,7 +25964,15 @@ index 46bee12..cfcbac7 100644 ######################################## ## ## Execute the master postfix program in the -@@ -529,6 +549,25 @@ interface(`postfix_domtrans_smtp',` +@@ -404,7 +426,6 @@ interface(`postfix_exec_master',` + ## Domain allowed access. + ## + ## +-## + # + interface(`postfix_stream_connect_master',` + gen_require(` +@@ -529,6 +550,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -22498,7 +25998,7 @@ index 46bee12..cfcbac7 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +578,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +579,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -22511,7 +26011,7 @@ index 46bee12..cfcbac7 100644 files_search_spool($1) ') -@@ -558,10 +597,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +598,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -22524,7 +26024,7 @@ index 46bee12..cfcbac7 100644 files_search_spool($1) ') -@@ -577,11 +616,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +617,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -22538,7 +26038,7 @@ index 46bee12..cfcbac7 100644 ') ######################################## -@@ -596,11 +635,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +636,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -22552,7 +26052,7 @@ index 46bee12..cfcbac7 100644 ') ######################################## -@@ -621,3 +660,101 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +661,98 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -22572,19 +26072,16 @@ index 46bee12..cfcbac7 100644 +## Role allowed access. +## +## ++## +# -+interface(`postfix_admin', ` ++interface(`postfix_admin',` + gen_require(` -+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; -+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; -+ type postfix_smtpd_t; -+ + attribute postfix_spool_type; -+ ++ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; ++ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; -+ type postfix_var_run_t; -+ + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; ++ type postfix_smtpd_t, postfix_var_run_t; + ') + + allow $1 postfix_bounce_t:process { ptrace signal_perms }; @@ -22608,9 +26105,9 @@ index 46bee12..cfcbac7 100644 + allow $1 postfix_smtpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_smtpd_t) + -+ postfix_run_map($1,$2) -+ postfix_run_postdrop($1,$2) -+ ++ postfix_run_map($1, $2) ++ postfix_run_postdrop($1, $2) ++ + postfix_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; @@ -22621,12 +26118,12 @@ index 46bee12..cfcbac7 100644 + files_list_etc($1) + admin_pattern($1, postfix_etc_t) + -+ files_search_spool($1) -+ admin_pattern($1,postfix_spool_type) ++ files_list_spool($1) ++ admin_pattern($1, postfix_spool_type) + + admin_pattern($1, postfix_var_run_t) + -+ files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, postfix_map_tmp_t) + + admin_pattern($1, postfix_prng_t) @@ -22641,9 +26138,10 @@ index 46bee12..cfcbac7 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## ++## +# +interface(`postfix_run_postdrop',` + gen_require(` @@ -22653,7 +26151,6 @@ index 46bee12..cfcbac7 100644 + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') -+ diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 06e37d4..87043e1 100644 --- a/policy/modules/services/postfix.te @@ -22826,10 +26323,97 @@ index 06e37d4..87043e1 100644 +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) +diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if +index feae93b..d960d3f 100644 +--- a/policy/modules/services/postfixpolicyd.if ++++ b/policy/modules/services/postfixpolicyd.if +@@ -20,8 +20,7 @@ + interface(`postfixpolicyd_admin',` + gen_require(` + type postfix_policyd_t, postfix_policyd_conf_t; +- type postfix_policyd_var_run_t; +- type postfix_policyd_initrc_exec_t; ++ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; + ') + + allow $1 postfix_policyd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 539a7c9..2c6b723 100644 +index 539a7c9..4782bdb 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if +@@ -10,7 +10,7 @@ + ## + ## + ## +-## ++## + ## The type of the user domain. + ## + ## +@@ -45,14 +45,6 @@ interface(`postgresql_role',` + # Client local policy + # + +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $2 user_sepgsql_table_t:db_table { create drop setattr }; +- allow $2 user_sepgsql_table_t:db_column { create drop setattr }; +- +- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') +- + allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; +@@ -69,6 +61,14 @@ interface(`postgresql_role',` + + allow $2 sepgsql_trusted_proc_t:process transition; + type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ ++ tunable_policy(`sepgsql_enable_users_ddl',` ++ allow $2 user_sepgsql_table_t:db_table { create drop setattr }; ++ allow $2 user_sepgsql_table_t:db_column { create drop setattr }; ++ ++ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ++ ') + ') + + ######################################## +@@ -195,7 +195,7 @@ interface(`postgresql_search_db',` + type postgresql_db_t; + ') + +- allow $1 postgresql_db_t:dir search; ++ allow $1 postgresql_db_t:dir search_dir_perms; + ') + + ######################################## +@@ -207,6 +207,7 @@ interface(`postgresql_search_db',` + ## Domain allowed access. + ## + ## ++# + interface(`postgresql_manage_db',` + gen_require(` + type postgresql_db_t; +@@ -214,7 +215,7 @@ interface(`postgresql_manage_db',` + + allow $1 postgresql_db_t:dir rw_dir_perms; + allow $1 postgresql_db_t:file rw_file_perms; +- allow $1 postgresql_db_t:lnk_file { getattr read }; ++ allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',` + ## Domain allowed access. + ## + ## +-## + # + interface(`postgresql_stream_connect',` + gen_require(` @@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',` ') @@ -22839,24 +26423,76 @@ index 539a7c9..2c6b723 100644 - # Some versions of postgresql put the sock file in /tmp - allow $1 postgresql_tmp_t:sock_file write; + files_search_tmp($1) -+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) ++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## -@@ -441,10 +439,13 @@ interface(`postgresql_admin',` +@@ -361,13 +359,6 @@ interface(`postgresql_unpriv_client',` + type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + allow $1 sepgsql_trusted_proc_t:process transition; +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; +- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; +- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') +- + allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; +@@ -381,6 +372,13 @@ interface(`postgresql_unpriv_client',` + + allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; ++ ++ tunable_policy(`sepgsql_enable_users_ddl',` ++ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; ++ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; ++ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ++ ') + ') + + ######################################## +@@ -420,13 +418,10 @@ interface(`postgresql_unconfined',` + # + interface(`postgresql_admin',` + gen_require(` +- attribute sepgsql_admin_type; +- attribute sepgsql_client_type; +- +- type postgresql_t, postgresql_var_run_t; +- type postgresql_tmp_t, postgresql_db_t; +- type postgresql_etc_t, postgresql_log_t; +- type postgresql_initrc_exec_t; ++ attribute sepgsql_admin_type, sepgsql_client_type; ++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; ++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; ++ type postgresql_etc_t; + ') + + typeattribute $1 sepgsql_admin_type; +@@ -439,14 +434,19 @@ interface(`postgresql_admin',` + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + ++ files_list_pids($1) admin_pattern($1, postgresql_var_run_t) -+ files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, postgresql_db_t) -+ files_search_etc($1) ++ files_list_etc($1) admin_pattern($1, postgresql_etc_t) -+ logging_search_logs($1) ++ logging_list_logs($1) admin_pattern($1, postgresql_log_t) ++ files_list_tmp($1) admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 39abf57..4a85c12 100644 --- a/policy/modules/services/postgresql.te @@ -22871,28 +26507,120 @@ index 39abf57..4a85c12 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) +diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if +index ad15fde..6f55445 100644 +--- a/policy/modules/services/postgrey.if ++++ b/policy/modules/services/postgrey.if +@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',` + type postgrey_var_run_t, postgrey_t, postgrey_spool_t; + ') + +- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t) +- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t) ++ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) + files_search_pids($1) ++ files_search_spool($1) + ') + + ######################################## +@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',` + type postgrey_spool_t; + ') + ++ files_search_spool($1) + allow $1 postgrey_spool_t:dir search_dir_perms; + ') + +@@ -57,9 +58,8 @@ interface(`postgrey_search_spool',` + # + interface(`postgrey_admin',` + gen_require(` +- type postgrey_t, postgrey_etc_t; ++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; + type postgrey_var_lib_t, postgrey_var_run_t; +- type postgrey_initrc_exec_t; + ') + + allow $1 postgrey_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if -index b524673..f916c76 100644 +index b524673..09699d1 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if -@@ -360,7 +360,7 @@ interface(`ppp_admin',` - type pppd_initrc_exec_t; +@@ -66,7 +66,6 @@ interface(`ppp_sigchld',` + ## + ## + # +-# + interface(`ppp_kill',` + gen_require(` + type pppd_t; +@@ -180,8 +179,7 @@ interface(`ppp_run',` + ') + + ppp_domtrans($1) +- role $2 types pppd_t; +- role $2 types