From a9d343329b0f4ec5e8a6eb7e25f8487e62cab135 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 26 2012 18:26:12 +0000 Subject: * Thu Jan 26 2012 Miroslav Grepl 3.10.0-80 - Add zabbix_can_network boolean - Add httpd_can_connect_zabbix boolean - Prepare file context labeling for usrmove functions - Allow system cronjobs to read kernel network state - Add support for selinux_avcstat munin plugin - Treat hearbeat with corosync policy - Allow corosync to read and write to qpidd shared mem - mozilla_plugin is trying to run pulseaudio - Fixes for new sshd patch for running priv sep domains as the users c - Turn off dontaudit rules when turning on allow_ypbind - udev now reads /etc/modules.d directory --- diff --git a/policy-F16.patch b/policy-F16.patch index c731329..b727329 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2137,10 +2137,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..deed25f +index 0000000..a6bd793 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,20 @@ +@@ -0,0 +1,27 @@ +policy_module(permissivedomains,17) + + @@ -2161,6 +2161,13 @@ index 0000000..deed25f + permissive zoneminder_t; +') + ++optional_policy(` ++ gen_require(` ++ type selinux_munin_plugin_t; ++ ') ++ ++ permssive selinux_munin_plugin_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -8218,7 +8225,7 @@ index fbb5c5a..ffeec16 100644 +') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..04159de 100644 +index 2e9318b..194857d 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) 
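Review bot: `++ permssive selinux_munin_plugin_t;` in the new permissivedomains.te block (hunk @@ -2161,6 +2161,13 @@ of the series) misspells the statement; the keyword is `permissive`, so as written the module either fails to compile or leaves selinux_munin_plugin_t enforcing, which defeats the purpose of the block. The line should read `permissive selinux_munin_plugin_t;`, matching the zoneminder_t block directly above it. Since the domain is introduced in this same series, a short comment saying the permissive entry is temporary until the plugin's accesses have been collected would also help the next reader decide when to remove it.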
@@ -8409,7 +8416,8 @@ index 2e9318b..04159de 100644 userdom_dontaudit_use_user_terminals(mozilla_plugin_t) userdom_manage_user_tmp_sockets(mozilla_plugin_t) userdom_manage_user_tmp_dirs(mozilla_plugin_t) - userdom_read_user_tmp_files(mozilla_plugin_t) +-userdom_read_user_tmp_files(mozilla_plugin_t) ++userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) @@ -26166,10 +26174,10 @@ index 6480167..2ad693a 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..6b7400b 100644 +index 3136c6a..1aa2421 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,136 +18,218 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,226 @@ policy_module(apache, 2.2.1) # Declarations # @@ -26284,17 +26292,25 @@ index 3136c6a..6b7400b 100644 ## gen_tunable(httpd_can_sendmail, false) - ## --##
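Review bot: In mozilla.te (hunk @@ -8409,7 +8416,8 @@ of the series) `userdom_read_user_tmp_files(mozilla_plugin_t)` is dropped and `userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)` added in its place, which narrows the plugin from opening user tmp files by name to using only descriptors it inherits; the commit message only mentions the pulseaudio case, not this tightening. If the narrowing is intentional, a why-comment above the new line, e.g. `# plugins only need the tmp files handed to them by the browser; no open-by-name`, would stop someone reverting it after the first denial, and if it is not, keep the read interface alongside the new one. I cannot see from the hunk whether any plugin opens user tmp files by path, so this is worth confirming against the AVC log.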

--## Allow Apache to communicate with avahi service via dbus --##

++ ++## ++##

++## Allow http daemon to connect to zabbix ++##

++##
++gen_tunable(httpd_can_connect_zabbix, false) ++ ++## +##

+## Allow http daemon to check spam +##

+##
+gen_tunable(httpd_can_check_spam, false) + -+## + ## +-##

+-## Allow Apache to communicate with avahi service via dbus +-##

+##

+## Allow Apache to communicate with avahi service via dbus +##

@@ -26444,7 +26460,7 @@ index 3136c6a..6b7400b 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +248,7 @@ files_type(httpd_cache_t) +@@ -166,7 +256,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26453,7 +26469,7 @@ index 3136c6a..6b7400b 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +259,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +267,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26463,7 +26479,7 @@ index 3136c6a..6b7400b 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +301,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +309,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26486,7 +26502,7 @@ index 3136c6a..6b7400b 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +325,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +333,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26497,7 +26513,7 @@ index 3136c6a..6b7400b 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +336,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +344,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26505,7 +26521,7 @@ index 3136c6a..6b7400b 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +358,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +366,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26529,7 +26545,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache server local policy -@@ -281,11 +394,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +402,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26543,7 +26559,7 @@ index 3136c6a..6b7400b 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +444,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +452,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26554,7 +26570,7 @@ index 3136c6a..6b7400b 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +471,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +479,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -26564,7 +26580,7 @@ index 3136c6a..6b7400b 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +484,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +492,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26581,7 +26597,7 @@ index 3136c6a..6b7400b 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +501,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +509,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26597,7 +26613,7 @@ index 3136c6a..6b7400b 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +514,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +522,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26605,7 +26621,7 @@ index 3136c6a..6b7400b 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +526,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +534,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26709,7 +26725,7 @@ index 3136c6a..6b7400b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +633,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +641,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26732,6 +26748,10 @@ index 3136c6a..6b7400b 100644 + corenet_tcp_connect_ldap_port(httpd_t) +') + ++tunable_policy(`httpd_can_connect_zabbix',` ++ corenet_tcp_connect_zabbix_port(httpd_t) ++') ++ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) @@ -26763,7 +26783,7 @@ index 3136c6a..6b7400b 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +687,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +699,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26780,7 +26800,7 @@ index 3136c6a..6b7400b 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +711,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +723,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26801,7 +26821,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -513,7 +735,13 @@ optional_policy(` +@@ -513,7 +747,13 @@ optional_policy(` ') optional_policy(` @@ -26816,7 +26836,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -528,7 +756,19 @@ optional_policy(` +@@ -528,7 +768,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26837,7 +26857,7 @@ index 3136c6a..6b7400b 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +777,13 @@ optional_policy(` +@@ -537,8 +789,13 @@ optional_policy(` ') optional_policy(` @@ -26852,7 +26872,7 @@ index 3136c6a..6b7400b 100644 ') ') -@@ -556,7 +801,13 @@ optional_policy(` +@@ -556,7 +813,13 @@ optional_policy(` ') optional_policy(` 
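Review bot: The new `tunable_policy(`httpd_can_connect_zabbix',` block in apache.te adds `corenet_tcp_connect_zabbix_port(httpd_t)` alone, while the `httpd_can_sendmail` block a few hunks later in this same file (@@ -484,7 +699,16 @@) pairs `corenet_tcp_connect_smtp_port(httpd_t)` with `corenet_sendrecv_smtp_client_packets(httpd_t)`. For consistency add `corenet_sendrecv_zabbix_client_packets(httpd_t)` inside the block, assuming corenetwork generates that interface together with the zabbix port as it does for the other ports. Nothing visible in this chunk declares the zabbix port; if the series does not add it elsewhere, the connect interface will not exist and the apache module will not build.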
@@ -26866,7 +26886,7 @@ index 3136c6a..6b7400b 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +818,7 @@ optional_policy(` +@@ -567,6 +830,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26874,7 +26894,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -577,6 +829,20 @@ optional_policy(` +@@ -577,6 +841,20 @@ optional_policy(` ') optional_policy(` @@ -26895,7 +26915,7 @@ index 3136c6a..6b7400b 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +857,11 @@ optional_policy(` +@@ -591,6 +869,11 @@ optional_policy(` ') optional_policy(` @@ -26907,7 +26927,7 @@ index 3136c6a..6b7400b 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +874,12 @@ optional_policy(` +@@ -603,6 +886,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26920,7 +26940,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache helper local policy -@@ -616,7 +893,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +905,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26933,7 +26953,7 @@ index 3136c6a..6b7400b 100644 ######################################## # -@@ -654,28 +935,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +947,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26977,7 +26997,7 @@ index 3136c6a..6b7400b 100644 ') ######################################## -@@ -685,6 +968,8 @@ optional_policy(` +@@ -685,6 +980,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -26986,7 +27006,7 @@ index 3136c6a..6b7400b 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +984,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +996,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27012,7 +27032,7 @@ index 3136c6a..6b7400b 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1030,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1042,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27045,7 +27065,7 @@ index 3136c6a..6b7400b 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1077,25 @@ optional_policy(` +@@ -769,6 +1089,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27071,7 +27091,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1116,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1128,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27089,7 +27109,7 @@ index 3136c6a..6b7400b 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1135,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1147,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -27146,7 +27166,7 @@ index 3136c6a..6b7400b 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1186,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1198,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27177,7 +27197,7 @@ index 3136c6a..6b7400b 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1221,20 @@ optional_policy(` +@@ -842,10 +1233,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27198,7 +27218,7 @@ index 3136c6a..6b7400b 100644 ') ######################################## -@@ -891,11 +1280,135 @@ optional_policy(` +@@ -891,11 +1292,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -32494,20 +32514,29 @@ index e67a003..8bd4751 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..3f0e601 100644 +index 3a6d7eb..6c753ff 100644 --- a/policy/modules/services/corosync.fc 
+++ b/policy/modules/services/corosync.fc -@@ -1,8 +1,10 @@ +@@ -1,8 +1,14 @@ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) ++ ++/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) ++/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:corosync_exec_t,s0) /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +@@ -10,3 +16,4 @@ + + /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) + /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 5220c9d..db158cc 100644 --- a/policy/modules/services/corosync.if @@ -32554,7 +32583,7 @@ index 5220c9d..db158cc 100644 domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..0f56485 100644 +index 04969e5..a603e70 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) 
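Review bot: `++/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)` in corosync.fc (hunk @@ -10,3 +16,4 @@) misspells the directory name, while every other new entry in this file uses `heartbeat`. As written the regex never matches a real /var/run/heartbeat tree, so those files would presumably keep the default run-directory label and the corosync_var_run_t rules would not apply to them; change it to `/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)`. The commit subject line carries the same typo ("Treat hearbeat"), which suggests the name was copied through.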
@@ -32571,7 +32600,7 @@ index 04969e5..0f56485 100644 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; -+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; ++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock }; +allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; @@ -32601,15 +32630,20 @@ index 04969e5..0f56485 100644 corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,6 +80,7 @@ dev_read_urand(corosync_t) +@@ -73,9 +80,12 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) ++files_read_etc_files(corosync_t) +files_read_usr_files(corosync_t) auth_use_nsswitch(corosync_t) -@@ -83,19 +91,44 @@ logging_send_syslog_msg(corosync_t) ++init_domtrans_script(corosync_t) + init_read_script_state(corosync_t) + init_rw_script_tmp_files(corosync_t) + +@@ -83,21 +93,51 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -32638,13 +32672,17 @@ index 04969e5..0f56485 100644 +optional_policy(` + drbd_domtrans(corosync_t) +') - -- rhcs_rw_fenced_semaphores(corosync_t) ++ +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) + lvm_delete_clvmd_tmpfs_files(corosync_t) +') +- rhcs_rw_fenced_semaphores(corosync_t) ++optional_policy(` ++ qpidd_rw_shm(corosync_t) ++') + - rhcs_rw_gfs_controld_semaphores(corosync_t) +optional_policy(` + rhcs_getattr_fenced(corosync_t) @@ -32658,6 +32696,9 @@ index 04969e5..0f56485 100644 ') optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) + ') ++ diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc index 01d31f1..8e2754b 100644 --- a/policy/modules/services/courier.fc 
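Review bot: `+init_domtrans_script(corosync_t)` in corosync.te (hunk @@ -73,9 +80,12 @@) lets the daemon execute init scripts with a transition to the init-script domain, which is a broad grant to add unconditionally and without a comment; nothing in the hunk says which heartbeat behaviour needs it. Add a why-comment above the line, e.g. `# heartbeat (now corosync_t) starts cluster resources through their init scripts -- TODO confirm against the AVC log`, so the grant stays reviewable when the policy is next tightened. The same hunk adds `qpidd_rw_shm(corosync_t)` under optional_policy, which matches the commit message and needs no change.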
@@ -33385,7 +33426,7 @@ index 35241ed..7a0913c 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..958bd54 100644 +index f7583ab..d382f40 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -33590,7 +33631,7 @@ index f7583ab..958bd54 100644 # Not sure why this is needed userdom_list_user_home_dirs(crond_t) +userdom_list_admin_dir(crond_t) -+userdom_create_all_users_keys(crond_t) ++userdom_manage_all_users_keys(crond_t) mta_send_mail(crond_t) +mta_system_content(cron_spool_t) @@ -33698,7 +33739,7 @@ index f7583ab..958bd54 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +419,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -33712,8 +33753,11 @@ index f7583ab..958bd54 100644 +allow system_cronjob_t cron_spool_t:file rw_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) ++kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) + kernel_read_software_raid_state(system_cronjob_t) + +@@ -365,6 +449,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
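Review bot: `+userdom_manage_all_users_keys(crond_t)` in cron.te (hunk @@ -33590,7 +33631,7 @@ of the series) replaces the previously added `userdom_create_all_users_keys(crond_t)`, widening crond from creating users' keyrings to full management of them, and neither the hunk nor the commit message says why. A one-line why-comment above it would keep the grant reviewable, e.g. `# create alone was not enough for per-job keyrings: <denied permission here> -- TODO document`. If only create plus one specific permission is needed, the narrower interface is preferable to manage.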
@@ -33721,7 +33765,7 @@ index f7583ab..958bd54 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +475,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +476,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -33729,7 +33773,7 @@ index f7583ab..958bd54 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +498,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +499,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -33741,7 +33785,7 @@ index f7583ab..958bd54 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +526,8 @@ optional_policy(` +@@ -439,6 +527,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -33750,7 +33794,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -446,6 +535,14 @@ optional_policy(` +@@ -446,6 +536,14 @@ optional_policy(` ') optional_policy(` @@ -33765,7 +33809,7 @@ index f7583ab..958bd54 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +553,10 @@ optional_policy(` +@@ -456,6 +554,10 @@ optional_policy(` ') optional_policy(` @@ -33776,7 +33820,7 @@ index f7583ab..958bd54 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +565,9 @@ optional_policy(` +@@ -464,7 +566,9 @@ optional_policy(` ') optional_policy(` @@ -33786,7 +33830,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -472,6 +575,10 @@ optional_policy(` +@@ -472,6 +576,10 @@ optional_policy(` ') optional_policy(` 
@@ -33797,7 +33841,7 @@ index f7583ab..958bd54 100644 postfix_read_config(system_cronjob_t) ') -@@ -480,7 +587,7 @@ optional_policy(` +@@ -480,7 +588,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -33806,7 +33850,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -495,6 +602,7 @@ optional_policy(` +@@ -495,6 +603,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -33814,7 +33858,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -502,7 +610,13 @@ optional_policy(` +@@ -502,7 +611,13 @@ optional_policy(` ') optional_policy(` @@ -33828,7 +33872,7 @@ index f7583ab..958bd54 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +709,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -35699,19 +35743,20 @@ index 8ba9425..555058a 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc -index 418a5a0..d13814e 100644 +index 418a5a0..de67309 100644 --- a/policy/modules/services/devicekit.fc 
+++ b/policy/modules/services/devicekit.fc -@@ -1,3 +1,8 @@ +@@ -1,3 +1,9 @@ +/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + +/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -@@ -6,9 +11,14 @@ +@@ -6,9 +12,14 @@ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -45201,14 +45246,14 @@ index 98d28b4..1c1d012 100644 + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc -index 4d69477..4079870 100644 +index 4d69477..d3b4f39 100644 --- a/policy/modules/services/memcached.fc +++ b/policy/modules/services/memcached.fc @@ -2,4 +2,5 @@ /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) -+/var/run/ipa_memcached -s gen_context(system_u:object_r:memcached_var_run_t,s0) ++/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..ce07b3f 100644 @@ -47050,10 +47095,20 @@ index 64268e4..a7d94de 100644 + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..bf90863 100644 +index fd71d69..26597b2 100644 --- a/policy/modules/services/munin.fc 
+++ b/policy/modules/services/munin.fc -@@ -51,6 +51,7 @@ +@@ -41,6 +41,9 @@ + /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + ++# selinux plugins ++/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) ++ + # system plugins + /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +@@ -51,6 +54,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -47061,7 +47116,7 @@ index fd71d69..bf90863 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -63,6 +64,7 @@ +@@ -63,6 +67,7 @@ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) @@ -47166,7 +47221,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..171ebec 100644 +index f17583b..923fdfb 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
@@ -47178,7 +47233,7 @@ index f17583b..171ebec 100644 type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) -@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t) +@@ -24,15 +26,16 @@ files_tmp_file(munin_tmp_t) type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) @@ -47188,7 +47243,17 @@ index f17583b..171ebec 100644 type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) -@@ -40,7 +45,7 @@ munin_plugin_template(system) + munin_plugin_template(disk) +- + munin_plugin_template(mail) +- ++munin_plugin_template(selinux) + munin_plugin_template(services) +- + munin_plugin_template(system) + + ######################################## +@@ -40,7 +43,7 @@ munin_plugin_template(system) # Local policy # @@ -47197,7 +47262,7 @@ index f17583b..171ebec 100644 dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -71,9 +74,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) files_search_var_lib(munin_t) @@ -47211,7 +47276,7 @@ index f17583b..171ebec 100644 kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t) +@@ -116,6 +122,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -47219,7 +47284,7 @@ index f17583b..171ebec 100644 sysnet_exec_ifconfig(munin_t) -@@ -145,6 +154,7 @@ optional_policy(` +@@ -145,6 +152,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) 
@@ -47227,7 +47292,7 @@ index f17583b..171ebec 100644 mta_read_queue(munin_t) ') -@@ -159,6 +169,7 @@ optional_policy(` +@@ -159,6 +167,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -47235,20 +47300,19 @@ index f17583b..171ebec 100644 ') optional_policy(` -@@ -182,6 +193,7 @@ optional_policy(` +@@ -182,6 +191,7 @@ optional_policy(` # local policy for disk plugins # -+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; ++allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t) - - corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) +@@ -192,13 +202,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) --files_read_etc_files(disk_munin_plugin_t) + files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) ++files_read_usr_files(disk_munin_plugin_t) -fs_getattr_all_fs(disk_munin_plugin_t) - @@ -47261,7 +47325,7 @@ index f17583b..171ebec 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +231,44 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -47292,7 +47356,19 @@ index f17583b..171ebec 100644 ') optional_policy(` -@@ -245,6 +259,8 @@ optional_policy(` + sendmail_read_log(mail_munin_plugin_t) + ') + ++################################## ++# ++# local policy for selinux plugins ++# ++ ++selinux_get_enforce_mode(selinux_munin_plugin_t) ++ ++ + ################################### + # # local policy for service plugins # 
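Review bot: The new "local policy for selinux plugins" section in munin.te (hunk @@ -221,30 +231,44 @@) holds a single rule, `selinux_get_enforce_mode(selinux_munin_plugin_t)`, followed by two blank lines before the next section banner, where the neighbouring sections use one. Nothing records what the selinux_avcstat plugin actually reads; a comment such as `# selinux_avcstat presumably reads AVC cache statistics from selinuxfs; selinux_get_enforce_mode grants read on that filesystem -- confirm` would make the grant reviewable, and if the plugin needs only the statistics file a narrower interface may exist. This domain is also listed in permissivedomains.te in the same series, so any missing access will surface as an audit entry rather than a plugin failure.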
@@ -47301,7 +47377,7 @@ index f17583b..171ebec 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -47316,7 +47392,7 @@ index f17583b..171ebec 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +292,10 @@ optional_policy(` +@@ -279,6 +300,10 @@ optional_policy(` ') optional_policy(` @@ -47327,7 +47403,7 @@ index f17583b..171ebec 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +303,10 @@ optional_policy(` +@@ -286,6 +311,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -47338,7 +47414,7 @@ index f17583b..171ebec 100644 ################################## # # local policy for system plugins -@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +324,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -47355,7 +47431,7 @@ index f17583b..171ebec 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +341,35 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -47387,6 +47463,10 @@ index f17583b..171ebec 100644 +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) ++ ++optional_policy(` ++ nscd_socket_use(munin_plugin_domain) ++') 
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index e9c0982..840e562 100644 --- a/policy/modules/services/mysql.if @@ -48517,7 +48597,7 @@ index 15448d5..62284bf 100644 +/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..d3595cf 100644 +index abe3f7f..7c7f939 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -48529,7 +48609,7 @@ index abe3f7f..d3595cf 100644 allow $1 var_yp_t:file read_file_perms; corenet_all_recvfrom_unlabeled($1) -@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',` +@@ -49,14 +49,15 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -48543,9 +48623,13 @@ index abe3f7f..d3595cf 100644 - corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_all_reserved_ports($1) corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) +- corenet_dontaudit_tcp_connect_all_ports($1) ++# Attempt to see if this is actually needed ++# corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) -@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',` + corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) +@@ -243,25 +244,6 @@ interface(`nis_read_ypbind_pid',` ######################################## ## @@ -48571,7 +48655,7 @@ index abe3f7f..d3595cf 100644 ## Read ypserv configuration files. ## ## -@@ -337,6 +318,55 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -337,6 +319,55 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## 
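Review bot: The nis.if hunk replaces `corenet_dontaudit_tcp_connect_all_ports($1)` with a commented-out copy under `# Attempt to see if this is actually needed`, leaving an exploratory note and dead code in a shared interface. The observable effect, consistent with the commit message, is that TCP connects to other ports by domains using `nis_use_ypbind_uncond` are now audited instead of silently dropped, which is useful for seeing what ypbind clients really need; say that instead, e.g. `# dontaudit dropped so that unexpected connects by ypbind users show up in the audit log`, and remove the commented rule. The interface body starts and ends outside this hunk.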
@@ -48627,13 +48711,14 @@ index abe3f7f..d3595cf 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,22 +384,28 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,22 +385,28 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; +- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_t, yppasswdd_t, ypserv_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; ++ type ypserv_tmp_t, ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; @@ -48662,25 +48747,39 @@ index abe3f7f..d3595cf 100644 ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) -@@ -384,6 +420,7 @@ interface(`nis_admin',` +@@ -379,18 +416,18 @@ interface(`nis_admin',` + role_transition $2 ypbind_initrc_exec_t system_r; + allow $2 system_r; +- files_list_tmp($1) +- admin_pattern($1, ypbind_tmp_t) +- files_list_pids($1) admin_pattern($1, ypbind_var_run_t) + nis_systemctl_ypbind($1) admin_pattern($1, yppasswdd_var_run_t) -@@ -393,4 +430,5 @@ interface(`nis_admin',` + files_list_etc($1) + admin_pattern($1, ypserv_conf_t) + ++ files_list_tmp($1) admin_pattern($1, ypserv_tmp_t) admin_pattern($1, ypserv_var_run_t) + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..eabed96 100644 +index 4876cae..de34d17 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te -@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) +@@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) + type ypbind_initrc_exec_t; + init_script_file(ypbind_initrc_exec_t) + +-type ypbind_tmp_t; +-files_tmp_file(ypbind_tmp_t) +- type ypbind_var_run_t; files_pid_file(ypbind_var_run_t) 
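Review bot: Dropping `ypbind_tmp_t` touches three places that are all visible and consistent: the `gen_require` and `admin_pattern($1, ypbind_tmp_t)` in `nis_admin` here, the type declaration and `files_tmp_file` in nis.te in the same hunk, and the `manage_dirs_pattern`/`manage_files_pattern`/`files_tmp_filetrans` rules in the following nis.te hunk. What the diff cannot show is whether nis.fc or another module still names the type; a leftover `gen_require` on `ypbind_tmp_t` elsewhere would break the build, so that is worth confirming. Moving `files_list_tmp($1)` next to the remaining `admin_pattern($1, ypserv_tmp_t)` keeps the tmp access paired with the type it serves.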
@@ -48690,7 +48789,7 @@ index 4876cae..eabed96 100644 type yppasswdd_t; type yppasswdd_exec_t; init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) -@@ -37,7 +40,7 @@ type ypserv_exec_t; +@@ -37,7 +37,7 @@ type ypserv_exec_t; init_daemon_domain(ypserv_t, ypserv_exec_t) type ypserv_conf_t; @@ -48699,7 +48798,7 @@ index 4876cae..eabed96 100644 type ypserv_tmp_t; files_tmp_file(ypserv_tmp_t) -@@ -52,13 +55,17 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) +@@ -52,22 +52,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) @@ -48718,7 +48817,16 @@ index 4876cae..eabed96 100644 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; allow ypbind_t self:tcp_socket create_stream_socket_perms; -@@ -142,8 +149,8 @@ optional_policy(` + allow ypbind_t self:udp_socket create_socket_perms; + +-manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) +-manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) +-files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) +- + manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) + files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) + +@@ -142,8 +142,8 @@ optional_policy(` allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; @@ -48728,7 +48836,7 @@ index 4876cae..eabed96 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -211,6 +218,10 @@ optional_policy(` +@@ -211,6 +211,10 @@ optional_policy(` ') optional_policy(` @@ -48739,7 +48847,7 @@ index 4876cae..eabed96 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -224,8 +235,8 @@ optional_policy(` +@@ -224,8 +228,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; 
@@ -52362,42 +52470,92 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..1fbe0fa 100644 +index 46bee12..99499ef 100644 --- a/policy/modules/services/postfix.if 
+++ b/policy/modules/services/postfix.if -@@ -34,11 +34,13 @@ template(`postfix_domain_template',` +@@ -28,75 +28,19 @@ interface(`postfix_stub',` + ## + # + template(`postfix_domain_template',` +- type postfix_$1_t; ++ gen_require(` ++ attribute postfix_domain; ++ ') ++ ++ type postfix_$1_t, postfix_domain; + type postfix_$1_exec_t; + domain_type(postfix_$1_t) domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; -+ allow postfix_$1_t self:capability { sys_nice sys_chroot }; - dontaudit postfix_$1_t self:capability sys_tty_config; +- dontaudit postfix_$1_t self:capability sys_tty_config; - allow postfix_$1_t self:process { signal_perms setpgid }; -+ allow postfix_$1_t self:process { signal_perms setpgid setsched }; - allow postfix_$1_t self:unix_dgram_socket create_socket_perms; - allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; - allow postfix_$1_t self:unix_stream_socket connectto; -+ allow postfix_$1_t self:fifo_file rw_fifo_file_perms; - - allow postfix_master_t postfix_$1_t:process signal; - #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 -@@ -50,7 +52,7 @@ template(`postfix_domain_template',` - - can_exec(postfix_$1_t, postfix_$1_exec_t) - +- allow postfix_$1_t self:unix_dgram_socket create_socket_perms; +- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; +- allow postfix_$1_t self:unix_stream_socket connectto; +- +- allow postfix_master_t postfix_$1_t:process signal; +- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 +- allow postfix_$1_t postfix_master_t:file read; +- +- allow postfix_$1_t postfix_etc_t:dir list_dir_perms; +- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) +- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) +- +- can_exec(postfix_$1_t, postfix_$1_exec_t) +- - allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl }; -+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; - - allow 
postfix_$1_t postfix_master_t:process sigchld; +- +- allow postfix_$1_t postfix_master_t:process sigchld; +- +- allow postfix_$1_t postfix_spool_t:dir list_dir_perms; +- +- allow postfix_$1_t postfix_var_run_t:file manage_file_perms; +- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) +- +- kernel_read_system_state(postfix_$1_t) +- kernel_read_network_state(postfix_$1_t) +- kernel_read_all_sysctls(postfix_$1_t) +- +- dev_read_sysfs(postfix_$1_t) +- dev_read_rand(postfix_$1_t) +- dev_read_urand(postfix_$1_t) +- +- fs_search_auto_mountpoints(postfix_$1_t) +- fs_getattr_xattr_fs(postfix_$1_t) +- fs_rw_anon_inodefs_files(postfix_$1_t) +- +- term_dontaudit_use_console(postfix_$1_t) +- +- corecmd_exec_shell(postfix_$1_t) +- +- files_read_etc_files(postfix_$1_t) +- files_read_etc_runtime_files(postfix_$1_t) +- files_read_usr_symlinks(postfix_$1_t) +- files_search_spool(postfix_$1_t) +- files_getattr_tmp_dirs(postfix_$1_t) +- files_search_all_mountpoints(postfix_$1_t) +- +- init_dontaudit_use_fds(postfix_$1_t) +- init_sigchld(postfix_$1_t) +- + auth_use_nsswitch(postfix_$1_t) -@@ -77,6 +79,7 @@ template(`postfix_domain_template',` +- logging_send_syslog_msg(postfix_$1_t) +- +- miscfiles_read_localization(postfix_$1_t) +- miscfiles_read_generic_certs(postfix_$1_t) +- +- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) +- +- optional_policy(` +- udev_read_db(postfix_$1_t) +- ') ++ can_exec(postfix_$1_t, postfix_$1_exec_t) + ') - files_read_etc_files(postfix_$1_t) - files_read_etc_runtime_files(postfix_$1_t) -+ files_read_usr_files(postfix_$1_t) - files_read_usr_symlinks(postfix_$1_t) - files_search_spool(postfix_$1_t) - files_getattr_tmp_dirs(postfix_$1_t) -@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',` + ######################################## +@@ -115,7 +59,7 @@ template(`postfix_server_domain_template',` type postfix_$1_tmp_t; files_tmp_file(postfix_$1_tmp_t) 
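Review bot: After this rewrite `postfix_domain_template` is reduced to the type declaration, `domain_type`, `domain_entry_file`, the role line, `auth_use_nsswitch` and `can_exec`, and nothing in the template says where the rules it used to carry went. A reader of postfix.if has to know that the `postfix_domain` attribute required in the new `gen_require` picks up the common rules from postfix.te; a comment above the `gen_require` such as `# the postfix_domain attribute carries the rules shared by all postfix domains; see "postfix_domain common policy" in postfix.te` would close that gap. The attribute itself is declared unconditionally in the postfix.te hunk later in this diff, so the require is satisfied for callers inside the module.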
@@ -52406,7 +52564,7 @@ index 46bee12..1fbe0fa 100644 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; -@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',` +@@ -165,6 +109,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) @@ -52415,7 +52573,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -215,7 +220,7 @@ interface(`postfix_config_filetrans',` +@@ -215,7 +161,7 @@ interface(`postfix_config_filetrans',` ') files_search_etc($1) @@ -52424,7 +52582,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',` +@@ -272,7 +218,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -52434,7 +52592,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',` +@@ -290,7 +237,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -52463,7 +52621,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +343,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -52489,7 +52647,7 @@ index 46bee12..1fbe0fa 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +449,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +390,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## 
@@ -52497,7 +52655,7 @@ index 46bee12..1fbe0fa 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +401,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -52522,7 +52680,7 @@ index 46bee12..1fbe0fa 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +465,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -52531,7 +52689,7 @@ index 46bee12..1fbe0fa 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +532,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -52557,7 +52715,7 @@ index 46bee12..1fbe0fa 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +561,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -52570,7 +52728,7 @@ index 46bee12..1fbe0fa 100644 files_search_spool($1) ') -@@ -558,10 +639,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +580,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -52583,7 +52741,7 @@ index 46bee12..1fbe0fa 100644 files_search_spool($1) ') -@@ -577,11 +658,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +599,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -52597,7 +52755,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +618,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` 
@@ -52611,7 +52769,7 @@ index 46bee12..1fbe0fa 100644 ') ######################################## -@@ -621,3 +702,154 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +643,154 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -52767,10 +52925,10 @@ index 46bee12..1fbe0fa 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..dda5b86 100644 +index a32c4b3..e92a85d 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te -@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) +@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1) # Declarations # @@ -52781,11 +52939,12 @@ index a32c4b3..dda5b86 100644 +##
+gen_tunable(allow_postfix_local_write_mail_spool, true) + ++attribute postfix_domain; +attribute postfix_spool_type; attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,8 +20,8 @@ attribute postfix_user_domtrans; +@@ -12,8 +21,8 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) @@ -52796,7 +52955,7 @@ index a32c4b3..dda5b86 100644 postfix_server_domain_template(cleanup) -@@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t; +@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) @@ -52806,7 +52965,7 @@ index a32c4b3..dda5b86 100644 postfix_server_domain_template(pickup) postfix_server_domain_template(pipe) -@@ -49,6 +60,7 @@ postfix_user_domain_template(postdrop) +@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) postfix_user_domain_template(postqueue) @@ -52814,7 +52973,7 @@ index a32c4b3..dda5b86 100644 type postfix_private_t; files_type(postfix_private_t) -@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) @@ -52835,7 +52994,7 @@ index a32c4b3..dda5b86 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -94,23 +107,24 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; 
@@ -52865,7 +53024,7 @@ index a32c4b3..dda5b86 100644 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; @@ -52874,7 +53033,7 @@ index a32c4b3..dda5b86 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,6 +151,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ +@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -52882,7 +53041,7 @@ index a32c4b3..dda5b86 100644 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) kernel_read_all_sysctls(postfix_master_t) -@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) 
@@ -52892,7 +53051,7 @@ index a32c4b3..dda5b86 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -52903,7 +53062,7 @@ index a32c4b3..dda5b86 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -52922,7 +53081,7 @@ index a32c4b3..dda5b86 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) @@ -52940,7 +53099,7 @@ index a32c4b3..dda5b86 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,7 +294,6 @@ optional_policy(` +@@ -264,7 +295,6 @@ optional_policy(` # Postfix local local policy # 
@@ -52948,7 +53107,7 @@ index a32c4b3..dda5b86 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -52957,7 +53116,7 @@ index a32c4b3..dda5b86 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -52976,7 +53135,7 @@ index a32c4b3..dda5b86 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +333,10 @@ optional_policy(` +@@ -297,6 +334,10 @@ optional_policy(` ') optional_policy(` @@ -52987,7 +53146,7 @@ index a32c4b3..dda5b86 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +344,22 @@ optional_policy(` +@@ -304,9 +345,22 @@ optional_policy(` ') optional_policy(` @@ -53010,7 +53169,7 @@ index a32c4b3..dda5b86 100644 ######################################## # # Postfix map local policy -@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) 
@@ -53036,7 +53195,7 @@ index a32c4b3..dda5b86 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -53045,7 +53204,7 @@ index a32c4b3..dda5b86 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +481,7 @@ optional_policy(` +@@ -420,6 +482,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -53053,7 +53212,7 @@ index a32c4b3..dda5b86 100644 ') optional_policy(` -@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -53071,7 +53230,7 @@ index a32c4b3..dda5b86 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -53082,7 +53241,7 @@ index a32c4b3..dda5b86 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -53095,7 +53254,7 @@ index a32c4b3..dda5b86 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -53106,16 +53265,16 @@ index a32c4b3..dda5b86 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; -+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +641,14 @@ optional_policy(` +@@ -565,6 +642,14 @@ optional_policy(` ') optional_policy(` @@ -53130,7 +53289,7 @@ index a32c4b3..dda5b86 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +673,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -53147,7 +53306,7 @@ index a32c4b3..dda5b86 100644 ') optional_policy(` -@@ -599,6 +689,12 @@ optional_policy(` +@@ -599,6 +690,12 @@ optional_policy(` ') optional_policy(` @@ -53160,7 +53319,7 @@ index a32c4b3..dda5b86 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +707,6 @@ optional_policy(` +@@ -611,7 +708,6 @@ optional_policy(` # Postfix virtual local policy # 
@@ -53168,7 +53327,7 @@ index a32c4b3..dda5b86 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +725,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +726,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -53177,6 +53336,73 @@ index a32c4b3..dda5b86 100644 +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) ++ ++######################################## ++# ++# postfix_domain common policy ++# ++allow postfix_domain self:capability { sys_nice sys_chroot }; ++dontaudit postfix_domain self:capability sys_tty_config; ++allow postfix_domain self:process { signal_perms setpgid setsched }; ++allow postfix_domain self:unix_dgram_socket create_socket_perms; ++allow postfix_domain self:unix_stream_socket create_stream_socket_perms; ++allow postfix_domain self:unix_stream_socket connectto; ++allow postfix_domain self:fifo_file rw_fifo_file_perms; ++ ++allow postfix_master_t postfix_domain:process signal; ++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 ++allow postfix_domain postfix_master_t:file read; ++allow postfix_domain postfix_etc_t:dir list_dir_perms; ++read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) ++read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t) ++ ++allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_domain postfix_master_t:process sigchld; ++ ++allow postfix_domain postfix_spool_t:dir list_dir_perms; ++ ++allow postfix_domain postfix_var_run_t:file manage_file_perms; ++files_pid_filetrans(postfix_domain, postfix_var_run_t, file) ++ ++kernel_read_system_state(postfix_domain) ++kernel_read_network_state(postfix_domain) ++kernel_read_all_sysctls(postfix_domain) ++ ++dev_read_sysfs(postfix_domain) ++dev_read_rand(postfix_domain) ++dev_read_urand(postfix_domain) ++ ++fs_search_auto_mountpoints(postfix_domain) ++fs_getattr_xattr_fs(postfix_domain) ++fs_rw_anon_inodefs_files(postfix_domain) ++ ++term_dontaudit_use_console(postfix_domain) ++ ++corecmd_exec_shell(postfix_domain) ++ ++files_read_etc_files(postfix_domain) 
++files_read_etc_runtime_files(postfix_domain) ++files_read_usr_files(postfix_domain) ++files_read_usr_symlinks(postfix_domain) ++files_search_spool(postfix_domain) ++files_getattr_tmp_dirs(postfix_domain) ++files_search_all_mountpoints(postfix_domain) ++ ++init_dontaudit_use_fds(postfix_domain) ++init_sigchld(postfix_domain) ++init_dontaudit_rw_stream_socket(postfix_domain) ++ ++logging_send_syslog_msg(postfix_domain) ++ ++miscfiles_read_localization(postfix_domain) ++miscfiles_read_generic_certs(postfix_domain) ++ ++userdom_dontaudit_use_unpriv_user_fds(postfix_domain) ++ ++optional_policy(` ++ udev_read_db(postfix_domain) ++') diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if index feae93b..b2af729 100644 --- a/policy/modules/services/postfixpolicyd.if @@ -55464,7 +55690,7 @@ index 4f94229..f3b89e4 100644 /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if -index 5a9630c..61f0099 100644 +index 5a9630c..aaaef40 100644 --- a/policy/modules/services/qpid.if +++ b/policy/modules/services/qpid.if @@ -1,4 +1,4 @@ @@ -55655,7 +55881,7 @@ index 5a9630c..61f0099 100644 # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) -@@ -180,7 +189,43 @@ interface(`qpidd_admin',` +@@ -180,7 +189,45 @@ interface(`qpidd_admin',` role_transition $2 qpidd_initrc_exec_t system_r; allow $2 system_r; 
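Review bot: The "postfix_domain common policy" block is not a pure move of the template rules: `init_dontaudit_rw_stream_socket(postfix_domain)` has no counterpart among the lines removed from `postfix_domain_template` in the postfix.if hunk, so every postfix domain gains it silently; it should be called out in the commit message or commented where it is added. Since every domain created by the template now carries these rules, the section header could also state that, e.g. `# Rules shared by every domain created with postfix_domain_template (the template assigns the attribute); per-daemon grants stay in the sections above`. Granting `self:capability { sys_nice sys_chroot }` and `manage_file_perms` on `postfix_var_run_t` to the whole attribute was already the template's behaviour, but the consolidation is the moment to record why domains other than the master need them.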
@@ -55683,23 +55909,25 @@ index 5a9630c..61f0099 100644 + allow $1 qpidd_t:sem rw_sem_perms; +') + -+######################################## ++####################################### +## -+## Read and write to qpidd shared memory. ++## Read and write to qpidd shared memory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`qpidd_rw_shm',` + gen_require(` -+ type qpidd_t; ++ type qpidd_tmpfs_t; + ') - admin_pattern($1, qpidd_var_run_t) -+ allow $1 qpidd_t:shm rw_shm_perms; ++ qpidd_rw_shm($1) ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) ') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te index cb7ecb5..08d19e6 100644 @@ -69335,10 +69563,24 @@ index c9981d1..75a7d17 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..5f1e19c 100644 +index 7f88f5f..4d704e8 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te -@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t) +@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) + # Declarations + # + ++## ++##
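Review bot: Inside `interface(`qpidd_rw_shm',` the rewritten body now contains `qpidd_rw_shm($1)`, a call to the interface from within its own definition, which the m4 expansion would recurse on; at the same time the removed `allow $1 qpidd_t:shm rw_shm_perms;` and `type qpidd_t;` lines mean the shared-memory access that the summary `Read and write to qpidd shared memory.` still describes is no longer granted anywhere in this hunk. It looks like the `fs_search_tmpfs($1)` / `manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)` body was meant for a second, separately named interface that calls `qpidd_rw_shm($1)`, with the original shm rule and `type qpidd_t;` require kept here. If that is the intent, the new interface also needs its own summary naming the qpidd tmpfs files rather than reusing the shm wording.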

++## Allow zabbix to connect to unreserved ports ++##

++##
++gen_tunable(zabbix_can_network, false) ++ + type zabbix_t; + type zabbix_exec_t; + init_daemon_domain(zabbix_t, zabbix_exec_t) +@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t) type zabbix_log_t; logging_log_file(zabbix_log_t) @@ -69349,7 +69591,7 @@ index 7f88f5f..5f1e19c 100644 # shared memory type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) -@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t) +@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # @@ -69379,7 +69621,7 @@ index 7f88f5f..5f1e19c 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) @@ -69407,7 +69649,13 @@ index 7f88f5f..5f1e19c 100644 zabbix_agent_tcp_connect(zabbix_t) -@@ -74,9 +95,21 @@ optional_policy(` ++tunable_policy(`zabbix_can_network',` ++ corenet_tcp_connect_all_unreserved_ports(zabbix_t) ++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) ++') ++ + optional_policy(` + mysql_stream_connect(zabbix_t) ') optional_policy(` @@ -69429,6 +69677,11 @@ index 7f88f5f..5f1e19c 100644 ######################################## # # zabbix agent local policy +@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) + + # Network access to zabbix server + zabbix_tcp_connect(zabbix_agent_t) ++ diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc index 3defaa1..2ad2488 100644 --- a/policy/modules/services/zarafa.fc @@ -74074,13 +74327,13 @@ index f3e1b57..d7fd7fb 100644 ') diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc -index 14d9670..f28128a 100644 +index 14d9670..7742cf4 100644 --- a/policy/modules/system/iscsi.fc 
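Review bot: The description added with `gen_tunable(zabbix_can_network, false)` reads `Allow zabbix to connect to unreserved ports`, but the `tunable_policy(`zabbix_can_network',` block in the later hunk of this same file section (`@@ -58,25 +75,53 @@`) grants both `corenet_tcp_connect_all_unreserved_ports(zabbix_t)` and `corenet_tcp_connect_all_ephemeral_ports(zabbix_t)`. The boolean text is what an administrator sees when listing booleans, so it should state the full grant, e.g. `Allow zabbix to connect to unreserved and ephemeral ports`. The XML tags around the description appear to have been stripped in this rendering, so only the wording can be checked here.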
+++ b/policy/modules/system/iscsi.fc -@@ -1,7 +1,11 @@ +@@ -1,7 +1,12 @@ /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) @@ -74089,6 +74342,7 @@ index 14d9670..f28128a 100644 + +/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index ddbd8be..65b5762 100644 --- a/policy/modules/system/iscsi.te @@ -75012,10 +75266,10 @@ index a0b379d..2291a13 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..3bdf89f 100644 +index 02f4c97..dfd853e 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -17,12 +17,27 @@ +@@ -17,12 +17,28 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -75025,6 +75279,7 @@ index 02f4c97..3bdf89f 100644 +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + ++/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
@@ -75044,7 +75299,7 @@ index 02f4c97..3bdf89f 100644 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,7 +53,7 @@ ifdef(`distro_suse', ` +@@ -38,7 +54,7 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -75053,7 +75308,7 @@ index 02f4c97..3bdf89f 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -46,6 +61,7 @@ ifdef(`distro_suse', ` +@@ -46,6 +62,7 @@ ifdef(`distro_suse', ` /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) @@ -75061,7 +75316,7 @@ index 02f4c97..3bdf89f 100644 ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -66,6 +82,7 @@ ifdef(`distro_redhat',` +@@ -66,6 +83,7 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -75069,7 +75324,7 @@ index 02f4c97..3bdf89f 100644 /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) -@@ -73,4 +90,9 @@ ifdef(`distro_redhat',` +@@ -73,4 +91,9 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) 
@@ -80108,7 +80363,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..5ff6beb 100644 +index d88f7c3..b79d72f 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -80237,7 +80492,16 @@ index d88f7c3..5ff6beb 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +190,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -154,6 +175,8 @@ miscfiles_read_hwdata(udev_t) + modutils_domtrans_insmod(udev_t) + # read modules.inputmap: + modutils_read_module_deps(udev_t) ++modutils_list_module_config(udev_t) ++modutils_read_module_conf(udev_t) + + seutil_read_config(udev_t) + seutil_read_default_contexts(udev_t) +@@ -169,6 +192,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -80246,7 +80510,7 @@ index d88f7c3..5ff6beb 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,8 +209,9 @@ ifdef(`distro_redhat',` +@@ -186,8 +211,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -80257,7 +80521,7 @@ index d88f7c3..5ff6beb 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +240,16 @@ optional_policy(` +@@ -216,11 +242,16 @@ optional_policy(` ') optional_policy(` @@ -80274,7 +80538,7 @@ index d88f7c3..5ff6beb 100644 ') optional_policy(` -@@ -230,10 +259,20 @@ optional_policy(` +@@ -230,10 +261,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -80295,7 +80559,7 @@ index d88f7c3..5ff6beb 100644 ') optional_policy(` -@@ -259,6 +298,10 @@ optional_policy(` +@@ -259,6 +300,10 @@ optional_policy(` ') optional_policy(` 
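Review bot: The added `modutils_list_module_config(udev_t)` and `modutils_read_module_conf(udev_t)` sit directly under the existing comment `# read modules.inputmap:`, which describes only `modutils_read_module_deps(udev_t)`, so the comment now appears to cover all three calls. The changelog line in this commit, `udev now reads /etc/modules.d directory`, is the actual reason; place it beside the new calls, e.g. `# udev reads /etc/modules.d and the module configuration` above `modutils_list_module_config(udev_t)`, so the inputmap comment keeps its narrow meaning. The hunk is complete within the view; the surrounding udev_t rules are not.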
@@ -80306,7 +80570,7 @@ index d88f7c3..5ff6beb 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +316,11 @@ optional_policy(` +@@ -273,6 +318,11 @@ optional_policy(` ') optional_policy(` @@ -80318,7 +80582,7 @@ index d88f7c3..5ff6beb 100644 unconfined_signal(udev_t) ') -@@ -285,6 +333,7 @@ optional_policy(` +@@ -285,6 +335,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -81135,7 +81399,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..eeb5b5a 100644 +index 4b2878a..43d975f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -83472,7 +83736,7 @@ index 4b2878a..eeb5b5a 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3913,1236 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3913,1254 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -84425,6 +84689,24 @@ index 4b2878a..eeb5b5a 100644 + +######################################## +## ++## Read/write all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## +## Write all inherited users files in /tmp +## +## @@ -84710,7 +84992,7 @@ index 4b2878a..eeb5b5a 100644 + typeattribute $1 userdom_home_manager_type; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..ced52ff 100644 +index 9b4a930..0e7648c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) 
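Review bot: `ssh_rw_tcp_sockets(userdomain)` is applied to the whole `userdomain` attribute, so every domain carrying it — unprivileged user shells included — gains read/write on sshd's TCP sockets, and the `optional_policy` block it joins has no comment saying why a user domain needs that. The changelog entry `Fixes for new sshd patch for running priv sep domains as the users context` appears to be the motivation; record it above the call, e.g. `# sshd priv-sep now runs in the user's context and passes it the inherited connection socket — confirm`. If the ssh module offers an interface limited to inherited sockets, that would be the narrower fit; which interfaces exist is not visible from this hunk.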
@@ -84766,7 +85048,7 @@ index 9b4a930..ced52ff 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +101,110 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +101,111 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -84837,6 +85119,7 @@ index 9b4a930..ced52ff 100644 + +optional_policy(` + ssh_filetrans_home_content(userdomain) ++ ssh_rw_tcp_sockets(userdomain) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 83ada10..70224a6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 26 2012 Miroslav Grepl 3.10.0-80 +- Add zabbix_can_network boolean +- Add httpd_can_connect_zabbix boolean +- Prepare file context labeling for usrmove functions +- Allow system cronjobs to read kernel network state +- Add support for selinux_avcstat munin plugin +- Treat hearbeat with corosync policy +- Allow corosync to read and write to qpidd shared mem +- mozilla_plugin is trying to run pulseaudio +- Fixes for new sshd patch for running priv sep domains as the users context +- Turn off dontaudit rules when turning on allow_ypbind +- udev now reads /etc/modules.d directory + * Tue Jan 24 2012 Miroslav Grepl 3.10.0-79 - Turn on deny_ptrace boolean for the Rawhide run, so we can test this out - Cups exchanges dbus messages with init