pptp_t; ++ role $2 types { pppd_t pptp_t }; + + optional_policy(` + ddclient_run(pppd_t, $2) +@@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',` + type pppd_var_run_t; + ') + ++ files_search_pids($1) + allow $1 pppd_var_run_t:file read_file_perms; + ') + +@@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',` + type pppd_var_run_t; + ') + ++ files_search_pids($1) + allow $1 pppd_var_run_t:file manage_file_perms; + ') + +@@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',` + interface(`ppp_admin',` + gen_require(` + type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; +- type pppd_etc_t, pppd_secret_t; +- type pppd_etc_rw_t, pppd_var_run_t; +- ++ type pppd_etc_t, pppd_secret_t, pppd_var_run_t; + type pptp_t, pptp_log_t, pptp_var_run_t; +- type pppd_initrc_exec_t; ++ type pppd_initrc_exec_t, pppd_etc_rw_t; ') - allow $1 pppd_t:process { ptrace signal_perms getattr }; + allow $1 pppd_t:process { ptrace signal_perms }; ps_process_pattern($1, pppd_t) ++ allow $1 pptp_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pptp_t) ++ ppp_initrc_domtrans($1) -@@ -386,7 +386,7 @@ interface(`ppp_admin',` + domain_system_change_exemption($1) + role_transition $2 pppd_initrc_exec_t system_r; +@@ -374,6 +375,7 @@ interface(`ppp_admin',` + logging_list_logs($1) + admin_pattern($1, pppd_log_t) + ++ files_list_locks($1) + admin_pattern($1, pppd_lock_t) + + files_list_etc($1) +@@ -386,9 +388,6 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) - allow $1 pptp_t:process { ptrace signal_perms getattr }; -+ allow $1 pptp_t:process { ptrace signal_perms }; - ps_process_pattern($1, pptp_t) - +- ps_process_pattern($1, pptp_t) +- admin_pattern($1, pptp_log_t) + + admin_pattern($1, pptp_var_run_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 2af42e7..74f07f8 100644 --- a/policy/modules/services/ppp.te @@ -22939,32 +26667,106 @@ index 2af42e7..74f07f8 100644 kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if -index 2316653..e4d8797 100644 +index 2316653..77ef768 100644 --- a/policy/modules/services/prelude.if +++ b/policy/modules/services/prelude.if -@@ -136,9 +136,16 @@ interface(`prelude_admin',` +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run prelude. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans',` +@@ -23,9 +23,9 @@ interface(`prelude_domtrans',` + ## Execute a domain transition to run prelude_audisp. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans_audisp',` +@@ -41,9 +41,9 @@ interface(`prelude_domtrans_audisp',` + ## Signal the prelude_audisp domain. + ## + ## +-## ++## + ## Domain allowed acccess. +-## ++## + ## + # + interface(`prelude_signal_audisp',` +@@ -78,9 +78,9 @@ interface(`prelude_read_spool',` + ## Manage to prelude-manager spool files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`prelude_manage_spool',` +@@ -112,13 +112,10 @@ interface(`prelude_manage_spool',` + # + interface(`prelude_admin',` + gen_require(` +- type prelude_t, prelude_spool_t; +- type prelude_var_run_t, prelude_var_lib_t; +- type prelude_audisp_t, prelude_audisp_var_run_t; +- type prelude_initrc_exec_t; +- +- type prelude_lml_t, prelude_lml_tmp_t; +- type prelude_lml_var_run_t; ++ type prelude_t, prelude_spool_t, prelude_initrc_exec_t; ++ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; ++ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; ++ type prelude_lml_t; + ') + + allow $1 prelude_t:process { ptrace signal_perms }; +@@ -135,10 +132,17 @@ interface(`prelude_admin',` + role_transition $2 prelude_initrc_exec_t system_r; allow $2 system_r; ++ files_list_spool($1) admin_pattern($1, prelude_spool_t) + -+ files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, prelude_var_lib_t) + -+ files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, prelude_var_run_t) admin_pattern($1, prelude_audisp_var_run_t) -+ -+ files_search_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) -+ +- admin_pattern($1, prelude_lml_tmp_t) admin_pattern($1, prelude_lml_var_run_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if -index 1da26dc..c8f6cb5 100644 +index 1da26dc..7221526 100644 --- a/policy/modules/services/privoxy.if +++ b/policy/modules/services/privoxy.if -@@ -24,7 +24,7 @@ interface(`privoxy_admin',` - type privoxy_initrc_exec_t; +@@ -19,12 +19,11 @@ + # + interface(`privoxy_admin',` + gen_require(` +- type privoxy_t, privoxy_log_t; ++ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; + type privoxy_etc_rw_t, privoxy_var_run_t; +- type privoxy_initrc_exec_t; ') - allow $1 privoxy_t:process { ptrace signal_perms getattr }; @@ -23000,10 +26802,10 @@ index 1343621..4b36a13 100644 /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if -index b64b02f..5bfbd7b 100644 +index b64b02f..166e9c3 100644 --- a/policy/modules/services/procmail.if +++ b/policy/modules/services/procmail.if -@@ -77,3 +77,23 @@ interface(`procmail_rw_tmp_files',` +@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',` files_search_tmp($1) rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') @@ -23023,10 +26825,9 @@ index b64b02f..5bfbd7b 100644 + type procmail_home_t; + ') + -+ userdom_search_user_home_dirs($1) ++ userdom_search_user_home_dirs($1) + read_files_pattern($1, procmail_home_t, procmail_home_t) +') -+ diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 29b9295..b558811 100644 --- a/policy/modules/services/procmail.te @@ -23080,10 +26881,27 @@ index 29b9295..b558811 100644 pyzor_signal(procmail_t) ') diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if -index bc329d1..a5ec9f5 100644 +index bc329d1..d1a3745 100644 --- a/policy/modules/services/psad.if +++ b/policy/modules/services/psad.if -@@ -176,6 +176,26 @@ interface(`psad_append_log',` +@@ -91,7 +91,6 @@ interface(`psad_manage_config',` + files_search_etc($1) + manage_dirs_pattern($1, psad_etc_t, psad_etc_t) + manage_files_pattern($1, psad_etc_t, psad_etc_t) +- + ') + + ######################################## +@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',` + + ######################################## + ## +-## Read psad PID files. ++## Read and write psad PID files. + ## + ## + ## +@@ -176,6 +175,26 @@ interface(`psad_append_log',` ######################################## ## @@ -23110,15 +26928,39 @@ index bc329d1..a5ec9f5 100644 ## Read and write psad fifo files. ## ## -@@ -234,7 +254,7 @@ interface(`psad_admin',` +@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',` + interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; -- type psad_tmp_t; -+ type psad_tmp_t, psad_etc_t; +- type psad_initrc_exec_t, psad_var_lib_t; ++ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; + type psad_tmp_t; ') - allow $1 psad_t:process { ptrace signal_perms }; +@@ -245,18 +264,18 @@ interface(`psad_admin',` + role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, psad_etc_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, psad_var_run_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, psad_var_log_t) + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, psad_var_lib_t) + +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, psad_tmp_t) + ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te index d4000e0..c23cd14 100644 --- a/policy/modules/services/psad.te @@ -23143,6 +26985,19 @@ index d4000e0..c23cd14 100644 fs_getattr_all_fs(psad_t) +diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if +index 2855a44..0456b11 100644 +--- a/policy/modules/services/puppet.if ++++ b/policy/modules/services/puppet.if +@@ -21,7 +21,7 @@ + ## + ## + # +-interface(`puppet_rw_tmp', ` ++interface(`puppet_rw_tmp',` + gen_require(` + type puppet_tmp_t; + ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te index 64c5f95..9587224 100644 --- a/policy/modules/services/puppet.te @@ -23219,10 +27074,27 @@ index d4a7750..705196e 100644 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if -index 494f7e2..6443f30 100644 +index 494f7e2..aa3d0b4 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if -@@ -88,3 +88,50 @@ interface(`pyzor_exec',` +@@ -14,6 +14,7 @@ + ## User domain for the role + ## + ## ++## + # + interface(`pyzor_role',` + gen_require(` +@@ -28,7 +29,7 @@ interface(`pyzor_role',` + + # allow ps to show pyzor and allow the user to kill it + ps_process_pattern($2, pyzor_t) +- allow $2 pyzor_t:process signal; ++ allow $2 pyzor_t:process { ptrace signal_perms }; + ') + + ######################################## +@@ -88,3 +89,47 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') @@ -23247,13 +27119,12 @@ index 494f7e2..6443f30 100644 +interface(`pyzor_admin',` + gen_require(` + type pyzord_t, pyzor_tmp_t, pyzord_log_t; -+ type pyzor_etc_t, pyzor_var_lib_t; -+ type pyzord_initrc_exec_t; ++ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; + ') + + allow $1 pyzord_t:process { ptrace signal_perms }; + ps_process_pattern($1, pyzord_t) -+ ++ + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; @@ -23271,8 +27142,6 @@ index 494f7e2..6443f30 100644 + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) +') -+ -+ diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index cd683f9..2f03bad 100644 --- a/policy/modules/services/pyzor.te @@ -23341,6 +27210,42 @@ index cd683f9..2f03bad 100644 userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` +diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if +index a55bf44..77a25f5 100644 +--- a/policy/modules/services/qmail.if ++++ b/policy/modules/services/qmail.if +@@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',` + type qmail_inject_t, qmail_inject_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) + + ifdef(`distro_debian',` + files_search_usr($1) +- corecmd_search_bin($1) + ',` + files_search_var($1) +- corecmd_search_bin($1) + ') + ') + +@@ -88,14 +87,13 @@ interface(`qmail_domtrans_queue',` + type qmail_queue_t, qmail_queue_exec_t; + ') + ++ corecmd_search_bin($1) + domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) + + ifdef(`distro_debian',` + files_search_usr($1) +- corecmd_search_bin($1) + ',` + files_search_var($1) +- corecmd_search_bin($1) + ') + ') + diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 355b2a2..1b01d75 100644 --- a/policy/modules/services/qmail.te @@ -23373,11 +27278,10 @@ index 0000000..f3b89e4 +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if new file mode 100644 -index 0000000..5dbca44 +index 0000000..c403abc --- /dev/null +++ b/policy/modules/services/qpidd.if -@@ -0,0 +1,236 @@ -+ +@@ -0,0 +1,228 @@ +## policy for qpidd + +######################################## @@ -23385,9 +27289,9 @@ index 0000000..5dbca44 +## Execute a domain transition to run qpidd. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`qpidd_domtrans',` @@ -23398,7 +27302,6 @@ index 0000000..5dbca44 + domtrans_pattern($1, qpidd_exec_t, qpidd_t) +') + -+ +######################################## +## +## Execute qpidd server in the qpidd domain. @@ -23451,12 +27354,12 @@ index 0000000..5dbca44 + type qpidd_var_run_t; + ') + -+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) -+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) -+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ++ files_search_pids($1) ++ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ++ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ++ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) +') + -+ +######################################## +## +## Search qpidd lib directories. @@ -23492,7 +27395,7 @@ index 0000000..5dbca44 + ') + + files_search_var_lib($1) -+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## @@ -23512,7 +27415,7 @@ index 0000000..5dbca44 + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## @@ -23530,12 +27433,12 @@ index 0000000..5dbca44 + type qpidd_var_lib_t; + ') + -+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) -+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ++ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + -+ +######################################## +## +## All of the rules required to administrate @@ -23555,16 +27458,11 @@ index 0000000..5dbca44 +# +interface(`qpidd_admin',` + gen_require(` -+ type qpidd_t; ++ type qpidd_t, qpidd_initrc_exec_t; + ') + + allow $1 qpidd_t:process { ptrace signal_perms }; + ps_process_pattern($1, qpidd_t) -+ -+ -+ gen_require(` -+ type qpidd_initrc_exec_t; -+ ') + + # Allow qpidd_t to restart the apache service + qpidd_initrc_domtrans($1) @@ -23575,43 +27473,42 @@ index 0000000..5dbca44 + qpidd_manage_var_run($1) + + qpidd_manage_var_lib($1) -+ +') + +##################################### +## -+## Allow read and write access to qpidd semaphores. ++## Allow read and write access to qpidd semaphores. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`qpidd_rw_semaphores',` -+ gen_require(` -+ type qpidd_t; -+ ') ++ gen_require(` ++ type qpidd_t; ++ ') + -+ allow $1 qpidd_t:sem rw_sem_perms; ++ allow $1 qpidd_t:sem rw_sem_perms; +') + +######################################## +## -+## Read and write to qpidd shared memory. ++## Read and write to qpidd shared memory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`qpidd_rw_shm',` -+ gen_require(` -+ type qpidd_t; -+ ') ++ gen_require(` ++ type qpidd_t; ++ ') + -+ allow $1 qpidd_t:shm rw_shm_perms; ++ allow $1 qpidd_t:shm rw_shm_perms; +') diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te new file mode 100644 @@ -23723,6 +27620,21 @@ index db6296a..b3f1fd3 100644 samba_read_var_files(radiusd_t) ') +diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if +index be05bff..2bd662a 100644 +--- a/policy/modules/services/radvd.if ++++ b/policy/modules/services/radvd.if +@@ -19,8 +19,8 @@ + # + interface(`radvd_admin',` + gen_require(` +- type radvd_t, radvd_etc_t; +- type radvd_var_run_t, radvd_initrc_exec_t; ++ type radvd_t, radvd_etc_t, radvd_initrc_exec_t; ++ type radvd_var_run_t; + ') + + allow $1 radvd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc index 1efba0c..71d657c 100644 --- a/policy/modules/services/razor.fc @@ -23733,10 +27645,44 @@ index 1efba0c..71d657c 100644 /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if -index f04a595..13ad2fe 100644 +index f04a595..3203212 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if -@@ -157,3 +157,44 @@ interface(`razor_domtrans',` +@@ -26,6 +26,7 @@ template(`razor_common_domain_template',` + gen_require(` + type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; + ') ++ + type $1_t; + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) +@@ -46,7 +47,7 @@ template(`razor_common_domain_template',` + # Read system config file + allow $1_t razor_etc_t:dir list_dir_perms; + allow $1_t razor_etc_t:file read_file_perms; +- allow $1_t razor_etc_t:lnk_file { getattr read }; ++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern($1_t, razor_log_t, razor_log_t) + manage_files_pattern($1_t, razor_log_t, razor_log_t) +@@ -117,6 +118,7 @@ template(`razor_common_domain_template',` + ## User domain for the role + ## + ## ++## + # + interface(`razor_role',` + gen_require(` +@@ -130,7 +132,7 @@ interface(`razor_role',` + + # allow ps to show razor and allow the user to kill it + ps_process_pattern($2, razor_t) +- allow $2 razor_t:process signal; ++ allow $2 razor_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, razor_home_t, razor_home_t) + manage_files_pattern($2, razor_home_t, razor_home_t) +@@ -157,3 +159,43 @@ interface(`razor_domtrans',` domtrans_pattern($1, razor_exec_t, razor_t) ') @@ -23752,7 +27698,7 @@ index f04a595..13ad2fe 100644 +## +## +# -+template(`razor_manage_user_home_files',` ++interface(`razor_manage_user_home_files',` + gen_require(` + type razor_home_t; + ') @@ -23780,7 +27726,6 @@ index f04a595..13ad2fe 100644 + files_search_var_lib($1) + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') -+ diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index 340a6c0..eaa8706 100644 --- a/policy/modules/services/razor.te @@ -23880,9 +27825,21 @@ index 3c97ef0..c025d59 100644 /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if -index 7dc38d1..aaf7c85 100644 +index 7dc38d1..9c2c963 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run rgmanager. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`rgmanager_domtrans',` @@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',` fs_search_tmpfs($1) manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) @@ -23890,20 +27847,20 @@ index 7dc38d1..aaf7c85 100644 + +####################################### +## -+## Allow read and write access to rgmanager semaphores. ++## Allow read and write access to rgmanager semaphores. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`rgmanager_rw_semaphores',` -+ gen_require(` -+ type rgmanager_t; -+ ') ++ gen_require(` ++ type rgmanager_t; ++ ') + -+ allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; ++ allow $1 rgmanager_t:sem rw_sem_perms; +') + +###################################### @@ -23912,9 +27869,9 @@ index 7dc38d1..aaf7c85 100644 +## an rgmanager environment +## +## -+## ++## +## Domain allowed access. -+## ++## +## +## +## @@ -23927,7 +27884,7 @@ index 7dc38d1..aaf7c85 100644 + gen_require(` + type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; -+ ') ++ ') + + allow $1 rgmanager_t:process { ptrace signal_perms }; + ps_process_pattern($1, rgmanager_t) @@ -23937,15 +27894,15 @@ index 7dc38d1..aaf7c85 100644 + role_transition $2 rgmanager_initrc_exec_t system_r; + allow $2 system_r; + -+ files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, rgmanager_tmp_t) + + admin_pattern($1, rgmanager_tmpfs_t) + -+ logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, rgmanager_var_log_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te @@ -24034,19 +27991,19 @@ index c2ba53b..d862e7e 100644 /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if -index de37806..d8b97c2 100644 +index de37806..229a3c7 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if -@@ -14,6 +14,8 @@ +@@ -13,7 +13,7 @@ + # template(`rhcs_domain_template',` gen_require(` - attribute cluster_domain; -+ attribute cluster_tmpfs; -+ attribute cluster_pid; +- attribute cluster_domain; ++ attribute cluster_domain, cluster_tmpfs, cluster_pid; ') ############################## -@@ -25,13 +27,13 @@ template(`rhcs_domain_template',` +@@ -25,13 +25,13 @@ template(`rhcs_domain_template',` type $1_exec_t; init_daemon_domain($1_t, $1_exec_t) @@ -24062,7 +28019,38 @@ index de37806..d8b97c2 100644 files_pid_file($1_var_run_t) ############################## -@@ -335,6 +337,67 @@ interface(`rhcs_rw_groupd_shm',` +@@ -51,7 +51,6 @@ template(`rhcs_domain_template',` + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) +- + ') + + ###################################### +@@ -59,9 +58,9 @@ template(`rhcs_domain_template',` + ## Execute a domain transition to run dlm_controld. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`rhcs_domtrans_dlm_controld',` +@@ -169,9 +168,8 @@ interface(`rhcs_stream_connect_fenced',` + type fenced_var_run_t, fenced_t; + ') + +- allow $1 fenced_t:unix_stream_socket connectto; +- allow $1 fenced_var_run_t:sock_file { getattr write }; + files_search_pids($1) ++ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) + ') + + ##################################### +@@ -335,6 +333,65 @@ interface(`rhcs_rw_groupd_shm',` manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') @@ -24078,8 +28066,7 @@ index de37806..d8b97c2 100644 +# +interface(`rhcs_rw_cluster_shm',` + gen_require(` -+ attribute cluster_domain; -+ attribute cluster_tmpfs; ++ attribute cluster_domain, cluster_tmpfs; + ') + + allow $1 cluster_domain:shm { rw_shm_perms destroy }; @@ -24090,47 +28077,46 @@ index de37806..d8b97c2 100644 + +#################################### +## -+## Read and write access to cluster domains semaphores. ++## Read and write access to cluster domains semaphores. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`rhcs_rw_cluster_semaphores',` -+ gen_require(` ++ gen_require(` + attribute cluster_domain; -+ ') ++ ') + -+ allow $1 cluster_domain:sem { rw_sem_perms destroy }; ++ allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + +#################################### +## -+## Connect to cluster domains over a unix domain -+## stream socket. ++## Connect to cluster domains over a unix domain ++## stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`rhcs_stream_connect_cluster',` -+ gen_require(` -+ attribute cluster_domain; -+ attribute cluster_pid; -+ ') ++ gen_require(` ++ attribute cluster_domain, cluster_pid; ++ ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) +') + ###################################### ## ## Execute a domain transition to run qdiskd. -@@ -353,3 +416,40 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -353,3 +410,41 @@ interface(`rhcs_domtrans_qdiskd',` corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') @@ -24150,26 +28136,27 @@ index de37806..d8b97c2 100644 + type qdiskd_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') + +###################################### +## -+## Allow domain to read cluster lib files ++## Allow domain to read cluster lib files +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`rhcs_read_cluster_lib_files',` -+ gen_require(` -+ type cluster_var_lib_t; -+ ') ++ gen_require(` ++ type cluster_var_lib_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te index 93c896a..1ebc84d 100644 @@ -24289,6 +28276,17 @@ index 93c896a..1ebc84d 100644 +optional_policy(` corosync_stream_connect(cluster_domain) ') +diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if +index 96efae7..793a29f 100644 +--- a/policy/modules/services/rhgb.if ++++ b/policy/modules/services/rhgb.if +@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` + type rhgb_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + allow $1 rhgb_tmpfs_t:file rw_file_perms; + ') diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc index 5b08327..ed5dc05 100644 --- a/policy/modules/services/ricci.fc @@ -24301,48 +28299,80 @@ index 5b08327..ed5dc05 100644 /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if -index f7826f9..ecc341c 100644 +index f7826f9..3128dd8 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if -@@ -18,6 +18,24 @@ interface(`ricci_domtrans',` +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run ricci. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans',` +@@ -18,14 +18,32 @@ interface(`ricci_domtrans',` domtrans_pattern($1, ricci_exec_t, ricci_t) ') +####################################### +## -+## Execute ricci server in the ricci domain. ++## Execute ricci server in the ricci domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`ricci_initrc_domtrans', ` -+ gen_require(` -+ type ricci_initrc_exec_t; -+ ') ++interface(`ricci_initrc_domtrans',` ++ gen_require(` ++ type ricci_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, ricci_initrc_exec_t) ++ init_labeled_script_domtrans($1, ricci_initrc_exec_t) +') + ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -90,8 +108,25 @@ interface(`ricci_stream_connect_modclusterd',` + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans_modcluster',` +@@ -71,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` + type ricci_modcluster_t; + ') + +- dontaudit $1 ricci_modcluster_t:fifo_file { read write }; ++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',` ') files_search_pids($1) - allow $1 ricci_modcluster_var_run_t:sock_file write; - allow $1 ricci_modclusterd_t:unix_stream_socket connectto; + stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute a domain transition to run ricci_modlog. +## Read and write to ricci_modcluserd temporary file system. -+## -+## + ## + ## +## +## Domain allowed access. +## @@ -24353,33 +28383,81 @@ index f7826f9..ecc341c 100644 + type ricci_modcluserd_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; - ') - - ######################################## -@@ -165,3 +200,67 @@ interface(`ricci_domtrans_modstorage',` ++') ++ ++######################################## + ## +-## Domain allowed to transition. ++## Execute a domain transition to run ricci_modlog. + ## ++## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`ricci_domtrans_modlog',` +@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',` + ## Execute a domain transition to run ricci_modrpm. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans_modrpm',` +@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',` + ## Execute a domain transition to run ricci_modservice. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans_modservice',` +@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',` + ## Execute a domain transition to run ricci_modstorage. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`ricci_domtrans_modstorage',` +@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',` domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') + +#################################### +## -+## Allow the specified domain to manage ricci's lib files. ++## Allow the specified domain to manage ricci's lib files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`ricci_manage_lib_files',` -+ gen_require(` -+ type ricci_var_lib_t; -+ ') ++ gen_require(` ++ type ricci_var_lib_t; ++ ') + -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) -+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) ++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) +') + +######################################## @@ -24413,16 +28491,16 @@ index f7826f9..ecc341c 100644 + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; + -+ files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, ricci_tmp_t) -+ -+ files_search_var_lib($1) ++ ++ files_list_var_lib($1) + admin_pattern($1, ricci_var_lib_t) + -+ logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, ricci_var_log_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te @@ -24553,10 +28631,41 @@ index 779fa44..29a5d0d 100644 remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if -index cda37bb..b65be0c 100644 +index cda37bb..28e7576 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if -@@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',` +@@ -32,7 +32,11 @@ interface(`rpc_stub',` + ## + ## + # +-template(`rpc_domain_template', ` ++template(`rpc_domain_template',` ++ gen_require(` ++ type var_lib_nfs_t; ++ ') ++ + ######################################## + # + # Declarations +@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',` + type exports_t; + ') + +- dontaudit $1 exports_t:file getattr; ++ dontaudit $1 exports_t:file getattr_file_perms; + ') + + ######################################## +@@ -188,7 +192,7 @@ interface(`rpc_write_exports',` + type exports_t; + ') + +- allow $1 exports_t:file write; ++ allow $1 exports_t:file write_file_perms; + ') + + ######################################## +@@ -246,6 +250,26 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -24583,7 +28692,25 @@ index cda37bb..b65be0c 100644 ####################################### ## ## Execute domain in rpcd domain. -@@ -414,4 +434,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -282,7 +306,7 @@ interface(`rpc_read_nfs_content',` + + allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; + allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; +- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; ++ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -375,7 +399,7 @@ interface(`rpc_search_nfs_state_data',` + ') + + files_search_var_lib($1) +- allow $1 var_lib_nfs_t:dir search; ++ allow $1 var_lib_nfs_t:dir search_dir_perms; + ') + + ######################################## +@@ -414,4 +438,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -24669,9 +28796,21 @@ index f5c47d6..5a965e9 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..5a4d69d 100644 +index a96249c..0458ba7 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run rpcbind. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`rpcbind_domtrans',` @@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` ') @@ -24692,10 +28831,10 @@ index a96249c..5a4d69d 100644 role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; + -+ files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, rpcbind_var_lib_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te @@ -24732,9 +28871,21 @@ index 0b405d1..49a4283 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if -index 3386f29..eefa329 100644 +index 3386f29..b28cae5 100644 --- a/policy/modules/services/rsync.if +++ b/policy/modules/services/rsync.if +@@ -109,9 +109,9 @@ interface(`rsync_exec',` + ## Read rsync config files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`rsync_read_config',` @@ -119,7 +119,7 @@ interface(`rsync_read_config',` type rsync_etc_t; ') @@ -24744,23 +28895,35 @@ index 3386f29..eefa329 100644 files_search_etc($1) ') +@@ -128,9 +128,9 @@ interface(`rsync_read_config',` + ## Write to rsync config files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`rsync_write_config',` @@ -138,6 +138,49 @@ interface(`rsync_write_config',` type rsync_etc_t; ') - allow $1 rsync_etc_t:file read_file_perms; + write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) - ') ++ files_search_etc($1) ++') + +######################################## +## +## Manage rsync config files. +## +## -+## -+## Domain allowed. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`rsync_manage_config',` @@ -24769,8 +28932,8 @@ index 3386f29..eefa329 100644 + ') + + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) -+ files_search_etc($1) -+') + files_search_etc($1) + ') + +######################################## +## @@ -24859,9 +29022,21 @@ index 39015ae..5e7b7cf 100644 + auth_can_read_shadow_passwords(rsync_t) diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if -index 46dad1f..21079f8 100644 +index 46dad1f..d632bc0 100644 --- a/policy/modules/services/rtkit.if +++ b/policy/modules/services/rtkit.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run rtkit_daemon. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`rtkit_daemon_domtrans',` @@ -41,6 +41,27 @@ interface(`rtkit_daemon_dbus_chat',` ######################################## @@ -24871,7 +29046,7 @@ index 46dad1f..21079f8 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -24890,6 +29065,14 @@ index 46dad1f..21079f8 100644 ## Allow rtkit to control scheduling for your process ## ## +@@ -54,6 +75,7 @@ interface(`rtkit_scheduled',` + type rtkit_daemon_t; + ') + ++ kernel_search_proc($1) + ps_process_pattern(rtkit_daemon_t, $1) + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te index 6f8e268..7d64285 100644 --- a/policy/modules/services/rtkit.te @@ -24902,6 +29085,22 @@ index 6f8e268..7d64285 100644 ######################################## # +diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if +index 71ea0ea..664e68e 100644 +--- a/policy/modules/services/rwho.if ++++ b/policy/modules/services/rwho.if +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run rwho. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te index a07b2f4..d78daf4 100644 --- a/policy/modules/services/rwho.te @@ -24929,7 +29128,7 @@ index 69a6074..73db5ba 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..84732e5 100644 +index 82cb169..9e72970 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -79,6 +79,25 @@ interface(`samba_domtrans_net',` @@ -24940,7 +29139,7 @@ index 82cb169..84732e5 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# @@ -24973,7 +29172,7 @@ index 82cb169..84732e5 100644 +## +## +# -+template(`samba_role_notrans',` ++interface(`samba_role_notrans',` + gen_require(` + type smbd_t; + ') @@ -24988,7 +29187,7 @@ index 82cb169..84732e5 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +## @@ -25010,15 +29209,42 @@ index 82cb169..84732e5 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -412,6 +476,7 @@ interface(`samba_manage_var_files',` - files_search_var($1) +@@ -327,7 +391,6 @@ interface(`samba_search_var',` + type samba_var_t; + ') + +- files_search_var($1) + files_search_var_lib($1) + allow $1 samba_var_t:dir search_dir_perms; + ') +@@ -348,7 +411,6 @@ interface(`samba_read_var_files',` + type samba_var_t; + ') + +- files_search_var($1) + files_search_var_lib($1) + read_files_pattern($1, samba_var_t, samba_var_t) + ') +@@ -388,7 +450,6 @@ interface(`samba_rw_var_files',` + type samba_var_t; + ') + +- files_search_var($1) + files_search_var_lib($1) + rw_files_pattern($1, samba_var_t, samba_var_t) + ') +@@ -409,9 +470,9 @@ interface(`samba_manage_var_files',` + type samba_var_t; + ') + +- files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## -@@ -419,15 +484,14 @@ interface(`samba_manage_var_files',` +@@ -419,15 +480,14 @@ interface(`samba_manage_var_files',` ## Execute a domain transition to run smbcontrol. ## ## @@ -25037,7 +29263,7 @@ index 82cb169..84732e5 100644 ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -@@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +624,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -25045,7 +29271,7 @@ index 82cb169..84732e5 100644 ') ######################################## -@@ -644,6 +709,37 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +705,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -25083,7 +29309,7 @@ index 82cb169..84732e5 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,21 +757,13 @@ interface(`samba_stream_connect_winbind',` +@@ -661,21 +753,12 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -25096,21 +29322,22 @@ index 82cb169..84732e5 100644 - type samba_etc_t, samba_share_t; - type samba_secrets_t; - -+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t; -+ type smbd_t, smbd_tmp_t, samba_secrets_t; -+ type samba_initrc_exec_t, samba_log_t, samba_var_t; -+ type samba_etc_t, samba_share_t, winbind_log_t; - type swat_var_run_t, swat_tmp_t; +- type swat_var_run_t, swat_tmp_t; - - type winbind_var_run_t, winbind_tmp_t; +- type winbind_var_run_t, winbind_tmp_t; - type winbind_log_t; - - type samba_initrc_exec_t; -+ type samba_unconfined_script_t, samba_unconfined_script_exec_t; ++ type nmbd_t, nmbd_var_run_t, smbd_var_run_t; ++ type smbd_t, smbd_tmp_t, samba_secrets_t; ++ type samba_initrc_exec_t, samba_log_t, samba_var_t; ++ type samba_etc_t, samba_share_t, winbind_log_t; ++ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; ++ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +772,9 @@ interface(`samba_admin',` +@@ -684,6 +767,9 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) @@ -25120,7 +29347,7 @@ index 82cb169..84732e5 100644 samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +800,6 @@ interface(`samba_admin',` +@@ -709,9 +795,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) @@ -25130,14 +29357,14 @@ index 82cb169..84732e5 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +815,5 @@ interface(`samba_admin',` +@@ -727,4 +810,5 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..2a5981d 100644 +index e30bb63..85203da 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -25229,15 +29456,25 @@ index e30bb63..2a5981d 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -567,6 +562,7 @@ allow smbcontrol_t smbd_t:process signal; +@@ -560,13 +555,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; + allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + allow smbcontrol_t nmbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) + +-allow smbcontrol_t nmbd_var_run_t:file { read lock }; +- +-allow smbcontrol_t smbd_t:process signal; +- ++allow smbcontrol_t smbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) allow smbcontrol_t winbind_t:process { signal signull }; +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +672,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -25246,7 +29483,7 @@ index e30bb63..2a5981d 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +687,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -25261,7 +29498,7 @@ index e30bb63..2a5981d 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +707,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -25269,7 +29506,7 @@ index e30bb63..2a5981d 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +753,8 @@ logging_search_logs(swat_t) +@@ -754,6 +752,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -25278,7 +29515,7 @@ index e30bb63..2a5981d 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,14 +806,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -25298,7 +29535,7 @@ index e30bb63..2a5981d 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +833,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -25306,7 +29543,7 @@ index e30bb63..2a5981d 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +924,18 @@ optional_policy(` +@@ -922,6 +923,18 @@ optional_policy(` # optional_policy(` @@ -25325,7 +29562,7 @@ index e30bb63..2a5981d 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +946,12 @@ optional_policy(` +@@ -932,9 +945,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -25387,7 +29624,7 @@ index a86ec50..ef4199b 100644 /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if -index 7e94c7c..cf9fdcd 100644 +index 7e94c7c..5700fb8 100644 --- a/policy/modules/services/sendmail.if +++ b/policy/modules/services/sendmail.if @@ -51,10 +51,24 @@ interface(`sendmail_domtrans',` @@ -25395,7 +29632,10 @@ index 7e94c7c..cf9fdcd 100644 mta_sendmail_domtrans($1, sendmail_t) +') -+ + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_file_perms; +- allow sendmail_t $1:process sigchld; +####################################### +## +## Execute sendmail in the sendmail domain. @@ -25410,10 +29650,7 @@ index 7e94c7c..cf9fdcd 100644 + gen_require(` + type sendmail_initrc_exec_t; + ') - -- allow sendmail_t $1:fd use; -- allow sendmail_t $1:fifo_file rw_file_perms; -- allow sendmail_t $1:process sigchld; ++ + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') @@ -25460,7 +29697,7 @@ index 7e94c7c..cf9fdcd 100644 +# +interface(`sendmail_admin',` + gen_require(` -+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; ++ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; + type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + type mail_spool_t; + ') @@ -25475,16 +29712,16 @@ index 7e94c7c..cf9fdcd 100644 + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + -+ logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, sendmail_log_t) + -+ files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, sendmail_tmp_t) + -+ files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, sendmail_var_run_t) + -+ files_search_spool($1) ++ files_list_spool($1) + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te @@ -25554,7 +29791,7 @@ index 22dac1f..b6781d5 100644 + unconfined_domain_noaudit(unconfined_sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if -index 22dfeb4..a7fbedc 100644 +index 22dfeb4..d9f5dbc 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` @@ -25583,16 +29820,17 @@ index 22dfeb4..a7fbedc 100644 ## All of the rules required to administrate ## an setroubleshoot environment ## -@@ -117,7 +136,7 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -117,15 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` - type setroubleshootd_t, setroubleshoot_log_t; -+ type setroubleshootd_t, setroubleshoot_var_log_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; +- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; ++ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; ++ type setroubleshoot_var_lib_t; ') -@@ -125,7 +144,7 @@ interface(`setroubleshoot_admin',` + allow $1 setroubleshootd_t:process { ptrace signal_perms }; ps_process_pattern($1, setroubleshootd_t) logging_list_logs($1) @@ -25750,7 +29988,7 @@ index 623c8fa..ac10740 100644 /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if -index 275f9fb..6aa68d8 100644 +index 275f9fb..bfdf197 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -11,12 +11,12 @@ @@ -25790,8 +30028,14 @@ index 275f9fb..6aa68d8 100644 ') ######################################## -@@ -128,7 +130,7 @@ interface(`snmp_admin',` - type snmpd_initrc_exec_t; +@@ -123,12 +125,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` + # + interface(`snmp_admin',` + gen_require(` +- type snmpd_t, snmpd_log_t; ++ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; + type snmpd_var_lib_t, snmpd_var_run_t; +- type snmpd_initrc_exec_t; ') - allow $1 snmpd_t:process { ptrace signal_perms getattr }; @@ -25832,7 +30076,7 @@ index 3d8d1b3..b5cd366 100644 auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if -index c117e8b..215f425 100644 +index c117e8b..88ebedb 100644 --- a/policy/modules/services/snort.if +++ b/policy/modules/services/snort.if @@ -5,9 +5,9 @@ @@ -25847,6 +30091,36 @@ index c117e8b..215f425 100644 ## # interface(`snort_domtrans',` +@@ -50,11 +50,11 @@ interface(`snort_admin',` + allow $2 system_r; + + admin_pattern($1, snort_etc_t) +- files_search_etc($1) ++ files_list_etc($1) + + admin_pattern($1, snort_log_t) +- logging_search_logs($1) ++ logging_list_logs($1) + + admin_pattern($1, snort_var_run_t) +- files_search_pids($1) ++ files_list_pids($1) + ') +diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if +index 93fe7bf..4a15633 100644 +--- a/policy/modules/services/soundserver.if ++++ b/policy/modules/services/soundserver.if +@@ -33,9 +33,8 @@ interface(`soundserver_tcp_connect',` + # + interface(`soundserver_admin',` + gen_require(` +- type soundd_t, soundd_etc_t; ++ type soundd_t, soundd_etc_t, soundd_initrc_exec_t; + type soundd_tmp_t, soundd_var_run_t; +- type soundd_initrc_exec_t; + ') + + allow $1 soundd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index 6b3abf9..540981f 100644 --- a/policy/modules/services/spamassassin.fc @@ -26357,7 +30631,7 @@ index 9d40380..9ad4eff 100644 optional_policy(` diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if -index d2496bd..dc4f590 100644 +index d2496bd..1d0c078 100644 --- a/policy/modules/services/squid.if +++ b/policy/modules/services/squid.if @@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',` @@ -26377,6 +30651,16 @@ index d2496bd..dc4f590 100644 # interface(`squid_dontaudit_search_cache',` gen_require(` +@@ -207,8 +206,7 @@ interface(`squid_use',` + interface(`squid_admin',` + gen_require(` + type squid_t, squid_cache_t, squid_conf_t; +- type squid_log_t, squid_var_run_t; +- type squid_initrc_exec_t; ++ type squid_log_t, squid_var_run_t, squid_initrc_exec_t; + ') + + allow $1 squid_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 078bcd7..dd706b0 100644 --- a/policy/modules/services/ssh.fc @@ -27300,7 +31584,7 @@ index 9fa94e4..0a0074c 100644 tunable_policy(`tor_bind_all_unreserved_ports', ` diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if -index 54b8605..329f139 100644 +index 54b8605..752697f 100644 --- a/policy/modules/services/tuned.if +++ b/policy/modules/services/tuned.if @@ -5,9 +5,9 @@ @@ -27325,6 +31609,14 @@ index 54b8605..329f139 100644 ') allow $1 tuned_t:process { ptrace signal_perms }; +@@ -124,6 +123,6 @@ interface(`tuned_admin',` + role_transition $2 tuned_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, tuned_var_run_t) + ') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te index db9d2a5..b3983a9 100644 --- a/policy/modules/services/tuned.te @@ -27385,7 +31677,7 @@ index a0794bf..dd23a9c 100644 +') + diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if -index b078bf7..e3c66d8 100644 +index b078bf7..fd72fe8 100644 --- a/policy/modules/services/ulogd.if +++ b/policy/modules/services/ulogd.if @@ -5,9 +5,9 @@ @@ -27423,6 +31715,21 @@ index b078bf7..e3c66d8 100644 ') allow $1 ulogd_t:process { ptrace signal_perms }; +@@ -132,12 +131,12 @@ interface(`ulogd_admin',` + role_transition $2 ulogd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, ulogd_etc_t) + + logging_list_logs($1) + admin_pattern($1, ulogd_var_log_t) + +- files_search_usr($1) ++ files_list_usr($1) + admin_pattern($1, ulogd_modules_t) + ') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te index eeaa641..eb4d8d5 100644 --- a/policy/modules/services/ulogd.te @@ -27545,7 +31852,7 @@ index b775aaf..ec1562b 100644 # # UUX Local policy diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if -index b4d90ac..e0f819e 100644 +index b4d90ac..fe5ce10 100644 --- a/policy/modules/services/varnishd.if +++ b/policy/modules/services/varnishd.if @@ -21,7 +21,7 @@ interface(`varnishd_domtrans',` @@ -27563,7 +31870,7 @@ index b4d90ac..e0f819e 100644 +##################################### +## -+## Read varnish lib files. ++## Read varnish lib files. +## +## +## @@ -27588,17 +31895,20 @@ index b4d90ac..e0f819e 100644 interface(`varnishd_admin_varnishlog',` gen_require(` - type varnishlog_t; -+ type varnishlog_t, varnishlog_initrc_exec_t; - type varnishlog_var_run_t, varnishlog_log_t; +- type varnishlog_var_run_t, varnishlog_log_t; - type varnishlog_initrc_exec_t; ++ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; ++ type varnishlog_var_run_t; ') allow $1 varnishlog_t:process { ptrace signal_perms }; -@@ -146,11 +164,10 @@ interface(`varnishd_admin_varnishlog',` +@@ -145,12 +163,11 @@ interface(`varnishd_admin_varnishlog',` + role_transition $2 varnishlog_initrc_exec_t system_r; allow $2 system_r; - files_search_pids($1) +- files_search_pids($1) - admin_pattern($1, varnishlog_var_run_t) ++ files_list_pids($1) + admin_pattern($1, varnishlog_var_run_t) logging_list_logs($1) @@ -27616,9 +31926,24 @@ index b4d90ac..e0f819e 100644 type varnishd_initrc_exec_t; ') -@@ -196,5 +213,4 @@ interface(`varnishd_admin',` +@@ -185,16 +202,15 @@ interface(`varnishd_admin',` + role_transition $2 varnishd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, varnishd_var_lib_t) - files_search_tmp($1) +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, varnishd_etc_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, varnishd_var_run_t) + +- files_search_tmp($1) ++ files_list_tmp($1) admin_pattern($1, varnishd_tmp_t) - ') @@ -27758,10 +32083,10 @@ index 2124b6a..be4b00f 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..e584e21 100644 +index 7c5d8d8..dbdc0e0 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -14,13 +14,13 @@ +@@ -14,13 +14,14 @@ template(`virt_domain_template',` gen_require(` type virtd_t; @@ -27774,10 +32099,11 @@ index 7c5d8d8..e584e21 100644 domain_type($1_t) domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) ++ mcs_untrusted_proc($1_t) role system_r types $1_t; type $1_devpts_t; -@@ -35,17 +35,18 @@ template(`virt_domain_template',` +@@ -35,17 +36,18 @@ template(`virt_domain_template',` type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) @@ -27800,7 +32126,7 @@ index 7c5d8d8..e584e21 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +58,6 @@ template(`virt_domain_template',` +@@ -57,18 +59,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -27819,7 +32145,7 @@ index 7c5d8d8..e584e21 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +90,9 @@ interface(`virt_image',` +@@ -101,9 +91,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -27831,7 +32157,7 @@ index 7c5d8d8..e584e21 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -27847,7 +32173,7 @@ index 7c5d8d8..e584e21 100644 ') ######################################## -@@ -185,13 +174,13 @@ interface(`virt_read_config',` +@@ -185,13 +175,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -27863,7 +32189,7 @@ index 7c5d8d8..e584e21 100644 ') ######################################## -@@ -231,6 +220,24 @@ interface(`virt_read_content',` +@@ -231,6 +221,24 @@ interface(`virt_read_content',` ######################################## ## @@ -27888,7 +32214,7 @@ index 7c5d8d8..e584e21 100644 ## Read virt PID files. ## ## -@@ -308,6 +315,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +316,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -27913,7 +32239,7 @@ index 7c5d8d8..e584e21 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +377,9 @@ interface(`virt_read_log',` +@@ -352,9 +378,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -27925,7 +32251,7 @@ index 7c5d8d8..e584e21 100644 ## # interface(`virt_append_log',` -@@ -424,6 +449,24 @@ interface(`virt_read_images',` +@@ -424,6 +450,24 @@ interface(`virt_read_images',` ######################################## ## @@ -27950,7 +32276,7 @@ index 7c5d8d8..e584e21 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +476,15 @@ interface(`virt_read_images',` +@@ -433,15 +477,15 @@ interface(`virt_read_images',` ## ## # @@ -27971,7 +32297,7 @@ index 7c5d8d8..e584e21 100644 ') ######################################## -@@ -516,3 +559,51 @@ interface(`virt_admin',` +@@ -516,3 +560,51 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -28012,7 +32338,7 @@ index 7c5d8d8..e584e21 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -28491,22 +32817,20 @@ index 0000000..7667c31 +/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if new file mode 100644 -index 0000000..85dba86 +index 0000000..14f8906 --- /dev/null +++ b/policy/modules/services/vnstatd.if -@@ -0,0 +1,150 @@ -+ +@@ -0,0 +1,144 @@ +## policy for vnstatd + -+ +######################################## +## +## Execute a domain transition to run vnstatd. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# +interface(`vnstatd_domtrans',` @@ -28517,16 +32841,14 @@ index 0000000..85dba86 + domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) +') + -+ -+ +######################################## +## +## Execute a domain transition to run vnstat. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# +interface(`vnstatd_domtrans_vnstat',` @@ -28572,7 +32894,7 @@ index 0000000..85dba86 + ') + + files_search_var_lib($1) -+ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++ read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + +######################################## @@ -28592,7 +32914,7 @@ index 0000000..85dba86 + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++ manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + +######################################## @@ -28611,7 +32933,7 @@ index 0000000..85dba86 + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) ++ manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + + @@ -28634,16 +32956,14 @@ index 0000000..85dba86 +# +interface(`vnstatd_admin',` + gen_require(` -+ type vnstatd_t; -+ type vnstatd_var_lib_t; ++ type vnstatd_t, vnstatd_var_lib_t; + ') + + allow $1 vnstatd_t:process { ptrace signal_perms }; + ps_process_pattern($1, vnstatd_t) + -+ files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, vnstatd_var_lib_t) -+ +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 @@ -28885,7 +33205,7 @@ index 6f1e3c7..39c2bb3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..f34a53f 100644 +index da2601a..61cc021 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -28919,7 +33239,7 @@ index da2601a..f34a53f 100644 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) -+ allow $2 xserver_tmp_t:sock_file unlink; ++ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; files_search_tmp($2) # Communicate via System V shared memory. @@ -28949,7 +33269,7 @@ index da2601a..f34a53f 100644 dev_rw_xserver_misc($2) dev_rw_power_management($2) -@@ -89,14 +96,14 @@ interface(`xserver_restricted_role',` +@@ -89,14 +96,15 @@ interface(`xserver_restricted_role',` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) @@ -28960,13 +33280,14 @@ index da2601a..f34a53f 100644 miscfiles_read_fonts($2) + miscfiles_setattr_fonts_cache_dirs($2) ++ miscfiles_read_hwdata($2) xserver_common_x_domain_template(user, $2) - xserver_unconfined($2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -107,11 +114,19 @@ interface(`xserver_restricted_role',` +@@ -107,11 +115,23 @@ interface(`xserver_restricted_role',` # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) @@ -28983,10 +33304,14 @@ index da2601a..f34a53f 100644 + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ') ++ ++ optional_policy(` ++ gnome_read_gconf_config($2) ++ ') ') ######################################## -@@ -143,13 +158,15 @@ interface(`xserver_role',` +@@ -143,13 +163,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -29004,7 +33329,7 @@ index da2601a..f34a53f 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +179,6 @@ interface(`xserver_role',` +@@ -162,7 +184,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -29012,7 +33337,7 @@ index da2601a..f34a53f 100644 ') ####################################### -@@ -197,7 +213,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +218,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -29021,7 +33346,25 @@ index da2601a..f34a53f 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +307,12 @@ interface(`xserver_user_client',` +@@ -227,7 +248,7 @@ interface(`xserver_rw_session',` + type xserver_t, xserver_tmpfs_t; + ') + +- xserver_ro_session($1,$2) ++ xserver_ro_session($1, $2) + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') +@@ -255,7 +276,7 @@ interface(`xserver_non_drawing_client',` + + allow $1 self:x_gc { create setattr }; + +- allow $1 xdm_var_run_t:dir search; ++ allow $1 xdm_var_run_t:dir search_dir_perms; + allow $1 xserver_t:unix_stream_socket connectto; + + allow $1 xextension_t:x_extension { query use }; +@@ -291,13 +312,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -29033,11 +33376,19 @@ index da2601a..f34a53f 100644 # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; +- allow $1 xdm_tmp_t:dir search; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; ++ allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -347,14 +363,19 @@ template(`xserver_common_x_domain_template',` + +@@ -342,19 +363,23 @@ interface(`xserver_user_client',` + # + template(`xserver_common_x_domain_template',` + gen_require(` +- type root_xdrawable_t; ++ type root_xdrawable_t, xdm_t, xserver_t; + type xproperty_t, $1_xproperty_t; type xevent_t, client_xevent_t; type input_xevent_t, $1_input_xevent_t; @@ -29055,11 +33406,10 @@ index da2601a..f34a53f 100644 + class x_screen { saver_setattr saver_hide saver_show }; + class x_pointer { get_property set_property manage }; + class x_keyboard { read manage }; -+ type xdm_t, xserver_t; ') ############################## -@@ -386,6 +407,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +411,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -29075,7 +33425,18 @@ index da2601a..f34a53f 100644 ') ####################################### -@@ -458,9 +488,9 @@ template(`xserver_user_x_domain_template',` +@@ -444,8 +478,8 @@ template(`xserver_object_types_template',` + # + template(`xserver_user_x_domain_template',` + gen_require(` +- type xdm_t, xdm_tmp_t; +- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ++ type xdm_t, xdm_tmp_t, xserver_tmpfs_t; ++ type xauth_home_t, iceauth_home_t, xserver_t; + ') + + allow $2 self:shm create_shm_perms; +@@ -458,9 +492,9 @@ template(`xserver_user_x_domain_template',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -29087,7 +33448,7 @@ index da2601a..f34a53f 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +502,25 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +506,25 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -29115,7 +33476,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -517,6 +552,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +556,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -29123,7 +33484,7 @@ index da2601a..f34a53f 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +581,28 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +585,28 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -29152,7 +33513,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +660,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -29160,7 +33521,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -615,7 +674,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +678,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -29169,7 +33530,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -651,7 +710,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +714,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -29178,7 +33539,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -670,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +733,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -29187,7 +33548,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -688,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +751,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -29196,7 +33557,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -703,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +766,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -29210,7 +33571,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -724,11 +782,13 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +786,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -29219,13 +33580,13 @@ index da2601a..f34a53f 100644 ') files_search_tmp($1) +- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) -+ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) ') ######################################## -@@ -765,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +828,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -29234,7 +33595,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -805,7 +865,7 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +868,7 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -29243,7 +33604,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -897,7 +957,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +960,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -29252,7 +33613,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -916,7 +976,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +979,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -29261,7 +33622,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -963,6 +1023,44 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1026,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -29280,6 +33641,7 @@ index da2601a..f34a53f 100644 + + files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) ++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## @@ -29306,7 +33668,7 @@ index da2601a..f34a53f 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1078,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -29315,7 +33677,7 @@ index da2601a..f34a53f 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1052,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1154,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -29324,7 +33686,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -1070,8 +1168,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1172,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -29336,7 +33698,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -1185,6 +1285,7 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1289,7 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -29344,7 +33706,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -1210,7 +1311,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1315,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -29353,7 +33715,7 @@ index da2601a..f34a53f 100644 ## ## ## -@@ -1220,13 +1321,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1325,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -29378,7 +33740,7 @@ index da2601a..f34a53f 100644 ') ######################################## -@@ -1243,10 +1354,331 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1358,331 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -29573,7 +33935,7 @@ index da2601a..f34a53f 100644 +## +## +# -+template(`xserver_read_user_iceauth',` ++interface(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') @@ -30704,7 +35066,7 @@ index 0000000..56cb5af +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 -index 0000000..78fc104 +index 0000000..4f2dde8 --- /dev/null +++ b/policy/modules/services/zarafa.if @@ -0,0 +1,102 @@ @@ -30808,7 +35170,7 @@ index 0000000..78fc104 + ') + + files_search_var_lib($1) -+ stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) ++ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 @@ -30950,7 +35312,7 @@ index 0000000..3509088 + apache_content_template(zarafa) +') diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if -index 6b87605..5860687 100644 +index 6b87605..347f754 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if @@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` @@ -30963,8 +35325,18 @@ index 6b87605..5860687 100644 ') ######################################## +@@ -62,8 +61,7 @@ interface(`zebra_stream_connect',` + interface(`zebra_admin',` + gen_require(` + type zebra_t, zebra_tmp_t, zebra_log_t; +- type zebra_conf_t, zebra_var_run_t; +- type zebra_initrc_exec_t; ++ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; + ') + + allow $1 zebra_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if -index 702e768..1d24e1e 100644 +index 702e768..13f0eef 100644 --- a/policy/modules/services/zosremote.if +++ b/policy/modules/services/zosremote.if @@ -5,9 +5,9 @@ @@ -30979,6 +35351,14 @@ index 702e768..1d24e1e 100644 ## # interface(`zosremote_domtrans',` +@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',` + ## Role allowed access. + ## + ## ++## + # + interface(`zosremote_run',` + gen_require(` diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index ac50333..108595b 100644 --- a/policy/modules/system/application.if @@ -31053,7 +35433,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..5819211 100644 +index bea0ade..c411b5e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -31192,7 +35572,33 @@ index bea0ade..5819211 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -874,6 +921,26 @@ interface(`auth_exec_pam',` +@@ -736,6 +783,25 @@ interface(`auth_rw_faillog',` + allow $1 faillog_t:file rw_file_perms; + ') + ++######################################## ++## ++## Manage the login failure log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_faillog',` ++ gen_require(` ++ type faillog_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 faillog_t:file manage_file_perms; ++') ++ + ####################################### + ## + ## Read the last logins log. +@@ -874,6 +940,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -31219,7 +35625,7 @@ index bea0ade..5819211 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',` +@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -31228,7 +35634,7 @@ index bea0ade..5819211 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -31620,7 +36026,7 @@ index 9775375..b338481 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index f6aafe7..447aaec 100644 +index f6aafe7..666a58f 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -31857,7 +36263,21 @@ index f6aafe7..447aaec 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1338,6 +1434,27 @@ interface(`init_dbus_send_script',` +@@ -1111,12 +1207,7 @@ interface(`init_read_script_state',` + ') + + kernel_search_proc($1) +- read_files_pattern($1, initrc_t, initrc_t) +- read_lnk_files_pattern($1, initrc_t, initrc_t) +- list_dirs_pattern($1, initrc_t, initrc_t) +- +- # should move this to separate interface +- allow $1 initrc_t:process getattr; ++ ps_process_pattern($1, initrc_t) + ') + + ######################################## +@@ -1338,6 +1429,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -31885,7 +36305,7 @@ index f6aafe7..447aaec 100644 ## init scripts over dbus. ## ## -@@ -1424,6 +1541,25 @@ interface(`init_getattr_script_status_files',` +@@ -1424,6 +1536,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -31911,7 +36331,7 @@ index f6aafe7..447aaec 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1637,7 +1773,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1637,7 +1768,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -31920,7 +36340,7 @@ index f6aafe7..447aaec 100644 ') ######################################## -@@ -1712,3 +1848,94 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1712,3 +1843,94 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -32016,7 +36436,7 @@ index f6aafe7..447aaec 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 698c11e..1b6733f 100644 +index 698c11e..d7abdd1 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -32340,7 +36760,15 @@ index 698c11e..1b6733f 100644 selinux_get_enforce_mode(initrc_t) -@@ -394,13 +519,14 @@ logging_read_audit_config(initrc_t) +@@ -380,6 +505,7 @@ auth_read_pam_pid(initrc_t) + auth_delete_pam_pid(initrc_t) + auth_delete_pam_console_data(initrc_t) + auth_use_nsswitch(initrc_t) ++auth_manage_faillog(initrc_t) + + libs_rw_ld_so_cache(initrc_t) + libs_exec_lib_files(initrc_t) +@@ -394,13 +520,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -32356,7 +36784,7 @@ index 698c11e..1b6733f 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +599,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +600,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -32365,7 +36793,7 @@ index 698c11e..1b6733f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +645,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +646,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -32385,7 +36813,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -526,10 +665,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +666,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32403,7 +36831,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -544,6 +690,35 @@ ifdef(`distro_suse',` +@@ -544,6 +691,35 @@ ifdef(`distro_suse',` ') ') @@ -32439,7 +36867,7 @@ index 698c11e..1b6733f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +731,8 @@ optional_policy(` +@@ -556,6 +732,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -32448,7 +36876,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -572,6 +749,7 @@ optional_policy(` +@@ -572,6 +750,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32456,7 +36884,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -584,6 +762,11 @@ optional_policy(` +@@ -584,6 +763,11 @@ optional_policy(` ') optional_policy(` @@ -32468,7 +36896,7 @@ index 698c11e..1b6733f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +783,9 @@ optional_policy(` +@@ -600,6 +784,9 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32478,7 +36906,7 @@ index 698c11e..1b6733f 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +887,13 @@ optional_policy(` +@@ -701,7 +888,13 @@ optional_policy(` ') optional_policy(` @@ -32492,7 +36920,7 @@ index 698c11e..1b6733f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +916,10 @@ optional_policy(` +@@ -724,6 +917,10 @@ optional_policy(` ') optional_policy(` @@ -32503,7 +36931,7 @@ index 698c11e..1b6733f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +941,10 @@ optional_policy(` +@@ -745,6 +942,10 @@ optional_policy(` ') optional_policy(` @@ -32514,7 +36942,7 @@ index 698c11e..1b6733f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +966,6 @@ optional_policy(` +@@ -766,8 +967,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -32523,7 +36951,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -776,14 +974,21 @@ optional_policy(` +@@ -776,14 +975,21 @@ optional_policy(` ') optional_policy(` @@ -32545,7 +36973,7 @@ index 698c11e..1b6733f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1010,19 @@ optional_policy(` +@@ -805,11 +1011,19 @@ optional_policy(` ') optional_policy(` @@ -32566,7 +36994,7 @@ index 698c11e..1b6733f 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1032,25 @@ optional_policy(` +@@ -819,6 +1033,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32592,7 +37020,7 @@ index 698c11e..1b6733f 100644 ') optional_policy(` -@@ -844,3 +1076,55 @@ optional_policy(` +@@ -844,3 +1077,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33126,6 +37554,18 @@ index 1d1c399..3ab3a47 100644 - tgtd_rw_semaphores(iscsid_t) + tgtd_manage_semaphores(iscsid_t) ') +diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if +index 4198ff5..672d323 100644 +--- a/policy/modules/system/kdump.if ++++ b/policy/modules/system/kdump.if +@@ -106,6 +106,6 @@ interface(`kdump_admin',` + role_transition $2 kdump_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, kdump_etc_t) + ') diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te index 57c645b..7682697 100644 --- a/policy/modules/system/kdump.te diff --git a/selinux-policy.spec b/selinux-policy.spec index cf315b4..61e9c1a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.5 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Wed Sep 21 2010 Dan Walsh 3.9.5-3 +- Fix up Xguest policy + * Thu Sep 16 2010 Dan Walsh 3.9.5-2 - Add vnstat policy - allow libvirt to send audit messages