From afbf138ed97932c9a3d370482cf5db040cf0ca6e Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Jan 15 2013 16:54:07 +0000 Subject: Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy Conflicts: selinux-policy.spec --- diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf index 858f1eb..0fc3d2f 100644 --- a/modules-mls-contrib.conf +++ b/modules-mls-contrib.conf @@ -290,7 +290,7 @@ comsat = module # # ConsoleKit is a system daemon for tracking what users are logged # -consolekit = module +#consolekit = module # Layer: services # Module: corosync diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 78f2ed6..edd3768 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -395,7 +395,7 @@ condor = module # # ConsoleKit is a system daemon for tracking what users are logged # -consolekit = module +#consolekit = module # Layer: services # Module: corosync @@ -440,11 +440,10 @@ cpufreqselector = module cron = module # Layer: services -# Module: ctdb +# Module: ctdbd # # Cluster Daemon # - ctdb = module # Layer: services @@ -732,7 +731,7 @@ glance = module # # policy for glusterd service # -glusterfs = module +glusterd = module # Layer: services # Module: gnomeclock @@ -942,7 +941,7 @@ ktalk = module # # Layer 2 Tunnelling Protocol Daemon # -l2tpd = module +l2tp = module # Layer: services # Module: ldap @@ -1140,6 +1139,13 @@ munin = module # mysql = module +# Layer: contrib +# Module: mythtv +# +# Policy for Mythtv (Web Server) +# +mythtv = module + # Layer: services # Module: nagios # diff --git a/modules-targeted.conf b/modules-targeted.conf index 7110e91..227ecab 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -390,7 +390,7 @@ clock = module # # ConsoleKit is a system daemon for tracking what users are logged # -consolekit = module +#consolekit = module # Layer: admin # Module: consoletype 
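Review bot: `consolekit = module` is commented out in modules-mls-contrib.conf, modules-targeted-contrib.conf and modules-targeted.conf with nothing recording why, and the descriptive header above each entry is left describing a module that is no longer built. If a ConsoleKit package can still be installed on these targets, its daemon presumably ends up in whatever domain init hands it rather than the confined consolekit domain, and a consolekit module already loaded on existing systems has to be removed on upgrade, which this diff does not show. A short note above the commented entry, e.g. `# consolekit disabled on purpose (reason/tracker: TODO-PLACEHOLDER)`, would make the intent reviewable on the next rebase.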
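Review bot: In the modules-targeted-contrib.conf `ctdb` entry the header is renamed to `# Module: ctdbd` while the entry itself stays `ctdb = module`, so the comment and the module name no longer agree; either rename both or keep the header as `# Module: ctdb`. The new mythtv block in the same file is labelled `# Layer: contrib` where every neighbouring entry says `# Layer: services`; use the same label for consistency.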
diff --git a/permissivedomains.te b/permissivedomains.te index 9d026f3..fb6ceb6 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -1 +1,17 @@ policy_module(permissivedomains,19) + +optional_policy(` + gen_require(` + type systemd_localed_t; + ') + + permissive systemd_localed_t; +') + +optional_policy(` + gen_require(` + type httpd_mythtv_script_t; + ') + + permissive httpd_mythtv_script_t; +') diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 901141a..2ecf31a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1,5 +1,5 @@ diff --git a/Makefile b/Makefile -index 39a3d40..f69289d 100644 +index 85d4cfb..b51cf37 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -110364,7 +110364,7 @@ index 4705ab6..11a1ae6 100644 +gen_tunable(selinuxuser_tcp_server,false) + diff --git a/policy/mcs b/policy/mcs -index f477c7f..ff7369c 100644 +index 216b3d1..552c23a 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ 
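Review bot: The two new `permissive` declarations carry no comment on why these domains run unenforced or when they are expected to leave this file. Marking `httpd_mythtv_script_t` permissive means denials for a web-facing script domain are only audited, never blocked, so the entry deserves a reference to the tracking bug and the removal criterion, e.g. `# permissive until the mythtv policy settles; tracker: BUG-ID-PLACEHOLDER` above the `optional_policy` block; the same applies to `systemd_localed_t`. Without that, these entries tend to survive long after the policy they were meant to bootstrap has matured.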
@@ -110374,47 +110374,13 @@ index f477c7f..ff7369c 100644 # # Define sensitivities # -@@ -69,28 +71,48 @@ gen_levels(1,mcs_num_cats) - # - /proc/pid operations are not constrained. - - mlsconstrain file { read ioctl lock execute execute_no_trans } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); -+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); - - mlsconstrain file { write setattr append unlink link rename } -- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); -+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); - - mlsconstrain dir { search read ioctl lock } -- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); -+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); - - mlsconstrain dir { write setattr append unlink link rename add_name remove_name } -- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); -+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); -+ -+mlsconstrain fifo_file { open } -+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or -+ (( t1 != mcsuntrustedproc ) and ( t2 == domain ))); -+ -+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } -+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); -+ -+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } -+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or -+ (( t1 != mcsuntrustedproc ) and (t2 == domain))); - +@@ -99,14 +101,18 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. 
mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or -+ ( t1 != mcsuntrustedproc )); ++ ( t1 != mcs_constrained_type )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } 
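Review bot: The `file { create relabelto }` constraint now exempts `( t1 != mcs_constrained_type )` instead of `mcsuntrustedproc`, and because the exemption is a negative test, any type that still carries the old attribute but not the new one silently drops out of MCS enforcement rather than failing the build. Confirm that every `mcs_untrusted_proc()` caller has been converted (the corenetwork.te.in hunk converts `netlabel_peer_t` to `mcs_constrained()`, and the following policy/mcs hunk renames the node_bind, node, packet/peer and netif constraints the same way) and that the old attribute is no longer declared, so stale uses fail at compile time instead of opening a hole. The rest of this hunk drops the Fedora-added `file`, `dir`, `fifo_file` and `lnk_file chr_file blk_file sock_file` constraints from the inner patch, which is fine only if the base policy/mcs now carries them; the base file is not visible here.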
@@ -110430,38 +110396,28 @@ index f477c7f..ff7369c 100644 mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); -@@ -101,6 +123,9 @@ mlsconstrain process { ptrace } - mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); - -+mlsconstrain process { signal } -+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); -+ - # - # MCS policy for SELinux-enabled databases - # -@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind -+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network node which is acting as the object +mlsconstrain { node } { recvfrom sendto } -+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc)); ++ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); + +mlsconstrain { packet peer } { recv } + (( l1 dom l2 ) or -+ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc))); ++ ((t1 != mcs_constrained_type) and (t2 != mcs_constrained_type))); + +# the netif ingress/egress ops, the ingress permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network interface which is acting as the object +mlsconstrain { netif } { egress ingress } -+ (( l1 dom l2 ) or (t1 != mcsuntrustedproc)); ++ (( l1 dom l2 ) or (t1 != mcs_constrained_type)); + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls 
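Review bot: The Fedora-added `mlsconstrain process { signal }` rule (`(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ))`) is dropped from the inner patch without a replacement, while the neighbouring ptrace and `sigkill sigstop` constraints stay. If the base policy/mcs has not gained an equivalent rule, MCS-constrained domains regain the ability to signal each other across category sets, which is a quiet loosening for category-separated workloads; the base file is not visible here, so please confirm where the rule went. The remaining renames to `mcs_constrained_type` on node_bind, node, packet/peer and netif are consistent with the earlier policy/mcs hunk.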
@@ -110513,7 +110469,7 @@ index 7a6f06f..bf04b0a 100644 -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index a778bb1..5e914db 100644 +index cc8df9d..5e914db 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -110541,7 +110497,7 @@ index a778bb1..5e914db 100644 ######################################## ## ## Execute bootloader interactively and do -@@ -38,11 +56,21 @@ interface(`bootloader_domtrans',` +@@ -38,30 +56,21 @@ interface(`bootloader_domtrans',` # interface(`bootloader_run',` gen_require(` @@ -110555,9 +110511,26 @@ index a778bb1..5e914db 100644 + bootloader_domtrans($1) - roleattribute $2 bootloader_roles; -+ +-') + +-######################################## +-## +-## Execute bootloader in the caller domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`bootloader_exec',` +- gen_require(` +- type bootloader_exec_t; +- ') + role $2 types bootloader_t; -+ + +- corecmd_search_bin($1) +- can_exec($1, bootloader_exec_t) + ifdef(`distro_redhat',` + # for mke2fs + mount_run(bootloader_t, $2) @@ -110565,7 +110538,7 @@ index a778bb1..5e914db 100644 ') ######################################## -@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',` +@@ -119,7 +128,7 @@ interface(`bootloader_rw_tmp_files',` ') files_search_tmp($1) @@ -110574,7 +110547,7 @@ index a778bb1..5e914db 100644 ') ######################################## -@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',` +@@ -141,3 +150,22 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') 
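Review bot: The rebased inner patch now deletes the base's `bootloader_exec` interface (the newly added `-interface(`bootloader_exec',` through `- can_exec($1, bootloader_exec_t)` lines interleaved with the `bootloader_run` rewrite) instead of only rewriting `bootloader_run`, and the inner header growing from `@@ -38,11 +56,21 @@` to `@@ -38,30 +56,21 @@` confirms those 19 base lines are being removed. Any base or contrib module that calls `bootloader_exec()` will no longer find it at build time. If the deletion is intentional, say which interface replaces it in a comment above `bootloader_run`; if it is a rebase artifact, the removal lines should go. The enclosing inner hunk for `bootloader_run` starts in the preceding outer hunk.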
@@ -110598,10 +110571,10 @@ index a778bb1..5e914db 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index ab0439a..57890fe 100644 +index e3dbbb8..15f25f0 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te -@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) +@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) # Declarations # @@ -110779,7 +110752,7 @@ index ab0439a..57890fe 100644 ') optional_policy(` -- nscd_socket_use(bootloader_t) +- nscd_use(bootloader_t) + rpm_rw_pipes(bootloader_t) ') @@ -111023,10 +110996,10 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..db9ddf7 100644 +index 8128de8..0880523 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te -@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0) +@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2) ## ##

@@ -111039,14 +111012,7 @@ index e0791b9..db9ddf7 100644 type netutils_t; type netutils_exec_t; -@@ -35,12 +35,13 @@ init_system_domain(traceroute_t, traceroute_exec_t) - # Perform network administration operations and have raw access to the network. - allow netutils_t self:capability { net_admin net_raw setuid setgid }; - dontaudit netutils_t self:capability sys_tty_config; --allow netutils_t self:process signal_perms; -+allow netutils_t self:process { setcap signal_perms }; - allow netutils_t self:netlink_route_socket create_netlink_socket_perms; - allow netutils_t self:packet_socket create_socket_perms; +@@ -42,6 +42,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms; @@ -111054,9 +111020,9 @@ index e0791b9..db9ddf7 100644 manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) -@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) - +@@ -50,8 +51,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) + kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) @@ -111065,7 +111031,7 @@ index e0791b9..db9ddf7 100644 corenet_all_recvfrom_netlabel(netutils_t) corenet_tcp_sendrecv_generic_if(netutils_t) corenet_raw_sendrecv_generic_if(netutils_t) -@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t) +@@ -66,6 +68,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) 
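Review bot: After this rebase the inner patch appears to still add `+kernel_read_network_state(netutils_t)` two lines below the base's own `kernel_read_network_state(netutils_t)`, which now shows up as context in the `@@ -50,8 +51,9 @@` inner hunk, so netutils.te ends up with the same call twice. A duplicate interface call is harmless to the compiled policy, but it is noise that will resurface on every rebase; drop the added line and keep only `+kernel_request_load_module(netutils_t)`. The earlier part of this outer hunk correctly drops the `setcap` change that the base has absorbed.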
@@ -111075,7 +111041,7 @@ index e0791b9..db9ddf7 100644 fs_getattr_xattr_fs(netutils_t) -@@ -80,10 +85,9 @@ auth_use_nsswitch(netutils_t) +@@ -82,10 +87,9 @@ auth_use_nsswitch(netutils_t) logging_send_syslog_msg(netutils_t) @@ -111087,7 +111053,7 @@ index e0791b9..db9ddf7 100644 userdom_use_all_users_fds(netutils_t) optional_policy(` -@@ -104,13 +108,14 @@ optional_policy(` +@@ -106,13 +110,14 @@ optional_policy(` # allow ping_t self:capability { setuid net_raw }; @@ -111105,7 +111071,7 @@ index e0791b9..db9ddf7 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -120,6 +125,7 @@ corenet_raw_bind_generic_node(ping_t) +@@ -122,6 +127,7 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) @@ -111113,7 +111079,7 @@ index e0791b9..db9ddf7 100644 domain_use_interactive_fds(ping_t) -@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t) +@@ -132,11 +138,9 @@ kernel_read_system_state(ping_t) auth_use_nsswitch(ping_t) @@ -111127,7 +111093,7 @@ index e0791b9..db9ddf7 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -145,11 +149,25 @@ ifdef(`hide_broken_symptoms',` +@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -111153,7 +111119,7 @@ index e0791b9..db9ddf7 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -157,6 +175,15 @@ optional_policy(` +@@ -159,6 +177,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -111169,7 +111135,7 @@ index e0791b9..db9ddf7 100644 ######################################## # # Traceroute local policy -@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) 
@@ -111177,7 +111143,7 @@ index e0791b9..db9ddf7 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -111185,7 +111151,7 @@ index e0791b9..db9ddf7 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t) +@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -111568,7 +111534,7 @@ index f82f0ce..204bdc8 100644 /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 98b8b2d..41f4994 100644 +index 99e3903..7270808 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` @@ -111662,7 +111628,7 @@ index 98b8b2d..41f4994 100644 ') ######################################## -@@ -156,11 +176,35 @@ interface(`usermanage_kill_passwd',` +@@ -174,11 +194,35 @@ interface(`usermanage_check_exec_passwd',` # interface(`usermanage_run_passwd',` gen_require(` @@ -111700,7 +111666,7 @@ index 98b8b2d..41f4994 100644 ') ######################################## -@@ -203,11 +247,20 @@ interface(`usermanage_domtrans_admin_passwd',` +@@ -221,11 +265,20 @@ interface(`usermanage_domtrans_admin_passwd',` # interface(`usermanage_run_admin_passwd',` gen_require(` 
@@ -111723,7 +111689,7 @@ index 98b8b2d..41f4994 100644 ') ######################################## -@@ -245,10 +298,6 @@ interface(`usermanage_domtrans_useradd',` +@@ -263,10 +316,6 @@ interface(`usermanage_domtrans_useradd',` corecmd_search_bin($1) domtrans_pattern($1, useradd_exec_t, useradd_t) @@ -111734,7 +111700,7 @@ index 98b8b2d..41f4994 100644 ') ######################################## -@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',` +@@ -306,11 +355,38 @@ interface(`usermanage_check_exec_useradd',` # interface(`usermanage_run_useradd',` gen_require(` @@ -111776,10 +111742,10 @@ index 98b8b2d..41f4994 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 673180c..82cfc6e 100644 +index d555767..2f68b4d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0) +@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) # Declarations # @@ -112416,7 +112382,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..e2c87b3 100644 +index 644d4d7..0c58f76 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -112439,7 +112405,7 @@ index db981df..e2c87b3 100644 /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -71,10 +73,18 @@ ifdef(`distro_redhat',` +@@ -69,6 +71,13 @@ ifdef(`distro_redhat',` /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -112451,14 +112417,17 @@ index db981df..e2c87b3 100644 +/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) - /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) - /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) +@@ -79,6 +88,7 @@ ifdef(`distro_redhat',` + ') + /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) +/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -97,8 +107,6 @@ ifdef(`distro_redhat',` +@@ -101,8 +111,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -112467,7 +112436,7 @@ index db981df..e2c87b3 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,10 +138,11 @@ ifdef(`distro_debian',` +@@ -134,10 +142,11 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -112480,7 +112449,7 @@ index db981df..e2c87b3 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -147,7 +156,7 @@ ifdef(`distro_gentoo',` +@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',` # # /sbin # 
@@ -112489,7 +112458,7 @@ index db981df..e2c87b3 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,6 +172,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112497,7 +112466,7 @@ index db981df..e2c87b3 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +184,80 @@ ifdef(`distro_gentoo',` +@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -112555,16 +112524,10 @@ index db981df..e2c87b3 100644 +/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) --/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/mailman.*/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/MailScanner(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) + /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',` + /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) 
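Review bot: The inner patch loses the `/usr/lib/mailman.*/bin(/.*)?` and `/usr/lib/mailman.*/mail(/.*)?` generalisations and the `/usr/lib/MailScanner(/.*)?` bin_t entry, and the base context it picks up still lists only `/usr/lib/mailman/mail(/.*)?`. Unless those paths are now labelled elsewhere (a contrib .fc, which is not visible here), executables under a versioned mailman directory or under MailScanner presumably fall back to the generic library label and lose bin_t, so anything that relied on bin_t there (domain transitions, `corecmd_exec_bin`) regresses. Please confirm where these entries went before the rebase is accepted.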
@@ -112598,7 +112561,7 @@ index db981df..e2c87b3 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +272,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112614,21 +112577,20 @@ index db981df..e2c87b3 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +293,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) --/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) -+/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) 
@@ -112636,7 +112598,7 @@ index db981df..e2c87b3 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,10 +319,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -112652,7 +112614,7 @@ index db981df..e2c87b3 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -289,16 +342,21 @@ ifdef(`distro_gentoo',` +@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -112676,7 +112638,7 @@ index db981df..e2c87b3 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +372,12 @@ ifdef(`distro_redhat', ` +@@ -321,8 +379,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) 
@@ -112689,7 +112651,7 @@ index db981df..e2c87b3 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +387,11 @@ ifdef(`distro_redhat', ` +@@ -332,9 +394,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -112701,7 +112663,7 @@ index db981df..e2c87b3 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +440,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +447,15 @@ ifdef(`distro_suse', ` # # /var # @@ -112718,7 +112680,7 @@ index db981df..e2c87b3 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +458,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +465,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -112918,7 +112880,7 @@ index 9e9263a..87d577e 100644 + filetrans_pattern($1, bin_t, $2, $3, $4) +') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te -index 1dd0427..6d6f456 100644 +index 43090a0..a784e8e 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -13,7 +13,8 @@ attribute exec_type; @@ -114385,10 +114347,10 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..72c5a3b 100644 +index 4edc40d..ae311f6 100644 
--- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in -@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0) +@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) # Declarations # @@ -114442,7 +114404,7 @@ index fe2ee5e..72c5a3b 100644 # type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) -+mcs_untrusted_proc(netlabel_peer_t) ++mcs_constrained(netlabel_peer_t) # # port_t is the default type of INET port numbers. 
@@ -114459,79 +114421,57 @@ index fe2ee5e..72c5a3b 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; - type server_packet_t, packet_type, server_packet_type; - - network_port(afs_bos, udp,7007,s0) -+network_port(afs_client, udp,7001,s0) - network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) - network_port(afs_ka, udp,7004,s0) - network_port(afs_pt, udp,7002,s0) - network_port(afs_vl, udp,7003,s0) - network_port(agentx, udp,705,s0, tcp,705,s0) -+network_port(ajaxterm, tcp,8022,s0) - network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,10 +107,9 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) -+network_port(apertus_ldp, tcp,539,s0, udp,539,s0) + network_port(apertus_ldp, tcp,539,s0, udp,539,s0) +-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) - network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) - network_port(boinc, tcp,31416,s0) -+network_port(boinc_client_ctrl, tcp,1043,s0) - network_port(biff) # no defined portcon - network_port(certmaster, tcp,51235,s0) - network_port(chronyd, udp,323,s0) - network_port(clamd, tcp,3310,s0) - network_port(clockspeed, udp,4041,s0) - network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) -+network_port(cma, tcp,1050,s0, udp,1050,s0) - network_port(cobbler, tcp,25151,s0) -+network_port(commplex, tcp,5001,s0, udp,5001,s0) +@@ -107,7 +129,6 
@@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) -+network_port(condor, tcp, 9618,s0, udp, 9618,s0) -+network_port(couchdb, tcp,5984,s0, udp,5984,s0) -+network_port(ctdb, tcp,4379,s0, udp,4379,s0) + network_port(condor, tcp,9618,s0, udp,9618,s0) + network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(cslistener, tcp,9000,s0, udp,9000,s0) + network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) - network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -119,18 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) +-network_port(dns, tcp,53,s0, udp,53,s0) +network_port(dogtag, tcp,7390,s0) - network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dns, udp,53,s0, tcp,53,s0) +network_port(dnssec, tcp,8955,s0) +network_port(echo, tcp,7,s0, udp,7,s0) + network_port(efs, tcp,520,s0) + network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0) network_port(epmap, tcp,135,s0, udp,135,s0) -+network_port(epmd, tcp,4369,s0, udp,4369,s0) -+network_port(festival, tcp,1314,s0) + network_port(epmd, tcp,4369,s0, udp,4369,s0) network_port(fingerd, tcp,79,s0) -+network_port(firebird, tcp,3050,s0, udp,3050,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) -+network_port(fprot, tcp,10200,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) + network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(giftd, tcp,1213,s0) network_port(git, tcp,9418,s0, udp,9418,s0) 
+network_port(glance, tcp,9292,s0, udp,9292,s0) network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0) - network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +165,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) --network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) +network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) 
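Review bot: `network_port(http, …)` gains `tcp,9000, s0` in the same hunk that makes the inner patch delete the base's `cslistener` definition for 9000 (and the base's `armtechdaemon` on 9292 in favour of `glance`); folding 9000 into http_port_t means every domain with http port bind or connect rights now also gets port 9000, which is wider than the dedicated type gave. If this is deliberate, a comment on the line (it already carries `#8443 is mod_nss default port`), e.g. `# 9000 was cslistener`, would make the widening reviewable. Separately, the dropped Fedora line `network_port(ctdb, tcp,4379,s0, udp,4379,s0)` is replaced by the base context `tcp,4379,s0, udp,4397,s0`, so the udp number differs by a digit transposition and one of them is wrong; confirm against the daemon before accepting the base value. The stray space in `tcp,9000, s0` also differs from the other entries.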
@@ -114539,8 +114479,8 @@ index fe2ee5e..72c5a3b 100644 -network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) +network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) -+network_port(interwise, tcp,7778,s0, udp,7778,s0) -+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) + network_port(interwise, tcp,7778,s0, udp,7778,s0) + network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) 
@@ -114551,22 +114491,24 @@ index fe2ee5e..72c5a3b 100644 network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) +-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0) -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) -network_port(kismet, tcp,2501,s0) +network_port(jabber_router, tcp,5347,s0) +network_port(jacorb, tcp,3528,s0, tcp,3529,s0) -+network_port(jboss_debug, tcp,8787,s0) ++network_port(jboss_debug, tcp,8787,s0, udp,8787,s0) +network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) +network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) -+network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0) ++network_port(keystone, tcp, 35357,s0, udp, 35357,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) +-network_port(l2tp, tcp,1701,s0, udp,1701,s0) -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) 
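Review bot: `network_port(keystone, tcp, 35357,s0, udp, 35357,s0)` silently drops the tcp/udp 5000 that the previous version of the patch declared, presumably because commplex_main already claims 5000 in the earlier hunk; a trailing `# 5000 is commplex_main_port_t` would record that so the port is not re-added at the next rebase. Likewise `jboss_debug` now takes udp 8787, which the following hunk frees by deleting upstream's msgsrvr entry; a comment tying the two together would stop the collision from reappearing when upstream is refreshed.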
@@ -114581,46 +114523,44 @@ index fe2ee5e..72c5a3b 100644 network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017,s0) network_port(monopd, tcp,1234,s0) -+network_port(movaz_ssc, tcp,5252,s0) + network_port(mountd, tcp,20048,s0, udp,20048,s0) + network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) network_port(mpd, tcp,6600,s0) +-network_port(msgsrvr, tcp,8787,s0, udp,8787,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) - network_port(munin, tcp,4949,s0, udp,4949,s0) -+network_port(mxi, tcp,8005, s0, udp, 8005,s0) - network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) - network_port(mysqlmanagerd, tcp,2273,s0) + network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) +@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +-network_port(nfs, tcp,2049,s0, udp,2049,s0) +-network_port(nfsrdma, tcp,20049,s0, udp,20049,s0) +network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) network_port(nmbd, udp,137,s0, udp,138,s0) +network_port(nodejs_debug, tcp,5858,s0, udp,5858,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) --network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) + network_port(oa_system, tcp,8022,s0, udp,8022,s0) +-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) + network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -+network_port(openhpid, tcp,4743,s0, udp,4743,s0) -+network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) - network_port(pegasus_http, 
tcp,5988,s0) +@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) -+network_port(piranha, tcp,3636,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0) +network_port(pki_ra, tcp,12888-12889,s0) +network_port(pki_tps, tcp,7888-7889,s0) + network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) - network_port(postfix_policyd, tcp,10031,s0) - network_port(postgresql, tcp,5432,s0) - network_port(postgrey, tcp,60000,s0) -+network_port(pptp, tcp, 1723,s0, udp, 1723, s0) - network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,14 +252,16 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
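Review bot: The rewritten entry `network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)` overlaps the upstream context line `network_port(mountd, tcp,20048,s0, udp,20048,s0)` kept a few lines above in this hunk, so tcp/udp 20048 ends up with two portcon declarations. Depending on the policy compiler this is either a build error or a silent precedence decision in which one of nfs_port_t or mountd_port_t never matches that port; the earlier version had no overlap because nfsrdma was 20049 only. Either trim the nfs range to 20049 or drop the mountd line in the same hunk, and say which in a comment.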
@@ -114638,73 +114578,53 @@ index fe2ee5e..72c5a3b 100644 network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) - network_port(rlogind, tcp,513,s0) --network_port(rndc, tcp,953,s0) --network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) -+network_port(rndc, tcp,953,s0, tcp,8953,s0) -+network_port(router, udp,520-521,s0, tcp,521,s0) - network_port(rsh, tcp,514,s0) - network_port(rsync, tcp,873,s0, udp,873,s0) +@@ -233,19 +273,20 @@ network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rtsp, tcp,554,s0, udp,554,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) -+network_port(sametime, tcp,1533,s0, udp,1533,s0) + network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) network_port(sieve, tcp,4190,s0) network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) --network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) --network_port(socks) # no defined portcon +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0) +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) -+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon + network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) -network_port(spamd, tcp,783,s0) +network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0) network_port(speech, tcp,8036,s0) -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +-network_port(ssdp, tcp,1900,s0, udp,1900,s0) +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +network_port(ssdp, tcp,1900,s0, udp, 1900, s0) network_port(ssh, 
tcp,22,s0) -+network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0) -+network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(stunnel) # no defined portcon - network_port(swat, tcp,901,s0) --network_port(syslogd, udp,514,s0) -+network_port(sype, tcp,9911,s0, udp,9911,s0) -+network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0) - network_port(tcs, tcp, 30003, s0) - network_port(telnetd, tcp,23,s0) + network_port(svn, tcp,3690,s0, udp,3690,s0) +@@ -259,6 +300,7 @@ network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) --network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) -+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0) -+network_port(tor_socks, tcp,9050,s0) + network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000-64010,s0) +network_port(tram, tcp, 4567, s0) network_port(transproxy, tcp,8081,s0) + network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) - network_port(utcpserver) # no defined portcon -@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0) - network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900,s0) +network_port(vnc, tcp,5900-5983,s0, tcp,5985-5999,s0) network_port(wccp, udp,2048,s0) -+network_port(websm, tcp,9090,s0, udp,9090,s0) - network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) -+network_port(winshadow, tcp, 3261, s0, udp, 3261,s0) -+network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0) - network_port(xdmcp, udp,177,s0, tcp,177,s0) - network_port(xen, tcp,8002,s0) - network_port(xfs, tcp,7100,s0) -@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0) - 
network_port(zookeeper_election, tcp,3888,s0) - network_port(zookeeper_leader, tcp,2888,s0) - network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) -+network_port(zented, tcp,1229,s0, udp,1229,s0) - network_port(zope, tcp,8021,s0) - + network_port(websm, tcp,9090,s0, udp,9090,s0) +-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0) ++network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) + network_port(winshadow, tcp,3161,s0, udp,3261,s0) + network_port(wsdapi, tcp,5357,s0, udp,5357,s0) + network_port(wsicopy, tcp,3378,s0, udp,3378,s0) +@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -114723,7 +114643,7 @@ index fe2ee5e..72c5a3b 100644 ######################################## # -@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +388,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -114775,16 +114695,17 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 02b7ac1..b30f7b8 100644 +index b31c054..3a628fe 100644 --- a/policy/modules/kernel/devices.fc 
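Review bot: Two replacements in this hunk change only whitespace: upstream's `-network_port(ssdp, tcp,1900,s0, udp,1900,s0)` becomes `+network_port(ssdp, tcp,1900,s0, udp, 1900, s0)`, and `-network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)` becomes the same entry with spaces around the numbers. They declare identical ports, so the patch grows by four lines and two future conflict points for no behavioral change; keeping the upstream lines as context is cleaner. Also note the new context line `network_port(winshadow, tcp,3161,s0, udp,3261,s0)`: the old version of the patch had 3261 for both protocols, so if 3161 is faithful to upstream it looks like an upstream typo worth reporting rather than one to carry forward.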
+++ b/policy/modules/kernel/devices.fc -@@ -15,14 +15,17 @@ +@@ -15,15 +15,17 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) +/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) +-/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) 
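Review bot: `+-/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_device_t,s0)` makes the downstream patch delete an upstream labeling, and the companion hunks remove the `dev_rw_cachefiles` interface from devices.if and the `cachefiles_device_t` type from devices.te, so the node presumably keeps the generic device_t label and any module calling dev_rw_cachefiles() no longer builds. The same pattern appears in the files.if hunks that delete upstream's `files_create_all_files_as` and `files_associate_rootfs`. Nothing in the diff shows that callers were checked, and rebases that remove upstream interfaces tend to break contrib modules later; if the removals are intended, a short comment in the patch, or keeping the interfaces as empty no-ops, would make that explicit.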
@@ -114797,26 +114718,22 @@ index 02b7ac1..b30f7b8 100644 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -57,8 +60,11 @@ - /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) - /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) +@@ -61,7 +63,8 @@ + /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +-/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) +/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) ++/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -125,13 +131,15 @@ ifdef(`distro_suse', ` - /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) +@@ -129,12 +132,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) --/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) -+/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) + /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) +/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:modem_device_t,s0) - /dev/winradio. 
-c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -114826,7 +114743,7 @@ index 02b7ac1..b30f7b8 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -195,12 +203,22 @@ ifdef(`distro_debian',` +@@ -198,12 +203,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -114852,7 +114769,7 @@ index 02b7ac1..b30f7b8 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index d820975..a8b5aa9 100644 +index 76f285e..f7e9534 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -115166,7 +115083,33 @@ index d820975..a8b5aa9 100644 ## Delete all block device files. ##
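Review bot: In the mei/media part of the devices.fc hunk the patch now deletes upstream's `/dev/mei` line and re-adds it unchanged after `/dev/media.*`; inserting only the `/dev/media.*` line gives the same file with a smaller, conflict-free diff, unless the two mei lines differ in tabs, which this view cannot show. While here, the context line `/dev/cdc-wdm[0-1]` sits after `/dev/watchdog.*` out of alphabetical order and, unlike `/dev/lirc[0-9]+` above it, matches only two instances, so a third modem node would not receive modem_device_t; `/dev/cdc-wdm[0-9]+` would follow the file's convention.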

## -@@ -1663,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',` +@@ -1560,25 +1726,6 @@ interface(`dev_relabel_autofs_dev',` + + ######################################## + ## +-## Read and write cachefiles character +-## device nodes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dev_rw_cachefiles',` +- gen_require(` +- type device_t, cachefiles_device_t; +- ') +- +- rw_chr_files_pattern($1, device_t, cachefiles_device_t) +-') +- +-######################################## +-## + ## Read and write the PCMCIA card manager device. + ## + ## +@@ -1682,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',` ######################################## ## @@ -115193,7 +115136,7 @@ index d820975..a8b5aa9 100644 ## Get the attributes of the CPU ## microcode and id interfaces. ## -@@ -1772,6 +1958,24 @@ interface(`dev_rw_crypto',` +@@ -1791,6 +1958,24 @@ interface(`dev_rw_crypto',` rw_chr_files_pattern($1, device_t, crypt_device_t) ') @@ -115218,7 +115161,7 @@ index d820975..a8b5aa9 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -2383,7 +2587,7 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2587,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -115227,7 +115170,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2391,17 +2595,17 @@ interface(`dev_filetrans_lirc',` +@@ -2410,17 +2595,17 @@ interface(`dev_filetrans_lirc',` ## ## # @@ -115249,7 +115192,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2409,17 +2613,17 @@ interface(`dev_getattr_lvm_control',` +@@ -2428,17 +2613,17 @@ interface(`dev_getattr_lvm_control',` ## ## # @@ -115271,7 +115214,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2427,17 +2631,17 @@ interface(`dev_read_lvm_control',` +@@ -2446,17 +2631,17 @@ interface(`dev_read_lvm_control',` ## ## # 
@@ -115293,7 +115236,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2445,17 +2649,17 @@ interface(`dev_rw_lvm_control',` +@@ -2464,17 +2649,17 @@ interface(`dev_rw_lvm_control',` ## ## # @@ -115315,7 +115258,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2463,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2482,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',` ## ## # @@ -115360,7 +115303,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -2499,62 +2703,53 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2518,44 +2703,134 @@ interface(`dev_dontaudit_getattr_memory_dev',` ## ## # @@ -115412,36 +115355,27 @@ index d820975..a8b5aa9 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`dev_write_raw_memory',` ++## ++## ++# +interface(`dev_dontaudit_rw_lvm_control',` - gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_write; ++ gen_require(` + type lvm_control_t; - ') - -- write_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_write; ++ ') ++ + dontaudit $1 lvm_control_t:chr_file rw_file_perms; - ') - - ######################################## - ## --## Read and execute raw memory devices (e.g. /dev/mem). ++') ++ ++######################################## ++## +## Delete the lvm control device. - ## - ## - ## -@@ -2562,7 +2757,106 @@ interface(`dev_write_raw_memory',` - ## - ## - # --interface(`dev_rx_raw_memory',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_delete_lvm_control_dev',` + gen_require(` + type device_t, lvm_control_t; 
@@ -115516,36 +115450,10 @@ index d820975..a8b5aa9 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`dev_write_raw_memory',` -+ gen_require(` -+ type device_t, memory_device_t; -+ attribute memory_raw_write; -+ ') -+ -+ write_chr_files_pattern($1, device_t, memory_device_t) -+ -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_write; -+') -+ -+######################################## -+## -+## Read and execute raw memory devices (e.g. /dev/mem). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rx_raw_memory',` - gen_require(` - type device_t, memory_device_t; - ') -@@ -2706,7 +3000,7 @@ interface(`dev_write_misc',` + ## + ## + # +@@ -2725,7 +3000,7 @@ interface(`dev_write_misc',` ## ## ## @@ -115554,7 +115462,7 @@ index d820975..a8b5aa9 100644 ## ## # -@@ -2956,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',` type mtrr_device_t; ') @@ -115565,7 +115473,7 @@ index d820975..a8b5aa9 100644 ') ######################################## -@@ -3125,6 +3419,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -115608,7 +115516,7 @@ index d820975..a8b5aa9 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3235,7 +3565,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -115635,7 +115543,7 @@ index d820975..a8b5aa9 100644 ## ## ## -@@ -3243,12 +3591,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',` ## ## # @@ -115652,7 +115560,7 @@ index d820975..a8b5aa9 100644 ') ######################################## -@@ -3836,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
@@ -115695,7 +115603,7 @@ index d820975..a8b5aa9 100644 ## Search the sysfs directories. ## ## -@@ -3885,6 +4270,7 @@ interface(`dev_list_sysfs',` +@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -115703,7 +115611,7 @@ index d820975..a8b5aa9 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3927,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -115724,7 +115632,7 @@ index d820975..a8b5aa9 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -115743,7 +115651,7 @@ index d820975..a8b5aa9 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -115757,7 +115665,7 @@ index d820975..a8b5aa9 100644 ######################################## ## ## Read hardware state information. -@@ -3997,6 +4409,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -115820,7 +115728,7 @@ index d820975..a8b5aa9 100644 ## Read and write the TPM device. ## ## -@@ -4094,6 +4562,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',` ######################################## ## 
@@ -115846,32 +115754,7 @@ index d820975..a8b5aa9 100644 ## Getattr generic the USB devices. ## ## -@@ -4128,6 +4615,24 @@ interface(`dev_setattr_generic_usb_dev',` - setattr_chr_files_pattern($1, device_t, usb_device_t) - ') - -+###################################### -+## -+## Allow relabeling (to and from) of generic usb device -+## -+## -+## -+## Domain allowed to relabel. -+## -+## -+# -+interface(`dev_relabel_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ relabel_dirs_pattern($1, usb_device_t, usb_device_t) -+') -+ - ######################################## - ## - ## Read generic the USB devices. -@@ -4520,6 +5025,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -115896,7 +115779,7 @@ index d820975..a8b5aa9 100644 ## Read and write VMWare devices. ## ## -@@ -4725,6 +5248,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -115923,7 +115806,7 @@ index d820975..a8b5aa9 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4814,3 +5357,917 @@ interface(`dev_unconfined',` +@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -116842,7 +116725,7 @@ index d820975..a8b5aa9 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 06eda45..ed26516 100644 +index 6529bd9..cfec99c 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; 
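Review bot: This hunk drops the downstream-added `dev_relabel_generic_usb_dev` interface from the patch without a replacement in view; the shift in the next hunk header (old side `@@ -4520` becoming `@@ -4557`) suggests upstream devices.if gained lines before this point, so the interface may now come from upstream, but that cannot be confirmed here. Any policy still calling dev_relabel_generic_usb_dev() fails to build if it does not, so a one-line note in the patch header saying where it now lives would help the next maintainer.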
@@ -116859,7 +116742,17 @@ index 06eda45..ed26516 100644 # # Type for /dev/agpgart -@@ -62,6 +63,9 @@ dev_node(cpu_device_t) +@@ -43,9 +44,6 @@ type cardmgr_dev_t; + dev_node(cardmgr_dev_t) + files_tmp_file(cardmgr_dev_t) + +-type cachefiles_device_t; +-dev_node(cachefiles_device_t) +- + # + # clock_device_t is the type of + # /dev/rtc. +@@ -65,6 +63,9 @@ dev_node(cpu_device_t) type crash_device_t; dev_node(crash_device_t) @@ -116869,7 +116762,7 @@ index 06eda45..ed26516 100644 # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) -@@ -108,6 +112,7 @@ dev_node(ksm_device_t) +@@ -111,6 +112,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -116877,26 +116770,17 @@ index 06eda45..ed26516 100644 # # Type for /dev/lirc -@@ -118,9 +123,18 @@ dev_node(lirc_device_t) - # - # Type for /dev/mapper/control - # -+type loop_control_device_t; -+dev_node(loop_control_device_t) -+ +@@ -118,6 +120,9 @@ dev_node(kvm_device_t) + type lirc_device_t; + dev_node(lirc_device_t) + +# +# Type for /dev/mapper/control +# - type lvm_control_t; - dev_node(lvm_control_t) + type loop_control_device_t; + dev_node(loop_control_device_t) -+type mei_device_t; -+dev_node(mei_device_t) -+ - # - # memory_device_t is the type of /dev/kmem, - # /dev/mem and /dev/port. -@@ -218,6 +232,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -116907,7 +116791,7 @@ index 06eda45..ed26516 100644 # # Type for /dev/tpm # -@@ -265,6 +283,7 @@ dev_node(v4l_device_t) +@@ -274,6 +283,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -116915,7 +116799,7 @@ index 06eda45..ed26516 100644 # Type for vmware devices. type vmware_device_t; -@@ -310,5 +329,5 @@ files_associate_tmp(device_node) +@@ -319,5 +329,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; 
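Review bot: The added comment block `# Type for /dev/mapper/control` now sits directly above `type loop_control_device_t;`, but the devices.fc hunk in this same diff labels `/dev/loop-control` with that type, and in the old version of this hunk the same comment preceded `type lvm_control_t;`, so the comment describes the wrong device. Suggest `# Type for /dev/loop-control` here and leaving the mapper/control wording with lvm_control_t.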
@@ -117063,7 +116947,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..09a61e6 100644 +index cf04cb5..7219a2a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -117189,7 +117073,7 @@ index cf04cb5..09a61e6 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117299,6 +117183,10 @@ index cf04cb5..09a61e6 100644 +') + +optional_policy(` ++ postgresql_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + postfix_filetrans_named_content(unconfined_domain_type) +') + @@ -117469,7 +117357,7 @@ index cf04cb5..09a61e6 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 8796ca3..cb02728 100644 +index c2c6e05..d0e6d1c 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -117549,7 +117437,7 @@ index 8796ca3..cb02728 100644 - ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) 
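Review bot: The new block `optional_policy(` postgresql_filetrans_named_content(unconfined_domain_type) ')` is inserted ahead of the postfix block; if this list follows the alphabetical order refpolicy usually keeps, postfix sorts before postgresql and the new block belongs after it. Placing it there keeps later rebases from colliding on this spot. The rest of the named-content list in domain.te is outside this hunk.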
@@ -117686,9 +117574,9 @@ index 8796ca3..cb02728 100644 /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) - /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /var/lost\+found/.* <> -@@ -256,6 +272,7 @@ ifndef(`distro_redhat',` + /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /var/log/lost\+found/.* <> +@@ -262,6 +278,7 @@ ifndef(`distro_redhat',` /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) @@ -117696,14 +117584,14 @@ index 8796ca3..cb02728 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -264,3 +281,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +287,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..360fbbd 100644 +index 64ff4d7..e9ebe7b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
@@ -117909,7 +117797,32 @@ index e1e814d..360fbbd 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1182,24 +1327,6 @@ interface(`files_list_all',` + + ######################################## + ## +-## Create all files as is. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`files_create_all_files_as',` +- gen_require(` +- attribute file_type; +- ') +- +- allow $1 file_type:kernel_service create_files_as; +-') +- +-######################################## +-## + ## Do not audit attempts to search the + ## contents of any directories on extended + ## attribute filesystems. +@@ -1673,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -117934,7 +117847,7 @@ index e1e814d..360fbbd 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## 
@@ -117959,50 +117872,48 @@ index e1e814d..360fbbd 100644 ## List the contents of the root directory. ## ## -@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2037,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## +-## Associate to root file system. +## Set attributes of the root directory. -+## + ## +-## +## -+## + ## +-## Type of the file to associate. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_associate_rootfs',` +interface(`files_setattr_root_dirs',` -+ gen_require(` -+ type root_t; -+ ') -+ + gen_require(` + type root_t; + ') + +- allow $1 root_t:filesystem associate; + allow $1 root_t:dir setattr_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Relabel to and from rootfs file system. +## Relabel a rootfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_rootfs',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 root_t:filesystem relabel_file_perms; -+') -+ -+######################################## -+## - ## Unmount a rootfs filesystem. ## ## -@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',` + ## +@@ -1905,7 +2068,7 @@ interface(`files_relabel_rootfs',` + type root_t; + ') + +- allow $1 root_t:filesystem { relabelto relabelfrom }; ++ allow $1 root_t:filesystem relabel_file_perms; + ') + + ######################################## +@@ -1928,6 +2091,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -118027,7 +117938,7 @@ index e1e814d..360fbbd 100644 ## Get attributes of the /boot directory. ## ## -@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2808,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
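Review bot: `allow $1 root_t:filesystem relabel_file_perms;` replaces upstream's `allow $1 root_t:filesystem { relabelto relabelfrom };` in files_relabel_rootfs, and relabel_file_perms expands to those same two permissions, so the substitution (together with the reworded summary line above it) only enlarges the patch. Keeping the upstream lines as context removes a conflict point; if the macro form is preferred for consistency, a note in the patch saying so would justify carrying the extra diff.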
@@ -118052,7 +117963,7 @@ index e1e814d..360fbbd 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +2897,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -118060,7 +117971,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +2906,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -118069,7 +117980,7 @@ index e1e814d..360fbbd 100644 ## ## # -@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +2962,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -118087,7 +117998,7 @@ index e1e814d..360fbbd 100644 + type etc_t; + ') + -+ dontaudit $1 etc_t:file_class_set audit_access; ++ dontaudit $1 etc_t:dir_file_class_set audit_access; +') + +######################################## @@ -118095,7 +118006,7 @@ index e1e814d..360fbbd 100644 ## Delete system configuration files in /etc. ## ## -@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +2999,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -118120,7 +118031,7 @@ index e1e814d..360fbbd 100644 ## Execute generic files in /etc. ## ## -@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3182,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -118128,7 +118039,7 @@ index e1e814d..360fbbd 100644 -## -## -## --## Domain allowed access. +-## Domain to not audit. -## -## -# 
@@ -118145,7 +118056,7 @@ index e1e814d..360fbbd 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3222,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -118156,7 +118067,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3230,17 @@ interface(`files_read_etc_runtime_files',` ## ## # 
@@ -118168,48 +118079,56 @@ index e1e814d..360fbbd 100644 - dontaudit $1 etc_runtime_t:file { getattr read }; + dontaudit $1 etc_runtime_t:file setattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to write +-## etc runtime files. +## Do not audit attempts to write etc_runtime files -+## -+## -+## + ## + ## + ## +@@ -3042,15 +3258,35 @@ interface(`files_dontaudit_write_etc_runtime_files',` + + ######################################## + ## +-## Read and write files in /etc that are dynamically ++## Do not audit attempts to read files ++## in /etc that are dynamically + ## created on boot, such as mtab. + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## + ## + ## +-## +# -+interface(`files_dontaudit_write_etc_runtime_files',` ++interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + -+ dontaudit $1 etc_runtime_t:file write; ++ dontaudit $1 etc_runtime_t:file { getattr read }; +') + +######################################## +## -+## Do not audit attempts to read files -+## in /etc that are dynamically ++## Read and write files in /etc that are dynamically +## created on boot, such as mtab. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## -+# -+interface(`files_dontaudit_read_etc_runtime_files',` -+ gen_require(` -+ type etc_runtime_t; -+ ') -+ -+ dontaudit $1 etc_runtime_t:file { getattr read }; - ') - - ######################################## -@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',` ++## + # + interface(`files_rw_etc_runtime_files',` + gen_require(` +@@ -3059,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) 
@@ -118217,7 +118136,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -118225,7 +118144,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -118251,7 +118170,7 @@ index e1e814d..360fbbd 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -118277,7 +118196,7 @@ index e1e814d..360fbbd 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -118303,7 +118222,7 @@ index e1e814d..360fbbd 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4091,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -118343,11 +118262,11 @@ index e1e814d..360fbbd 100644 ') - - dontaudit $1 mnt_t:dir list_dir_perms; -+ dontaudit $1 mnt_t:file_class_set audit_access; ++ dontaudit $1 mnt_t:dir_file_class_set audit_access; ') ######################################## -@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4512,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118481,7 +118400,7 @@ index e1e814d..360fbbd 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +4661,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118508,7 +118427,7 @@ index e1e814d..360fbbd 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +4694,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118516,7 +118435,29 @@ index e1e814d..360fbbd 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',` + ######################################## + ## ++## Do not audit attempts to check the ++## access on tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_tmp',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 tmp_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the + ## attributes of the tmp directory (/tmp). ## ## ## @@ -118525,7 +118466,7 @@ index e1e814d..360fbbd 100644 ## ## # -@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +4751,7 @@ interface(`files_search_tmp',` type tmp_t; ') 
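Review bot: The new `files_dontaudit_access_check_tmp` interface requires the wrong type: its `gen_require` block declares `type etc_t;` while the rule it emits is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`. A caller module that does not already require `tmp_t` through another interface will not compile, and one that does picks up a spurious dependency on `etc_t`. The require block should read `type tmp_t;`, matching the sibling `files_dontaudit_access_check_mnt` earlier on this line, which requires `mnt_t` for its `mnt_t` rule.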
@@ -118533,7 +118474,7 @@ index e1e814d..360fbbd 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +4788,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118541,7 +118482,7 @@ index e1e814d..360fbbd 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +4798,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118550,7 +118491,7 @@ index e1e814d..360fbbd 100644 ## ## # -@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +4810,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118576,7 +118517,7 @@ index e1e814d..360fbbd 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +4844,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118584,7 +118525,7 @@ index e1e814d..360fbbd 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +4886,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -118617,7 +118558,7 @@ index e1e814d..360fbbd 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,7 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -118626,7 +118567,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,17 +4974,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -118648,7 +118589,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4464,59 +4992,53 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # 
@@ -118719,7 +118660,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,53 +5046,131 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -118781,7 +118722,6 @@ index e1e814d..360fbbd 100644 ') - dontaudit $1 tmpfile:sock_file getattr; --') + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) +') @@ -118863,11 +118803,10 @@ index e1e814d..360fbbd 100644 + ') + + dontaudit $1 tmpfile:sock_file getattr; -+') + ') ######################################## - ## -@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5246,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118884,7 +118823,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -5150,6 +5814,24 @@ interface(`files_list_var',` +@@ -5223,6 +5833,24 @@ interface(`files_list_var',` ######################################## ## @@ -118909,7 +118848,7 @@ index e1e814d..360fbbd 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6206,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118935,7 +118874,7 @@ index e1e814d..360fbbd 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6270,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118944,7 +118883,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6278,13 @@ interface(`files_manage_mounttab',` ## ## # 
@@ -118960,7 +118899,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -5581,6 +6283,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6302,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118968,7 +118907,7 @@ index e1e814d..360fbbd 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6329,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118996,7 +118935,7 @@ index e1e814d..360fbbd 100644 ## ## ## -@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6356,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -119013,7 +118952,7 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6380,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -119022,7 +118961,7 @@ index e1e814d..360fbbd 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6413,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -119030,7 +118969,7 @@ index e1e814d..360fbbd 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6440,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -119040,7 +118979,7 @@ index e1e814d..360fbbd 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6456,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -119058,17 +118997,18 @@ index e1e814d..360fbbd 100644 ') ######################################## -@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6480,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) + files_search_locks($1) manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6522,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -119078,7 +119018,7 @@ index e1e814d..360fbbd 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6544,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -119088,7 +119028,7 @@ index e1e814d..360fbbd 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6581,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -119098,7 +119038,7 @@ index e1e814d..360fbbd 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6625,43 @@ interface(`files_search_pids',` +@@ -5985,6 +6644,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -119142,7 +119082,7 @@ index e1e814d..360fbbd 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6703,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -119168,7 +119108,7 @@ index e1e814d..360fbbd 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +6837,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -119176,7 +119116,7 @@ index e1e814d..360fbbd 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +6945,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -119205,40 +119145,45 @@ index e1e814d..360fbbd 100644 ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. +-## Delete all process IDs. +## Delete all pid sockets ## ## ## -@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',` + ## Domain allowed access. ## ## +-## # --interface(`files_mounton_all_poly_members',` +-interface(`files_delete_all_pids',` +interface(`files_delete_all_pid_sockets',` gen_require(` -- attribute polymember; -+ attribute pidfile; + attribute pidfile; +- type var_t, var_run_t; ') -- allow $1 polymember:dir mounton; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 pidfile:sock_file delete_sock_file_perms; ') ######################################## ## --## Delete all process IDs. +-## Delete all process ID directories. +## Create all pid sockets ## ## ## - ## Domain allowed access. +@@ -6287,42 +6989,35 @@ interface(`files_delete_all_pids',` ## ## --## # --interface(`files_delete_all_pids',` +-interface(`files_delete_all_pid_dirs',` +interface(`files_create_all_pid_sockets',` gen_require(` attribute pidfile; 
@@ -119247,109 +119192,106 @@ index e1e814d..360fbbd 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- delete_dirs_pattern($1, pidfile, pidfile) + allow $1 pidfile:sock_file create_sock_file_perms; ') ######################################## ## --## Delete all process ID directories. +-## Create, read, write and delete all +-## var_run (pid) content +## Create all pid named pipes ## ## ## -@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',` +-## Domain alloed access. ++## Domain allowed access. ## ## # --interface(`files_delete_all_pid_dirs',` +-interface(`files_manage_all_pids',` +interface(`files_create_all_pid_pipes',` gen_require(` attribute pidfile; -- type var_t, var_run_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 pidfile:fifo_file create_fifo_file_perms; ') ######################################## ## --## Search the contents of generic spool --## directories (/var/spool). +-## Mount filesystems on all polyinstantiation +-## member directories. 
+## Delete all pid named pipes ## ## ## -@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6330,18 +7025,18 @@ interface(`files_manage_all_pids',` ## ## # --interface(`files_search_spool',` +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_pipes',` gen_require(` -- type var_t, var_spool_t; +- attribute polymember; + attribute pidfile; ') -- search_dirs_pattern($1, var_t, var_spool_t) +- allow $1 polymember:dir mounton; + allow $1 pidfile:fifo_file delete_fifo_file_perms; ') ######################################## ## --## Do not audit attempts to search generic --## spool directories. +-## Search the contents of generic spool +-## directories (/var/spool). +## manage all pidfile directories +## in the /var/run directory. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -6349,37 +7044,40 @@ interface(`files_mounton_all_poly_members',` ## ## # --interface(`files_dontaudit_search_spool',` +-interface(`files_search_spool',` +interface(`files_manage_all_pid_dirs',` gen_require(` -- type var_spool_t; +- type var_t, var_spool_t; + attribute pidfile; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; +- search_dirs_pattern($1, var_t, var_spool_t) + manage_dirs_pattern($1,pidfile,pidfile) ') + ######################################## ## --## List the contents of generic spool --## (/var/spool) directories. +-## Do not audit attempts to search generic +-## spool directories. +## Read all process ID files. ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. 
## ## +## # --interface(`files_list_spool',` +-interface(`files_dontaudit_search_spool',` +interface(`files_read_all_pids',` gen_require(` -- type var_t, var_spool_t; +- type var_spool_t; + attribute pidfile; + type var_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) +- dontaudit $1 var_spool_t:dir search_dir_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) 
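Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` in the new `files_manage_all_pid_dirs` interface omits the spaces after the commas that every other pattern call in this hunk uses; it should read `manage_dirs_pattern($1, pidfile, pidfile)`. The summary of that interface also starts in lower case (`## manage all pidfile directories`), unlike the surrounding summaries. The enclosing hunk began on an earlier line.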
@@ -119357,60 +119299,64 @@ index e1e814d..360fbbd 100644 ######################################## ## --## Create, read, write, and delete generic --## spool directories (/var/spool). +-## List the contents of generic spool +-## (/var/spool) directories. +## Relable all pid files ## ## ## -@@ -6311,18 +7066,17 @@ interface(`files_list_spool',` +@@ -6387,18 +7085,17 @@ interface(`files_dontaudit_search_spool',` ## ## # --interface(`files_manage_generic_spool_dirs',` +-interface(`files_list_spool',` +interface(`files_relabel_all_pid_files',` gen_require(` - type var_t, var_spool_t; + attribute pidfile; ') -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) +- list_dirs_pattern($1, var_t, var_spool_t) + relabel_files_pattern($1, pidfile, pidfile) ') ######################################## ## --## Read generic spool files. +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Execute generic programs in /var/run in the caller domain. ## ## ## -@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6406,18 +7103,18 @@ interface(`files_list_spool',` ## ## # --interface(`files_read_generic_spool',` +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` gen_require(` - type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6425,7 +7122,252 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_manage_all_pids',` + gen_require(` + attribute pidfile; 
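Review bot: The summary of the new `files_relabel_all_pid_files` interface misspells its verb: `+## Relable all pid files` should read `## Relabel all pid files`, and the summary of `files_manage_all_pids` below it begins in lower case (`## manage all pidfiles`) unlike the surrounding summaries. The new `files_exec_generic_pid_files` interface is documented as executing "generic programs in /var/run", but its rule `exec_files_pattern($1, var_run_t, var_run_t)` covers every file carrying the generic var_run_t label; stating that in the summary tells callers they are granting execution of anything created in the runtime directory with the default label, which is the caveat a policy reviewer looks for.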
@@ -119657,12 +119603,10 @@ index e1e814d..360fbbd 100644 +## +# +interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; + gen_require(` + type var_t, var_spool_t; ') - - list_dirs_pattern($1, var_t, var_spool_t) -@@ -6467,3 +7485,457 @@ interface(`files_unconfined',` +@@ -6562,3 +7504,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -119918,7 +119862,7 @@ index e1e814d..360fbbd 100644 +######################################## +## +## Do not audit attempts to check the -+## write access on all files ++## access on all files +## +## +## @@ -119931,7 +119875,7 @@ index e1e814d..360fbbd 100644 + attribute file_type; + ') + -+ dontaudit $1 file_type:file_class_set audit_access; ++ dontaudit $1 file_type:dir_file_class_set audit_access; +') + +######################################## @@ -119986,6 +119930,7 @@ index e1e814d..360fbbd 100644 + type mnt_t; + type usr_t; + type var_t; ++ type tmp_t; + ') + + files_pid_filetrans($1, mnt_t, dir, "media") @@ -120008,6 +119953,7 @@ index e1e814d..360fbbd 100644 + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") ++ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") +') + +######################################## @@ -120121,10 +120067,10 @@ index e1e814d..360fbbd 100644 +') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 52ef84e..45cb0bc 100644 +index 148d87a..822f6be 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te -@@ -5,12 +5,16 @@ policy_module(files, 1.17.0) +@@ -5,12 +5,16 @@ policy_module(files, 1.17.5) # Declarations # @@ -120332,7 +120278,7 @@ index cda5588..91d1e25 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> 
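Review bot: The new `files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")` rule names `tmp_t` as both the parent directory type and the transition target, which reads as a no-op unless its purpose is to pin `/tmp/tmp-inst` to `tmp_t` for callers that otherwise transition their `/tmp` directories to a private type; that intent is not visible in the hunk and deserves a one-line comment, e.g. `# keep /tmp/tmp-inst labeled tmp_t even for domains with a private tmp type transition`. The `++ type tmp_t;` added to the require block in the preceding hunk on this line belongs to the same change. The enclosing interface's header is outside both hunks, so its name cannot be confirmed here.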
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..aa86bf7 100644 +index 8416beb..c0c1175 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -120614,33 +120560,7 @@ index 7c6b791..aa86bf7 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',` - - ######################################## - ## -+## Allow changing of the label of a -+## tmpfs filesystem using the context= mount option. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_relabelfrom_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem relabelfrom; -+') -+ -+######################################## -+## - ## Search dosfs filesystem. - ## - ## -@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',` +@@ -1793,6 +1954,188 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -120829,7 +120749,7 @@ index 7c6b791..aa86bf7 100644 ######################################## ## ## Mount a FUSE filesystem. -@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2025,6 +2368,87 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -120917,7 +120837,7 @@ index 7c6b791..aa86bf7 100644 ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -120942,7 +120862,7 @@ index 7c6b791..aa86bf7 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; 
@@ -120956,7 +120876,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') 
@@ -120964,165 +120884,93 @@ index 7c6b791..aa86bf7 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2510,81 +2973,137 @@ interface(`fs_dontaudit_read_nfs_files',` +@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## --## Read files on a NFS filesystem. -+## Read files on a NFS filesystem. ++## Make general progams in nfs an entrypoint for ++## the specified domain. +## +## +## -+## Domain allowed access. ++## The domain for which nfs_t is an entrypoint. +## +## +# -+interface(`fs_write_nfs_files',` ++interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + -+ fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ write_files_pattern($1, nfs_t, nfs_t) ++ domain_entry_file($1, nfs_t) +') + +######################################## +## -+## Execute files on a NFS filesystem. + ## Append files + ## on a NFS filesystem. + ## +@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',` + + ######################################## + ## +-## dontaudit Append files ++## Do not audit attempts to append files + ## on a NFS filesystem. + ## + ## +@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',` + + ######################################## + ## ++## Read inherited files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_exec_nfs_files',` ++interface(`fs_read_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:dir list_dir_perms; -+ exec_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:file read_inherited_file_perms; +') + +######################################## +## -+## Make general progams in nfs an entrypoint for -+## the specified domain. ++## Read/write inherited files on a NFS filesystem. 
+## +## +## -+## The domain for which nfs_t is an entrypoint. ++## Domain allowed access. +## +## +# -+interface(`fs_nfs_entry_type',` ++interface(`fs_rw_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ domain_entry_file($1, nfs_t) ++ allow $1 nfs_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Append files -+## on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_write_nfs_files',` -+interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- write_files_pattern($1, nfs_t, nfs_t) -+ append_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Execute files on a NFS filesystem. -+## Do not audit attempts to append files -+## on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - ## - # --interface(`fs_exec_nfs_files',` -+interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- exec_files_pattern($1, nfs_t, nfs_t) -+ dontaudit $1 nfs_t:file append_file_perms; - ') - - ######################################## - ## --## Append files --## on a NFS filesystem. -+## Read inherited files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_append_nfs_files',` -+interface(`fs_read_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - -- append_files_pattern($1, nfs_t, nfs_t) -+ allow $1 nfs_t:file read_inherited_file_perms; - ') - - ######################################## - ## --## dontaudit Append files --## on a NFS filesystem. -+## Read/write inherited files on a NFS filesystem. + ## Do not audit attempts to read or + ## write files on a NFS filesystem. ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## --## - # --interface(`fs_dontaudit_append_nfs_files',` -+interface(`fs_rw_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:file append_file_perms; -+ allow $1 nfs_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -121131,7 +120979,7 @@ index 7c6b791..aa86bf7 100644 ') ######################################## -@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -121140,7 +120988,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',` ## ## ## @@ -121149,7 +120997,7 @@ index 7c6b791..aa86bf7 100644 ## ## # -@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -121158,7 +121006,7 @@ index 7c6b791..aa86bf7 100644 ## ## # -@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -121166,7 +121014,7 @@ index 7c6b791..aa86bf7 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -121174,7 +121022,7 @@ index 7c6b791..aa86bf7 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -121182,7 +121030,7 @@ index 7c6b791..aa86bf7 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') 
@@ -121207,7 +121055,7 @@ index 7c6b791..aa86bf7 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -121232,7 +121080,7 @@ index 7c6b791..aa86bf7 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -121241,7 +121089,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -121250,7 +121098,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -121259,7 +121107,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## 
@@ -121284,41 +121132,131 @@ index 7c6b791..aa86bf7 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3963,6 +4539,60 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3908,7 +4465,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## -+## Relabel directory on tmpfs filesystems. +-## Mount on tmpfs directories. ++## Set the attributes of tmpfs directories. + ## + ## + ## +@@ -3916,17 +4473,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` + ## + ## + # +-interface(`fs_mounton_tmpfs',` ++interface(`fs_setattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir mounton; ++ allow $1 tmpfs_t:dir setattr; + ') + + ######################################## + ## +-## Set the attributes of tmpfs directories. ++## Search tmpfs directories. + ## + ## + ## +@@ -3934,17 +4491,17 @@ interface(`fs_mounton_tmpfs',` + ## + ## + # +-interface(`fs_setattr_tmpfs_dirs',` ++interface(`fs_search_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir setattr; ++ allow $1 tmpfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Search tmpfs directories. ++## List the contents of generic tmpfs directories. + ## + ## + ## +@@ -3952,17 +4509,36 @@ interface(`fs_setattr_tmpfs_dirs',` + ## + ## + # +-interface(`fs_search_tmpfs',` ++interface(`fs_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir search_dir_perms; ++ allow $1 tmpfs_t:dir list_dir_perms; + ') + + ######################################## + ## +-## List the contents of generic tmpfs directories. ++## Do not audit attempts to list the ++## contents of generic tmpfs directories. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`fs_relabel_tmpfs_dirs',` ++interface(`fs_dontaudit_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + -+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:dir list_dir_perms; +') + +######################################## +## ++## Relabel directory on tmpfs filesystems. + ## + ## + ## +@@ -3970,31 +4546,48 @@ interface(`fs_search_tmpfs',` + ## + ## + # +-interface(`fs_list_tmpfs',` ++interface(`fs_relabel_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to list the +-## contents of generic tmpfs directories. +## Relabel fifo_file on tmpfs filesystems. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_list_tmpfs',` +interface(`fs_relabel_tmpfs_fifo_files',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:dir list_dir_perms; + relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) +') + @@ -121338,14 +121276,10 @@ index 7c6b791..aa86bf7 100644 + ') + + relabel_files_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete - ## tmpfs directories - ## -@@ -4069,7 +4699,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` + ') + + ######################################## +@@ -4105,7 +4698,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -121354,7 +121288,7 @@ index 7c6b791..aa86bf7 100644 ') ######################################## -@@ -4129,6 +4759,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4758,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## 
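Review bot: The regenerated hunk now deletes upstream's `fs_mounton_tmpfs` interface (the inner `-interface(`fs_mounton_tmpfs',` and `- allow $1 tmpfs_t:dir mounton;` lines carried on outer `+`), whereas the previous version of the patch (`-@@ -3963,6 +4539,60 @@`) was a pure insertion of the three relabel interfaces below `fs_dontaudit_list_tmpfs`. If this is a rebase artifact from a filesystem.if that predates fs_mounton_tmpfs rather than an intentional removal, every module that calls fs_mounton_tmpfs() will fail at build time with an undefined-interface error and the only policy path for mounting over tmpfs directories disappears. The shifted headers on the neighbouring interfaces (`fs_setattr_tmpfs_dirs`, `fs_search_tmpfs`, `fs_list_tmpfs`, `fs_dontaudit_list_tmpfs`) suggest the same cause; regenerating the patch against a tree that still contains fs_mounton_tmpfs would restore the minimal insert-only form.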
@@ -121379,7 +121313,7 @@ index 7c6b791..aa86bf7 100644 ## Read tmpfs link files. ## ## -@@ -4166,7 +4814,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4813,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -121388,7 +121322,7 @@ index 7c6b791..aa86bf7 100644 ## ## ## -@@ -4185,6 +4833,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4832,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -121449,7 +121383,7 @@ index 7c6b791..aa86bf7 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4944,43 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +4943,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -121485,7 +121419,8 @@ index 7c6b791..aa86bf7 100644 + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:file unlink; ++ allow $1 tmpfs_t:dir del_entry_dir_perms; ++ allow $1 tmpfs_t:file_class_set delete_file_perms; +') + +######################################## @@ -121493,7 +121428,7 @@ index 7c6b791..aa86bf7 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5000,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -121519,7 +121454,7 @@ index 7c6b791..aa86bf7 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +5225,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5225,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -121528,7 +121463,7 @@ index 7c6b791..aa86bf7 100644 ') ######################################## -@@ -4513,7 +5273,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5273,7 @@ interface(`fs_unmount_all_fs',` ## ##
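Review bot: Replacing `allow $1 tmpfs_t:file unlink;` with `allow $1 tmpfs_t:file_class_set delete_file_perms;` widens the grant from regular files to every non-directory object class on tmpfs (symlinks, fifos, sockets and device nodes), and the interface header and description sit above the hunk, so they may still say "files". If the wider scope is intended, reword the description to match, e.g. `## Delete any non-directory object on tmpfs filesystems.`; if callers only need regular files and symlinks, `{ file lnk_file }` would keep the surface narrower. The added `allow $1 tmpfs_t:dir del_entry_dir_perms;` is the right companion, since unlink also requires remove_name on the parent directory.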

## Allow the specified domain to @@ -121537,7 +121472,34 @@ index 7c6b791..aa86bf7 100644 ## Example attributes: ##

##
    -@@ -4876,3 +5636,43 @@ interface(`fs_unconfined',` +@@ -4596,6 +5320,26 @@ interface(`fs_dontaudit_getattr_all_fs',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on all filesystems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_all_access_check',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:dir_file_class_set audit_access; ++') ++ ++ ++######################################## ++## + ## Get the quotas of all filesystems. + ## + ## +@@ -4912,3 +5656,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -121582,19 +121544,18 @@ index 7c6b791..aa86bf7 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 376bae8..36a5041 100644 +index 9e603f5..6a95769 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); -+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem - # types, and label the filesystem itself with the specified context. -@@ -52,6 +54,7 @@ type anon_inodefs_t; +@@ -53,6 +54,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) 
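Review bot: The new `fs_dontaudit_all_access_check` interface is followed by two blank lines before the next `########` banner (the `++` `++` pair after `++')`), while the rest of filesystem.if separates interfaces with one; drop one of them. Its description could also say what is being silenced, since `dontaudit ... dir_file_class_set audit_access` only suppresses the log entries generated by access(2)/faccessat-style permission probes across all filesystem types and grants nothing, e.g. `## Do not audit access(2)-style permission probes on all filesystems.`; readers otherwise tend to mistake an "all filesystems" rule for an access grant.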
@@ -121602,7 +121563,7 @@ index 376bae8..36a5041 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +70,7 @@ fs_type(capifs_t) +@@ -68,7 +70,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -121611,7 +121572,7 @@ index 376bae8..36a5041 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -121623,7 +121584,7 @@ index 376bae8..36a5041 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +104,7 @@ type hugetlbfs_t; +@@ -97,6 +104,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -121631,7 +121592,7 @@ index 376bae8..36a5041 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -144,11 +153,6 @@ fs_type(spufs_t) +@@ -145,11 +153,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -121643,7 +121604,16 @@ index 376bae8..36a5041 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -175,6 +179,7 @@ fs_type(tmpfs_t) +@@ -167,6 +170,8 @@ type vxfs_t; + fs_noxattr_type(vxfs_t) + files_mountpoint(vxfs_t) + genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) ++genfscon odmfs / gen_context(system_u:object_r:vxfs_t,s0) ++genfscon vxclonefs / gen_context(system_u:object_r:vxfs_t,s0) + + # + # tmpfs_t is the type for tmpfs filesystems +@@ -176,6 +181,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
@@ -121651,7 +121621,7 @@ index 376bae8..36a5041 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -121660,7 +121630,7 @@ index 376bae8..36a5041 100644 files_mountpoint(removable_t) # -@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -121677,10 +121647,10 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..9f81200 100644 +index 649e458..31a14c8 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',` +@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` type kernel_t; ') @@ -121689,7 +121659,7 @@ index 4bf45cb..9f81200 100644 ') ######################################## -@@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',` +@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',` ######################################## ## @@ -121714,7 +121684,7 @@ index 4bf45cb..9f81200 100644 ## Get the attributes of the proc filesystem. ## ## -@@ -972,13 +990,10 @@ interface(`kernel_read_proc_symlinks',` +@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` 
@@ -121730,7 +121700,7 @@ index 4bf45cb..9f81200 100644 ') ######################################## -@@ -1458,6 +1473,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -121755,7 +121725,7 @@ index 4bf45cb..9f81200 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2066,7 +2099,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -121764,7 +121734,7 @@ index 4bf45cb..9f81200 100644 ') ######################################## -@@ -2263,6 +2296,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -121790,7 +121760,7 @@ index 4bf45cb..9f81200 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2287,7 +2339,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',` ##
## ## @@ -121799,7 +121769,7 @@ index 4bf45cb..9f81200 100644 ## ## # -@@ -2469,6 +2521,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -121824,7 +121794,7 @@ index 4bf45cb..9f81200 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2506,6 +2576,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -121849,7 +121819,7 @@ index 4bf45cb..9f81200 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2613,7 +2701,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -121858,7 +121828,7 @@ index 4bf45cb..9f81200 100644 ') ######################################## -@@ -2651,6 +2739,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -121883,7 +121853,7 @@ index 4bf45cb..9f81200 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2678,6 +2784,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -121909,7 +121879,7 @@ index 4bf45cb..9f81200 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2787,6 +2912,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -121943,7 +121913,7 @@ index 4bf45cb..9f81200 100644 ######################################## ## -@@ -2942,6 +3094,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -121968,7 +121938,7 @@ index 4bf45cb..9f81200 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -121978,25 +121948,6 @@ index 4bf45cb..9f81200 100644 + +######################################## +## -+## Allow the specified domain to connect to -+## the kernel with a unix socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_stream_connect',` -+ gen_require(` -+ type kernel_t; -+ ') -+ -+ allow $1 kernel_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## +## Allow the specified domain to getattr on +## the kernel with a unix socket. +## @@ -122289,7 +122240,7 @@ index 4bf45cb..9f81200 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index ab9b6cd..ccffb0f 100644 +index 6fac350..6fc8411 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -122535,42 +122486,16 @@ index ab9b6cd..ccffb0f 100644 +read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t) +list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if -index f52faaf..6bb6529 100644 +index b08a6e8..226021d 100644 --- a/policy/modules/kernel/mcs.if 
+++ b/policy/modules/kernel/mcs.if -@@ -102,3 +102,49 @@ interface(`mcs_process_set_categories',` +@@ -130,3 +130,23 @@ interface(`mcs_process_set_categories',` typeattribute $1 mcssetcats; ') + +######################################## +## -+## Make specified process type MCS untrusted. -+## -+## -+##

-+## Make specified process type MCS untrusted. This -+## prevents this process from sending signals to other processes -+## with different mcs labels -+## object. -+##

-+##
-+## -+## -+## The type of the process. -+## -+## -+# -+interface(`mcs_untrusted_proc',` -+ gen_require(` -+ attribute mcsuntrustedproc; -+ ') -+ -+ typeattribute $1 mcsuntrustedproc; -+') -+ -+######################################## -+## +## Make specified domain MCS trusted +## for writing to sockets at any level. +## @@ -122589,14 +122514,13 @@ index f52faaf..6bb6529 100644 + typeattribute $1 mcsnetwrite; +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te -index 0e5b661..3168d72 100644 +index 5cbeb54..8067370 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te -@@ -10,3 +10,5 @@ attribute mcsptraceall; - attribute mcssetcats; +@@ -11,3 +11,4 @@ attribute mcssetcats; attribute mcswriteall; attribute mcsreadall; -+attribute mcsuntrustedproc; + attribute mcs_constrained_type; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc index 7be4ddf..4d4c577 100644 @@ -123553,7 +123477,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 01dd2f1..3541088 100644 +index 771bce1..8b0e5e6 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` 
@@ -123615,32 +123539,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',` - - ######################################## - ## -+## Relabel a pty filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`term_relabel_pty_fs',` -+ gen_require(` -+ type devpts_t; -+ ') -+ -+ allow $1 devpts_t:filesystem relabel_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the /dev/pts directory. - ## -@@ -462,6 +503,24 @@ interface(`term_list_ptys',` +@@ -481,6 +504,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -123665,7 +123564,7 @@ index 01dd2f1..3541088 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -601,7 +660,7 @@ interface(`term_use_generic_ptys',` +@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',` ######################################## ## @@ -123674,7 +123573,7 @@ index 01dd2f1..3541088 100644 ## write the generic pty type. This is ## generally only used in the targeted policy. ## -@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -123682,7 +123581,7 @@ index 01dd2f1..3541088 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',` +@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -123709,7 +123608,7 @@ index 01dd2f1..3541088 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') 
@@ -123718,7 +123617,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -893,7 +973,7 @@ interface(`term_relabel_all_ptys',` +@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) @@ -123727,7 +123626,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',` ##
## ## @@ -123736,7 +123635,7 @@ index 01dd2f1..3541088 100644 ## ## # -@@ -1240,7 +1320,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -123785,7 +123684,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -1256,11 +1376,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -123799,7 +123698,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -1277,10 +1399,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -123812,7 +123711,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -1358,7 +1482,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -123841,7 +123740,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -1377,7 +1521,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -123850,7 +123749,7 @@ index 01dd2f1..3541088 100644 ') ######################################## -@@ -1485,7 +1629,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',` ##
## ## @@ -123859,7 +123758,7 @@ index 01dd2f1..3541088 100644 ## ## # -@@ -1493,3 +1637,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -124297,7 +124196,7 @@ index 01dd2f1..3541088 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc9") +') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 9d64659..f85e86f 100644 +index c0b88bf..a97d7cc 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -124417,10 +124316,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..ead35b9 100644 +index 5da7870..b5ab557 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,68 @@ policy_module(staff, 2.3.0) +@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) role staff_r; userdom_unpriv_user_template(staff) @@ -124489,7 +124388,7 @@ index e5aee97..ead35b9 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +79,110 @@ optional_policy(` +@@ -23,11 +79,106 @@ optional_policy(` ') optional_policy(` @@ -124594,14 +124493,10 @@ index e5aee97..ead35b9 100644 + polipo_role(staff_r, staff_t) + polipo_named_filetrans_cache_home_dirs(staff_t) + polipo_named_filetrans_config_home_files(staff_t) -+') -+ -+optional_policy(` -+ git_session_role(staff_r, staff_t) ') optional_policy(` -@@ -35,15 +190,31 @@ optional_policy(` +@@ -35,15 +186,31 @@ optional_policy(` ') optional_policy(` @@ -124635,7 +124530,7 @@ index e5aee97..ead35b9 100644 ') optional_policy(` -@@ -52,10 +223,59 @@ optional_policy(` +@@ -52,10 +219,55 @@ optional_policy(` ') optional_policy(` 
@@ -124657,10 +124552,6 @@ index e5aee97..ead35b9 100644 + sudo_role_template(staff, staff_r, staff_t) +') + -+#optional_policy(` -+# telepathy_dbus_session_role(staff_r, staff_t) -+#') -+ +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_t) +') @@ -124695,7 +124586,7 @@ index e5aee97..ead35b9 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +285,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +277,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124706,15 +124597,18 @@ index e5aee97..ead35b9 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +309,10 @@ ifndef(`distro_redhat',` - ') +@@ -78,10 +286,6 @@ ifndef(`distro_redhat',` optional_policy(` -- gnome_role(staff_r, staff_t) -- ') + dbus_role_template(staff, staff_r, staff_t) - -- optional_policy(` - gpg_role(staff_r, staff_t) +- optional_policy(` +- gnome_role_template(staff, staff_r, staff_t) +- ') + ') + + optional_policy(` +@@ -101,10 +305,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124725,7 +124619,7 @@ index e5aee97..ead35b9 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +333,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +325,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124736,7 +124630,7 @@ index e5aee97..ead35b9 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +345,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124747,7 +124641,7 @@ index e5aee97..ead35b9 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +376,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +368,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -124797,10 +124691,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 44c198a..72a70fc 100644 +index 88d0028..39285bc 100644 --- a/policy/modules/roles/sysadm.te 
+++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0) +@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -124929,14 +124823,14 @@ index 44c198a..72a70fc 100644 - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) + #cron_role(sysadm_r, sysadm_t) -+') -+ -+optional_policy(` -+ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) ++ consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -124956,24 +124850,21 @@ index 44c198a..72a70fc 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +201,15 @@ optional_policy(` +@@ -156,11 +201,11 @@ optional_policy(` ') optional_policy(` +- fstools_run(sysadm_t, sysadm_r) + firewalld_dbus_chat(sysadm_t) -+') -+ -+optional_policy(` - fstools_run(sysadm_t, sysadm_r) ') optional_policy(` - git_role(sysadm_r, sysadm_t) -+ git_session_role(sysadm_r, sysadm_t) ++ fstools_run(sysadm_t, sysadm_r) ') optional_policy(` -@@ -179,6 +228,13 @@ optional_policy(` +@@ -179,6 +224,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -124987,7 +124878,7 @@ index 44c198a..72a70fc 100644 ') optional_policy(` -@@ -186,15 +242,20 @@ optional_policy(` +@@ -186,15 +238,20 @@ optional_policy(` ') optional_policy(` @@ -125011,7 +124902,7 @@ index 44c198a..72a70fc 100644 ') optional_policy(` -@@ -214,22 +275,20 @@ optional_policy(` +@@ -214,22 +271,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -125040,7 +124931,7 @@ index 44c198a..72a70fc 100644 ') optional_policy(` -@@ -241,25 +300,47 @@ optional_policy(` +@@ -241,25 +296,47 @@ optional_policy(` ') optional_policy(` 
@@ -125088,7 +124979,7 @@ index 44c198a..72a70fc 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +351,32 @@ optional_policy(` +@@ -270,31 +347,36 @@ optional_policy(` ') optional_policy(` @@ -125098,31 +124989,35 @@ index 44c198a..72a70fc 100644 optional_policy(` - quota_run(sysadm_t, sysadm_r) -+ prelink_run(sysadm_t, sysadm_r) ++ postgresql_admin(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) -+ quota_filetrans_named_content(sysadm_t) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -+ raid_domtrans_mdadm(sysadm_t) ++ quota_filetrans_named_content(sysadm_t) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) -+ rpc_domtrans_nfsd(sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) ') optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ rpc_domtrans_nfsd(sysadm_t) ++') ++ ++optional_policy(` + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') @@ -125261,26 +125156,28 @@ index 44c198a..72a70fc 100644 - - optional_policy(` dbus_role_template(sysadm, sysadm_r, sysadm_t) - ') -@@ -460,6 +553,7 @@ ifndef(`distro_redhat',` + optional_policy(` +@@ -463,15 +556,75 @@ ifndef(`distro_redhat',` + ') optional_policy(` - gnome_role(sysadm_r, sysadm_t) +- gpg_role(sysadm_r, sysadm_t) ++ gnome_role(sysadm_r, sysadm_t) + gnome_filetrans_admin_home_content(sysadm_t) ') optional_policy(` -@@ -467,11 +561,66 @@ ifndef(`distro_redhat',` +- irc_role(sysadm_r, sysadm_t) ++ gpg_role(sysadm_r, sysadm_t) ') optional_policy(` -- irc_role(sysadm_r, sysadm_t) -+ java_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) ') +-') - optional_policy(` -- java_role(sysadm_r, sysadm_t) ++ optional_policy(` + lockdev_role(sysadm_r, sysadm_t) + ') + 
@@ -125290,9 +125187,8 @@ index 44c198a..72a70fc 100644 + + optional_policy(` + mozilla_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) + ') @@ -126003,10 +125899,10 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..d609f53 +index 0000000..0b9a7bb --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,387 @@ +@@ -0,0 +1,373 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -126092,15 +125988,9 @@ index 0000000..d609f53 +init_telinit(unconfined_t) + +logging_send_syslog_msg(unconfined_t) -+logging_run_auditctl(unconfined_t, unconfined_r) + +systemd_config_all_services(unconfined_t) + -+seutil_run_loadpolicy(unconfined_t, unconfined_r) -+seutil_run_setsebool(unconfined_t, unconfined_r) -+seutil_run_setfiles(unconfined_t, unconfined_r) -+seutil_run_semanage(unconfined_t, unconfined_r) -+ +unconfined_domain_noaudit(unconfined_t) + +usermanage_run_passwd(unconfined_t, unconfined_r) @@ -126273,8 +126163,8 @@ index 0000000..d609f53 + ') + + optional_policy(` -+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) -+ ') ++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) ++ ') + + optional_policy(` + oddjob_dbus_chat(unconfined_t) @@ -126381,14 +126271,6 @@ index 0000000..d609f53 +') + +optional_policy(` -+ webalizer_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ wine_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + xserver_run(unconfined_t, unconfined_r) + xserver_manage_home_fonts(unconfined_t) +') @@ -126405,11 +126287,11 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9f6d4c3..07ceee0 100644 +index cdfddf4..35179f7 100644 --- a/policy/modules/roles/unprivuser.te 
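Review bot: The unconfineduser.te hunk drops `logging_run_auditctl(unconfined_t, unconfined_r)` and the four `seutil_run_loadpolicy/setsebool/setfiles/semanage(unconfined_t, unconfined_r)` calls without anything in the hunk taking their place. If these moved into another template or module, a line in the commit message saying where would help the next rebase; if they did not, unconfined_r loses the role authorization for those tool domains and auditctl/semanage/setsebool/setfiles run in unconfined_t with no domain transition, which hides policy-management activity from per-domain auditing. The later removal of `webalizer_run` and `wine_run` in the same file reads as an intentional privilege reduction and needs no comment.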
+++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ - policy_module(unprivuser, 2.3.0) + policy_module(unprivuser, 2.3.1) +## +##

@@ -126421,7 +126303,7 @@ index 9f6d4c3..07ceee0 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,99 @@ role user_r; +@@ -12,12 +19,96 @@ role user_r; userdom_unpriv_user_template(user) @@ -126434,6 +126316,7 @@ index 9f6d4c3..07ceee0 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + ++init_dbus_chat(user_t) +init_status(user_t) + +tunable_policy(`selinuxuser_execmod',` @@ -126515,14 +126398,10 @@ index 9f6d4c3..07ceee0 100644 + +optional_policy(` + ssh_role_template(user, user_r, user_t) -+') -+ -+optional_policy(` -+ git_session_role(user_r, user_t) ') optional_policy(` -@@ -25,6 +119,18 @@ optional_policy(` +@@ -25,6 +116,18 @@ optional_policy(` ') optional_policy(` @@ -126541,18 +126420,7 @@ index 9f6d4c3..07ceee0 100644 vlock_run(user_t, user_r) ') -@@ -66,10 +172,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- gnome_role(user_r, user_t) -- ') -- -- optional_policy(` - gpg_role(user_r, user_t) - ') - -@@ -102,10 +204,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +205,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -126563,7 +126431,7 @@ index 9f6d4c3..07ceee0 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +226,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +227,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -126571,7 +126439,7 @@ index 9f6d4c3..07ceee0 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +258,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +259,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -126588,7 +126456,7 @@ index 9f6d4c3..07ceee0 100644 + ') +') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index a26f84f..d3cc612 100644 +index a26f84f..947af6c 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -10,6 +10,7 @@ 
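Review bot: `init_dbus_chat(user_t)` is added unconditionally beside `init_status(user_t)`, giving every unprivileged user_t process two-way D-Bus messaging with init_t, so from this point the decision about what a user may ask systemd to do rests on systemd's own polkit checks rather than on policy. A why-comment naming the user-facing feature that requires it, e.g. `# user sessions need to talk to PID 1 over the system bus (loginctl/systemctl --user)`, would make the intent auditable, and if only some deployments need it, guarding it with a tunable in the style of the surrounding `selinuxuser_execmod` block would keep the default surface smaller.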
@@ -126599,7 +126467,7 @@ index a26f84f..d3cc612 100644 /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) -@@ -28,9 +29,9 @@ ifdef(`distro_redhat', ` +@@ -28,9 +29,10 @@ ifdef(`distro_redhat', ` # /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) @@ -126608,17 +126476,18 @@ index a26f84f..d3cc612 100644 /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) -@@ -45,4 +46,4 @@ ifdef(`distro_redhat', ` +@@ -45,4 +47,4 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index ecef19f..fcbc25a 100644 +index 9d2f311..c8a2637 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ 
@@ -126725,20 +126594,15 @@ index ecef19f..fcbc25a 100644 # interface(`postgresql_stream_connect',` gen_require(` -@@ -429,10 +449,8 @@ interface(`postgresql_stream_connect',` - ') +@@ -432,6 +452,7 @@ interface(`postgresql_stream_connect',` files_search_pids($1) -- allow $1 postgresql_t:unix_stream_socket connectto; -- allow $1 postgresql_var_run_t:sock_file write; -- # Some versions of postgresql put the sock file in /tmp -- allow $1 postgresql_tmp_t:sock_file write; -+ files_search_tmp($1) + files_search_tmp($1) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## -@@ -515,7 +533,6 @@ interface(`postgresql_unpriv_client',` +@@ -514,7 +535,6 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; @@ -126746,7 +126610,37 @@ index ecef19f..fcbc25a 100644 tunable_policy(`sepgsql_enable_users_ddl',` allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; -@@ -564,33 +581,38 @@ interface(`postgresql_unconfined',` +@@ -547,6 +567,29 @@ interface(`postgresql_unconfined',` + + ######################################## + ##

++## Transition to postgresql named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_filetrans_named_content',` ++ gen_require(` ++ type postgresql_db_t; ++ type postgresql_log_t; ++ ') ++ ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log") ++') ++ ++######################################## ++## + ## All of the rules required to administrate an postgresql environment + ## + ## +@@ -563,35 +606,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -126793,8 +126687,11 @@ index ecef19f..fcbc25a 100644 admin_pattern($1, postgresql_tmp_t) postgresql_tcp_connect($1) + postgresql_stream_connect($1) ++ postgresql_filetrans_named_content($1) + ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 4318f73..e4d0b31 100644 +index 346d011..d55e727 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -126815,7 +126712,7 @@ index 4318f73..e4d0b31 100644 +## Allow unprivileged users to execute DDL statement +##
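Review bot: The new `postgresql_filetrans_named_content` interface only transitions `logfile` and `pg_log` to postgresql_log_t when they are created as directories (`dir`), but the file-context line `/var/lib/pgsql/logfile(/.*)?` also matches a plain file, and the name reads like pg_ctl's `-l logfile` output, so a regular `logfile` created by postgresql_t would inherit postgresql_db_t until a restorecon relabels it. If that is a file in practice, `filetrans_pattern($1, postgresql_db_t, postgresql_log_t, { file dir }, "logfile")` closes the gap; the three `files_var_lib_filetrans` calls are correctly limited to `dir`. The `postgresql_admin` caller that picks this interface up is in the following hunk.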

##
--gen_tunable(sepgsql_enable_users_ddl, true) +-gen_tunable(sepgsql_enable_users_ddl, false) +gen_tunable(postgresql_selinux_users_ddl, true) ## @@ -126831,17 +126728,14 @@ index 4318f73..e4d0b31 100644 ## Allow database admins to execute DML statement ##

##
--gen_tunable(sepgsql_unconfined_dbadm, true) +-gen_tunable(sepgsql_unconfined_dbadm, false) +gen_tunable(postgresql_selinux_unconfined_dbadm, true) type postgresql_t; type postgresql_exec_t; -@@ -233,9 +240,10 @@ allow postgresql_t self:shm create_shm_perms; - allow postgresql_t self:tcp_socket create_stream_socket_perms; - allow postgresql_t self:udp_socket create_stream_socket_perms; +@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; --allow postgresql_t self:unix_stream_socket create_stream_socket_perms; -+allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow postgresql_t self:netlink_selinux_socket create_socket_perms; -tunable_policy(`sepgsql_transmit_client_label',` + @@ -126849,7 +126743,14 @@ index 4318f73..e4d0b31 100644 allow postgresql_t self:process { setsockcreate }; ') -@@ -275,7 +283,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms; +@@ -270,13 +278,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) ++postgresql_filetrans_named_content(postgresql_t) + + allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) 
@@ -126858,7 +126759,7 @@ index 4318f73..e4d0b31 100644 can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; -@@ -303,7 +311,6 @@ kernel_list_proc(postgresql_t) +@@ -304,7 +312,6 @@ kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) @@ -126866,7 +126767,7 @@ index 4318f73..e4d0b31 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -341,8 +348,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +349,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -126876,7 +126777,7 @@ index 4318f73..e4d0b31 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -353,7 +359,6 @@ init_read_utmp(postgresql_t) +@@ -354,7 +360,6 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) @@ -126884,7 +126785,7 @@ index 4318f73..e4d0b31 100644 seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -366,7 +371,7 @@ optional_policy(` +@@ -367,7 +372,7 @@ optional_policy(` mta_getattr_spool(postgresql_t) ') @@ -126893,7 +126794,7 @@ index 4318f73..e4d0b31 100644 allow postgresql_t self:process execmem; ') -@@ -487,7 +492,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db +@@ -488,7 +493,7 @@ allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db # Note that permission of creation/deletion are eventually controlled by # create or drop permission of individual objects within shared schemas. # So, it just allows to create/drop user specific types. 
@@ -126902,7 +126803,7 @@ index 4318f73..e4d0b31 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -535,7 +540,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +541,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -126911,7 +126812,7 @@ index 4318f73..e4d0b31 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -588,3 +593,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +594,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -126930,10 +126831,10 @@ index 4318f73..e4d0b31 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..022c7db 100644 +index 76d9f66..c61ed66 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,9 +1,23 @@ +@@ -1,4 +1,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + 
@@ -126948,16 +126849,8 @@ index 078bcd7..022c7db 100644 +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) - /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) -+/etc/ssh/ssh_host_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0) -+/etc/ssh/ssh_host_dsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0) -+/etc/ssh/ssh_host_rsa_key.pub -- gen_context(system_u:object_r:sshd_key_t,s0) - - /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) - /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) -@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +@@ -12,5 +23,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -127601,19 +127494,19 @@ index fe0c682..2b21421 100644 + allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl }; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..3354b8f 100644 +index 5fc0391..129ae69 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) +@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3) # ## -##

-## allow host key based authentication -##

-+##

-+## allow host key based authentication -+##

++##

++## allow host key based authentication ++##

##
-gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_keysign, false) @@ -127817,7 +127710,7 @@ index b17e27a..3354b8f 100644 ') optional_policy(` -@@ -195,28 +218,24 @@ optional_policy(` +@@ -195,6 +218,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -127825,32 +127718,15 @@ index b17e27a..3354b8f 100644 ############################## # # ssh_keysign_t local policy - # - --tunable_policy(`allow_ssh_keysign',` -+tunable_policy(`ssh_keysign',` - allow ssh_keysign_t self:capability { setgid setuid }; - allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +230,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; + allow ssh_keysign_t sshd_key_t:file { getattr read }; -- allow ssh_keysign_t sshd_key_t:file { getattr read }; -+ allow ssh_keysign_t sshd_key_t:file read_file_perms; + dev_read_urand(ssh_keysign_t) ++dev_read_rand(ssh_keysign_t) -+ dev_read_rand(ssh_keysign_t) - dev_read_urand(ssh_keysign_t) + files_read_etc_files(ssh_keysign_t) - files_read_etc_files(ssh_keysign_t) - ') - --optional_policy(` -- tunable_policy(`allow_ssh_keysign',` -- nscd_socket_use(ssh_keysign_t) -- ') --') -- - ################################# - # - # sshd local policy -@@ -227,33 +246,50 @@ optional_policy(` +@@ -223,33 +248,50 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -127910,7 +127786,7 @@ index b17e27a..3354b8f 100644 ') optional_policy(` -@@ -261,11 +297,24 @@ optional_policy(` +@@ -257,11 +299,24 @@ optional_policy(` ') optional_policy(` @@ -127936,7 +127812,7 @@ index b17e27a..3354b8f 100644 ') optional_policy(` -@@ -273,6 +322,10 @@ optional_policy(` +@@ -269,6 +324,10 @@ optional_policy(` ') optional_policy(` @@ -127947,7 +127823,7 @@ index b17e27a..3354b8f 100644 rpm_use_script_fds(sshd_t) ') -@@ -283,6 +336,28 @@ optional_policy(` +@@ -279,6 +338,28 @@ optional_policy(` ') optional_policy(` 
@@ -127976,7 +127852,7 @@ index b17e27a..3354b8f 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +365,29 @@ optional_policy(` +@@ -286,6 +367,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -128006,7 +127882,7 @@ index b17e27a..3354b8f 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +396,26 @@ optional_policy(` +@@ -294,19 +398,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -128034,21 +127910,20 @@ index b17e27a..3354b8f 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +432,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +434,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) - --optional_policy(` -- nscd_socket_use(ssh_keygen_t) ++ +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(ssh_keygen_t) + fs_manage_nfs_dirs(ssh_keygen_t) - ') ++') optional_policy(` -@@ -339,3 +446,121 @@ optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +@@ -331,3 +448,124 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -128082,6 +127957,7 @@ index b17e27a..3354b8f 100644 +# +# chroot_user_t local policy +# ++allow chroot_user_t self:fifo_file rw_fifo_file_perms; +allow chroot_user_t self:unix_dgram_socket create_socket_perms; + +corecmd_exec_shell(chroot_user_t) @@ -128089,6 +127965,8 @@ index b17e27a..3354b8f 100644 +term_search_ptys(chroot_user_t) +term_use_ptmx(chroot_user_t) + ++fs_getattr_all_fs(chroot_user_t) ++ +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) +userdom_read_user_home_content_symlinks(chroot_user_t) @@ -128171,7 +128049,7 @@ index b17e27a..3354b8f 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') 
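Review bot: `fs_getattr_all_fs(chroot_user_t)` in the chroot_user_t hunk (`@@ -128089,6 +127965,8 @@`) grants `filesystem getattr` on every filesystem type to a domain that exists precisely to keep sftp chroot users contained, and no comment says what needed it. If the trigger is a statfs/df-style call inside the chroot, the narrower `fs_getattr_xattr_fs(chroot_user_t)` is the usual fix; if it really has to be all filesystems, a why-comment such as `# sftp-server calls statfs on the chroot; mount point type is not known in advance` records the decision. The `chroot_user_t local policy` block continues past this hunk, so other rules for the domain may already be in place.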
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..ba6be42 100644 +index d1f64a0..c92d1e2 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -128210,9 +128088,9 @@ index fc86b7c..ba6be42 100644 # # /dev -@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) - - /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -22,13 +44,20 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) +/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) @@ -128225,11 +128103,14 @@ index fc86b7c..ba6be42 100644 /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) +-/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) +/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) + ++/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +75,30 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -128248,11 +128129,13 @@ index fc86b7c..ba6be42 100644 # +/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) - /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) --/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++ /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -128260,10 +128143,13 @@ index fc86b7c..ba6be42 100644 +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0) + + /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -90,24 +121,47 @@ ifndef(`distro_debian',` - /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +@@ -92,25 +125,49 @@ ifndef(`distro_debian',` + /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) 
@@ -128276,12 +128162,12 @@ index fc86b7c..ba6be42 100644 -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) --/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) @@ -128289,10 +128175,11 @@ index fc86b7c..ba6be42 100644 + +/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -128316,7 +128203,7 @@ index fc86b7c..ba6be42 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..a75282a 100644 +index 6bf0ecc..6c7c743 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -128756,7 +128643,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -765,11 +879,31 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -128790,7 +128677,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +927,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -128816,7 +128703,7 @@ index 130ced9..a75282a 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +959,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -128843,7 +128730,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1017,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -128871,7 +128758,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1059,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -128896,7 +128783,7 @@ index 130ced9..a75282a 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1105,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1146,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
@@ -128924,7 +128811,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -916,7 +1143,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1184,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -128933,7 +128820,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -963,6 +1190,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1231,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -128979,7 +128866,7 @@ index 130ced9..a75282a 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1242,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1283,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -128988,7 +128875,7 @@ index 130ced9..a75282a 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1304,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1345,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -129031,7 +128918,7 @@ index 130ced9..a75282a 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1354,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1395,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -129040,7 +128927,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -1070,8 +1372,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1413,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -129052,7 +128939,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -1185,6 +1489,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1530,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
@@ -129079,7 +128966,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -1210,7 +1534,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1575,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -129088,7 +128975,7 @@ index 130ced9..a75282a 100644 ## ## ## -@@ -1220,13 +1544,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1585,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -129113,7 +129000,7 @@ index 130ced9..a75282a 100644 ') ######################################## -@@ -1243,10 +1577,541 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1618,541 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -129658,7 +129545,7 @@ index 130ced9..a75282a 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..9f53f97 100644 +index 2696452..4a06941 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -131108,7 +130995,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..4d4ec55 100644 +index 3efd5b6..7c0ea2d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -131292,24 +131179,25 @@ index f416ce9..4d4ec55 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,13 +431,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,6 +431,8 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` -- pcscd_read_pub_files($1) + pcscd_manage_pub_files($1) + pcscd_manage_pub_pipes($1) + pcscd_read_pid_files($1) pcscd_stream_connect($1) ') - +@@ -402,6 +440,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') ++ + auth_domtrans_upd_passwd($1) ') ######################################## -@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +488,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -131335,7 +131223,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +526,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -131343,7 +131231,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +722,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -131354,7 +131242,7 @@ index f416ce9..4d4ec55 100644 ') ####################################### -@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +825,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -131406,7 +131294,7 @@ index f416ce9..4d4ec55 100644 ') ####################################### -@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',` +@@ -826,7 +931,7 @@ interface(`auth_rw_lastlog',` ######################################## ## 
@@ -131415,7 +131303,7 @@ index f416ce9..4d4ec55 100644 ## ## ## -@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +939,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -131446,7 +131334,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +974,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -131465,7 +131353,7 @@ index f416ce9..4d4ec55 100644 ##
## ## -@@ -875,13 +993,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +995,33 @@ interface(`auth_signal_pam',` ## ## # @@ -131503,7 +131391,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1099,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -131537,7 +131425,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1201,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -131548,7 +131436,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1341,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -131556,7 +131444,7 @@ index f416ce9..4d4ec55 100644 ') ####################################### -@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1742,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -131582,7 +131470,7 @@ index f416ce9..4d4ec55 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1911,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -131608,7 +131496,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1935,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -131625,7 +131513,7 @@ index f416ce9..4d4ec55 100644 ') ######################################## -@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',` +@@ -1805,3 +1975,199 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -131826,10 +131714,10 @@ index f416ce9..4d4ec55 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index f145ccb..499ee40 100644 +index 104037e..eceffb2 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0) +@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) # Declarations # @@ -132063,7 +131951,7 @@ index f145ccb..499ee40 100644 ') optional_policy(` -- nscd_socket_use(utempter_t) +- nscd_use(utempter_t) + xserver_use_xdm_fds(utempter_t) + xserver_rw_xdm_pipes(utempter_t) +') @@ -132112,15 +132000,6 @@ index f145ccb..499ee40 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -447,7 +485,7 @@ optional_policy(` - ') - - optional_policy(` -- nscd_socket_use(nsswitch_domain) -+ nscd_use(nsswitch_domain) - ') - - optional_policy(` @@ -456,6 +494,7 @@ optional_policy(` optional_policy(` 
@@ -132272,38 +132151,8 @@ index c5e05ca..c9ddbee 100644 +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + -diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if -index e2f6d93..c78ccc6 100644 ---- a/policy/modules/system/clock.if -+++ b/policy/modules/system/clock.if -@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',` - - ######################################## - ## -+## Read clock drift adjustments. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clock_read_adjtime',` -+ gen_require(` -+ type adjtime_t; -+ ') -+ -+ allow $1 adjtime_t:file read_file_perms; -+ files_list_etc($1) -+') -+ -+######################################## -+## - ## Read and write clock drift adjustments. - ## - ## diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te -index b9ed25b..91e25b5 100644 +index 3694bfe..7fcd27a 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t) @@ -132333,7 +132182,7 @@ index b9ed25b..91e25b5 100644 ') optional_policy(` -- nscd_socket_use(hwclock_t) +- nscd_use(hwclock_t) -') - -optional_policy(` @@ -132616,7 +132465,7 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fd100fc..3e61328 100644 +index fc38c9c..dce2d4e 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t) @@ -132662,7 +132511,7 @@ index fd100fc..3e61328 100644 ') optional_policy(` -- nscd_socket_use(getty_t) +- nscd_use(getty_t) -') - -optional_policy(` @@ -132760,7 +132609,7 @@ index 40eb10c..2a0a32c 100644 corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te -index b2e41cc..6a37dca 100644 +index bb5c4a6..7ebb938 100644 --- a/policy/modules/system/hotplug.te 
+++ b/policy/modules/system/hotplug.te @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) @@ -132807,7 +132656,7 @@ index b2e41cc..6a37dca 100644 -') - -optional_policy(` -- nscd_socket_use(hotplug_t) +- nscd_use(hotplug_t) -') - -optional_policy(` @@ -132815,18 +132664,20 @@ index b2e41cc..6a37dca 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index d2e40b8..3ba2e4c 100644 +index 9a4d3a7..b7b205c 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -2,6 +2,7 @@ +@@ -1,6 +1,9 @@ + # # /etc # - /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/machine-id -- gen_context(system_u:object_r:machineid_t,s0) - ++ /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -31,6 +32,11 @@ ifdef(`distro_gentoo', ` + +@@ -29,6 +32,11 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -132838,7 +132689,7 @@ index d2e40b8..3ba2e4c 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -48,11 +54,23 @@ ifdef(`distro_gentoo', ` +@@ -42,11 +50,23 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -132862,7 +132713,7 @@ index d2e40b8..3ba2e4c 100644 # # /var -@@ -61,6 +79,7 @@ ifdef(`distro_gentoo', ` +@@ -55,6 +75,7 @@ ifdef(`distro_gentoo', ` /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) 
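Review bot: The `++/etc/init\.d/.*` line in the init.fc hunk moves the initrc_exec_t labeling for /etc/init.d from base context into the Fedora patch, and nothing in the hunk records why the base no longer carries it; a one-line comment above it, `# carried here while upstream init.fc lacks the /etc/init.d entry`, would keep the next rebase from silently dropping it. The line is security-relevant rather than cosmetic: if it were lost, SysV scripts under /etc/init.d would fall back to etc_t and the initrc_t entry transition that this patch sets up with `domain_entry_file(initrc_t, initrc_exec_t)` in init.te would not fire. The `--` qualifier limits the match to regular files, which looks intended; whether /etc/init.d is a real directory or a symlink on the target is not visible here, so confirm it is the path setfiles will actually walk.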
@@ -132870,13 +132721,13 @@ index d2e40b8..3ba2e4c 100644 ifdef(`distro_debian',` /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) -@@ -79,3 +98,4 @@ ifdef(`distro_suse', ` +@@ -73,3 +94,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..95c1bd8 100644 +index 24e7804..386109d 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -106,6 +106,8 @@ interface(`init_domain',` @@ -132955,7 +132806,7 @@ index d26fe81..95c1bd8 100644 + ') - optional_policy(` -- nscd_socket_use($1) +- nscd_use($1) - ') + typeattribute $1 initrc_domain; ') @@ -133055,8 +132906,8 @@ index d26fe81..95c1bd8 100644 + ######################################## ## - ## Execute init (/sbin/init) with a domain transition. -@@ -442,7 +457,6 @@ interface(`init_domtrans',` + ## Mark the file type as a daemon run dir, allowing initrc_t +@@ -469,7 +484,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -133064,7 +132915,7 @@ index d26fe81..95c1bd8 100644 # interface(`init_exec',` gen_require(` -@@ -451,6 +465,48 @@ interface(`init_exec',` +@@ -478,6 +492,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -133113,7 +132964,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -539,6 +595,24 @@ interface(`init_sigchld',` +@@ -566,6 +622,24 @@ interface(`init_sigchld',` ######################################## ## @@ -133138,7 +132989,7 @@ index d26fe81..95c1bd8 100644 ## Connect to init with a unix socket. ## ## -@@ -549,10 +623,66 @@ interface(`init_sigchld',` +@@ -576,10 +650,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` 
@@ -133207,7 +133058,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -716,22 +846,23 @@ interface(`init_write_initctl',` +@@ -743,22 +873,23 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -133240,7 +133091,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -760,7 +891,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +918,7 @@ interface(`init_rw_initctl',` ##
## ## @@ -133249,7 +133100,7 @@ index d26fe81..95c1bd8 100644 ## ## # -@@ -803,11 +934,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +961,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -133264,7 +133115,7 @@ index d26fe81..95c1bd8 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +950,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +977,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -133278,7 +133129,7 @@ index d26fe81..95c1bd8 100644 ') ') -@@ -838,19 +970,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +997,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -133324,7 +133175,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -906,9 +1060,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1087,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -133339,7 +133190,7 @@ index d26fe81..95c1bd8 100644 files_search_etc($1) ') -@@ -999,7 +1158,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1185,9 @@ interface(`init_ptrace',` type init_t; ') @@ -133350,7 +133201,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -1098,6 +1259,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1286,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -133376,7 +133227,7 @@ index d26fe81..95c1bd8 100644 ## Read all init script files. ## ## -@@ -1117,6 +1297,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1324,24 @@ interface(`init_read_all_script_files',` ####################################### ## 
@@ -133401,7 +133252,7 @@ index d26fe81..95c1bd8 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1366,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1393,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -133415,7 +133266,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -1413,6 +1606,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1633,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -133443,7 +133294,7 @@ index d26fe81..95c1bd8 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1713,25 @@ interface(`init_getattr_script_status_files',` +@@ -1526,6 +1740,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -133469,7 +133320,7 @@ index d26fe81..95c1bd8 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1790,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1817,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -133494,7 +133345,7 @@ index d26fe81..95c1bd8 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1880,43 @@ interface(`init_read_utmp',` +@@ -1656,6 +1907,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -133538,7 +133389,7 @@ index d26fe81..95c1bd8 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2005,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2032,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -133547,7 +133398,7 @@ index d26fe81..95c1bd8 100644 ') ######################################## -@@ -1758,7 +2046,134 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,7 +2073,134 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -133683,7 +133534,7 @@ index d26fe81..95c1bd8 100644 ## ## Allow the specified domain to connect to daemon with a tcp socket ## -@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2234,283 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -133968,7 +133819,7 @@ index d26fe81..95c1bd8 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..fe91700 100644 +index dd3be8d..682e5fc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -133998,7 +133849,7 @@ index 4a88fa1..fe91700 100644 # used for direct running of init scripts # by admin domains -@@ -25,19 +39,28 @@ attribute direct_init_entry; +@@ -25,9 +39,17 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -134014,6 +133865,9 @@ index 4a88fa1..fe91700 100644 +# Mark process types as initrc domain +attribute initrc_domain; + # Mark file type as a daemon run directory + attribute daemonrundir; +@@ -35,12 +57,13 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -134028,7 +133882,7 @@ index 4a88fa1..fe91700 100644 # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -46,6 +69,15 @@ type init_var_run_t; +@@ -49,6 +72,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -134044,7 +133898,7 @@ index 4a88fa1..fe91700 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -54,7 +86,7 @@ type initctl_t; +@@ -57,7 +89,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) 
@@ -134053,7 +133907,7 @@ index 4a88fa1..fe91700 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -63,6 +95,8 @@ role system_r types initrc_t; +@@ -66,6 +98,8 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -134062,7 +133916,7 @@ index 4a88fa1..fe91700 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -95,7 +129,8 @@ ifdef(`enable_mls',` +@@ -98,7 +132,8 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -134072,7 +133926,7 @@ index 4a88fa1..fe91700 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -107,12 +142,32 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -110,12 +145,32 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -134111,7 +133965,7 @@ index 4a88fa1..fe91700 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,28 +180,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -134126,6 +133980,7 @@ index 4a88fa1..fe91700 100644 # Early devtmpfs dev_rw_generic_chr_files(init_t) +dev_filetrans_all_named_dev(init_t) ++dev_write_watchdog(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -134151,7 +134006,7 @@ index 4a88fa1..fe91700 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t) +@@ -155,6 +221,8 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) 
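Review bot: The `dev_write_watchdog(init_t)` line in the init.te hunk (the inner hunk's new-side count goes from 38 to 39, so it appears to be the addition this commit makes) grants init_t write access to the watchdog device with no comment saying what needs it; add `# init feeds the hardware watchdog (presumably systemd RuntimeWatchdogSec=)` above it, adjusted to the actual trigger. The grant is defensible for init_t, but because a process that arms the watchdog and then stops writing can reboot the host, the exact permission set the interface hands out is worth checking in devices.if, which this patch does not show. The enclosing init_t rule block continues outside the hunk.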
@@ -134160,7 +134015,7 @@ index 4a88fa1..fe91700 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t) +@@ -162,22 +230,41 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -134204,7 +134059,7 @@ index 4a88fa1..fe91700 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -183,29 +269,176 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,176 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -134375,7 +134230,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -- nscd_socket_use(init_t) +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -134389,7 +134244,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -213,6 +446,27 @@ optional_policy(` +@@ -216,6 +450,27 @@ optional_policy(` ') optional_policy(` @@ -134417,7 +134272,7 @@ index 4a88fa1..fe91700 100644 unconfined_domain(init_t) ') -@@ -222,8 +476,9 @@ optional_policy(` +@@ -225,8 +480,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -134429,7 +134284,7 @@ index 4a88fa1..fe91700 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +506,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -134446,7 +134301,7 @@ index 4a88fa1..fe91700 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +531,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -134489,7 +134344,7 @@ index 4a88fa1..fe91700 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,9 +568,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -134501,7 +134356,7 @@ index 4a88fa1..fe91700 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -306,8 +580,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -134512,7 +134367,7 @@ index 4a88fa1..fe91700 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +591,16 @@ dev_manage_generic_files(initrc_t) +@@ -321,17 +598,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -134532,7 +134387,7 @@ index 4a88fa1..fe91700 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +608,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -134540,7 +134395,7 @@ index 4a88fa1..fe91700 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +616,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,8 +623,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -134552,7 +134407,7 @@ index 4a88fa1..fe91700 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +635,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -134566,7 +134421,7 @@ index 4a88fa1..fe91700 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +650,13 @@ fs_mount_all_fs(initrc_t) +@@ -374,9 +657,13 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -134581,7 +134436,7 @@ index 4a88fa1..fe91700 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +666,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +673,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -134589,7 +134444,7 @@ index 4a88fa1..fe91700 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +678,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +685,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -134597,7 +134452,7 @@ index 4a88fa1..fe91700 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -409,20 +697,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +704,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) 
@@ -134621,7 +134476,7 @@ index 4a88fa1..fe91700 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +762,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -134632,7 +134487,7 @@ index 4a88fa1..fe91700 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +786,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +796,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -134641,7 +134496,7 @@ index 4a88fa1..fe91700 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +801,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +811,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -134649,7 +134504,7 @@ index 4a88fa1..fe91700 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +822,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +832,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -134657,7 +134512,7 @@ index 4a88fa1..fe91700 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +832,40 @@ ifdef(`distro_redhat',` +@@ -549,8 +842,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -134698,7 +134553,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -549,14 +873,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +883,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -134730,7 +134585,7 @@ index 4a88fa1..fe91700 100644 ') ') -@@ -567,6 +908,39 @@ ifdef(`distro_suse',` +@@ -576,6 +918,39 @@ ifdef(`distro_suse',` ') ') 
@@ -134770,7 +134625,7 @@ index 4a88fa1..fe91700 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +953,8 @@ optional_policy(` +@@ -588,6 +963,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -134779,7 +134634,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -600,6 +976,7 @@ optional_policy(` +@@ -609,6 +986,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -134787,7 +134642,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -612,6 +989,17 @@ optional_policy(` +@@ -625,6 +1003,17 @@ optional_policy(` ') optional_policy(` @@ -134805,7 +134660,7 @@ index 4a88fa1..fe91700 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +1016,13 @@ optional_policy(` +@@ -641,9 +1030,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -134819,7 +134674,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -655,6 +1047,10 @@ optional_policy(` +@@ -668,6 +1061,10 @@ optional_policy(` ') optional_policy(` @@ -134830,7 +134685,7 @@ index 4a88fa1..fe91700 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1068,15 @@ optional_policy(` +@@ -685,6 +1082,15 @@ optional_policy(` ') optional_policy(` @@ -134846,7 +134701,7 @@ index 4a88fa1..fe91700 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1117,7 @@ optional_policy(` +@@ -725,6 +1131,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -134854,7 +134709,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -729,7 +1135,14 @@ optional_policy(` +@@ -742,7 +1149,14 @@ optional_policy(` ') optional_policy(` @@ -134869,7 +134724,7 @@ index 4a88fa1..fe91700 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1165,10 @@ optional_policy(` +@@ -765,6 +1179,10 @@ optional_policy(` ') optional_policy(` 
@@ -134880,7 +134735,7 @@ index 4a88fa1..fe91700 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1178,20 @@ optional_policy(` +@@ -774,10 +1192,20 @@ optional_policy(` ') optional_policy(` @@ -134901,7 +134756,7 @@ index 4a88fa1..fe91700 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1200,10 @@ optional_policy(` +@@ -786,6 +1214,10 @@ optional_policy(` ') optional_policy(` @@ -134912,7 +134767,7 @@ index 4a88fa1..fe91700 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1225,6 @@ optional_policy(` +@@ -807,8 +1239,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -134921,7 +134776,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -804,6 +1233,10 @@ optional_policy(` +@@ -817,6 +1247,10 @@ optional_policy(` ') optional_policy(` @@ -134932,7 +134787,7 @@ index 4a88fa1..fe91700 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1246,12 @@ optional_policy(` +@@ -826,10 +1260,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -134945,24 +134800,15 @@ index 4a88fa1..fe91700 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1263,6 @@ optional_policy(` - ') - - optional_policy(` -- udev_rw_db(initrc_t) -- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev") - udev_manage_pid_files(initrc_t) - udev_manage_pid_dirs(initrc_t) - udev_manage_rules_files(initrc_t) -@@ -840,12 +1273,30 @@ optional_policy(` +@@ -856,12 +1292,31 @@ optional_policy(` ') optional_policy(` -- virt_stream_connect(initrc_t) -- virt_manage_svirt_cache(initrc_t) + virt_manage_pid_dirs(initrc_t) + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) + virt_stream_connect(initrc_t) +- virt_manage_virt_cache(initrc_t) +') + +# Cron jobs used to start and stop services 
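Review bot: Dropping the inner hunk `-@@ -828,8 +1263,6 @@` means the Fedora patch no longer removes `udev_rw_db(initrc_t)` and `udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")` from init.te, and the diff gives no indication whether the base (index dd3be8d..682e5fc) dropped those calls itself or whether initrc_t is quietly regaining read/write on the udev database and the /run/udev name transition the old patch deliberately took away. If the base still has them, this is a behavior change that belongs in the commit message; if upstream removed them, a short note next to the remaining udev_manage_* lines, `# udev_rw_db / udev_generic_pid_filetrans_run_dirs dropped upstream`, would record why the removal went away. The same question applies to the ipsec.te hunk later in this diff where the patch stops adding `kernel_read_net_sysctls(ipsec_t)`.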
@@ -134987,7 +134833,7 @@ index 4a88fa1..fe91700 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1306,18 @@ optional_policy(` +@@ -871,6 +1326,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -135006,7 +134852,7 @@ index 4a88fa1..fe91700 100644 ') optional_policy(` -@@ -870,6 +1333,10 @@ optional_policy(` +@@ -886,6 +1353,10 @@ optional_policy(` ') optional_policy(` @@ -135017,7 +134863,7 @@ index 4a88fa1..fe91700 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1347,185 @@ optional_policy(` +@@ -896,3 +1367,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -135203,22 +135049,6 @@ index 4a88fa1..fe91700 100644 + allow daemon direct_run_init:process sigchld; + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') -diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index ec85acb..662e79b 100644 ---- a/policy/modules/system/ipsec.fc -+++ b/policy/modules/system/ipsec.fc -@@ -27,11 +27,6 @@ - /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - --/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) --/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) --/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) --/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) -- - /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) - /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index 0d4c8d3..9d66bf7 100644 --- a/policy/modules/system/ipsec.if 
@@ -135256,7 +135086,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index a30840c..77206a0 100644 +index 9e54bf9..ed744d2 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -73,13 +73,15 @@ role system_r types setkey_t; @@ -135276,15 +135106,7 @@ index a30840c..77206a0 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -113,6 +115,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; - allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; - - kernel_read_kernel_sysctls(ipsec_t) -+kernel_read_net_sysctls(ipsec_t) - kernel_list_proc(ipsec_t) - kernel_read_proc_symlinks(ipsec_t) - # allow pluto to access /proc/net/ipsec_eroute; -@@ -127,20 +130,21 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +130,21 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -135313,7 +135135,7 @@ index a30840c..77206a0 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -135322,7 +135144,7 @@ index a30840c..77206a0 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -164,11 +170,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,11 +170,13 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -135337,7 +135159,7 @@ index a30840c..77206a0 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,9 +194,9 @@ optional_policy(` +@@ -187,9 +194,9 @@ optional_policy(` # ipsec_mgmt Local policy # 
@@ -135350,7 +135172,7 @@ index a30840c..77206a0 100644 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -135367,7 +135189,7 @@ index a30840c..77206a0 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -135376,7 +135198,7 @@ index a30840c..77206a0 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -135388,7 +135210,7 @@ index a30840c..77206a0 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -289,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -135410,7 +135232,7 @@ index a30840c..77206a0 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -369,13 +391,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +391,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -135430,7 +135252,7 @@ index a30840c..77206a0 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -400,10 +421,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +421,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -135443,7 +135265,7 @@ index a30840c..77206a0 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -437,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -135456,7 +135278,7 @@ index a30840c..77206a0 100644 +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 14cffd2..5effebe 100644 +index 1b93eb7..5effebe 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -1,7 +1,8 @@ @@ -135471,13 +135293,14 @@ index 14cffd2..5effebe 100644 /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -@@ -14,7 +15,13 @@ +@@ -14,8 +15,13 @@ /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -135559,10 +135382,10 @@ index c42fbc3..7071460 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 0646ee7..da1337a 100644 +index 5dfa44b..16d64ad 100644 --- a/policy/modules/system/iptables.te 
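Review bot: The newly added `+-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` line strips upstream's label for ipset, which drives kernel netfilter sets over netlink, so unless another pattern in iptables.fc still matches it, ipset runs in the caller's domain instead of transitioning to iptables_t. The `index` line shows the same result blob on both sides (5effebe), so the net effect is only that Fedora's file stays as it was; whether that file covers ipset depends on the replacement for the removed `/usr/sbin/iptables.*` entries, which is outside this hunk, so I can't confirm it. If nothing else covers it, drop this removal or add `/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` next to the ebtables entries added above.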
+++ b/policy/modules/system/iptables.te -@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0) +@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.1) # Declarations # @@ -135697,7 +135520,7 @@ index 0646ee7..da1337a 100644 ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index ef8bbaf..a21d5fe 100644 +index 73bb3c0..e6fa600 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -135762,8 +135585,8 @@ index ef8bbaf..a21d5fe 100644 +/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -140,6 +149,8 @@ ifdef(`distro_redhat',` + /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +@@ -141,6 +150,8 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -135772,7 +135595,7 @@ index ef8bbaf..a21d5fe 100644 /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -147,12 +158,11 @@ ifdef(`distro_redhat',` +@@ -148,12 +159,11 @@ ifdef(`distro_redhat',` /usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -135788,7 +135611,7 @@ index ef8bbaf..a21d5fe 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -181,11 +191,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +192,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -135802,14 +135625,13 @@ index ef8bbaf..a21d5fe 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -240,14 +252,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +253,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -135818,7 +135640,7 @@ index ef8bbaf..a21d5fe 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +277,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +278,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
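Review bot: The file context `/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` that stands in for the removed `/usr/local(/.*)?/libmpg123\.so(\.[^/]*)*` entry cannot match a real path (there is no /usr/libmpg123.so), so it is dead, and a libmpg123 under /usr/local silently loses textrel_shlib_t, the type that permits its text relocations. Either restore the `/usr/local(/.*)?/libmpg123\.so(\.[^/]*)*` pattern or delete the line, since `/usr/lib.*/libmpg123\.so(\.[^/]*)*` directly above already covers the /usr/lib paths. Both lines are context in this hunk, so the defect predates the commit, but the hunk touches the same neighbourhood (it stops removing the /usr/local codecs entry), so this is the place to fix it.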
@@ -135849,7 +135671,7 @@ index ef8bbaf..a21d5fe 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +306,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +307,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -136171,7 +135993,7 @@ index 808ba93..7b506f2 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index ad01883..a003fa8 100644 +index 23a645e..1982e9c 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -136356,7 +136178,7 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 9fd5be7..7e2a02e 100644 +index c04ac46..b123de6 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -136416,7 +136238,7 @@ index 9fd5be7..7e2a02e 100644 dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -117,16 +123,19 @@ term_relabel_unallocated_ttys(local_login_t) +@@ -117,16 +123,18 @@ term_relabel_unallocated_ttys(local_login_t) term_relabel_all_ttys(local_login_t) term_setattr_all_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) @@ -136426,7 +136248,6 @@ index 9fd5be7..7e2a02e 100644 auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) -auth_manage_pam_pid(local_login_t) -+#auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) +auth_use_nsswitch(local_login_t) 
@@ -136438,7 +136259,7 @@ index 9fd5be7..7e2a02e 100644 userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) -@@ -141,19 +150,19 @@ ifdef(`distro_ubuntu',` +@@ -141,19 +149,19 @@ ifdef(`distro_ubuntu',` ') ') @@ -136466,7 +136287,7 @@ index 9fd5be7..7e2a02e 100644 ') optional_policy(` -@@ -177,14 +186,6 @@ optional_policy(` +@@ -177,14 +185,6 @@ optional_policy(` ') optional_policy(` @@ -136474,14 +136295,14 @@ index 9fd5be7..7e2a02e 100644 -') - -optional_policy(` -- nscd_socket_use(local_login_t) +- nscd_use(local_login_t) -') - -optional_policy(` unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,6 +215,7 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -136489,7 +136310,7 @@ index 9fd5be7..7e2a02e 100644 kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +225,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) +@@ -223,13 +224,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -136506,7 +136327,7 @@ index 9fd5be7..7e2a02e 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +243,24 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +242,24 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -136533,7 +136354,7 @@ index 9fd5be7..7e2a02e 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -136543,10 +136364,10 @@ index 9fd5be7..7e2a02e 100644 -') - -optional_policy(` -- nscd_socket_use(sulogin_t) +- nscd_use(sulogin_t) -') 
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..70248c6 100644 +index b50c5fe..286351e 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -2,10 +2,13 @@ @@ -136588,22 +136409,16 @@ index 02f4c97..70248c6 100644 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) - /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -34,11 +50,10 @@ ifdef(`distro_suse', ` - - /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) - /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) --/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) -+#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) +@@ -38,13 +54,14 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) -/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -46,6 +61,8 @@ ifdef(`distro_suse', ` + /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) 
@@ -136612,7 +136427,7 @@ index 02f4c97..70248c6 100644 ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -54,6 +71,7 @@ ifndef(`distro_gentoo',` +@@ -53,6 +70,7 @@ ifndef(`distro_gentoo',` ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) @@ -136620,7 +136435,7 @@ index 02f4c97..70248c6 100644 ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -66,11 +84,16 @@ ifdef(`distro_redhat',` +@@ -65,11 +83,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -136639,7 +136454,7 @@ index 02f4c97..70248c6 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..3638d50 100644 +index 4e94884..23894f4 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -136827,7 +136642,7 @@ index 321bb13..3638d50 100644 ') ######################################## -@@ -739,7 +864,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -136854,7 +136669,7 @@ index 321bb13..3638d50 100644 ') ######################################## -@@ -822,7 +965,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -136863,7 +136678,7 @@ index 321bb13..3638d50 100644 ') ######################################## -@@ -848,6 +991,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -136908,7 +136723,7 @@ index 321bb13..3638d50 100644 ## Write generic log files. ## ## -@@ -868,6 +1049,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -136933,7 +136748,7 @@ index 321bb13..3638d50 100644 ## Dontaudit Write generic log files. ## ## -@@ -947,11 +1146,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -136951,7 +136766,7 @@ index 321bb13..3638d50 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -967,6 +1171,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -136985,7 +136800,7 @@ index 321bb13..3638d50 100644 ') ######################################## -@@ -995,10 +1226,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -137003,7 +136818,7 @@ index 321bb13..3638d50 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1020,6 +1256,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -137012,7 +136827,7 @@ index 321bb13..3638d50 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1048,3 +1286,29 @@ interface(`logging_admin',` +@@ -1085,3 +1323,29 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -137043,10 +136858,10 @@ index 321bb13..3638d50 100644 + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 0034021..c62bd95 100644 +index 39ea221..37275c3 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0) +@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) # # Declarations # @@ -137324,8 +137139,8 @@ index 0034021..c62bd95 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -441,14 +511,18 @@ files_dontaudit_search_isid_type_dirs(syslogd_t) - files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +512,18 @@ files_read_kernel_symbol_table(syslogd_t) + files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) +fs_rw_tmpfs_files(syslogd_t) @@ -137343,7 +137158,7 @@ index 0034021..c62bd95 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -460,11 +534,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -137357,7 +137172,7 @@ index 0034021..c62bd95 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -493,15 +567,36 @@ optional_policy(` +@@ -502,15 +576,36 @@ optional_policy(` ') optional_policy(` @@ -137394,7 +137209,7 @@ index 0034021..c62bd95 100644 ') optional_policy(` -@@ -512,3 +607,24 @@ optional_policy(` +@@ -521,3 +616,24 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') 
@@ -137639,7 +137454,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index f8eeecd..0d42470 100644 +index e8c59a5..66465b0 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -137717,18 +137532,15 @@ index f8eeecd..0d42470 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,8 +200,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,6 +200,7 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files +manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) --files_lock_filetrans(lvm_t, lvm_lock_t, file) -+files_lock_filetrans(lvm_t, lvm_lock_t, { file dir }) - - manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) - manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -200,8 +210,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) + files_lock_filetrans(lvm_t, lvm_lock_t, file) +@@ -202,8 +212,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -137739,7 +137551,7 @@ index f8eeecd..0d42470 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -213,11 +224,13 @@ files_search_mnt(lvm_t) +@@ -215,11 +226,13 @@ files_search_mnt(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) 
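Review bot: With the `files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })` replacement dropped, only upstream's `files_lock_filetrans(lvm_t, lvm_lock_t, file)` remains, so a lock directory that lvm_t creates under /var/lock inherits the parent's type instead of lvm_lock_t; the `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` the patch still adds only helps once the directory already carries lvm_lock_t. If lvm creates its lock directory at runtime rather than relying on a packaged, pre-labeled one (the .fc is not in this hunk, so I can't tell), keep the directory transition with `files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })`, ideally narrowed with the directory name as a named transition. The manage_dirs_pattern line is now also a superset of the `create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` line right below it, so one of the two could go.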
@@ -137753,7 +137565,7 @@ index f8eeecd..0d42470 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -228,11 +241,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -137768,7 +137580,7 @@ index f8eeecd..0d42470 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -244,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -137776,7 +137588,7 @@ index f8eeecd..0d42470 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,17 +269,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -137799,7 +137611,7 @@ index f8eeecd..0d42470 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -283,7 +303,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -137808,7 +137620,7 @@ index f8eeecd..0d42470 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -291,15 +311,20 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -137830,7 +137642,7 @@ index f8eeecd..0d42470 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -311,6 +336,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +338,11 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -137842,7 +137654,7 @@ index f8eeecd..0d42470 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +361,26 @@ optional_policy(` +@@ -333,14 +363,26 @@ optional_policy(` ') optional_policy(` @@ -137870,7 +137682,7 @@ index f8eeecd..0d42470 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index fe3427d..2410a4e 100644 +index 9fe8e01..6c86d76 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,8 +9,9 @@ ifdef(`distro_gentoo',` @@ -137883,9 +137695,9 @@ index fe3427d..2410a4e 100644 +/etc/localtime gen_context(system_u:object_r:locale_t,s0) +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) - -@@ -36,11 +37,6 @@ ifdef(`distro_redhat',` +@@ -37,11 +38,6 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -137896,12 +137708,12 @@ index fe3427d..2410a4e 100644 - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -75,8 +71,9 @@ ifdef(`distro_redhat',` + /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) +@@ -77,8 +73,9 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) --/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) + +/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0) @@ -137909,7 +137721,7 @@ index fe3427d..2410a4e 100644 /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) 
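Review bot: The context line `+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)` labels what is presumably a copy of the timezone data as cert_t, while `/etc/localtime` earlier in this same file is locale_t; that gives every domain with generic cert access (read, and write for whatever is granted the cert management interfaces) a hook on a file the chrooted name server presumably reads, while domains that only have locale access cannot read it. If it is just the timezone file, change it to `/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)`, or add a comment explaining why cert_t is intended. The line predates this commit; the hunk only re-bases the man_cache_t removal next to it, but the inconsistency is visible right here.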
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..9cac7b3 100644 +index fc28bc3..01b8523 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -137962,9 +137774,9 @@ index 926ba65..9cac7b3 100644 ') @@ -531,6 +550,10 @@ interface(`miscfiles_read_man_pages',` - allow $1 man_t:dir list_dir_perms; - read_files_pattern($1, man_t, man_t) - read_lnk_files_pattern($1, man_t, man_t) + allow $1 { man_cache_t man_t }:dir list_dir_perms; + read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + + optional_policy(` + mandb_read_cache_files($1) @@ -137972,11 +137784,10 @@ index 926ba65..9cac7b3 100644 ') ######################################## -@@ -557,6 +580,11 @@ interface(`miscfiles_delete_man_pages',` - delete_dirs_pattern($1, man_t, man_t) - delete_files_pattern($1, man_t, man_t) - delete_lnk_files_pattern($1, man_t, man_t) -+ +@@ -554,6 +577,10 @@ interface(`miscfiles_delete_man_pages',` + delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + optional_policy(` + mandb_setattr_cache_dirs($1) + mandb_delete_cache($1) @@ -137984,7 +137795,7 @@ index 926ba65..9cac7b3 100644 ') ######################################## -@@ -582,6 +610,30 @@ interface(`miscfiles_manage_man_pages',` +@@ -622,6 +649,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -138015,7 +137826,7 @@ index 926ba65..9cac7b3 100644 ## Read public files used for file ## transfer services. ## -@@ -744,8 +796,10 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +835,10 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') 
@@ -138028,7 +137839,7 @@ index 926ba65..9cac7b3 100644 ') ######################################## -@@ -769,3 +823,43 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +862,43 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -138073,10 +137884,10 @@ index 926ba65..9cac7b3 100644 + files_var_filetrans($1, public_content_t, dir, "ftp") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index 622fb4f..69b6fef 100644 +index d6293de..3225647 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te -@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0) +@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2) # # Declarations # @@ -138085,15 +137896,13 @@ index 622fb4f..69b6fef 100644 # diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc -index 2410551..e5026a9 100644 +index 9933677..b155a0d 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc -@@ -20,3 +20,15 @@ ifdef(`distro_gentoo',` - /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) - /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +@@ -23,3 +23,13 @@ ifdef(`distro_gentoo',` /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) -+ -+/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) + + /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) + +/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) +/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) @@ -138105,7 +137914,7 @@ index 2410551..e5026a9 100644 + +/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 350c450..2debedc 100644 +index 7449974..6375786 100644 --- a/policy/modules/system/modutils.if 
+++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -138162,7 +137971,7 @@ index 350c450..2debedc 100644 ## Read the configuration options used when ## loading modules. ## -@@ -307,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -138183,7 +137992,7 @@ index 350c450..2debedc 100644 ') ######################################## -@@ -332,3 +377,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -138210,10 +138019,10 @@ index 350c450..2debedc 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index b4ff2f7..0db04d2 100644 +index 7a49e28..7857f24 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te -@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0) +@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3) # Declarations # @@ -138427,7 +138236,7 @@ index b4ff2f7..0db04d2 100644 ') optional_policy(` -- nscd_socket_use(insmod_t) +- nscd_use(insmod_t) + mount_domtrans(insmod_t) ') @@ -138786,10 +138595,10 @@ index 4584457..300c3f7 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 63931f6..041c38f 100644 +index 6a50270..bd42591 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0) +@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) ## Allow the mount command to mount any directory or file. ##

## @@ -139087,11 +138896,10 @@ index 63931f6..041c38f 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -193,21 +292,121 @@ optional_policy(` - ') +@@ -194,24 +293,124 @@ optional_policy(` ') -+optional_policy(` + optional_policy(` + livecd_rw_tmp_files(mount_t) +') + @@ -139120,6 +138928,10 @@ index 63931f6..041c38f 100644 +# rpc_run_rpcd(mount_t, mount_roles) +#') + ++optional_policy(` + puppet_rw_tmp(mount_t) + ') + # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) @@ -140691,7 +140503,7 @@ index 346a7cc..1285089 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 41a1853..af08353 100644 +index 6944526..8f424e5 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` @@ -140857,30 +140669,10 @@ index 41a1853..af08353 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -561,6 +675,45 @@ interface(`sysnet_signal_ifconfig',` +@@ -580,6 +694,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## -+## Send a null signal to ifconfig. -+## -+## -+## -+## Domain allowed access.pwd -+ -+## -+## -+## -+# -+interface(`sysnet_signull_ifconfig',` -+ gen_require(` -+ type ifconfig_t; -+ ') -+ -+ allow $1 ifconfig_t:process signull; -+') -+ -+######################################## -+## +## Send a kill signal to iconfig. +## +## @@ -140903,7 +140695,7 @@ index 41a1853..af08353 100644 ## Read the DHCP configuration files. ##
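Review bot: The summary of the `sysnet_kill_ifconfig` interface kept by this hunk reads `## Send a kill signal to iconfig.`; it should say ifconfig, i.e. `## Send a kill signal to ifconfig.`, since these doc blocks feed the generated interface reference. Dropping the sibling `sysnet_signull_ifconfig` addition is right because upstream now carries it (the new inner hunk header is anchored on that interface), so only the kill interface's doc line needs the fix.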
## -@@ -577,6 +730,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +729,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -140911,7 +140703,7 @@ index 41a1853..af08353 100644 ') ######################################## -@@ -662,8 +816,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +815,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; @@ -140920,7 +140712,7 @@ index 41a1853..af08353 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -673,6 +825,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -692,6 +824,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -140929,7 +140721,7 @@ index 41a1853..af08353 100644 sysnet_read_config($1) optional_policy(` -@@ -701,8 +855,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +854,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -140938,7 +140730,7 @@ index 41a1853..af08353 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -714,6 +866,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +865,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -140948,7 +140740,7 @@ index 41a1853..af08353 100644 ') ######################################## -@@ -735,7 +890,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +889,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) 
@@ -140956,7 +140748,7 @@ index 41a1853..af08353 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -747,3 +901,73 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +900,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -141031,10 +140823,10 @@ index 41a1853..af08353 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index ed363e1..808e49e 100644 +index b7686d5..be7444c 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te -@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0) +@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.6) # Declarations # @@ -141098,7 +140890,7 @@ index ed363e1..808e49e 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -69,6 +83,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +@@ -70,6 +84,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -141107,7 +140899,7 @@ index ed363e1..808e49e 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -90,27 +106,29 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -91,14 +107,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) 
@@ -141127,11 +140919,8 @@ index ed363e1..808e49e 100644 +corenet_udp_sendrecv_generic_node(dhcpc_t) corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) --corenet_tcp_bind_all_nodes(dhcpc_t) --corenet_udp_bind_all_nodes(dhcpc_t) -+corenet_tcp_bind_generic_node(dhcpc_t) -+corenet_udp_bind_generic_node(dhcpc_t) - corenet_udp_bind_dhcpc_port(dhcpc_t) + corenet_tcp_bind_all_nodes(dhcpc_t) +@@ -108,11 +123,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -141146,7 +140935,7 @@ index ed363e1..808e49e 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,15 +148,20 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,15 +150,20 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -141170,7 +140959,7 @@ index ed363e1..808e49e 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -153,8 +176,23 @@ ifdef(`distro_ubuntu',` +@@ -155,8 +178,23 @@ ifdef(`distro_ubuntu',` ') ') @@ -141195,23 +140984,21 @@ index ed363e1..808e49e 100644 ') optional_policy(` -@@ -169,11 +207,14 @@ optional_policy(` +@@ -170,11 +208,8 @@ optional_policy(` ') optional_policy(` - hostname_run(dhcpc_t, dhcpc_roles) +-') +- +-optional_policy(` +- hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hostname_domtrans(dhcpc_t) +# hostname_run(dhcpc_t, dhcpc_roles) ') optional_policy(` - hal_dontaudit_rw_dgram_sockets(dhcpc_t) -+ hal_dontaudit_read_pid_files(dhcpc_t) -+ hal_dontaudit_write_log(dhcpc_t) - ') - - optional_policy(` -@@ -187,25 +228,41 @@ optional_policy(` +@@ -188,25 +223,41 @@ optional_policy(` # for the dhcp client to run ping to check IP addresses optional_policy(` 
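Review bot: The rebased hunk no longer narrows dhcpc_t's bind permission: the earlier `+corenet_tcp_bind_generic_node(dhcpc_t)` / `+corenet_udp_bind_generic_node(dhcpc_t)` replacements are dropped and upstream's `corenet_tcp_bind_all_nodes(dhcpc_t)` is now carried as unchanged inner context, so the patched sysnetwork.te presumably lets dhcpc_t bind to every node type again. If the narrowing in the previous version of the patch was intentional it should be re-applied here (or in a hunk outside this view); if dropping it is deliberate, a short comment next to the bind rules stating why all nodes are needed would stop the next rebase from re-raising the question. The dhcpc_t rule block continues outside this hunk.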
@@ -141255,7 +141042,7 @@ index ed363e1..808e49e 100644 ') optional_policy(` -@@ -215,7 +272,11 @@ optional_policy(` +@@ -216,7 +267,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -141268,7 +141055,7 @@ index ed363e1..808e49e 100644 ') optional_policy(` -@@ -258,6 +319,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,6 +314,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -141276,7 +141063,7 @@ index ed363e1..808e49e 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,11 +338,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -277,11 +333,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -141295,7 +141082,7 @@ index ed363e1..808e49e 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -293,22 +362,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +357,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -141323,7 +141110,7 @@ index ed363e1..808e49e 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -317,7 +386,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +381,22 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -141346,22 +141133,17 @@ index ed363e1..808e49e 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -328,8 +412,14 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +407,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` +- hal_dontaudit_rw_pipes(ifconfig_t) +- hal_dontaudit_rw_dgram_sockets(ifconfig_t) + devicekit_dontaudit_read_pid_files(ifconfig_t) -+') -+ -+optional_policy(` - hal_dontaudit_rw_pipes(ifconfig_t) - hal_dontaudit_rw_dgram_sockets(ifconfig_t) -+ hal_dontaudit_read_pid_files(ifconfig_t) -+ hal_write_log(ifconfig_t) ') optional_policy(` -@@ -338,7 +428,15 @@ optional_policy(` +@@ -339,7 +416,15 @@ optional_policy(` ') optional_policy(` @@ -141378,7 +141160,7 @@ index ed363e1..808e49e 100644 ') optional_policy(` -@@ -359,3 +457,9 @@ optional_policy(` +@@ -360,3 +445,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -142854,7 +142636,7 @@ index 0000000..223e3f0 +init_list_pid_dirs(systemctl_domain) +init_use_fds(systemctl_domain) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 2575393..49fd32e 100644 +index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,8 @@ @@ -142877,11 +142659,13 @@ index 2575393..49fd32e 100644 ifdef(`distro_debian',` /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) -@@ -27,9 +30,23 @@ ifdef(`distro_redhat',` +@@ -27,11 +30,23 @@ ifdef(`distro_redhat',` ') /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) - +-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +- -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) 
@@ -142905,7 +142689,7 @@ index 2575393..49fd32e 100644 ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 77a13a5..9a5a73f 100644 +index 0f64692..d7e8a01 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -143038,17 +142822,36 @@ index 77a13a5..9a5a73f 100644 ') ######################################## -@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',` +@@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',` + + ######################################## + ## +-## Read udev pid files. ++## Create, read, write, and delete ++## udev pid files. + ## + ## + ## +@@ -271,19 +320,44 @@ interface(`udev_manage_pid_dirs',` + ## + ## + # +-interface(`udev_read_pid_files',` ++interface(`udev_manage_pid_files',` + gen_require(` type udev_var_run_t; ') -- files_search_var_lib($1) -+ files_search_pids($1) - manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + files_search_pids($1) +- read_files_pattern($1, udev_var_run_t, udev_var_run_t) ++ manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ') -+ + +-######################################## +####################################### -+## + ## +-## Create, read, write, and delete +-## udev pid files. +## Execute udev in the udev domain, and +## allow the specified role the udev domain. +## 
@@ -143076,19 +142879,23 @@ index 77a13a5..9a5a73f 100644 +####################################### +## +## Allow caller to create kobject uevent socket for udev -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -291,13 +365,45 @@ interface(`udev_read_pid_files',` + ## + ## + # +-interface(`udev_manage_pid_files',` +interface(`udev_create_kobject_uevent_socket',` -+ gen_require(` + gen_require(` +- type udev_var_run_t; + type udev_t; + role system_r; -+ ') -+ + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; +') + @@ -143122,10 +142929,11 @@ index 77a13a5..9a5a73f 100644 + domtrans_pattern(udev_t, $2, $1) + + dontaudit $1 udev_t:unix_dgram_socket { read write }; -+') -+ + ') + + ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 29075b3..8d185fc 100644 +index a5ec88b..6e4726f 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -143141,10 +142949,10 @@ index 29075b3..8d185fc 100644 type udev_var_run_t; files_pid_file(udev_var_run_t) +typealias udev_var_run_t alias udev_tbl_t; + init_daemon_run_dir(udev_var_run_t, "udev") ifdef(`enable_mcs',` - kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -36,9 +34,11 @@ ifdef(`enable_mcs',` +@@ -37,9 +35,11 @@ ifdef(`enable_mcs',` # Local policy # 
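Review bot: The new inner hunk at `@@ -263,7 +311,8 @@` rewrites upstream's `udev_read_pid_files` into `udev_manage_pid_files` (`-read_files_pattern(...)` becomes `+manage_files_pattern(...)`), and the next hunk turns upstream's own `udev_manage_pid_files` into `udev_create_kobject_uevent_socket`, so as far as these hunks show the patched udev.if ends up with no `udev_read_pid_files` at all. That looks like a diff-alignment artefact of the rebase rather than a deliberate change: any module in the tree that still calls `udev_read_pid_files` would fail to build, and a caller moved to `udev_manage_pid_files` gets create/write/delete on udev_var_run_t where it only needed read. Leaving upstream's read-only interface untouched and adding `udev_create_kobject_uevent_socket` after the existing `udev_manage_pid_files` would keep least privilege for read-only callers. The affected interface definitions are split across this hunk and the following one.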
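Review bot: `udev_create_kobject_uevent_socket` lists `role system_r;` in its gen_require, but the interface body only emits `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;`, so the role requirement is dead (it is carried over from the earlier version of the patch rather than introduced here). Dropping that line leaves `type udev_t;` as the only requirement the rule needs and avoids tying callers to a role they never use. If the role was meant for the run-style interface documented just above it, whose definition begins in the previous hunk, it belongs in that interface's gen_require instead.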
@@ -143158,7 +142966,7 @@ index 29075b3..8d185fc 100644 allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -53,6 +53,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -143166,7 +142974,7 @@ index 29075b3..8d185fc 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -143209,7 +143017,7 @@ index 29075b3..8d185fc 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t) +@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -143217,7 +143025,7 @@ index 29075b3..8d185fc 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -143253,7 +143061,7 @@ index 29075b3..8d185fc 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -143,17 +157,20 @@ auth_use_nsswitch(udev_t) +@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
@@ -143275,7 +143083,7 @@ index 29075b3..8d185fc 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -143284,7 +143092,7 @@ index 29075b3..8d185fc 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',` +@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -143303,7 +143111,7 @@ index 29075b3..8d185fc 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +228,16 @@ optional_policy(` +@@ -217,6 +229,10 @@ optional_policy(` ') optional_policy(` @@ -143314,13 +143122,15 @@ index 29075b3..8d185fc 100644 consoletype_exec(udev_t) ') +@@ -226,6 +242,7 @@ optional_policy(` + optional_policy(` cups_domtrans_config(udev_t) + cups_read_config(udev_t) ') optional_policy(` -@@ -230,10 +247,20 @@ optional_policy(` +@@ -235,10 +252,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -143341,7 +143151,7 @@ index 29075b3..8d185fc 100644 ') optional_policy(` -@@ -259,6 +286,10 @@ optional_policy(` +@@ -264,6 +291,10 @@ optional_policy(` ') optional_policy(` @@ -143352,7 +143162,7 @@ index 29075b3..8d185fc 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +304,15 @@ optional_policy(` +@@ -278,6 +309,15 @@ optional_policy(` ') optional_policy(` @@ -143368,7 +143178,7 @@ index 29075b3..8d185fc 100644 unconfined_signal(udev_t) ') -@@ -285,6 +325,7 @@ optional_policy(` +@@ -290,6 +330,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -144202,7 +144012,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..53ea674 100644 +index 3c5dba7..81b2173 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -144838,7 +144648,7 @@ index e720dcd..53ea674 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,100 +687,140 @@ template(`userdom_common_user_template',` +@@ -546,93 +687,121 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -144886,16 +144696,17 @@ index e720dcd..53ea674 100644 ') optional_policy(` +- alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") - alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) - alsa_relabel_home_files($1_t) -+ canna_stream_connect($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` 
@@ -144915,37 +144726,33 @@ index e720dcd..53ea674 100644 ') optional_policy(` -- evolution_dbus_chat($1_t) -- evolution_alarm_dbus_chat($1_t) -+ policykit_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) +- consolekit_dbus_chat($1_t) + bluetooth_dbus_chat($1_usertype) ') optional_policy(` -- hal_dbus_chat($1_t) +- cups_dbus_chat_config($1_t) + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) ') optional_policy(` -- networkmanager_dbus_chat($1_t) +- hal_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) ') -+ -+ optional_policy(` + + optional_policy(` +- networkmanager_dbus_chat($1_t) + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- policykit_dbus_chat($1_t) + gnome_dbus_chat_gconfdefault($1_usertype) -+ ') + ') + + optional_policy(` + hal_dbus_chat($1_usertype) @@ -144965,12 +144772,16 @@ index e720dcd..53ea674 100644 + ') + + optional_policy(` ++ policykit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + vpn_dbus_chat($1_usertype) + ') + ') + + optional_policy(` -+ git_session_role($1_r, $1_usertype) ++ git_role($1_r, $1_t) ') optional_policy(` @@ -144990,14 +144801,15 @@ index e720dcd..53ea674 100644 ') optional_policy(` -- locate_read_lib_files($1_t) +- kerberos_manage_krb5_home_files($1_t) +- kerberos_relabel_krb5_home_files($1_t) +- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") + lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ locate_read_lib_files($1_usertype) ') + optional_policy(` +@@ -646,19 +815,17 @@ template(`userdom_common_user_template',` + # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) 
@@ -145012,12 +144824,16 @@ index e720dcd..53ea674 100644 ') optional_policy(` +- mysql_manage_mysqld_home_files($1_t) +- mysql_relabel_mysqld_home_files($1_t) +- mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") +- - tunable_policy(`allow_user_mysql_connect',` + tunable_policy(`selinuxuser_mysql_connect_enabled',` mysql_stream_connect($1_t) ') ') -@@ -651,40 +832,52 @@ template(`userdom_common_user_template',` +@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -145026,10 +144842,7 @@ index e720dcd..53ea674 100644 ') optional_policy(` -- pcscd_read_pub_files($1_t) -- pcscd_stream_connect($1_t) -+ pcscd_read_pub_files($1_usertype) -+ pcscd_stream_connect($1_usertype) +@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -145042,6 +144855,9 @@ index e720dcd..53ea674 100644 ') ') +@@ -693,32 +860,36 @@ template(`userdom_common_user_template',` + ') + optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) 
@@ -145054,35 +144870,40 @@ index e720dcd..53ea674 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) ++ slrnpull_search_spool($1_usertype) + ') + + optional_policy(` +- virt_home_filetrans_virt_home($1_t, dir, ".libvirt") +- virt_home_filetrans_virt_home($1_t, dir, ".virtinst") +- virt_home_filetrans_virt_content($1_t, dir, "isos") +- virt_home_filetrans_svirt_home($1_t, dir, "qemu") +- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") + thumb_role($1_r, $1_usertype) ') ') -@@ -709,17 +902,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +914,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -145121,7 +144942,7 @@ index e720dcd..53ea674 100644 userdom_change_password_template($1) -@@ -727,82 +936,100 @@ template(`userdom_login_user_template', ` +@@ -761,82 +948,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -145258,7 +145079,7 @@ index e720dcd..53ea674 100644 ') ') -@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1073,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -145271,7 +145092,7 @@ index e720dcd..53ea674 100644 ############################## # # Local policy -@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1119,91 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -145369,13 +145190,18 @@ index e720dcd..53ea674 100644 - cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) ') -+ -+ optional_policy(` + + optional_policy(` +- gnome_role_template($1, $1_r, $1_t) + realmd_dbus_chat($1_t) -+ ') -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +@@ -951,12 +1212,26 @@ template(`userdom_restricted_xwindows_user_template',` + ') + + optional_policy(` +- java_role($1_r, $1_t) + policykit_role($1_r, $1_usertype) + ') + @@ -145383,27 +145209,23 @@ index e720dcd..53ea674 100644 + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + pulseaudio_filetrans_home_content($1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` + rtkit_scheduled($1_usertype) ') optional_policy(` setroubleshoot_dontaudit_stream_connect($1_t) -+ ') + ') + + optional_policy(` + udev_read_db($1_usertype) -+ ') -+ -+ optional_policy(` -+ wm_role_template($1, $1_r, $1_t) - ') ++ ') ') -@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', ` + ####################################### +@@ -990,27 +1265,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -145441,7 +145263,7 @@ index e720dcd..53ea674 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1302,56 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -145465,45 +145287,20 @@ index e720dcd..53ea674 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + games_rw_data($1_usertype) - ') --') - --####################################### --## --## The template for creating an administrative user. --## --## --##

--## This template creates a user domain, types, and --## rules for the user's tty, pty, home directories, --## tmp, and tmpfs files. --##

--##

--## The privileges given to administrative users are: --##

    --##
  • Raw disk access
  • --##
  • Set all sysctls
  • --##
  • All kernel ring buffer controls
  • --##
  • Create, read, write, and delete all files but shadow
  • --##
  • Manage source and binary format SELinux policy
  • --##
  • Run insmod
  • ++ ') ++ + optional_policy(` + gpg_role($1_r, $1_usertype) + ') @@ -145514,9 +145311,11 @@ index e720dcd..53ea674 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') @@ -145528,43 +145327,21 @@ index e720dcd..53ea674 100644 + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` -+ ppp_run_cond($1_t, $1_r) -+ ') -+ -+ optional_policy(` + ') + + # Run pppd in pppd_t by default for user +@@ -1046,7 +1360,9 @@ template(`userdom_unpriv_user_template', ` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) -+ ') -+') -+ -+####################################### -+## -+## The template for creating an administrative user. -+## -+## -+##

    -+## This template creates a user domain, types, and -+## rules for the user's tty, pty, home directories, -+## tmp, and tmpfs files. -+##

    -+##

    -+## The privileges given to administrative users are: -+##

      -+##
    • Raw disk access
    • -+##
    • Set all sysctls
    • -+##
    • All kernel ring buffer controls
    • -+##
    • Create, read, write, and delete all files but shadow
    • -+##
    • Manage source and binary format SELinux policy
    • -+##
    • Run insmod
    • - ##
    - ##

    - ##
    -@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', ` + ') + ') + +@@ -1082,7 +1398,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -145573,7 +145350,7 @@ index e720dcd..53ea674 100644 ') ############################## -@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1425,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -145581,7 +145358,7 @@ index e720dcd..53ea674 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1434,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -145591,7 +145368,7 @@ index e720dcd..53ea674 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1451,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -145599,7 +145376,7 @@ index e720dcd..53ea674 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1469,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
@@ -145614,7 +145391,7 @@ index e720dcd..53ea674 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1487,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -145657,7 +145434,7 @@ index e720dcd..53ea674 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1528,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -145666,7 +145443,7 @@ index e720dcd..53ea674 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1537,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -145685,7 +145462,7 @@ index e720dcd..53ea674 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1593,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -145694,7 +145471,7 @@ index e720dcd..53ea674 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1607,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -145706,7 +145483,7 @@ index e720dcd..53ea674 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',` +@@ -1277,35 +1621,37 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -145735,27 +145512,37 @@ index e720dcd..53ea674 100644 - optional_policy(` - dmesg_exec($1) -- ') -- -- optional_policy(` -- ipsec_run_setkey($1, $2) + optional_policy(` + ipsec_run_setkey($1,$2) ') optional_policy(` -- netlabel_run_mgmt($1, $2) +- ipsec_run_setkey($1, $2) + netlabel_run_mgmt($1,$2) ') optional_policy(` -@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',` - interface(`userdom_user_home_content',` +- netlabel_run_mgmt($1, $2) ++ samhain_run($1, $2) + ') +- +- optional_policy(` +- samhain_run($1, $2) +- ') +-') ++') + + ######################################## + ## +@@ -1360,14 +1706,17 @@ interface(`userdom_user_home_content',` gen_require(` + attribute user_home_content_type; type user_home_t; + attribute user_home_type; ') + typeattribute $1 user_home_content_type; + allow $1 user_home_t:filesystem associate; files_type($1) - files_poly_member($1) @@ -145766,7 +145553,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1757,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -145818,7 +145605,7 @@ index e720dcd..53ea674 100644 ## ## ## Domain allowed access. -@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1906,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -145850,7 +145637,7 @@ index e720dcd..53ea674 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1972,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -145865,7 +145652,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +1995,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -145877,7 +145664,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2056,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -145920,7 +145707,7 @@ index e720dcd..53ea674 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2171,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -145929,7 +145716,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1744,10 +2206,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -145944,51 +145731,80 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1772,7 +2236,7 @@ interface(`userdom_manage_user_home_content_dirs',` + + ######################################## + ## +-## Delete all user home content directories. ++## Delete directories in a user home subdirectory. + ## + ## + ## +@@ -1780,19 +2244,17 @@ interface(`userdom_manage_user_home_content_dirs',` + ## + ## + # +-interface(`userdom_delete_all_user_home_content_dirs',` ++interface(`userdom_delete_user_home_content_dirs',` + gen_require(` +- attribute user_home_content_type; +- type user_home_dir_t; ++ type user_home_t; + ') + +- userdom_search_user_home_dirs($1) +- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) ++ allow $1 user_home_t:dir delete_dir_perms; + ') ######################################## ## +-## Delete directories in a user home subdirectory. +## Delete all directories in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1800,31 +2262,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` + ## + ## + # +-interface(`userdom_delete_user_home_content_dirs',` +interface(`userdom_delete_all_user_home_content_dirs',` -+ gen_require(` + gen_require(` +- type user_home_t; + attribute user_home_type; -+ ') -+ + ') + +- allow $1 user_home_t:dir delete_dir_perms; + allow $1 user_home_type:dir delete_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set attributes of all user home content directories. +## Set the attributes of user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`userdom_setattr_all_user_home_content_dirs',` +interface(`userdom_setattr_user_home_content_files',` -+ gen_require(` + gen_require(` +- attribute user_home_content_type; + type user_home_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 user_home_content_type:dir setattr_dir_perms; + allow $1 user_home_t:file setattr; -+') -+ -+######################################## -+## - ## Do not audit attempts to set the - ## attributes of user home files. - ## -@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` + ') + + ######################################## +@@ -1848,6 +2310,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -146014,7 +145830,7 @@ index e720dcd..53ea674 100644 ## Mmap user home files. ## ## -@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2359,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -146052,7 +145868,7 @@ index e720dcd..53ea674 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2399,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -146070,80 +145886,86 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1941,7 +2447,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## --## Do not audit attempts to write user home files. +-## Delete all user home content files. ++## Delete files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file delete_file_perms; ++') ++ ++######################################## ++## +## Delete all files in a user home subdirectory. ## ## ## --## Domain to not audit. -+## Domain allowed access. - ## - ## +@@ -1951,17 +2475,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # --interface(`userdom_dontaudit_relabel_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content_files',` + interface(`userdom_delete_all_user_home_content_files',` gen_require(` -- type user_home_t; +- attribute user_home_content_type; +- type user_home_dir_t; + attribute user_home_type; ') -- dontaudit $1 user_home_t:file relabel_file_perms; +- userdom_search_user_home_content($1) +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_type:file delete_file_perms; ') ######################################## ## --## Read user home subdirectory symbolic links. +-## Delete files in a user home subdirectory. +## Delete sock files in a user home subdirectory. 
## ## ## -@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` +@@ -1969,12 +2491,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # --interface(`userdom_read_user_home_content_symlinks',` +-interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` -- type user_home_dir_t, user_home_t; -+ type user_home_t; + type user_home_t; ') -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; - ') - - ######################################## - ## --## Execute user home files. ++') ++ ++######################################## ++## +## Delete all sock files in a user home subdirectory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_exec_user_home_content_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_delete_all_user_home_content_sock_files',` - gen_require(` -- type user_home_dir_t, user_home_t; ++ gen_require(` + attribute user_home_type; - ') - -- files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ ') ++ + allow $1 user_home_type:sock_file delete_file_perms; +') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) ++ +######################################## +## +## Delete all files in a user home subdirectory. 
@@ -146157,137 +145979,97 @@ index e720dcd..53ea674 100644 +interface(`userdom_delete_all_user_home_content',` + gen_require(` + attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; + ') + + ######################################## +@@ -2010,8 +2568,7 @@ interface(`userdom_read_user_home_content_symlinks',` + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) ++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2027,20 +2584,14 @@ interface(`userdom_read_user_home_content_symlinks',` + # + interface(`userdom_exec_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; ') + files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +- ') +- - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) -- ') -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; - ') ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; + ') +-') ######################################## ## --## Do not audit attempts to execute user home files. -+## Do not audit attempts to write user home files. +@@ -2123,7 +2674,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + + ######################################## + ## +-## Delete all user home content symbolic links. ++## Delete symbolic links in a user home directory. 
## ## ## -@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',` +@@ -2131,19 +2682,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # --interface(`userdom_dontaudit_exec_user_home_content_files',` -+interface(`userdom_dontaudit_relabel_user_home_content_files',` +-interface(`userdom_delete_all_user_home_content_symlinks',` ++interface(`userdom_delete_user_home_content_symlinks',` gen_require(` - type user_home_t; +- attribute user_home_content_type; +- type user_home_dir_t; ++ type user_home_t; ') -- dontaudit $1 user_home_t:file exec_file_perms; -+ dontaudit $1 user_home_t:file relabel_file_perms; +- userdom_search_user_home_dirs($1) +- delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) ++ allow $1 user_home_t:lnk_file delete_lnk_file_perms; ') ######################################## ## --## Create, read, write, and delete files --## in a user home subdirectory. -+## Read user home subdirectory symbolic links. +-## Delete symbolic links in a user home directory. ++## Delete all symbolic links in a user home directory. ## ## ## -@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',` +@@ -2151,12 +2700,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # --interface(`userdom_manage_user_home_content_files',` -+interface(`userdom_read_user_home_content_symlinks',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; -+ ') -+ -+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## -+## Execute user home files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`userdom_exec_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t; -+ attribute user_home_type; -+ ') -+ -+ files_search_home($1) -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) -+ dontaudit $1 user_home_type:sock_file execute; -+ ') -+ -+######################################## -+## -+## Do not audit attempts to execute user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_exec_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file exec_file_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete files -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_user_home_content_files',` +-interface(`userdom_delete_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content_symlinks',` gen_require(` - type user_home_dir_t, user_home_t; +- type user_home_t; ++ attribute user_home_type; ') -@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',` - ######################################## - ## -+## Delete all symbolic links in a user home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_all_user_home_content_symlinks',` -+ gen_require(` -+ attribute user_home_type; -+ ') -+ +- allow $1 user_home_t:lnk_file delete_lnk_file_perms; + allow $1 user_home_type:lnk_file delete_lnk_file_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete named pipes - ## in a user home subdirectory. - ## -@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` + ') + + ######################################## +@@ -2393,11 +2942,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
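Review bot: `userdom_delete_all_user_home_content` grants `delete_file_perms` on `dir_file_class_set`, but that permission set is `{ getattr unlink }`, so directories carrying `user_home_type` still cannot be removed (no `rmdir`) even though the interface name and its summary promise deletion of all content; either add `allow $1 user_home_type:dir delete_dir_perms;` or restrict the class set to the file-like classes and say so in the summary. In `userdom_exec_user_home_content_files` the exec target widens from `user_home_t` to the whole `user_home_type` attribute and, if I read the nested markers correctly, the `use_nfs_home_dirs`/`use_samba_home_dirs` tunable blocks are no longer part of the interface; the summary should state both, e.g. `## Execute files of every user home content type (NFS/CIFS home tunables are not handled here).`. Both points are read through two layers of diff markers, so the second one is inferred rather than certain.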
@@ -146302,7 +146084,7 @@ index e720dcd..53ea674 100644 files_search_tmp($1) ') -@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2966,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -146311,7 +146093,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3213,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -146337,7 +146119,7 @@ index e720dcd..53ea674 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3248,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -146353,7 +146135,7 @@ index e720dcd..53ea674 100644 ## ## ## -@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3276,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -146362,7 +146144,7 @@ index e720dcd..53ea674 100644 ## ## ## -@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3284,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -146376,28 +146158,78 @@ index e720dcd..53ea674 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of a user domain tty. +## Execute user tmpfs files. + ## + ## + ## +@@ -2735,35 +3302,53 @@ interface(`userdom_manage_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_getattr_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmpfs_t; + ') + +- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++ allow $1 user_tmpfs_t:file execute; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of a user domain tty. ++## Get the attributes of a user domain tty. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`userdom_dontaudit_getattr_user_ttys',` ++interface(`userdom_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; + ') + + ######################################## + ## +-## Set the attributes of a user domain tty. ++## Do not audit attempts to get the attributes of a user domain tty. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_execute_user_tmpfs_files',` ++interface(`userdom_dontaudit_getattr_user_ttys',` + gen_require(` -+ type user_tmpfs_t; ++ type user_tty_device_t; + ') + -+ allow $1 user_tmpfs_t:file execute; - ') - - ######################################## -@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',` ++ dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of a user domain tty. 
+ ## + ## + ## +@@ -2817,6 +3402,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -146422,7 +146254,7 @@ index e720dcd..53ea674 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3438,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -146465,7 +146297,7 @@ index e720dcd..53ea674 100644 ## ## ## -@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3474,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -146503,7 +146335,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3519,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -146533,7 +146365,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3611,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -146634,7 +146466,7 @@ index e720dcd..53ea674 100644 ## ## ## -@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3680,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -146649,7 +146481,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3749,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -146658,7 +146490,7 @@ index e720dcd..53ea674 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3765,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -146692,7 +146524,7 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3853,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -146701,151 +146533,56 @@ index e720dcd..53ea674 100644 ') ######################################## -@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3908,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use user ttys. ++') ++ ++######################################## ++## +## Do not audit attempts to write users +## temporary files. - ## - ## - ## -@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',` - ## - ## - # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Allow domain to read/write inherited users -+## fifo files. 
- ## - ## - ## -@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',` - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_rw_inherited_user_pipes',` - gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:process getattr; -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains -+## Do not audit attempts to use user ttys. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`userdom_use_all_users_fds',` -+interface(`userdom_dontaudit_use_user_ttys',` - gen_require(` -- attribute userdomain; -+ type user_tty_device_t; - ') - -- allow $1 userdomain:fd use; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to inherit the file --## descriptors from any user domains. -+## Read the process state of all user domains. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Get the attributes of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`userdom_getattr_all_users',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:process getattr; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Inherit the file descriptors from all user domains ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## @@ -146853,26 +146590,33 @@ index e720dcd..53ea674 100644 +## +## +# -+interface(`userdom_use_all_users_fds',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:fd use; -+') -+ -+######################################## -+## -+## Do not audit attempts to inherit the file -+## descriptors from any user domains. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',` ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -3290,7 +3983,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## +@@ -3309,6 +4002,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3385,6 +4079,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -146915,7 +146659,7 @@ index e720dcd..53ea674 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4135,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -146940,7 +146684,7 @@ index e720dcd..53ea674 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4153,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4187,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -148307,10 +148051,10 @@ index e720dcd..53ea674 100644 + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 6a4bd85..4f23ca8 100644 +index e2b538b..d4d6ea9 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te -@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0) +@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) ## ##

    @@ -148370,9 +148114,9 @@ index 6a4bd85..4f23ca8 100644 # all user domains attribute userdomain; -@@ -59,6 +53,22 @@ attribute unpriv_userdomain; - attribute untrusted_content_type; - attribute untrusted_content_tmp_type; +@@ -58,6 +52,22 @@ attribute unpriv_userdomain; + + attribute user_home_content_type; +attribute userdom_home_reader_type; +attribute userdom_home_manager_type; @@ -148393,7 +148137,7 @@ index 6a4bd85..4f23ca8 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +81,122 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +80,124 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -148518,6 +148262,8 @@ index 6a4bd85..4f23ca8 100644 + fs_manage_ecryptfs_files(userdom_home_manager_type) + fs_manage_ecryptfs_files(userdom_home_manager_type) +') ++# vi /etc/mtab can cause an avc trying to relabel to self. ++dontaudit userdomain self:file relabelto; diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d545..101086d 100644 --- a/policy/support/misc_patterns.spt diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1b100a3..f2b1c82 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,57 +1,77 @@ diff --git a/abrt.fc b/abrt.fc -index 1bd5812..ad5baf5 100644 +index e4f84de..ad5baf5 100644 --- a/abrt.fc 
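Review bot: The two new lines `# vi /etc/mtab can cause an avc trying to relabel to self.` and `dontaudit userdomain self:file relabelto;` are appended directly after the `')` that closes the ecryptfs `optional_policy` block, with no blank line and no section marker, so they read as a stray tail of that block rather than a general userdomain rule; separate them with a blank line and move them up next to the other rules on `userdomain` (or give them their own `# userdomain local policy` style heading). Since the hunk already touches this spot, the two preceding context lines that both read `fs_manage_ecryptfs_files(userdom_home_manager_type)` could be de-duplicated in the same change, unless one of them was meant to call a different ecryptfs interface, which I cannot tell from here.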
+++ b/abrt.fc -@@ -1,20 +1,37 @@ - /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) - /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) - --/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +@@ -1,30 +1,37 @@ +-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) ++/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) ++/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) + +-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) +-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) - --/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) --/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++ +/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) - - /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) + -+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) ++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) - /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - /var/cache/abrt-di(/.*)? 
gen_context(system_u:object_r:abrt_var_cache_t,s0) +-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) +-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) --/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) +-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++ +/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) - - /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) - /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) ++ ++/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) ++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) - /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) ++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -+ +-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) ++/var/spool/abrt(/.*)? 
gen_context(system_u:object_r:abrt_var_cache_t,s0) + +-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) +# ABRT retrace server +/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) -+ + +-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) +-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0) +-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -+ + +-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) +-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) +# cjp: new version +/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 0b827c5..cce58bb 100644 +index 058d908..cce58bb 100644 --- a/abrt.if +++ b/abrt.if -@@ -2,6 +2,28 @@ - - ###################################### - ##

    +@@ -1,4 +1,26 @@ +-## Automated bug-reporting tool. ++## ABRT - automated bug-reporting tool ++ ++###################################### ++## +## Creates types and rules for a basic +## ABRT daemon domain. +## @@ -71,12 +91,27 @@ index 0b827c5..cce58bb 100644 + + kernel_read_system_state($1_t) +') -+ -+###################################### -+## - ## Execute abrt in the abrt domain. + + ###################################### + ## +@@ -40,7 +62,7 @@ interface(`abrt_exec',` + + ######################################## + ## +-## Send null signals to abrt. ++## Send a null signal to abrt. + ## + ## + ## +@@ -58,7 +80,7 @@ interface(`abrt_signull',` + + ######################################## + ## +-## Read process state of abrt. ++## Allow the domain to read abrt state files in /proc. ## ## + ## @@ -71,12 +93,13 @@ interface(`abrt_read_state',` type abrt_t; ') 
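Review bot: In the rewritten abrt.fc the entry `/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)` uses `--`, which restricts the match to regular files, while the upstream line the patch now drops (`-/var/run/abrtd?\.socket -s gen_context(...)`) declared it with `-s`; if that path is a UNIX socket as the name suggests, the `--` entry will never match and the object will be labelled by the generic `/var/run` rule instead of `abrt_var_run_t`. Keep the socket file type: `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`. This is read through two layers of diff markers, so please confirm which side the `--` and `-s` lines sit on before changing anything.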
@@ -92,12 +127,49 @@ index 0b827c5..cce58bb 100644 ## ## ## -@@ -160,8 +183,26 @@ interface(`abrt_run_helper',` +@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',` + + ##################################### + ## +-## Execute abrt-helper in the abrt +-## helper domain. ++## Execute abrt-helper in the abrt-helper domain. + ## + ## + ## +@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',` + type abrt_helper_t, abrt_helper_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + ') ######################################## ## --## Send and receive messages from --## abrt over dbus. +-## Execute abrt helper in the abrt +-## helper domain, and allow the +-## specified role the abrt helper domain. ++## Execute abrt helper in the abrt_helper domain, and ++## allow the specified role the abrt_helper domain. + ## + ## + ## +@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',` + # + interface(`abrt_run_helper',` + gen_require(` +- attribute_role abrt_helper_roles; ++ type abrt_helper_t; + ') + + abrt_domtrans_helper($1) +- roleattribute $2 abrt_helper_roles; ++ role $2 types abrt_helper_t; ++') ++ ++######################################## ++## +## Read abrt cache +## +## @@ -118,14 +190,13 @@ index 0b827c5..cce58bb 100644 +######################################## +## +## Append abrt cache - ## - ## - ## -@@ -169,12 +210,52 @@ interface(`abrt_run_helper',` - ## - ## - # --interface(`abrt_cache_manage',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`abrt_append_cache',` + gen_require(` + type abrt_var_cache_t; 
@@ -133,18 +204,23 @@ index 0b827c5..cce58bb 100644 + + + allow $1 abrt_var_cache_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## abrt cache files. +## Read/Write inherited abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -172,15 +229,18 @@ interface(`abrt_run_helper',` + ## + ## + # +-interface(`abrt_cache_manage',` +- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') +- abrt_manage_cache($1) +interface(`abrt_rw_inherited_cache',` + gen_require(` + type abrt_var_cache_t; 
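Review bot: The deprecated abrt_cache_manage interface is deleted outright instead of being kept as a shim, so any third-party module that still calls it stops building once this policy is installed. Upstream keeps the three-line wrapper (the interface declaration, the refpolicywarn line shown in the removed text, and `abrt_manage_cache($1)`); restoring it next to the new abrt_rw_inherited_cache keeps old callers working while still steering them to the new name. This hunk ends inside the gen_require of abrt_rw_inherited_cache, so its body is not visible here.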
@@ -152,30 +228,53 @@ index 0b827c5..cce58bb 100644 + + + allow $1 abrt_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## abrt cache content. +## Manage abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_manage_cache',` - gen_require(` + ## + ## + ## +@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',` type abrt_var_cache_t; ') +- files_search_var($1) manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - ') + manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) +@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',` #################################### -@@ -253,6 +334,47 @@ interface(`abrt_manage_pid_files',` + ## +-## Read abrt configuration files. ++## Read abrt configuration file. + ## + ## + ## +@@ -220,7 +279,7 @@ interface(`abrt_read_config',` + + ###################################### + ## +-## Read abrt log files. ++## Read abrt logs. + ## + ## + ## +@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` + + ###################################### + ## +-## Create, read, write, and delete +-## abrt PID files. ++## Create, read, write, and delete abrt PID files. + ## + ## + ## +@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') 
@@ -222,22 +321,45 @@ index 0b827c5..cce58bb 100644 + ##################################### ## - ## All of the rules required to administrate -@@ -276,28 +398,135 @@ interface(`abrt_admin',` - type abrt_var_cache_t, abrt_var_log_t; - type abrt_var_run_t, abrt_tmp_t; - type abrt_initrc_exec_t; +-## All of the rules required to +-## administrate an abrt environment, ++## All of the rules required to administrate ++## an abrt environment + ## + ## + ## +@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the abrt domain. + ## + ## + ## + # + interface(`abrt_admin',` + gen_require(` +- attribute abrt_domain; +- type abrt_t, abrt_etc_t, abrt_initrc_exec_t; +- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; +- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t; ++ type abrt_t, abrt_etc_t; ++ type abrt_var_cache_t, abrt_var_log_t; ++ type abrt_var_run_t, abrt_tmp_t; ++ type abrt_initrc_exec_t; + type abrt_unit_file_t; ') -- allow $1 abrt_t:process { ptrace signal_perms }; +- allow $1 abrt_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, abrt_domain) + allow $1 abrt_t:process { signal_perms }; - ps_process_pattern($1, abrt_t) - ++ ps_process_pattern($1, abrt_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 abrt_t:process ptrace; + ') -+ + init_labeled_script_domtrans($1, abrt_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; @@ -252,8 +374,9 @@ index 0b827c5..cce58bb 100644 admin_pattern($1, abrt_var_log_t) - files_search_var($1) +- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) + files_list_var($1) - admin_pattern($1, abrt_var_cache_t) ++ admin_pattern($1, abrt_var_cache_t) - files_search_pids($1) + files_list_pids($1) @@ -366,33 +489,51 @@ index 0b827c5..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') 
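Review bot: abrt_admin now requires only abrt_t and narrows admin_pattern to `admin_pattern($1, abrt_var_cache_t)`, dropping upstream's `admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })` even though the patched abrt.te in the next hunk still declares abrt_retrace_cache_t and abrt_retrace_spool_t, so the admin role can no longer manage the retrace server's cache and spool. Likewise `ps_process_pattern($1, abrt_t)` in place of `ps_process_pattern($1, abrt_domain)` means the admin cannot read process state of the helper, retrace, dump-oops and watch-log domains. Unless the narrowing is intended, keep `attribute abrt_domain;` in gen_require and the three-type admin_pattern. Gating ptrace behind the deny_ptrace tunable_policy block is the right direction and matches the acct and afs admin hunks later in this commit.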
diff --git a/abrt.te b/abrt.te -index 30861ec..864d511 100644 +index cc43d25..6d98338 100644 --- a/abrt.te +++ b/abrt.te -@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0) - # Declarations +@@ -1,4 +1,4 @@ +-policy_module(abrt, 1.3.4) ++policy_module(abrt, 1.2.0) + + ######################################## + # +@@ -6,129 +6,141 @@ policy_module(abrt, 1.3.4) # --type abrt_t; --type abrt_exec_t; -+## + ## +-##

    +-## Determine whether ABRT can modify +-## public files used for public file +-## transfer services. +-##

    +##

    +## Allow ABRT to modify public files +## used for public file transfer services. +##

    -+##
    -+gen_tunable(abrt_anon_write, false) -+ -+## + ## + gen_tunable(abrt_anon_write, false) + + ## +-##

    +-## Determine whether ABRT can run in +-## the abrt_handle_event_t domain to +-## handle ABRT event scripts. +-##

    +##

    +## Allow ABRT to run in abrt_handle_event_t domain +## to handle ABRT event scripts +##

    -+##
    -+gen_tunable(abrt_handle_event, false) -+ -+attribute abrt_domain; -+ + ##
    + gen_tunable(abrt_handle_event, false) + + attribute abrt_domain; + +-attribute_role abrt_helper_roles; +-roleattribute system_r abrt_helper_roles; +- +-type abrt_t, abrt_domain; +-type abrt_exec_t; +abrt_basic_types_template(abrt) init_daemon_domain(abrt_t, abrt_exec_t) 
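Review bot: The new patch rewrites upstream's `policy_module(abrt, 1.3.4)` to `policy_module(abrt, 1.2.0)`, so the shipped module carries a version lower than the upstream policy it extends, and anyone comparing module versions against refpolicy will read it as older. Either drop that inner change and keep 1.3.4, or set a version at or above it. The tunable summaries are also reworded from upstream's "Determine whether ABRT can ..." to "Allow ABRT to ..."; that is a wording-only divergence every rebase has to carry, so unless the Fedora text is preferred for a reason it is simpler to take upstream's.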
@@ -402,257 +543,309 @@ index 30861ec..864d511 100644 +type abrt_unit_file_t; +systemd_unit_file(abrt_unit_file_t) + - # etc files ++# etc files type abrt_etc_t; files_config_file(abrt_etc_t) -@@ -32,10 +52,20 @@ files_type(abrt_var_cache_t) + ++# log files + type abrt_var_log_t; + logging_log_file(abrt_var_log_t) + ++# tmp files + type abrt_tmp_t; + files_tmp_file(abrt_tmp_t) + ++# var/cache files + type abrt_var_cache_t; + files_type(abrt_var_cache_t) + ++# pid files type abrt_var_run_t; files_pid_file(abrt_var_run_t) +-type abrt_dump_oops_t, abrt_domain; +-type abrt_dump_oops_exec_t; +abrt_basic_types_template(abrt_dump_oops) -+init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) -+ + init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) + +-type abrt_handle_event_t, abrt_domain; +-type abrt_handle_event_exec_t; +-domain_type(abrt_handle_event_t) +-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t) +# type for abrt-handle-event to handle +# ABRT event scripts +abrt_basic_types_template(abrt_handle_event) +application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) -+role system_r types abrt_handle_event_t; -+ - # type needed to allow all domains - # to handle /var/cache/abrt --type abrt_helper_t; + role system_r types abrt_handle_event_t; + +-type abrt_helper_t, abrt_domain; -type abrt_helper_exec_t; +# type needed to allow all domains +# to handle /var/cache/abrt ++# type needed to allow all domains ++# to handle /var/cache/abrt +abrt_basic_types_template(abrt_helper) application_domain(abrt_helper_t, abrt_helper_exec_t) - role system_r types abrt_helper_t; - -@@ -43,14 +73,36 @@ ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) - ') - +-role abrt_helper_roles types abrt_helper_t; ++role system_r types abrt_helper_t; + +-type abrt_retrace_coredump_t, abrt_domain; +-type abrt_retrace_coredump_exec_t; +-domain_type(abrt_retrace_coredump_t) +-domain_entry_file(abrt_retrace_coredump_t, 
abrt_retrace_coredump_exec_t) +-role system_r types abrt_retrace_coredump_t; ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ++') ++ +# +# Support for ABRT retrace server +# -+ + +-type abrt_retrace_worker_t, abrt_domain; +-type abrt_retrace_worker_exec_t; +-domain_type(abrt_retrace_worker_t) +-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) +abrt_basic_types_template(abrt_retrace_worker) +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) -+role system_r types abrt_retrace_worker_t; -+ + role system_r types abrt_retrace_worker_t; + +abrt_basic_types_template(abrt_retrace_coredump) +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +role system_r types abrt_retrace_coredump_t; + -+type abrt_retrace_cache_t; -+files_type(abrt_retrace_cache_t) -+ -+type abrt_retrace_spool_t; + type abrt_retrace_cache_t; + files_type(abrt_retrace_cache_t) + + type abrt_retrace_spool_t; +-files_type(abrt_retrace_spool_t) +files_spool_file(abrt_retrace_spool_t) -+ + +-type abrt_watch_log_t, abrt_domain; +-type abrt_watch_log_exec_t; +# Support abrt-watch log +abrt_basic_types_template(abrt_watch_log) -+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) -+ + init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) + +-ifdef(`enable_mcs',` +- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) +-') +- ######################################## # - # abrt local policy +-# Local policy ++# abrt local policy # --allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; -+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; + allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; dontaudit abrt_t self:capability sys_rawio; --allow abrt_t self:process { signal signull setsched getsched }; -+allow abrt_t self:process { setpgid sigkill signal signull setsched 
getsched }; - + allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; ++ allow abrt_t self:fifo_file rw_fifo_file_perms; - allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +111,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; - allow abrt_t self:netlink_route_socket r_netlink_socket_perms; - - # abrt etc files +-allow abrt_t self:tcp_socket { accept listen }; ++allow abrt_t self:tcp_socket create_stream_socket_perms; ++allow abrt_t self:udp_socket create_socket_perms; ++allow abrt_t self:unix_dgram_socket create_socket_perms; ++allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + +-allow abrt_t abrt_etc_t:dir list_dir_perms; ++# abrt etc files +list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - # log file -@@ -68,7 +121,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) - # abrt tmp files ++# log file + manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) + logging_log_filetrans(abrt_t, abrt_var_log_t, file) + ++# abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) -+manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) +can_exec(abrt_t, abrt_tmp_t) - # abrt var/cache files ++# abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +137,12 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) + files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) + ++# abrt pid files + manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) 
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) --files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) -+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) -+ -+kernel_read_ring_buffer(abrt_t) -+kernel_request_load_module(abrt_t) + files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) +-can_exec(abrt_t, abrt_tmp_t) +- kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) ++kernel_read_network_state(abrt_t) + kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) - corecmd_exec_bin(abrt_t) -@@ -93,7 +150,6 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) -corenet_all_recvfrom_unlabeled(abrt_t) corenet_tcp_sendrecv_generic_if(abrt_t) corenet_tcp_sendrecv_generic_node(abrt_t) - corenet_tcp_sendrecv_generic_port(abrt_t) -@@ -104,6 +160,8 @@ corenet_tcp_connect_all_ports(abrt_t) - corenet_sendrecv_http_client_packets(abrt_t) +-corenet_tcp_sendrecv_all_ports(abrt_t) ++corenet_tcp_sendrecv_generic_port(abrt_t) + corenet_tcp_bind_generic_node(abrt_t) +- +-corenet_sendrecv_all_client_packets(abrt_t) + corenet_tcp_connect_http_port(abrt_t) + corenet_tcp_connect_ftp_port(abrt_t) + corenet_tcp_connect_all_ports(abrt_t) ++corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) -+dev_getattr_all_blk_files(abrt_t) -+dev_read_rand(abrt_t) - dev_read_urand(abrt_t) - dev_rw_sysfs(abrt_t) - dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t) - domain_signull_all_domains(abrt_t) - - files_getattr_all_files(abrt_t) --files_read_etc_files(abrt_t) -+files_read_config_files(abrt_t) -+files_read_etc_runtime_files(abrt_t) + dev_getattr_all_blk_files(abrt_t) +@@ -163,29 +173,35 @@ files_getattr_all_files(abrt_t) + files_read_config_files(abrt_t) + 
files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) - files_read_var_lib_files(abrt_t) ++files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +180,9 @@ files_read_generic_tmp_files(abrt_t) ++files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) - files_dontaudit_list_default(abrt_t) ++files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) -+files_dontaudit_read_all_symlinks(abrt_t) -+files_dontaudit_getattr_all_sockets(abrt_t) -+files_list_mnt(abrt_t) + files_dontaudit_read_all_symlinks(abrt_t) + files_dontaudit_getattr_all_sockets(abrt_t) + files_list_mnt(abrt_t) - fs_list_inotifyfs(abrt_t) ++fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +193,37 @@ fs_read_nfs_files(abrt_t) + fs_getattr_all_dirs(abrt_t) +-fs_list_inotifyfs(abrt_t) + fs_read_fusefs_files(abrt_t) + fs_read_noxattr_fs_files(abrt_t) + fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) --sysnet_read_config(abrt_t) +-auth_use_nsswitch(abrt_t) - logging_read_generic_logs(abrt_t) - logging_send_syslog_msg(abrt_t) ++logging_send_syslog_msg(abrt_t) +auth_use_nsswitch(abrt_t) + - miscfiles_read_generic_certs(abrt_t) --miscfiles_read_localization(abrt_t) -+miscfiles_read_public_files(abrt_t) ++miscfiles_read_generic_certs(abrt_t) + miscfiles_read_public_files(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) -+ -+tunable_policy(`abrt_anon_write',` -+ miscfiles_manage_public_files(abrt_t) -+') -+ -+optional_policy(` -+ apache_list_modules(abrt_t) + + tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +@@ -193,15 +209,11 @@ tunable_policy(`abrt_anon_write',` + + optional_policy(` + apache_list_modules(abrt_t) +- apache_read_module_files(abrt_t) + apache_read_modules(abrt_t) -+') + ') optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) +- +- optional_policy(` +- policykit_dbus_chat(abrt_t) +- ') + ') 
+ + optional_policy(` +@@ -209,6 +221,12 @@ optional_policy(` ') optional_policy(` -- nis_use_ypbind(abrt_t) -+ dmesg_domtrans(abrt_t) ++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) ++ mozilla_plugin_read_rw_files(abrt_t) +') + +optional_policy(` -+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) -+ mozilla_plugin_read_rw_files(abrt_t) ++ policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +@@ -220,6 +238,7 @@ optional_policy(` + corecmd_exec_all_executables(abrt_t) ') ++# to install debuginfo packages optional_policy(` -@@ -167,6 +244,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) - rpm_manage_cache(abrt_t) -+ rpm_manage_log(abrt_t) - rpm_manage_pid_files(abrt_t) - rpm_read_db(abrt_t) +@@ -230,6 +249,7 @@ optional_policy(` rpm_signull(abrt_t) -@@ -178,9 +256,36 @@ optional_policy(` ') ++# to run mailx plugin optional_policy(` -+ sosreport_domtrans(abrt_t) -+ sosreport_read_tmp_files(abrt_t) -+ sosreport_delete_tmp_files(abrt_t) -+') -+ -+optional_policy(` - sssd_stream_connect(abrt_t) + sendmail_domtrans(abrt_t) + ') +@@ -240,9 +260,17 @@ optional_policy(` + sosreport_delete_tmp_files(abrt_t) ') +optional_policy(` -+ xserver_read_log(abrt_t) ++ sssd_stream_connect(abrt_t) +') + -+####################################### -+# -+# abrt-handle-event local policy -+# -+ -+allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -+ -+tunable_policy(`abrt_handle_event',` -+ domtrans_pattern(abrt_t, abrt_handle_event_exec_t, abrt_handle_event_t) -+',` -+ can_exec(abrt_t, abrt_handle_event_exec_t) ++optional_policy(` ++ xserver_read_log(abrt_t) +') + + ####################################### + # +-# Handle-event local policy ++# abrt-handle-event local policy + # + + allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; +@@ -253,9 +281,13 @@ tunable_policy(`abrt_handle_event',` + can_exec(abrt_t, abrt_handle_event_exec_t) + ') + +optional_policy(` + 
unconfined_domain(abrt_handle_event_t) +') + ######################################## # - # abrt--helper local policy -@@ -200,9 +305,11 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) - read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) - read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +-# Helper local policy ++# abrt--helper local policy + # + + allow abrt_helper_t self:capability { chown setgid sys_nice }; +@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t) -+corecmd_read_all_executables(abrt_helper_t) -+ domain_read_all_domains_state(abrt_helper_t) --files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) - ++ fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -211,12 +318,11 @@ auth_use_nsswitch(abrt_helper_t) - logging_send_syslog_msg(abrt_helper_t) + auth_use_nsswitch(abrt_helper_t) --miscfiles_read_localization(abrt_helper_t) -- ++logging_send_syslog_msg(abrt_helper_t) ++ term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) --ifdef(`hide_broken_symptoms', ` -+ifdef(`hide_broken_symptoms',` + ifdef(`hide_broken_symptoms',` + domain_dontaudit_leaks(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +330,149 @@ ifdef(`hide_broken_symptoms', ` +@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -660,7 +853,7 @@ index 30861ec..864d511 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') - ') ++') + +ifdef(`hide_broken_symptoms',` + gen_require(` 
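Review bot: The two-line comment `# type needed to allow all domains` / `# to handle /var/cache/abrt` above `abrt_basic_types_template(abrt_helper)` appears twice on the new side, once as carried-over context and once as newly added lines, so the generated abrt.te would contain the same comment back to back; drop the added copy. The collapsed layout makes the outer and inner markers hard to read with certainty, so please confirm against the patch file. Separately, abrt_t keeps `corenet_tcp_connect_all_ports(abrt_t)` while its send/receive rule is narrowed from all ports to `corenet_tcp_sendrecv_generic_port(abrt_t)`; that only matters where port labeling is enforced, but the mismatch is worth a comment if it is intentional.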
@@ -670,188 +863,130 @@ index 30861ec..864d511 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') -+ -+####################################### -+# + ') + + ####################################### + # +-# Retrace coredump policy +# abrt retrace coredump policy -+# -+ -+allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -+ -+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) -+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) -+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t) -+ -+list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+ -+corecmd_exec_bin(abrt_retrace_coredump_t) -+corecmd_exec_shell(abrt_retrace_coredump_t) -+ -+dev_read_urand(abrt_retrace_coredump_t) -+ -+files_read_usr_files(abrt_retrace_coredump_t) -+ + # + + allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; +@@ -316,8 +367,11 @@ dev_read_urand(abrt_retrace_coredump_t) + + files_read_usr_files(abrt_retrace_coredump_t) + +logging_send_syslog_msg(abrt_retrace_coredump_t) + -+sysnet_dns_name_resolve(abrt_retrace_coredump_t) -+ + sysnet_dns_name_resolve(abrt_retrace_coredump_t) + +# to install debuginfo packages -+optional_policy(` -+ rpm_exec(abrt_retrace_coredump_t) -+ rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -+ rpm_manage_cache(abrt_retrace_coredump_t) -+ rpm_manage_log(abrt_retrace_coredump_t) -+ rpm_manage_pid_files(abrt_retrace_coredump_t) -+ rpm_read_db(abrt_retrace_coredump_t) -+ rpm_signull(abrt_retrace_coredump_t) -+') -+ -+####################################### -+# + optional_policy(` + rpm_exec(abrt_retrace_coredump_t) + 
rpm_dontaudit_manage_db(abrt_retrace_coredump_t) +@@ -330,10 +384,11 @@ optional_policy(` + + ####################################### + # +-# Retrace worker policy +# abrt retrace worker policy -+# -+ + # + +-allow abrt_retrace_worker_t self:capability setuid; +allow abrt_retrace_worker_t self:capability { setuid }; + -+allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; -+ -+domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -+allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl; -+ -+manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t) -+ -+allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms; -+ -+can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) -+ -+corecmd_exec_bin(abrt_retrace_worker_t) -+corecmd_exec_shell(abrt_retrace_worker_t) -+ -+dev_read_urand(abrt_retrace_worker_t) -+ -+files_read_usr_files(abrt_retrace_worker_t) -+ + allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; + + domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) +@@ -354,16 +409,22 @@ dev_read_urand(abrt_retrace_worker_t) + + files_read_usr_files(abrt_retrace_worker_t) + +logging_send_syslog_msg(abrt_retrace_worker_t) + -+sysnet_dns_name_resolve(abrt_retrace_worker_t) -+ + sysnet_dns_name_resolve(abrt_retrace_worker_t) + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) +') + -+######################################## -+# + ######################################## + # +-# Dump oops local policy +# abrt_dump_oops local policy -+# -+ -+allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; + # + + allow abrt_dump_oops_t self:capability dac_override; + allow abrt_dump_oops_t 
self:fifo_file rw_fifo_file_perms; +-allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_search_spool(abrt_dump_oops_t) -+manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -+manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -+manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -+files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) -+ -+read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) -+read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) -+ -+read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) -+ + + files_search_spool(abrt_dump_oops_t) + manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -376,6 +437,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + + read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) + +kernel_read_debugfs(abrt_dump_oops_t) -+kernel_read_kernel_sysctls(abrt_dump_oops_t) -+kernel_read_ring_buffer(abrt_dump_oops_t) -+ -+domain_use_interactive_fds(abrt_dump_oops_t) -+ -+fs_list_inotifyfs(abrt_dump_oops_t) -+ -+logging_read_generic_logs(abrt_dump_oops_t) + kernel_read_kernel_sysctls(abrt_dump_oops_t) + kernel_read_ring_buffer(abrt_dump_oops_t) + +@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) + fs_list_inotifyfs(abrt_dump_oops_t) + + logging_read_generic_logs(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) -+ -+####################################### -+# + + ####################################### + # +-# Watch log local policy +# abrt_watch_log local policy -+# -+ -+allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; + # + + allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; +-allow abrt_watch_log_t self:unix_stream_socket { accept listen }; +allow abrt_watch_log_t self:unix_stream_socket 
create_stream_socket_perms; -+ -+read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -+ -+domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) -+ -+corecmd_exec_bin(abrt_watch_log_t) -+ -+logging_read_all_logs(abrt_watch_log_t) + + read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) + +@@ -400,16 +463,15 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) + corecmd_exec_bin(abrt_watch_log_t) + + logging_read_all_logs(abrt_watch_log_t) +logging_send_syslog_msg(abrt_watch_log_t) + +optional_policy(` + unconfined_domain(abrt_watch_log_t) +') -+ -+####################################### -+# + + ####################################### + # +-# Global local policy +# Local policy for all abrt domain -+# -+ -+files_read_etc_files(abrt_domain) + # + +-kernel_read_system_state(abrt_domain) +- + files_read_etc_files(abrt_domain) +- +-logging_send_syslog_msg(abrt_domain) +- +-miscfiles_read_localization(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc -index 1adca53..18e0e41 100644 +index f9d8d7a..0682710 100644 --- a/accountsd.fc +++ b/accountsd.fc @@ -1,3 +1,5 @@ +/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) + - /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - /var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) + /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) diff --git a/accountsd.if b/accountsd.if -index c0f858d..4a3dab6 100644 +index bd5ec9a..a5ed692 100644 --- a/accountsd.if +++ b/accountsd.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run accountsd. - ##
    - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`accountsd_domtrans',` -@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',` - ##
    - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # -@@ -93,6 +93,7 @@ interface(`accountsd_read_lib_files',` - ') - - files_search_var_lib($1) -+ allow $1 accountsd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - ') - -@@ -118,28 +119,54 @@ interface(`accountsd_manage_lib_files',` - - ######################################## - ## --## All of the rules required to administrate --## an accountsd environment -+## Execute accountsd server in the accountsd domain. +@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',` ## ## ## @@ -893,7 +1028,7 @@ index c0f858d..4a3dab6 100644 + type accountsd_unit_file_t; ') -- allow $1 accountsd_t:process { ptrace signal_perms getattr }; +- allow $1 accountsd_t:process { ptrace signal_perms }; + allow $1 accountsd_t:process signal_perms; ps_process_pattern($1, accountsd_t) @@ -908,11 +1043,12 @@ index c0f858d..4a3dab6 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 1632f10..074ebc9 100644 +index 313b33f..ea8883f 100644 --- a/accountsd.te +++ b/accountsd.te -@@ -1,5 +1,9 @@ - policy_module(accountsd, 1.0.0) +@@ -4,6 +4,10 @@ gen_require(` + class passwd all_passwd_perms; + ') +gen_require(` + class passwd { passwd chfn chsh rootok crontab }; @@ -921,7 +1057,7 @@ index 1632f10..074ebc9 100644 ######################################## # # Declarations -@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0) +@@ -11,11 +15,15 @@ gen_require(` type accountsd_t; type accountsd_exec_t; 
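Review bot: This hunk removes the abrt_domain-wide `kernel_read_system_state(abrt_domain)`, `logging_send_syslog_msg(abrt_domain)` and `miscfiles_read_localization(abrt_domain)` and replaces only the syslog rule with per-domain calls for abrt_retrace_coredump_t, abrt_retrace_worker_t, abrt_dump_oops_t and abrt_watch_log_t; no replacement is visible for abrt_handle_event_t, and none at all for the /proc and localization reads, so either those are granted elsewhere in the Fedora base (plausible, but not shown here) or the handle-event domain loses syslog. Please confirm, or re-add `logging_send_syslog_msg(abrt_handle_event_t)`. As a point of style, `allow abrt_retrace_worker_t self:capability { setuid };` wraps a single permission in braces where upstream's `allow abrt_retrace_worker_t self:capability setuid;` is the conventional form. The `unconfined_domain(abrt_watch_log_t)` block is carried over rather than new, but it removes confinement from a domain that already has `logging_read_all_logs(abrt_watch_log_t)`; a comment stating why the confined rule set is insufficient would help the next reviewer.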
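Review bot: accountsd_admin drops ptrace to become `allow $1 accountsd_t:process signal_perms;`, but unlike the abrt, acct and afs admin interfaces in this same commit no tunable_policy block re-granting `allow $1 accountsd_t:process ptrace;` when deny_ptrace is off is visible here, so an accountsd admin loses ptrace unconditionally. The interface body continues outside this hunk, so the block may simply be further down; if not, add the same deny_ptrace block used in abrt_admin for consistency.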
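Review bot: The accountsd.te hunk adds a second gen_require block declaring `class passwd { passwd chfn chsh rootok crontab };` directly after upstream's gen_require that already has `class passwd all_passwd_perms;`, so the module requires the same class twice with overlapping permission sets. The added block looks redundant on the new side; drop it and rely on upstream's require, or fold any permission upstream lacks into that one block.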
@@ -937,34 +1073,24 @@ index 1632f10..074ebc9 100644 + ######################################## # - # accountsd local policy - # - --allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -+allow accountsd_t self:capability { chown dac_override setuid setgid }; -+allow accountsd_t self:process signal; - allow accountsd_t self:fifo_file rw_fifo_file_perms; -+allow accountsd_t self:passwd { rootok passwd chfn chsh }; - - manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) + # Local policy +@@ -30,6 +38,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) - files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) + files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir) +kernel_read_system_state(accountsd_t) kernel_read_kernel_sysctls(accountsd_t) + kernel_read_system_state(accountsd_t) - corecmd_exec_bin(accountsd_t) - -+dev_read_sysfs(accountsd_t) -+ - files_read_usr_files(accountsd_t) - files_read_mnt_files(accountsd_t) +@@ -42,13 +51,15 @@ files_read_usr_files(accountsd_t) + fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) +fs_getattr_xattr_fs(accountsd_t) fs_read_noxattr_fs_files(accountsd_t) auth_use_nsswitch(accountsd_t) + auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) +auth_read_login_records(accountsd_t) @@ -973,9 +1099,9 @@ index 1632f10..074ebc9 100644 logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t) - +@@ -62,6 +73,11 @@ usermanage_domtrans_passwd(accountsd_t) optional_policy(` + consolekit_dbus_chat(accountsd_t) consolekit_read_log(accountsd_t) + consolekit_dbus_chat(accountsd_t) +') 
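Review bot: Several added lines in this hunk duplicate rules that upstream accountsd.te now carries as context: `kernel_read_system_state(accountsd_t)` is added directly above upstream's own `kernel_read_system_state(accountsd_t)`, and the same happens for `fs_getattr_xattr_fs(accountsd_t)`, `auth_read_login_records(accountsd_t)` and `consolekit_dbus_chat(accountsd_t)`. Duplicate rules compile, but they are rebase leftovers that make the patch larger and harder to review; remove the added copies. The acct.te hunk `@@ -1044,14 +1181,15 @@` has the same pattern with `auth_use_nsswitch(acct_t)` and `userdom_dontaudit_use_unpriv_user_fds(acct_t)`. The collapsed layout blurs the outer and inner markers, so please double-check against the patch file before deleting.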
@@ -985,26 +1111,22 @@ index 1632f10..074ebc9 100644 ') optional_policy(` - policykit_dbus_chat(accountsd_t) - ') -+ -+optional_policy(` -+ xserver_read_xdm_tmp_files(accountsd_t) +@@ -70,4 +86,7 @@ optional_policy(` + + optional_policy(` + xserver_read_xdm_tmp_files(accountsd_t) + xserver_read_state_xdm(accountsd_t) + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) -+') + ') diff --git a/acct.if b/acct.if -index e66c296..993a1e9 100644 +index 81280d0..bc4038b 100644 --- a/acct.if +++ b/acct.if -@@ -78,3 +78,21 @@ interface(`acct_manage_data',` - manage_files_pattern($1, acct_data_t, acct_data_t) - manage_lnk_files_pattern($1, acct_data_t, acct_data_t) - ') -+ -+######################################## -+## +@@ -83,6 +83,24 @@ interface(`acct_manage_data',` + + ######################################## + ## +## Dontaudit Attempts to list acct_data directory +## +## @@ -1020,19 +1142,34 @@ index e66c296..993a1e9 100644 + + dontaudit $1 acct_data_t:dir list_dir_perms; +') ++ ++####################################### ++## + ## All of the rules required to + ## administrate an acct environment. + ## +@@ -103,9 +121,13 @@ interface(`acct_admin',` + type acct_t, acct_initrc_exec_t, acct_data_t; + ') + +- allow $1 acct_t:process { ptrace signal_perms }; ++ allow $1 acct_t:process { signal_perms }; + ps_process_pattern($1, acct_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 acct_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, acct_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 acct_initrc_exec_t system_r; diff --git a/acct.te b/acct.te -index 63ef90e..31f524e 100644 +index 1a1c91a..7a449cc 100644 --- a/acct.te 
+++ b/acct.te -@@ -49,20 +49,19 @@ corecmd_exec_shell(acct_t) - - domain_use_interactive_fds(acct_t) +@@ -53,14 +53,15 @@ files_list_usr(acct_t) --files_read_etc_files(acct_t) - files_read_etc_runtime_files(acct_t) - files_list_usr(acct_t) - # for nscd - files_dontaudit_search_pids(acct_t) + auth_use_nsswitch(acct_t) +auth_use_nsswitch(acct_t) + @@ -1044,14 +1181,15 @@ index 63ef90e..31f524e 100644 -miscfiles_read_localization(acct_t) - - userdom_dontaudit_use_unpriv_user_fds(acct_t) ++userdom_dontaudit_use_unpriv_user_fds(acct_t) userdom_dontaudit_search_user_home_dirs(acct_t) + userdom_dontaudit_use_unpriv_user_fds(acct_t) diff --git a/ada.te b/ada.te -index 39c75fb..057d8b1 100644 +index 8b5ad06..8ce8f26 100644 --- a/ada.te +++ b/ada.te -@@ -17,7 +17,7 @@ role system_r types ada_t; +@@ -20,7 +20,7 @@ role ada_roles types ada_t; allow ada_t self:process { execstack execmem }; @@ -1061,15 +1199,15 @@ index 39c75fb..057d8b1 100644 optional_policy(` unconfined_domain(ada_t) diff --git a/afs.if b/afs.if -index 8559cdc..641044e 100644 +index 3b41be6..0b18812 100644 --- a/afs.if +++ b/afs.if -@@ -97,8 +97,12 @@ interface(`afs_admin',` - type afs_t, afs_initrc_exec_t; +@@ -100,8 +100,12 @@ interface(`afs_admin',` + type afs_logfile_t, afs_cache_t, afs_files_t; ') -- allow $1 afs_t:process { ptrace signal_perms getattr }; -- read_files_pattern($1, afs_t, afs_t) +- allow $1 afs_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, afs_domain) + allow $1 afs_t:process signal_perms; + ps_process_pattern($1, afs_t) + @@ -1077,36 +1215,34 @@ index 8559cdc..641044e 100644 + allow $1 afs_t:process ptrace; + ') - # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index a496fde..8170a8c 100644 +index 6690cdf..7fefcf5 100644 --- a/afs.te 
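Review bot: Style: the new `acct_admin` line `allow $1 acct_t:process { signal_perms };` wraps a single permission-set macro in braces, while the sibling interfaces touched by this commit write it bare (`allow $1 afs_t:process signal_perms;`, `allow $1 amavis_t:process signal_perms;`). Write `allow $1 acct_t:process signal_perms;` for consistency. The `deny_ptrace` tunable block that follows matches the pattern used in the other `*_admin` interfaces and looks correct; the interface body starts outside this hunk.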
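Review bot: Two rules added to acct.te duplicate base context in the same hunk: `+auth_use_nsswitch(acct_t)` directly under ` auth_use_nsswitch(acct_t)`, and `+userdom_dontaudit_use_unpriv_user_fds(acct_t)` while ` userdom_dontaudit_use_unpriv_user_fds(acct_t)` is retained two lines below. Neither changes the compiled policy, but both look like leftovers of a conflict resolution; drop the two added lines.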
+++ b/afs.te -@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t; - # - - allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -+dontaudit afs_t self:capability dac_override; - allow afs_t self:process { setsched signal }; - allow afs_t self:udp_socket create_socket_perms; - allow afs_t self:fifo_file rw_file_perms; -@@ -82,7 +83,6 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) +@@ -83,6 +83,15 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) --corenet_all_recvfrom_unlabeled(afs_t) - corenet_all_recvfrom_netlabel(afs_t) - corenet_tcp_sendrecv_generic_if(afs_t) - corenet_udp_sendrecv_generic_if(afs_t) -@@ -103,10 +103,12 @@ fs_read_nfs_symlinks(afs_t) ++corenet_all_recvfrom_netlabel(afs_t) ++corenet_tcp_sendrecv_generic_if(afs_t) ++corenet_udp_sendrecv_generic_if(afs_t) ++corenet_tcp_sendrecv_generic_node(afs_t) ++corenet_udp_sendrecv_generic_node(afs_t) ++corenet_tcp_sendrecv_all_ports(afs_t) ++corenet_udp_sendrecv_all_ports(afs_t) ++corenet_udp_bind_generic_node(afs_t) ++ + files_mounton_mnt(afs_t) + files_read_usr_files(afs_t) + files_rw_etc_runtime_files(afs_t) +@@ -93,6 +102,12 @@ fs_read_nfs_symlinks(afs_t) logging_send_syslog_msg(afs_t) --miscfiles_read_localization(afs_t) -- - sysnet_dns_name_resolve(afs_t) - ++sysnet_dns_name_resolve(afs_t) ++ +ifdef(`hide_broken_symptoms',` + kernel_rw_unlabeled_files(afs_t) +') 
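Review bot: The eight `corenet_*` rules the patch now inserts for `afs_t` (from `corenet_all_recvfrom_netlabel(afs_t)` through `corenet_udp_bind_generic_node(afs_t)`) plus the re-added `sysnet_dns_name_resolve(afs_t)` were plain base-policy context in the previous version of this hunk, so the new base apparently dropped the per-type rules — most likely in favour of the `afs_domain` attribute that a later hunk of this commit keeps using (`sysnet_read_config(afs_domain)`). If `afs_t` carries that attribute these additions are redundant; if it does not, adding them once on `afs_domain` would be cleaner than re-listing them per type. `corenet_tcp_sendrecv_all_ports(afs_t)` and `corenet_udp_sendrecv_all_ports(afs_t)` in particular deserve a comment explaining why the client needs every port type rather than the afs-specific port interfaces used elsewhere in this file (`corenet_udp_bind_afs_pt_port`). The afs_t section continues outside this hunk.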
@@ -1114,56 +1250,33 @@ index a496fde..8170a8c 100644 ######################################## # # AFS bossserver local policy -@@ -140,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) +@@ -125,7 +140,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) kernel_read_kernel_sysctls(afs_bosserver_t) -corenet_all_recvfrom_unlabeled(afs_bosserver_t) corenet_all_recvfrom_netlabel(afs_bosserver_t) - corenet_tcp_sendrecv_generic_if(afs_bosserver_t) corenet_udp_sendrecv_generic_if(afs_bosserver_t) -@@ -156,7 +157,6 @@ files_read_etc_files(afs_bosserver_t) - files_list_home(afs_bosserver_t) - files_read_usr_files(afs_bosserver_t) - --miscfiles_read_localization(afs_bosserver_t) - - seutil_read_config(afs_bosserver_t) - -@@ -202,7 +202,6 @@ corenet_tcp_sendrecv_generic_node(afs_fsserver_t) + corenet_udp_sendrecv_generic_node(afs_bosserver_t) +@@ -179,6 +193,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t) + corenet_udp_sendrecv_generic_if(afs_fsserver_t) + corenet_tcp_sendrecv_generic_node(afs_fsserver_t) corenet_udp_sendrecv_generic_node(afs_fsserver_t) - corenet_tcp_sendrecv_all_ports(afs_fsserver_t) - corenet_udp_sendrecv_all_ports(afs_fsserver_t) --corenet_all_recvfrom_unlabeled(afs_fsserver_t) - corenet_all_recvfrom_netlabel(afs_fsserver_t) ++corenet_tcp_sendrecv_all_ports(afs_fsserver_t) ++corenet_udp_sendrecv_all_ports(afs_fsserver_t) ++corenet_all_recvfrom_netlabel(afs_fsserver_t) corenet_tcp_bind_generic_node(afs_fsserver_t) corenet_udp_bind_generic_node(afs_fsserver_t) -@@ -225,8 +224,6 @@ init_dontaudit_use_script_fds(afs_fsserver_t) - logging_send_syslog_msg(afs_fsserver_t) - --miscfiles_read_localization(afs_fsserver_t) -- - seutil_read_config(afs_fsserver_t) - - sysnet_read_config(afs_fsserver_t) -@@ -252,7 +249,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) 
kernel_read_kernel_sysctls(afs_kaserver_t) -corenet_all_recvfrom_unlabeled(afs_kaserver_t) corenet_all_recvfrom_netlabel(afs_kaserver_t) - corenet_tcp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) -@@ -270,7 +266,6 @@ files_read_etc_files(afs_kaserver_t) - files_list_home(afs_kaserver_t) - files_read_usr_files(afs_kaserver_t) - --miscfiles_read_localization(afs_kaserver_t) - - seutil_read_config(afs_kaserver_t) - -@@ -296,7 +291,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + corenet_udp_sendrecv_generic_node(afs_kaserver_t) +@@ -262,7 +278,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) @@ -1171,15 +1284,16 @@ index a496fde..8170a8c 100644 corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -310,7 +304,6 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - - files_read_etc_files(afs_ptserver_t) +@@ -274,6 +289,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) + corenet_udp_bind_afs_pt_port(afs_ptserver_t) + corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) --miscfiles_read_localization(afs_ptserver_t) - - sysnet_read_config(afs_ptserver_t) ++sysnet_read_config(afs_ptserver_t) ++ + userdom_dontaudit_use_user_terminals(afs_ptserver_t) -@@ -334,7 +327,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + ######################################## +@@ -293,7 +310,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) 
@@ -1187,16 +1301,17 @@ index a496fde..8170a8c 100644 corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -348,7 +340,6 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) - - files_read_etc_files(afs_vlserver_t) +@@ -314,8 +330,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) --miscfiles_read_localization(afs_vlserver_t) - - sysnet_read_config(afs_vlserver_t) + allow afs_domain self:udp_socket create_socket_perms; +-files_read_etc_files(afs_domain) +- +-miscfiles_read_localization(afs_domain) +- + sysnet_read_config(afs_domain) diff --git a/aiccu.if b/aiccu.if -index 184c9a8..8f77bf5 100644 +index 3b5dcb9..fbe187f 100644 --- a/aiccu.if +++ b/aiccu.if @@ -79,9 +79,13 @@ interface(`aiccu_admin',` @@ -1215,23 +1330,18 @@ index 184c9a8..8f77bf5 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 6d685ba..5a3021d 100644 +index 72c33c2..ca27918 100644 --- a/aiccu.te +++ b/aiccu.te -@@ -44,10 +44,11 @@ kernel_read_system_state(aiccu_t) - corecmd_exec_shell(aiccu_t) - - corenet_all_recvfrom_netlabel(aiccu_t) --corenet_all_recvfrom_unlabeled(aiccu_t) -+corenet_tcp_bind_generic_node(aiccu_t) +@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) + corenet_tcp_bind_generic_node(aiccu_t) corenet_tcp_sendrecv_generic_if(aiccu_t) corenet_tcp_sendrecv_generic_node(aiccu_t) - corenet_tcp_sendrecv_generic_port(aiccu_t) -+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) - corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) - corenet_tcp_bind_generic_node(aiccu_t) +- + corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) -@@ -62,9 +63,9 @@ dev_read_urand(aiccu_t) + corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) +@@ -62,9 +61,9 @@ dev_read_urand(aiccu_t) files_read_etc_files(aiccu_t) 
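Review bot: `sysnet_read_config(afs_ptserver_t)` is added here while the following hunk keeps `sysnet_read_config(afs_domain)` as base context; if `afs_ptserver_t` carries the `afs_domain` attribute (the same attribute is used for `allow afs_domain self:udp_socket create_socket_perms;`), the per-type rule is redundant. Either drop it or add a short comment stating that afs_ptserver_t is not in afs_domain. The afs_ptserver_t section starts outside this hunk.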
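Review bot: The rebased aiccu.te hunk no longer removes `corenet_all_recvfrom_unlabeled(aiccu_t)`: that call is now the function-context line of the new inner hunk header `@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)` and the hunk's only remaining change is the deletion of a blank line, whereas the same commit still strips `corenet_all_recvfrom_unlabeled` from afs_bosserver_t, afs_kaserver_t, amanda_t and amavis_t. If keeping the unlabeled-packet grant for aiccu_t is unintentional, restore the `-corenet_all_recvfrom_unlabeled(aiccu_t)` line; if it is intentional, the whitespace-only hunk can be dropped from the patch altogether.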
@@ -1243,21 +1353,11 @@ index 6d685ba..5a3021d 100644 optional_policy(` modutils_domtrans_insmod(aiccu_t) -diff --git a/aide.fc b/aide.fc -index 7798464..62ccdc6 100644 ---- a/aide.fc -+++ b/aide.fc -@@ -3,4 +3,4 @@ - /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) - - /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) --/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) -+/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/aide.if b/aide.if -index 838d25b..33981e0 100644 +index 01cbb67..94a4a24 100644 --- a/aide.if +++ b/aide.if -@@ -60,9 +60,13 @@ interface(`aide_admin',` +@@ -67,9 +67,13 @@ interface(`aide_admin',` type aide_t, aide_db_t, aide_log_t; ') @@ -1269,58 +1369,47 @@ index 838d25b..33981e0 100644 + allow $1 aide_t:process ptrace; + ') + - files_list_etc($1) - admin_pattern($1, aide_db_t) + aide_run($1, $2) + files_list_etc($1) diff --git a/aide.te b/aide.te -index 2509dd2..88d5615 100644 +index 4b28ab3..2cc5904 100644 --- a/aide.te 
+++ b/aide.te -@@ -8,6 +8,7 @@ policy_module(aide, 1.6.0) +@@ -10,6 +10,7 @@ attribute_role aide_roles; type aide_t; type aide_exec_t; application_domain(aide_t, aide_exec_t) +cron_system_entry(aide_t, aide_exec_t) + role aide_roles types aide_t; - # log files type aide_log_t; -@@ -32,6 +33,13 @@ manage_files_pattern(aide_t, aide_log_t, aide_log_t) +@@ -33,12 +34,19 @@ setattr_files_pattern(aide_t, aide_log_t, aide_log_t) logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) +files_read_boot_symlinks(aide_t) -+files_read_all_symlinks(aide_t) + files_read_all_symlinks(aide_t) +files_getattr_all_pipes(aide_t) +files_getattr_all_sockets(aide_t) ++files_read_all_symlinks(aide_t) + +mls_file_read_to_clearance(aide_t) +mls_file_write_to_clearance(aide_t) logging_send_audit_msgs(aide_t) - # AIDE can be configured to log to syslog -@@ -39,4 +47,4 @@ logging_send_syslog_msg(aide_t) - - seutil_use_newrole_fds(aide_t) + logging_send_syslog_msg(aide_t) -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) -diff --git a/aisexec.fc b/aisexec.fc -index 7b4f4b9..9c2daa5 100644 ---- a/aisexec.fc -+++ b/aisexec.fc -@@ -4,6 +4,6 @@ - /var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) - --/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) -+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0) - - /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) + optional_policy(` + seutil_use_newrole_fds(aide_t) diff --git a/aisexec.if b/aisexec.if -index 0370dba..c2d68a4 100644 +index a2997fa..861cebd 100644 --- a/aisexec.if +++ b/aisexec.if -@@ -82,9 +82,13 @@ interface(`aisexecd_admin',` +@@ -83,9 +83,13 @@ interface(`aisexecd_admin',` type aisexec_initrc_exec_t; ') @@ -1336,18 +1425,18 @@ index 0370dba..c2d68a4 100644 domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; 
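Review bot: In aide.te the patch re-adds `files_read_all_symlinks(aide_t)` below `files_getattr_all_sockets(aide_t)` although the base now supplies ` files_read_all_symlinks(aide_t)` as context a few lines above; remove the added duplicate so the hunk only carries Fedora-specific rules. The aide_t local-policy section starts outside this hunk.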
diff --git a/aisexec.te b/aisexec.te -index 50b9b48..bd0ccb4 100644 +index 196f7cf..3b5354f 100644 --- a/aisexec.te +++ b/aisexec.te -@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) +@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) kernel_read_system_state(aisexec_t) corecmd_exec_bin(aisexec_t) +corecmd_exec_shell(aisexec_t) - corenet_udp_bind_netsupport_port(aisexec_t) - corenet_tcp_bind_reserved_port(aisexec_t) -@@ -79,8 +80,6 @@ init_rw_script_tmp_files(aisexec_t) + corenet_all_recvfrom_unlabeled(aisexec_t) + corenet_all_recvfrom_netlabel(aisexec_t) +@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t) logging_send_syslog_msg(aisexec_t) @@ -1356,7 +1445,7 @@ index 50b9b48..bd0ccb4 100644 userdom_rw_unpriv_user_semaphores(aisexec_t) userdom_rw_unpriv_user_shared_mem(aisexec_t) -@@ -89,6 +88,10 @@ optional_policy(` +@@ -105,6 +104,11 @@ optional_policy(` ') optional_policy(` @@ -1364,9 +1453,10 @@ index 50b9b48..bd0ccb4 100644 +') + +optional_policy(` - # to communication with RHCS ++ # to communication with RHCS rhcs_rw_dlm_controld_semaphores(aisexec_t) + rhcs_rw_fenced_semaphores(aisexec_t) diff --git a/ajaxterm.fc b/ajaxterm.fc new file mode 100644 index 0000000..aeb1888 @@ -1477,7 +1567,7 @@ index 0000000..7abe946 +') diff --git a/ajaxterm.te b/ajaxterm.te new file mode 100644 -index 0000000..8ba128b +index 0000000..84bba98 --- /dev/null +++ b/ajaxterm.te @@ -0,0 +1,62 @@ @@ -1523,7 +1613,7 @@ index 0000000..8ba128b +corecmd_exec_bin(ajaxterm_t) + +corenet_tcp_bind_generic_node(ajaxterm_t) -+corenet_tcp_bind_ajaxterm_port(ajaxterm_t) ++corenet_tcp_bind_oa_system_port(ajaxterm_t) + +dev_read_urand(ajaxterm_t) + @@ -1544,29 +1634,22 @@ index 0000000..8ba128b +') + diff --git a/alsa.fc b/alsa.fc -index d362d9c..230a2f6 100644 +index 5de1e01..3aa9abb 100644 --- a/alsa.fc 
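Review bot: `corenet_tcp_bind_oa_system_port(ajaxterm_t)` replaces `corenet_tcp_bind_ajaxterm_port(ajaxterm_t)` without a comment, so a reader of the new ajaxterm.te sees a terminal daemon binding a port type named after an unrelated service. Presumably the base policy already labels ajaxterm's listen port as `oa_system_port_t` and no ajaxterm port type exists; if so, record that beside the rule, e.g. `# ajaxterm's listen port is labeled oa_system_port_t in the base policy; no ajaxterm_port_t exists`. If a dedicated ajaxterm port type was meant to be defined in corenetwork instead, this line should go back to it, because sharing a port type lets either daemon bind the other's port.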
+++ b/alsa.fc -@@ -11,10 +11,14 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - - /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -+/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - - /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -+/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) - +@@ -19,4 +19,6 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) ++/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) + +/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0) diff --git a/alsa.if b/alsa.if -index 1392679..64e685f 100644 +index 708b743..a482fed 100644 --- a/alsa.if +++ b/alsa.if -@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',` +@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` userdom_search_user_home_dirs($1) allow $1 alsa_home_t:file manage_file_perms; @@ -1574,7 +1657,7 @@ index 1392679..64e685f 100644 ') ######################################## -@@ -206,3 +207,69 @@ interface(`alsa_read_lib',` +@@ -256,3 +257,69 @@ interface(`alsa_read_lib',` files_search_var_lib($1) read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ') @@ -1645,10 +1728,10 @@ index 1392679..64e685f 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index dc1b088..33678e4 100644 +index cda6d20..60c0649 100644 --- a/alsa.te +++ b/alsa.te -@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t) +@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t) type alsa_home_t; userdom_user_home_content(alsa_home_t) 
@@ -1658,15 +1741,16 @@ index dc1b088..33678e4 100644 ######################################## # # Local policy -@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t) +@@ -59,6 +62,8 @@ dev_read_sound(alsa_t) + dev_read_sysfs(alsa_t) + dev_write_sound(alsa_t) - corecmd_exec_bin(alsa_t) - --files_read_etc_files(alsa_t) ++corecmd_exec_bin(alsa_t) ++ files_read_usr_files(alsa_t) + files_search_var_lib(alsa_t) - term_dontaudit_use_console(alsa_t) -@@ -72,8 +74,6 @@ init_use_fds(alsa_t) +@@ -72,8 +77,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -1676,18 +1760,18 @@ index dc1b088..33678e4 100644 userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) diff --git a/amanda.te b/amanda.te -index d8b5abe..a4f5d3a 100644 +index ed45974..ebba0d8 100644 --- a/amanda.te +++ b/amanda.te -@@ -58,7 +58,7 @@ optional_policy(` +@@ -60,7 +60,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; +allow amanda_t self:process { getsched setsched setpgid signal }; allow amanda_t self:fifo_file rw_fifo_file_perms; - allow amanda_t self:unix_stream_socket create_stream_socket_perms; - allow amanda_t self:unix_dgram_socket create_socket_perms; + allow amanda_t self:unix_stream_socket { accept listen }; + allow amanda_t self:tcp_socket { accept listen }; @@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) 
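Review bot: `corecmd_exec_bin(alsa_t)` is re-added to alsa.te as a new patch line, whereas the previous version of this hunk carried it as base context, so the new base appears to have dropped it on purpose. Executing arbitrary bin_t programs is a wide grant for alsactl; if it really execs helpers, note which ones next to the rule, e.g. `# alsactl execs helper binaries on state restore (confirm which); keep exec_bin`, otherwise leave the base policy's narrower rule set. The alsa_t local-policy section starts outside this hunk.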
@@ -1696,23 +1780,15 @@ index d8b5abe..a4f5d3a 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -101,7 +102,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) -corenet_all_recvfrom_unlabeled(amanda_t) corenet_all_recvfrom_netlabel(amanda_t) corenet_tcp_sendrecv_generic_if(amanda_t) - corenet_udp_sendrecv_generic_if(amanda_t) -@@ -120,7 +120,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) - dev_getattr_all_blk_files(amanda_t) - dev_getattr_all_chr_files(amanda_t) - --files_read_etc_files(amanda_t) - files_read_etc_runtime_files(amanda_t) - files_list_all(amanda_t) - files_read_all_files(amanda_t) -@@ -177,7 +176,6 @@ kernel_read_kernel_sysctls(amanda_recover_t) + corenet_tcp_sendrecv_generic_node(amanda_t) +@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -1720,15 +1796,7 @@ index d8b5abe..a4f5d3a 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -193,7 +191,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t) - - domain_use_interactive_fds(amanda_recover_t) - --files_read_etc_files(amanda_recover_t) - files_read_etc_runtime_files(amanda_recover_t) - files_search_tmp(amanda_recover_t) - files_search_pids(amanda_recover_t) -@@ -205,7 +202,11 @@ fstools_signal(amanda_t) +@@ -200,7 +199,11 @@ fstools_signal(amanda_t) logging_search_logs(amanda_recover_t) @@ -1743,31 +1811,23 @@ index d8b5abe..a4f5d3a 100644 + fstools_signal(amanda_t) +') diff --git a/amavis.fc b/amavis.fc -index 446ee16..2346f65 100644 +index 17689a7..8aa6849 100644 --- a/amavis.fc 
+++ b/amavis.fc -@@ -2,6 +2,7 @@ - /etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) - /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) - /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) - - /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) - /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) -@@ -12,7 +13,7 @@ ifdef(`distro_debian',` - - /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) --/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) -+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0) - /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) - /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) - /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) +@@ -12,8 +12,6 @@ ifdef(`distro_debian',` + /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) + ') + +-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +- + /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) + + /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) diff --git a/amavis.if b/amavis.if -index e31d92a..5cb091a 100644 +index 60d4f8c..18ef077 100644 --- a/amavis.if +++ b/amavis.if -@@ -57,6 +57,7 @@ interface(`amavis_read_spool_files',` +@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',` files_search_spool($1) read_files_pattern($1, amavis_spool_t, amavis_spool_t) 
@@ -1775,7 +1835,7 @@ index e31d92a..5cb091a 100644 ') ######################################## -@@ -150,6 +151,26 @@ interface(`amavis_read_lib_files',` +@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',` ######################################## ## @@ -1802,16 +1862,8 @@ index e31d92a..5cb091a 100644 ## Create, read, write, and delete ## amavis lib files. ## -@@ -202,6 +223,7 @@ interface(`amavis_create_pid_files',` - type amavis_var_run_t; - ') - -+ allow $1 amavis_var_run_t:dir rw_dir_perms; - allow $1 amavis_var_run_t:file create_file_perms; - files_search_pids($1) - ') -@@ -231,9 +253,13 @@ interface(`amavis_admin',` - type amavis_initrc_exec_t; +@@ -234,9 +255,13 @@ interface(`amavis_admin',` + type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; ') - allow $1 amavis_t:process { ptrace signal_perms }; @@ -1826,24 +1878,10 @@ index e31d92a..5cb091a 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 505309b..58c37b3 100644 +index ab55ba7..3da45f7 100644 --- a/amavis.te +++ b/amavis.te -@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0) - # Declarations - # - -+## -+##

    -+## Allow amavis to use JIT compiler -+##

    -+##
    -+gen_tunable(amavis_use_jit, false) -+ - type amavis_t; - type amavis_exec_t; - domain_type(amavis_t) -@@ -38,7 +45,7 @@ type amavis_quarantine_t; +@@ -39,7 +39,7 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -1852,19 +1890,11 @@ index 505309b..58c37b3 100644 ######################################## # -@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; - dontaudit amavis_t self:capability sys_tty_config; - allow amavis_t self:process { signal sigchld sigkill signull }; - allow amavis_t self:fifo_file rw_fifo_file_perms; --allow amavis_t self:unix_stream_socket create_stream_socket_perms; -+allow amavis_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow amavis_t self:unix_dgram_socket create_socket_perms; - allow amavis_t self:tcp_socket { listen accept }; - allow amavis_t self:netlink_route_socket r_netlink_socket_perms; -@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) - files_search_spool(amavis_t) +@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) + manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) + filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) - # tmp files ++# tmp files +manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) +manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) 
@@ -1872,127 +1902,69 @@ index 505309b..58c37b3 100644 -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) +files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } ) - # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -98,16 +107,15 @@ manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) - files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file }) - - kernel_read_kernel_sysctls(amavis_t) -+kernel_read_system_state(amavis_t) - # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... - kernel_dontaudit_list_proc(amavis_t) - kernel_dontaudit_read_proc_symlinks(amavis_t) --kernel_dontaudit_read_system_state(amavis_t) - - # find perl + manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) corecmd_exec_bin(amavis_t) corecmd_exec_shell(amavis_t) -corenet_all_recvfrom_unlabeled(amavis_t) corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) - corenet_tcp_sendrecv_generic_node(amavis_t) -@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) - corenet_udp_bind_generic_port(amavis_t) - corenet_dontaudit_udp_bind_all_ports(amavis_t) + corenet_udp_sendrecv_generic_if(amavis_t) +@@ -118,10 +120,12 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) + + corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) +corenet_tcp_connect_agentx_port(amavis_t) dev_read_rand(amavis_t) + dev_read_sysfs(amavis_t) dev_read_urand(amavis_t) +dev_read_sysfs(amavis_t) domain_use_interactive_fds(amavis_t) -+domain_dontaudit_read_all_domains_state(amavis_t) + domain_dontaudit_read_all_domains_state(amavis_t) +@@ -141,14 +145,20 @@ init_stream_connect_script(amavis_t) --files_read_etc_files(amavis_t) - files_read_etc_runtime_files(amavis_t) - files_read_usr_files(amavis_t) - - fs_getattr_xattr_fs(amavis_t) - -+auth_use_nsswitch(amavis_t) - 
auth_dontaudit_read_shadow(amavis_t) - -+init_read_state(amavis_t) - # uses uptime which reads utmp - redhat bug 561383 - init_read_utmp(amavis_t) - init_stream_connect_script(amavis_t) -@@ -146,23 +158,32 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) - miscfiles_read_generic_certs(amavis_t) -miscfiles_read_localization(amavis_t) - --sysnet_dns_name_resolve(amavis_t) - sysnet_use_ldap(amavis_t) ++miscfiles_read_generic_certs(amavis_t) ++ ++sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) --# Cron handling --cron_use_fds(amavis_t) --cron_use_system_job_fds(amavis_t) --cron_rw_pipes(amavis_t) -+tunable_policy(`amavis_use_jit',` + tunable_policy(`amavis_use_jit',` +- allow amavis_t self:process execmem; + allow amavis_t self:process execmem; -+',` + ',` +- dontaudit amavis_t self:process execmem; + dontaudit amavis_t self:process execmem; +') - --mta_read_config(amavis_t) -+optional_policy(` -+ antivirus_domain_template(amavis_t) -+') - - optional_policy(` - clamav_stream_connect(amavis_t) - clamav_domtrans_clamscan(amavis_t) -+ clamav_read_state_clamd(amavis_t) -+') + +optional_policy(` -+ #Cron handling -+ cron_use_fds(amavis_t) -+ cron_use_system_job_fds(amavis_t) -+ cron_rw_pipes(amavis_t) ++ antivirus_domain_template(amavis_t) ') optional_policy(` -@@ -171,11 +192,16 @@ optional_policy(` +@@ -173,6 +183,10 @@ optional_policy(` ') optional_policy(` -+ mta_read_config(amavis_t) ++ nslcd_stream_connect(amavis_t) +') + +optional_policy(` - nslcd_stream_connect(amavis_t) - ') - - optional_policy(` postfix_read_config(amavis_t) -+ postfix_list_spool(amavis_t) - ') - - optional_policy(` -@@ -188,6 +214,12 @@ optional_policy(` + postfix_list_spool(amavis_t) ') - - optional_policy(` -+ snmp_manage_var_lib_files(amavis_t) -+ snmp_manage_var_lib_dirs(amavis_t) -+ snmp_stream_connect(amavis_t) -+') -+ -+optional_policy(` - spamassassin_exec(amavis_t) - spamassassin_exec_client(amavis_t) - 
spamassassin_read_lib_files(amavis_t) diff --git a/amtu.te b/amtu.te -index 057abb0..c75e9e9 100644 +index c960f92..c291650 100644 --- a/amtu.te +++ b/amtu.te -@@ -23,7 +23,7 @@ files_read_etc_files(amtu_t) +@@ -28,7 +28,7 @@ files_read_etc_files(amtu_t) logging_send_audit_msgs(amtu_t) @@ -2002,11 +1974,12 @@ index 057abb0..c75e9e9 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) diff --git a/anaconda.te b/anaconda.te -index e81bdbd..e3a396b 100644 +index 6f1384c..e9c715d 100644 --- a/anaconda.te +++ b/anaconda.te -@@ -1,5 +1,9 @@ - policy_module(anaconda, 1.6.0) +@@ -4,6 +4,10 @@ gen_require(` + class passwd all_passwd_perms; + ') +gen_require(` + class passwd { passwd chfn chsh rootok crontab }; @@ -2015,21 +1988,7 @@ index e81bdbd..e3a396b 100644 ######################################## # # Declarations -@@ -17,27 +21,23 @@ role system_r types anaconda_t; - # - - allow anaconda_t self:process execmem; -+allow anaconda_t self:passwd { rootok passwd chfn chsh }; - - kernel_domtrans_to(anaconda_t, anaconda_exec_t) - - init_domtrans_script(anaconda_t) - --libs_domtrans_ldconfig(anaconda_t) -- - logging_send_syslog_msg(anaconda_t) - - modutils_domtrans_insmod(anaconda_t) +@@ -34,6 +38,7 @@ modutils_domtrans_insmod(anaconda_t) modutils_domtrans_depmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) @@ -2037,25 +1996,6 @@ index e81bdbd..e3a396b 100644 userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) - optional_policy(` -- kudzu_domtrans(anaconda_t) --') -- --optional_policy(` - rpm_domtrans(anaconda_t) - rpm_domtrans_script(anaconda_t) - ') -@@ -51,9 +51,6 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_domain(anaconda_t) -+ unconfined_domain_noaudit(anaconda_t) - ') - --optional_policy(` -- usermanage_domtrans_admin_passwd(anaconda_t) --') diff --git a/antivirus.fc b/antivirus.fc new file mode 100644 index 0000000..e9a09f0 
@@ -2132,63 +2072,93 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..dcb9d6e 100644 +index 550a69e..dcb9d6e 100644 --- a/apache.fc 
+++ b/apache.fc -@@ -1,20 +1,37 @@ - HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +@@ -1,161 +1,188 @@ +-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) ++HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) -+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) -+HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) - - /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) --/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) + HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) + +-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/etc/httpd(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) +-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) +-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) +-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +- +-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) ++/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) - /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) - /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) ++/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) ++/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) ++/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) +/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/lighttpd(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ + +-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) -+ + +-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) - /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /srv/gallery2(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,20 +39,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u - /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) - /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) -+ - /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) --/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) +-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + +-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) --/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) --/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) --/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib/cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) + +-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) ++/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) 
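Review bot: The rewritten apache.fc hunk replaces upstream's `/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)` with an unescaped `/usr/share/jetty/bin/jetty.sh -- ...`; file-context paths are regular expressions, so the bare dot matches any character and the entry is looser than the one it displaces. Restore the escape: `/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)`. Separately, the inner hunk is now a whole-file rewrite (`@@ -1,161 +1,188 @@`) that removes and re-adds many unchanged lines, which buries the real deltas such as the new `/etc/owncloud/config\.php` rw-content entry; regenerating the patch with narrower hunks would make those reviewable. The removed upstream `jetty\.sh` line falls in the next outer hunk.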
@@ -2197,109 +2167,211 @@ index fd9fa07..dcb9d6e 100644 +/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) ++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) - /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - -@@ -43,8 +65,9 @@ ifdef(`distro_suse', ` - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') ++/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) ++/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) --/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/usr/share/drupal(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_t,s0) +-ifdef(`distro_suse',` +-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ++ifdef(`distro_suse', ` ++/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) + ') + +-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) +-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/usr/share/wordpress/wp-content/upgrade(/.*)? 
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +- +-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) +/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + - /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -54,9 +77,13 @@ ifdef(`distro_suse', ` - /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/mythtv/mythweather/scripts(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - - /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -69,35 +96,54 @@ ifdef(`distro_suse', ` - /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) ++ ++/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mediawiki(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) --/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) +- +-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/rt(3|4)(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) - - /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) ++ ++/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) --/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) +-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +- +-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/apache-ssl(2)?(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - - /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) --/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -- ++ ++/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cherokee(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - ifdef(`distro_debian', ` - /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - ') - ++ifdef(`distro_debian', ` ++/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++') ++ +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + - /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/php-fpm(/.*)? 
gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) - - /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +155,34 @@ ifdef(`distro_debian', ` - /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) ++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) ++ ++/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/lighttpd(/.*)? 
gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) +- +-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) +-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) +- +-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) +-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) +-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/var/www/svn/hooks(/.*)? 
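Review bot: The rewritten hunk relabels `/var/lib/z-push(/.*)?` from httpd_sys_rw_content_t to httpd_var_lib_t but keeps `/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`, so the z-push log tree stays labeled as writable web content (the apache.if template in this same patch gives script domains manage_* on rw content) rather than as log data like the neighbouring `/var/log/php-fpm` and `/var/log/cherokee` entries. Unless z-push has to rewrite its logs in place, `/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)` is the tighter label; if the rw label is deliberate, a one-line comment saying why would keep the next rebase from "fixing" it. A smaller style point: `/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)` carries a space before `s0` that the other gen_context calls in the file do not.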
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) +/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) @@ -2330,47 +2402,74 @@ index fd9fa07..dcb9d6e 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 6480167..7b2ad39 100644 +index 83e899c..7b2ad39 100644 --- a/apache.if +++ b/apache.if -@@ -13,68 +13,55 @@ +@@ -1,9 +1,9 @@ +-## Various web servers. ++## Apache web server + + ######################################## + ## +-## Create a set of derived types for +-## httpd web content. ++## Create a set of derived types for apache ++## web content. + ## + ## + ## +@@ -13,118 +13,100 @@ # template(`apache_content_template',` gen_require(` -- attribute httpdcontent; -- attribute httpd_exec_scripts; -- attribute httpd_script_exec_type; +- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; +- attribute httpd_script_domains, httpd_htaccess_type; +- type httpd_t, httpd_suexec_t; +- ') +- +- ######################################## +- # +- # Declarations +- # +- +- ## +- ##

    +- ## Determine whether the script domain can +- ## modify public files used for public file +- ## transfer services. Directories/Files must +- ## be labeled public_content_rw_t. +- ##

    +- ##
    +- gen_tunable(allow_httpd_$1_script_anon_write, false) +- +- type httpd_$1_content_t, httpdcontent; # customizable + attribute httpd_exec_scripts, httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; ++ type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; + attribute httpd_script_type, httpd_content_type; - ') -- # allow write access to public file transfer -- # services files. -- gen_tunable(allow_httpd_$1_script_anon_write, false) - - #This type is for webpages -- type httpd_$1_content_t, httpdcontent; # customizable ++ ') ++ ++ #This type is for webpages + type httpd_$1_content_t; # customizable; + typeattribute httpd_$1_content_t httpd_content_type; typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) - # This type is used for .htaccess files -- type httpd_$1_htaccess_t; # customizable; +- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; ++ # This type is used for .htaccess files + type httpd_$1_htaccess_t, httpd_content_type; # customizable; + typeattribute httpd_$1_htaccess_t httpd_content_type; files_type(httpd_$1_htaccess_t) - # Type that CGI scripts run as -- type httpd_$1_script_t; +- type httpd_$1_script_t, httpd_script_domains; ++ # Type that CGI scripts run as + type httpd_$1_script_t, httpd_script_type; domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; + kernel_read_system_state(httpd_$1_script_t) + - # This type is used for executable scripts files ++ # This type is used for executable scripts files type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) + typeattribute httpd_$1_script_exec_t httpd_content_type; 
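Review bot: In apache_content_template the new side declares `type httpd_$1_htaccess_t, httpd_content_type; # customizable;` and immediately follows it with `typeattribute httpd_$1_htaccess_t httpd_content_type;`, assigning the same attribute twice; the `typeattribute` line can go, leaving the declaration-site form that httpd_$1_script_t and httpd_$1_script_exec_t already use. The `typeattribute` lines for httpd_$1_content_t and httpd_$1_script_exec_t are not redundant, since those types are declared without httpd_content_type. The unconditional `kernel_read_system_state(httpd_$1_script_t)` applies to every script domain the template generates, so a short why-comment on it (what the scripts read from /proc) would help the next reviewer judge whether it belongs in the template or in the callers. The template body continues past the end of this hunk.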
@@ -2388,153 +2487,113 @@ index 6480167..7b2ad39 100644 typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) -- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) -- -- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) -- -- allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; -- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; -- -- allow httpd_$1_script_t self:fifo_file rw_file_perms; -- allow httpd_$1_script_t self:unix_stream_socket connectto; -- -- allow httpd_$1_script_t httpd_t:fifo_file write; -- # apache should set close-on-exec -- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; -- - # Allow the script process to search the cgi directory, and users directory - allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; +- ######################################## +- # +- # Policy +- # ++ # Allow the script process to search the cgi directory, and users directory ++ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; -- append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) -- logging_search_logs(httpd_$1_script_t) -- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; + +- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; +- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms 
create_file_perms setattr_file_perms }; +- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; ++ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -@@ -86,40 +73,6 @@ template(`apache_content_template',` +- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; +- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; +- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; ++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) + + manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - -- kernel_dontaudit_search_sysctl(httpd_$1_script_t) -- kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -- -- dev_read_rand(httpd_$1_script_t) -- 
dev_read_urand(httpd_$1_script_t) -- -- corecmd_exec_all_executables(httpd_$1_script_t) -- -- files_exec_etc_files(httpd_$1_script_t) -- files_read_etc_files(httpd_$1_script_t) -- files_search_home(httpd_$1_script_t) -- -- libs_exec_ld_so(httpd_$1_script_t) -- libs_exec_lib_files(httpd_$1_script_t) -- -- miscfiles_read_fonts(httpd_$1_script_t) -- miscfiles_read_public_files(httpd_$1_script_t) -- -- seutil_dontaudit_search_config(httpd_$1_script_t) -- -- tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t httpdcontent:file entrypoint; -- -- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- can_exec(httpd_$1_script_t, httpdcontent) -- ') +- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; +- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; +- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - # Allow the web server to run scripts and serve pages ++ # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` -@@ -128,68 +81,26 @@ template(`apache_content_template',` + manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) +- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) ++ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -- allow 
httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; +- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; +- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; +- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; +- ') + allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms }; - read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) - read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) -- allow httpd_t httpd_$1_content_t:dir list_dir_perms; -- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -- -- allow httpd_t httpd_$1_content_t:dir list_dir_perms; -- read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` +- can_exec(httpd_t, httpd_$1_rw_content_t) ') tunable_policy(`httpd_enable_cgi',` allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; +- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) +- ') +- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` +- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) +- ') + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) -+ - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, 
httpd_$1_script_exec_t, httpd_$1_script_t) +- tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; +- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; +- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; +- ') ++ # privileged users run the script: ++ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) + +- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` +- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; + - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) -- -- allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; -- allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; -- -- allow httpd_$1_script_t self:process { setsched signal_perms }; -- allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; -- -- allow httpd_$1_script_t httpd_t:fd use; -- allow httpd_$1_script_t httpd_t:process sigchld; -- -- kernel_read_system_state(httpd_$1_script_t) -- -- dev_read_urand(httpd_$1_script_t) -- -- fs_getattr_xattr_fs(httpd_$1_script_t) -- -- files_read_etc_runtime_files(httpd_$1_script_t) -- files_read_usr_files(httpd_$1_script_t) -- -- libs_read_lib_files(httpd_$1_script_t) -- -- miscfiles_read_localization(httpd_$1_script_t) -- ') -- -- optional_policy(` -- tunable_policy(`httpd_enable_cgi && allow_ypbind',` -- nis_use_ypbind_uncond(httpd_$1_script_t) -- ') -- ') -- -- optional_policy(` -- postgresql_unpriv_client(httpd_$1_script_t) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_$1_script_t) -- ') -- ') -- -- optional_policy(` -- nscd_socket_use(httpd_$1_script_t) ++ # 
apache runs the script: ++ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ') ') -@@ -211,9 +122,8 @@ template(`apache_content_template',` + ######################################## + ## +-## Role access for apache. ++## Role access for apache + ## + ## + ## +@@ -133,47 +115,61 @@ template(`apache_content_template',` + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # interface(`apache_role',` gen_require(` attribute httpdcontent; 
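Review bot: The new side of the policy section no longer consults `httpd_tmp_exec` — both removed upstream blocks, `tunable_policy(\`httpd_builtin_scripting && httpd_tmp_exec', …)` and `tunable_policy(\`httpd_enable_cgi && httpd_tmp_exec', …)`, go away with nothing replacing them here; if nothing else in the tree honors that boolean, toggling it silently does nothing, so either its description should say so or a comment should point at where it is honored. Two style points on the same lines: `allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };` braces a single permission set, and the three separate `domtrans_pattern(httpd_suexec_t, …)`, `domtrans_pattern(httpd_exec_scripts, …)` and `domtrans_pattern(httpd_t, …)` calls under `httpd_enable_cgi` could be one call with the source set `{ httpd_t httpd_suexec_t httpd_exec_scripts }`, which also makes the extra `allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;` stand out as the only asymmetric grant and invites a comment on why that caller needs it. The `apache_content_template` body opens in the preceding hunk and closes at the `') ')` in this one.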
@@ -2546,10 +2605,34 @@ index 6480167..7b2ad39 100644 ') role $1 types httpd_user_script_t; -@@ -234,6 +144,13 @@ interface(`apache_role',` - relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) - relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) +- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; +- +- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; +- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") +- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") +- +- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") +- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") +- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs") ++ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; 
++ + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) 
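Review bot: `allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };` spells the relabel permissions out by hand while every other rule in this interface goes through the `relabel_*_pattern` macros and permission-set names; writing it as `allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };` keeps the vocabulary consistent and tracks any future change to the set definition. The `apache_role` body continues into the next hunk.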
@@ -2557,46 +2640,145 @@ index 6480167..7b2ad39 100644 + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + - manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) - manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -248,6 +165,9 @@ interface(`apache_role',` - relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) - ++ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ 
relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) ++ ++ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) ++ + apache_exec_modules($2) + apache_filetrans_home_content($2) -+ + tunable_policy(`httpd_enable_cgi',` - # If a user starts a script by hand it gets the proper context ++ # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -317,6 +237,25 @@ interface(`apache_domtrans',` + ') + +@@ -184,7 +180,7 @@ interface(`apache_role',` + + ######################################## + ## +-## Read user httpd script executable files. ++## Read httpd user scripts executables. + ## + ## + ## +@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',` + + ######################################## + ## +-## Read user httpd content. ++## Read user web content. + ## + ## + ## +@@ -224,7 +220,7 @@ interface(`apache_read_user_content',` + + ######################################## + ## +-## Execute httpd with a domain transition. ++## Transition to apache. + ## + ## + ## +@@ -241,27 +237,28 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') +-######################################## +###################################### -+## + ## +-## Execute httpd server in the httpd domain. +## Allow the specified domain to execute apache +## in the caller domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`apache_initrc_domtrans',` +interface(`apache_exec',` -+ gen_require(` + gen_require(` +- type httpd_initrc_exec_t; + type httpd_exec_t; -+ ') -+ + ') + +- init_labeled_script_domtrans($1, httpd_initrc_exec_t) + can_exec($1, httpd_exec_t) -+') -+ + ') + ####################################### ## - ## Send a generic signal to apache. -@@ -405,7 +344,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +-## Send generic signals to httpd. ++## Send a generic signal to apache. + ## + ## + ## +@@ -279,7 +276,7 @@ interface(`apache_signal',` + + ######################################## + ## +-## Send null signals to httpd. ++## Send a null signal to apache. + ## + ## + ## +@@ -297,7 +294,7 @@ interface(`apache_signull',` + + ######################################## + ## +-## Send child terminated signals to httpd. ++## Send a SIGCHLD signal to apache. + ## + ## + ## +@@ -315,8 +312,7 @@ interface(`apache_sigchld',` + + ######################################## + ## +-## Inherit and use file descriptors +-## from httpd. ++## Inherit and use file descriptors from Apache. + ## + ## + ## +@@ -334,8 +330,8 @@ interface(`apache_use_fds',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unnamed pipes. ++## Do not audit attempts to read and write Apache ++## unnamed pipes. + ## + ## + ## +@@ -348,13 +344,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') 
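Review bot: The `httpd_user_content_t` manage/relabel block appears to be present twice on the new side of `apache_role` — once in the retained `manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)` … `relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)` lines at the top of this hunk, and again in the added run between the `httpd_user_ra_content_t` and `httpd_user_rw_content_t` blocks; the collapsed outer markers make the side hard to read, but if both copies land in the resulting apache.if the second is dead weight (duplicate rules compile, they just clutter the interface). The added `apache_exec` interface takes the place of upstream's removed `apache_initrc_domtrans`; if any module in the tree still calls `apache_initrc_domtrans()` it will no longer resolve, so a grep before merging is worth the minute. `apache_role` starts in the preceding hunk.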
@@ -2605,72 +2787,174 @@ index 6480167..7b2ad39 100644 ') ######################################## -@@ -487,7 +426,7 @@ interface(`apache_setattr_cache_dirs',` - type httpd_cache_t; - ') + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. ++## Do not audit attempts to read and write Apache ++## unix domain stream sockets. + ## + ## + ## +@@ -372,8 +368,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` -- allow $1 httpd_cache_t:dir setattr; -+ allow $1 httpd_cache_t:dir setattr_dir_perms; - ') + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd TCP sockets. ++## Do not audit attempts to read and write Apache ++## TCP sockets. + ## + ## + ## +@@ -391,8 +387,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## -@@ -531,6 +470,25 @@ interface(`apache_rw_cache_files',` + ## +-## Create, read, write, and delete +-## all httpd content. ++## Create, read, write, and delete all web content. + ## + ## + ## +@@ -417,7 +412,8 @@ interface(`apache_manage_all_content',` + ######################################## ## - ## Allow the specified domain to delete +-## Set attributes httpd cache directories. ++## Allow domain to set the attributes ++## of the APACHE cache directory. + ## + ## + ## +@@ -435,7 +431,8 @@ interface(`apache_setattr_cache_dirs',` + + ######################################## + ## +-## List httpd cache directories. ++## Allow the specified domain to list ++## Apache cache. + ## + ## + ## +@@ -453,7 +450,8 @@ interface(`apache_list_cache',` + + ######################################## + ## +-## Read and write httpd cache files. ++## Allow the specified domain to read ++## and write Apache cache files. + ## + ## + ## +@@ -471,7 +469,8 @@ interface(`apache_rw_cache_files',` + + ######################################## + ## +-## Delete httpd cache directories. ++## Allow the specified domain to delete +## Apache cache dirs. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_delete_cache_dirs',` -+ gen_require(` -+ type httpd_cache_t; -+ ') -+ -+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) -+') -+ -+######################################## -+## + ## + ## + ## +@@ -489,7 +488,8 @@ interface(`apache_delete_cache_dirs',` + + ######################################## + ## +-## Delete httpd cache files. +## Allow the specified domain to delete - ## Apache cache. ++## Apache cache. ## ## -@@ -549,6 +507,26 @@ interface(`apache_delete_cache_files',` + ## +@@ -507,49 +507,51 @@ interface(`apache_delete_cache_files',` ######################################## ## +-## Read httpd configuration files. +## Allow the specified domain to search +## apache configuration dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`apache_read_config',` +interface(`apache_search_config',` -+ gen_require(` -+ type httpd_config_t; -+ ') -+ -+ files_search_etc($1) + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) +- allow $1 httpd_config_t:dir list_dir_perms; +- read_files_pattern($1, httpd_config_t, httpd_config_t) +- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) + allow $1 httpd_config_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Allow the specified domain to read - ## apache configuration files. + ') + + ######################################## + ## +-## Search httpd configuration directories. ++## Allow the specified domain to read ++## apache configuration files. ## -@@ -641,6 +619,27 @@ interface(`apache_run_helper',` + ## + ## + ## Domain allowed access. 
+ ## + ## ++## + # +-interface(`apache_search_config',` ++interface(`apache_read_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) +- allow $1 httpd_config_t:dir search_dir_perms; ++ allow $1 httpd_config_t:dir list_dir_perms; ++ read_files_pattern($1, httpd_config_t, httpd_config_t) ++ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) + ') ######################################## ## +-## Create, read, write, and delete +-## httpd configuration files. ++## Allow the specified domain to manage ++## apache configuration files. + ## + ## + ## +@@ -570,8 +572,8 @@ interface(`apache_manage_config',` + + ######################################## + ## +-## Execute the Apache helper program +-## with a domain transition. ++## Execute the Apache helper program with ++## a domain transition. + ## + ## + ## +@@ -608,16 +610,38 @@ interface(`apache_domtrans_helper',` + # + interface(`apache_run_helper',` + gen_require(` +- attribute_role httpd_helper_roles; ++ type httpd_helper_t; + ') + + apache_domtrans_helper($1) +- roleattribute $2 httpd_helper_roles; ++ role $2 types httpd_helper_t; ++') ++ ++######################################## ++## +## dontaudit attempts to read +## apache log files. +## 
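Review bot: `apache_run_helper` replaces the removed `attribute_role httpd_helper_roles;` / `roleattribute $2 httpd_helper_roles;` with `type httpd_helper_t;` and `role $2 types httpd_helper_t;`, which is equivalent for callers but is exactly the kind of line the next upstream sync will flip back; a one-line comment such as `# plain role statement used here instead of the httpd_helper_roles attribute` would record that the deviation is deliberate. On the same hunk, `apache_search_config` and `apache_read_config` are swapped in order relative to upstream with no change in their bodies beyond the doc wording, which inflates the patch; keeping upstream's order would shrink this part of the diff to the wording changes only.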
@@ -2688,14 +2972,27 @@ index 6480167..7b2ad39 100644 + + dontaudit $1 httpd_log_t:file read_file_perms; + dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## - ## Allow the specified domain to read - ## apache log files. + ') + + ######################################## + ## +-## Read httpd log files. ++## Allow the specified domain to read ++## apache log files. ## -@@ -683,6 +682,25 @@ interface(`apache_append_log',` + ## + ## +@@ -639,7 +663,8 @@ interface(`apache_read_log',` + + ######################################## + ## +-## Append httpd log files. ++## Allow the specified domain to append ++## to apache log files. + ## + ## + ## +@@ -657,10 +682,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') 
@@ -2720,43 +3017,88 @@ index 6480167..7b2ad39 100644 + ######################################## ## - ## Do not audit attempts to append to the -@@ -699,7 +717,7 @@ interface(`apache_dontaudit_append_log',` - type httpd_log_t; - ') +-## Do not audit attempts to append +-## httpd log files. ++## Do not audit attempts to append to the ++## Apache logs. + ## + ## + ## +@@ -678,8 +722,8 @@ interface(`apache_dontaudit_append_log',` -- dontaudit $1 httpd_log_t:file { getattr append }; -+ dontaudit $1 httpd_log_t:file append_file_perms; + ######################################## + ## +-## Create, read, write, and delete +-## httpd log files. ++## Allow the specified domain to manage ++## to apache log files. + ## + ## + ## +@@ -698,47 +742,49 @@ interface(`apache_manage_log',` + read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') - ######################################## -@@ -745,6 +763,25 @@ interface(`apache_dontaudit_search_modules',` +-####################################### ++######################################## + ## +-## Write apache log files. ++## Do not audit attempts to search Apache ++## module directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`apache_write_log',` ++interface(`apache_dontaudit_search_modules',` + gen_require(` +- type httpd_log_t; ++ type httpd_modules_t; + ') + +- logging_search_logs($1) +- write_files_pattern($1, httpd_log_t, httpd_log_t) ++ dontaudit $1 httpd_modules_t:dir search_dir_perms; + ') ######################################## ## +-## Do not audit attempts to search +-## httpd module directories. +## Allow the specified domain to read +## the apache module directories. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`apache_dontaudit_search_modules',` +interface(`apache_read_modules',` -+ gen_require(` -+ type httpd_modules_t; -+ ') -+ + gen_require(` + type httpd_modules_t; + ') + +- dontaudit $1 httpd_modules_t:dir search_dir_perms; + read_files_pattern($1, httpd_modules_t, httpd_modules_t) -+') -+ -+######################################## -+## - ## Allow the specified domain to list - ## the contents of the apache modules - ## directory. -@@ -761,6 +798,7 @@ interface(`apache_list_modules',` + ') + + ######################################## + ## +-## List httpd module directories. ++## Allow the specified domain to list ++## the contents of the apache modules ++## directory. + ## + ## + ## +@@ -752,11 +798,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; 
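Review bot: Upstream's `apache_write_log` interface is removed on the new side (`+-interface(\`apache_write_log',`) with nothing taking its name, so any module that calls `apache_write_log()` will fail to build against this apache.if; keeping it is cheap — its body is only `logging_search_logs($1)` plus `write_files_pattern($1, httpd_log_t, httpd_log_t)`. Also, Fedora's `apache_read_modules` grants only `read_files_pattern($1, httpd_modules_t, httpd_modules_t)`, whereas upstream's equivalent `apache_read_module_files` (removed in the next hunk) also calls `libs_search_lib($1)`; a caller without search on the lib directories cannot reach the module files, so consider adding `libs_search_lib($1)` ahead of the read pattern.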
@@ -2764,20 +3106,56 @@ index 6480167..7b2ad39 100644 ') ######################################## -@@ -802,6 +840,43 @@ interface(`apache_domtrans_rotatelogs',` - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ## +-## Execute httpd module files. ++## Allow the specified domain to execute ++## apache modules. + ## + ## + ## +@@ -776,46 +824,63 @@ interface(`apache_exec_modules',` + + ######################################## + ## +-## Read httpd module files. ++## Execute a domain transition to run httpd_rotatelogs. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`apache_read_module_files',` ++interface(`apache_domtrans_rotatelogs',` + gen_require(` +- type httpd_modules_t; ++ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + +- libs_search_lib($1) +- read_files_pattern($1, httpd_modules_t, httpd_modules_t) ++ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') +-######################################## +####################################### -+## + ## +-## Execute a domain transition to +-## run httpd_rotatelogs. +## Execute httpd_rotatelogs in the caller domain. -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +## +## Domain allowed to transition. +## -+## -+# + ## + # +-interface(`apache_domtrans_rotatelogs',` +interface(`apache_exec_rotatelogs',` + gen_require(` + type httpd_rotatelogs_exec_t; 
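Review bot: Fedora's `apache_domtrans_rotatelogs` body is the single line `domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)`, while the upstream version removed in the next hunk also calls `corecmd_search_bin($1)`; a caller that does not already hold search on bin directories may be unable to reach the rotatelogs binary, so consider adding `corecmd_search_bin($1)` before the transition. The new `apache_exec_rotatelogs` declaration ends at the hunk boundary; its body is not visible here.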
@@ -2797,18 +3175,26 @@ index 6480167..7b2ad39 100644 +## +# +interface(`apache_exec_sys_script',` -+ gen_require(` + gen_require(` +- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + type httpd_sys_script_exec_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + allow $1 httpd_sys_script_exec_t:dir search_dir_perms; + can_exec($1, httpd_sys_script_exec_t) -+') -+ + ') + ######################################## ## - ## Allow the specified domain to list -@@ -819,6 +894,7 @@ interface(`apache_list_sys_content',` +-## List httpd system content directories. ++## Allow the specified domain to list ++## apache system content files. + ## + ## + ## +@@ -829,13 +894,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -2816,10 +3202,28 @@ index 6480167..7b2ad39 100644 files_search_var($1) ') -@@ -846,6 +922,74 @@ interface(`apache_manage_sys_content',` + ######################################## + ## +-## Create, read, write, and delete +-## httpd system content files. ++## Allow the specified domain to manage ++## apache system content files. + ## + ## + ## +@@ -844,6 +910,7 @@ interface(`apache_list_sys_content',` + ## + ## + # ++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr + interface(`apache_manage_sys_content',` + gen_require(` + type httpd_sys_content_t; +@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') +-######################################## +###################################### +## +## Allow the specified domain to read 
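Review bot: `apache_exec_sys_script` lets the caller run `httpd_sys_script_exec_t` files in its own domain — `can_exec($1, httpd_sys_script_exec_t)` with no transition — which is the opposite of `apache_domtrans_sys_script` and means the script inherits the caller's full privileges; the interface's summary sits outside this hunk, and if it does not already say "execute system web scripts in the caller domain, without a domain transition", it should, so the two interfaces are not picked interchangeably. In the second hunk on this line, the added `# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr` is a plain comment between the doc block and `interface(\`apache_manage_sys_content',`, so it never reaches the generated interface documentation; placing it in the `<desc>` as a `<p>` would make it visible to readers of the docs.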
@@ -2841,30 +3245,37 @@ index 6480167..7b2ad39 100644 +') + +###################################### -+## + ## +-## Create, read, write, and delete +-## httpd system rw content. +## Allow the specified domain to manage +## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`apache_manage_sys_rw_content',` +interface(`apache_manage_sys_content_rw',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + gen_require(` + type httpd_sys_rw_content_t; + ') + +- apache_search_sys_content($1) + files_search_var($1) -+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+######################################## -+## + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + ') + + ######################################## + ## +-## Execute all httpd scripts in the +-## system script domain. +## Allow the specified domain to delete +## apache system content rw files. +## 
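Review bot: `apache_manage_sys_content_rw` is added under a name that differs from upstream's `apache_manage_sys_rw_content` only in word order, while the upstream interface is removed right above it (`+-interface(\`apache_manage_sys_rw_content',`); modules written against either spelling break on the other tree, so keeping upstream's name, or providing one as a thin alias that calls the other, avoids that. The body also calls `files_search_var($1)` where upstream's calls `apache_search_sys_content($1)`; with the rw content under /var that is probably sufficient, but it is worth confirming, since a later hunk drops `files_search_var($1)` from the Fedora `apache_search_sys_content` itself.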
@@ -2888,10 +3299,19 @@ index 6480167..7b2ad39 100644 + delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + - ######################################## - ## - ## Execute all web scripts in the system -@@ -862,7 +1006,12 @@ interface(`apache_manage_sys_content',` ++######################################## ++## ++## Execute all web scripts in the system ++## script domain. + ## + ## + ## +@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',` + ## + ## + # ++# cjp: this interface specifically added to allow ++# sysadm_t to run scripts interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; 
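Review bot: The added `# cjp: this interface specifically added to allow` / `# sysadm_t to run scripts` comment sits between the closing `# ` of the doc block and `interface(\`apache_domtrans_sys_script',`, so it is an attribution note the doc generator will never show; either fold the rationale into the interface's `<desc>` or drop the initials and state it plainly, e.g. `# Added so that sysadm_t can run system web scripts in the script domain.`. The `apache_domtrans_sys_script` body continues past this hunk, and the interface whose `delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)` line opens the hunk starts before it.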
@@ -2905,19 +3325,46 @@ index 6480167..7b2ad39 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',` - ## - ## +@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',` + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd system script unix +-## domain stream sockets. ++## Do not audit attempts to read and write Apache ++## system script unix domain stream sockets. + ## + ## ## --## Role allowed access.. -+## Role allowed access. +@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',` + ######################################## + ## + ## Execute all user scripts in the user +-## script domain. Add user script domains ++## script domain. Add user script domains + ## to the specified role. + ## + ## +@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',` + ## Role allowed access. ## ## +## # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',` + + ######################################## + ## +-## Read httpd squirrelmail data files. ++## Allow the specified domain to read ++## apache squirrelmail data. + ## + ## + ## +@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') 
@@ -2926,7 +3373,93 @@ index 6480167..7b2ad39 100644 ') ######################################## -@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',` + ## +-## Append httpd squirrelmail data files. ++## Allow the specified domain to append ++## apache squirrelmail data. + ## + ## + ## +@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',` + + ######################################## + ## +-## Search httpd system content. ++## Search apache system content. + ## + ## + ## +@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',` + type httpd_sys_content_t; + ') + +- files_search_var($1) + allow $1 httpd_sys_content_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read httpd system content. ++## Read apache system content. + ## + ## + ## +@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',` + + ######################################## + ## +-## Search httpd system CGI directories. ++## Search apache system CGI directories. + ## + ## + ## +@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',` + + ######################################## + ## +-## Create, read, write, and delete all +-## user httpd content. ++## Create, read, write, and delete all user web content. 
+ ## + ## + ## +@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',` + ## + # + interface(`apache_manage_all_user_content',` +- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.') +- apache_manage_all_content($1) ++ gen_require(` ++ attribute httpd_user_content_type, httpd_user_script_exec_type; ++ ') ++ ++ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) ++ ++ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ++ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ++ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) + ') + + ######################################## + ## +-## Search system script state directories. ++## Search system script state directory. + ## + ## + ## +@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',` + + ######################################## + ## +-## Read httpd tmp files. ++## Allow the specified domain to read ++## apache tmp files. + ## + ## + ## +@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -2951,8 +3484,14 @@ index 6480167..7b2ad39 100644 + ######################################## ## - ## Dontaudit attempts to write -@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` +-## Do not audit attempts to write +-## httpd tmp files. ++## Dontaudit attempts to write ++## apache tmp files. + ## + ## + ## +@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') 
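Review bot: `apache_search_sys_content` as rewritten in this hunk drops upstream's `files_search_var($1)` (`+- files_search_var($1)`), so a caller relying on this interface alone can no longer traverse /var on the way to httpd_sys_content_t under /var/www unless it already obtains var_t search elsewhere; either keep the call or say in the interface summary that the caller must provide var_t search itself. The reinstated `apache_manage_all_user_content` also grants manage rights on `httpd_user_script_exec_type`, i.e. write access to user CGI executables, which its summary "Create, read, write, and delete all user web content." does not convey; state it, e.g. `## Create, read, write, and delete all user web content, including user CGI script executables (httpd_user_script_exec_type).` Several interfaces in apache.if are cut at the edges of this hunk.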
@@ -2961,21 +3500,29 @@ index 6480167..7b2ad39 100644 ') ######################################## -@@ -1148,14 +1317,31 @@ interface(`apache_cgi_domain',` +@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',` + ## + ## + ##

    ++## Execute CGI in the specified domain. ++##

    ++##

    + ## This is an interface to support third party modules + ## and its use is not allowed in upstream reference + ## policy. +@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',` ######################################## ##

    --## All of the rules required to administrate an apache environment +-## All of the rules required to +-## administrate an apache environment. +## Execute httpd server in the httpd domain. - ## --## ++##
    +## - ## --## Prefix of the domain. Example, user would be --## the prefix for the uder_t domain. ++## +## Domain allowed to transition. - ## - ## ++## ++## +# +interface(`apache_systemctl',` + gen_require(` @@ -2993,70 +3540,67 @@ index 6480167..7b2ad39 100644 +######################################## +## +## All of the rules required to administrate an apache environment -+## + ##
    ## ## - ## Domain allowed access. -@@ -1170,19 +1356,21 @@ interface(`apache_cgi_domain',` - # +@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` -- attribute httpdcontent; -- attribute httpd_script_exec_type; -- -+ attribute httpdcontent, httpd_script_exec_type; + attribute httpdcontent, httpd_script_exec_type; +- attribute httpd_script_domains, httpd_htaccess_type; type httpd_t, httpd_config_t, httpd_log_t; -- type httpd_modules_t, httpd_lock_t; -- type httpd_var_run_t, httpd_php_tmp_t; +- type httpd_modules_t, httpd_lock_t, httpd_helper_t; +- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t; +- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; +- type httpd_initrc_exec_t, httpd_suexec_t; + type httpd_modules_t, httpd_lock_t, httpd_bool_t; + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; - type httpd_suexec_tmp_t, httpd_tmp_t; -- type httpd_initrc_exec_t; ++ type httpd_suexec_tmp_t, httpd_tmp_t; + type httpd_unit_file_t; ') -- allow $1 httpd_t:process { getattr ptrace signal_perms }; +- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; +- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) +- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) + allow $1 httpd_t:process signal_perms; - ps_process_pattern($1, httpd_t) - ++ ps_process_pattern($1, httpd_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 httpd_t:process ptrace; + ') -+ + init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; -@@ -1191,10 +1379,10 @@ interface(`apache_admin',` +@@ -1204,10 +1379,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) - files_search_etc($1) +- admin_pattern($1, { httpd_config_t 
httpd_keytab_t }) + files_list_etc($1) - admin_pattern($1, httpd_config_t) ++ admin_pattern($1, httpd_config_t) - logging_search_logs($1) + logging_list_logs($1) admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1393,106 @@ interface(`apache_admin',` +@@ -1218,9 +1393,106 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) -- kernel_search_proc($1) -- allow $1 httpd_t:dir list_dir_perms; -- -- read_lnk_files_pattern($1, httpd_t, httpd_t) -- - admin_pattern($1, httpdcontent) - admin_pattern($1, httpd_script_exec_type) +- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) +- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) ++ admin_pattern($1, httpdcontent) ++ admin_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + + files_list_tmp($1) - admin_pattern($1, httpd_tmp_t) - admin_pattern($1, httpd_php_tmp_t) - admin_pattern($1, httpd_suexec_tmp_t) ++ admin_pattern($1, httpd_tmp_t) ++ admin_pattern($1, httpd_php_tmp_t) ++ admin_pattern($1, httpd_suexec_tmp_t) + + apache_systemctl($1) + admin_pattern($1, httpd_unit_file_t) @@ -3143,7 +3687,9 @@ index 6480167..7b2ad39 100644 + type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; + type httpd_user_content_ra_t; + ') -+ + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") @@ -3152,101 +3698,180 @@ index 6480167..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..2864927 100644 +index 1a82e29..44dae79 100644 --- a/apache.te 
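Review bot: `apache_admin` in the new patch grants `signal_perms` (and, unless `deny_ptrace` is set, ptrace) only on `httpd_t`, while the upstream lines it removes also covered `httpd_script_domains`, `httpd_helper_t`, `httpd_rotatelogs_t` and `httpd_suexec_t`, so an admin role built on this interface can no longer kill or inspect a runaway CGI or suexec child. Restore the wider set, e.g. `allow $1 { httpd_t httpd_script_domains httpd_helper_t httpd_suexec_t httpd_rotatelogs_t }:process signal_perms;` together with `ps_process_pattern($1, { httpd_t httpd_script_domains httpd_helper_t httpd_suexec_t httpd_rotatelogs_t })`, and add `attribute httpd_script_domains;` plus those three types to the gen_require. The same hunk drops `httpd_keytab_t` from the config `admin_pattern`; that is consistent only if the Fedora policy no longer declares that type, which is not visible here. The body of apache_admin continues past the end of this hunk.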
+++ b/apache.te -@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) +@@ -1,297 +1,353 @@ +-policy_module(apache, 2.6.10) ++policy_module(apache, 2.4.0) ++ ++# ++# NOTES: ++# This policy will work with SUEXEC enabled as part of the Apache ++# configuration. However, the user CGI scripts will run under the ++# system_u:system_r:httpd_user_script_t. ++# ++# The user CGI scripts must be labeled with the httpd_user_script_exec_t ++# type, and the directory containing the scripts should also be labeled ++# with these types. This policy allows the user role to perform that ++# relabeling. If it is desired that only admin role should be able to relabel ++# the user CGI scripts, then relabel rule for user roles should be removed. ++# + + ######################################## + # # Declarations # +selinux_genbool(httpd_bool_t) + ## - ##

    - ## Allow Apache to modify public files -@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0) - ## be labeled public_content_rw_t. - ##

    +-##

    +-## Determine whether httpd can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow Apache to modify public files ++## used for public file transfer services. Directories/Files must ++## be labeled public_content_rw_t. ++##

    ##
    -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) ## - ##

    - ## Allow Apache to use mod_auth_pam - ##

    +-##

    +-## Determine whether httpd can use mod_auth_pam. +-##

    ++##

    ++## Allow Apache to use mod_auth_pam ++##

    ##
    -gen_tunable(allow_httpd_mod_auth_pam, false) +gen_tunable(httpd_mod_auth_pam, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can use built in scripting. +-##

    +##

    +## Allow Apache to use mod_auth_ntlm_winbind +##

    -+##
    + ##
    +-gen_tunable(httpd_builtin_scripting, false) +gen_tunable(httpd_mod_auth_ntlm_winbind, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can check spam. +-##

    +##

    +## Allow httpd scripts and modules execmem/execstack +##

    -+##
    + ##
    +-gen_tunable(httpd_can_check_spam, false) +gen_tunable(httpd_execmem, false) -+ -+## + + ## +-##

    +-## Determine whether httpd scripts and modules +-## can connect to the network using TCP. +-##

    +##

    +## Allow httpd processes to manage IPA content +##

    +##
    +gen_tunable(httpd_manage_ipa, false) - - ## - ##

    -@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false) - - ## - ##

    -+## Allow HTTPD scripts and modules to connect to cobbler over the network. ++ ++## ++##

    ++## Allow httpd to use built in scripting (usually php) +##

    +##
    -+gen_tunable(httpd_can_network_connect_cobbler, false) ++gen_tunable(httpd_builtin_scripting, false) + +## +##

    ++## Allow HTTPD scripts and modules to connect to the network using TCP. ++##

    + ##
    + gen_tunable(httpd_can_network_connect, false) + + ## +-##

    +-## Determine whether httpd scripts and modules +-## can connect to cobbler over the network. +-##

    ++##

    ++## Allow HTTPD scripts and modules to connect to cobbler over the network. ++##

    + ##
    + gen_tunable(httpd_can_network_connect_cobbler, false) + + ## +-##

    +-## Determine whether scripts and modules can +-## connect to databases over the network. +-##

    ++##

    +## Allow HTTPD to connect to port 80 for graceful shutdown +##

    -+##
    + ##
    +-gen_tunable(httpd_can_network_connect_db, false) +gen_tunable(httpd_graceful_shutdown, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can connect to +-## ldap over the network. +-##

    +##

    - ## Allow HTTPD scripts and modules to connect to databases over the network. - ##

    ++## Allow HTTPD scripts and modules to connect to databases over the network. ++##

    ##
    -@@ -57,12 +94,33 @@ gen_tunable(httpd_can_network_connect_db, false) +-gen_tunable(httpd_can_network_connect_ldap, false) ++gen_tunable(httpd_can_network_connect_db, false) ## - ##

    +-##

    +-## Determine whether httpd can connect +-## to memcache server over the network. +-##

    ++##

    +## Allow httpd to connect to memcache server +##

    -+##
    + ##
    +-gen_tunable(httpd_can_network_connect_memcache, false) +gen_tunable(httpd_can_network_memcache, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can act as a relay. +-##

    +##

    - ## Allow httpd to act as a relay - ##

    ++## Allow httpd to act as a relay ++##

    ##
    gen_tunable(httpd_can_network_relay, false) ## +-##

    +-## Determine whether httpd daemon can +-## connect to zabbix over the network. +-##

    +##

    +## Allow http daemon to connect to zabbix +##

    -+##
    + ##
    +-gen_tunable(httpd_can_network_connect_zabbix, false) +gen_tunable(httpd_can_connect_zabbix, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can send mail. +-##

    +##

    +## Allow http daemon to check spam +##

    @@ -3254,101 +3879,233 @@ index 0833afb..2864927 100644 +gen_tunable(httpd_can_check_spam, false) + +## - ##

    - ## Allow http daemon to send mail - ##

    -@@ -93,6 +151,21 @@ gen_tunable(httpd_enable_ftp_server, false) ++##

    ++## Allow http daemon to send mail ++##

    + ##
    + gen_tunable(httpd_can_sendmail, false) + + ## +-##

    +-## Determine whether httpd can communicate +-## with avahi service via dbus. +-##

    ++##

    ++## Allow Apache to communicate with avahi service via dbus ++##

    + ##
    + gen_tunable(httpd_dbus_avahi, false) + + ## +-##

    +-## Determine wether httpd can use support. +-##

    ++##

    ++## Allow httpd cgi support ++##

    + ##
    + gen_tunable(httpd_enable_cgi, false) + + ## +-##

    +-## Determine whether httpd can act as a +-## FTP server by listening on the ftp port. +-##

    ++##

    ++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

    + ##
    + gen_tunable(httpd_enable_ftp_server, false) ## - ##

    +-##

    +-## Determine whether httpd can traverse +-## user home directories. +-##

    ++##

    +## Allow httpd to act as a FTP client +## connecting to the ftp port and ephemeral ports +##

    -+##
    + ##
    +-gen_tunable(httpd_enable_homedirs, false) +gen_tunable(httpd_can_connect_ftp, false) -+ -+## + + ## +-##

    +-## Determine whether httpd gpg can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    +##

    +## Allow httpd to connect to the ldap port +##

    -+##
    + ##
    +-gen_tunable(httpd_gpg_anon_write, false) +gen_tunable(httpd_can_connect_ldap, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can execute +-## its temporary content. +-##

    +##

    - ## Allow httpd to read home directories - ##

    ++## Allow httpd to read home directories ++##

    ##
    -@@ -100,6 +173,27 @@ gen_tunable(httpd_enable_homedirs, false) +-gen_tunable(httpd_tmp_exec, false) ++gen_tunable(httpd_enable_homedirs, false) ## - ##

    +-##

    +-## Determine whether httpd scripts and +-## modules can use execmem and execstack. +-##

    ++##

    +## Allow httpd to read user content +##

    -+##
    + ##
    +-gen_tunable(httpd_execmem, false) +gen_tunable(httpd_read_user_content, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can connect +-## to port 80 for graceful shutdown. +-##

    +##

    +## Allow Apache to run in stickshift mode, not transition to passenger +##

    -+##
    + ##
    +-gen_tunable(httpd_graceful_shutdown, false) +gen_tunable(httpd_run_stickshift, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can +-## manage IPA content files. +-##

    +##

    +## Allow Apache to query NS records +##

    -+##
    + ##
    +-gen_tunable(httpd_manage_ipa, false) +gen_tunable(httpd_verify_dns, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can use mod_auth_ntlm_winbind. +-##

    +##

    - ## Allow httpd daemon to change its resource limits - ##

    ++## Allow httpd daemon to change its resource limits ++##

    + ##
    +-gen_tunable(httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_setrlimit, false) + + ## +-##

    +-## Determine whether httpd can read +-## generic user home content files. +-##

    ++##

    ++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ++##

    ##
    -@@ -114,6 +208,13 @@ gen_tunable(httpd_ssi_exec, false) +-gen_tunable(httpd_read_user_content, false) ++gen_tunable(httpd_ssi_exec, false) ## - ##

    +-##

    +-## Determine whether httpd can change +-## its resource limits. +-##

    ++##

    +## Allow Apache to execute tmp content. +##

    -+##
    + ##
    +-gen_tunable(httpd_setrlimit, false) +gen_tunable(httpd_tmp_exec, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can run +-## SSI executables in the same domain +-## as system CGI scripts. +-##

    ++##

    ++## Unify HTTPD to communicate with the terminal. ++## Needed for entering the passphrase for certificates at ++## the terminal. ++##

    + ##
    +-gen_tunable(httpd_ssi_exec, false) ++gen_tunable(httpd_tty_comm, false) + + ## +-##

    +-## Determine whether httpd can communicate +-## with the terminal. Needed for entering the +-## passphrase for certificates at the terminal. +-##

    +##

    - ## Unify HTTPD to communicate with the terminal. - ## Needed for entering the passphrase for certificates at - ## the terminal. -@@ -130,12 +231,26 @@ gen_tunable(httpd_unified, false) ++## Unify HTTPD handling of all content files. ++##

    + ##
    +-gen_tunable(httpd_tty_comm, false) ++gen_tunable(httpd_unified, false) ## - ##

    +-##

    +-## Determine whether httpd can have full access +-## to its content types. +-##

    ++##

    +## Allow httpd to access openstack ports +##

    -+##
    + ##
    +-gen_tunable(httpd_unified, false) +gen_tunable(httpd_use_openstack, false) -+ -+## + + ## +-##

    +-## Determine whether httpd can use +-## cifs file systems. +-##

    +##

    - ## Allow httpd to access cifs file systems - ##

    ++## Allow httpd to access cifs file systems ++##

    ##
    gen_tunable(httpd_use_cifs, false) ## -+##

    + ##

    +-## Determine whether httpd can +-## use fuse file systems. +## Allow httpd to access FUSE file systems -+##

    -+##
    -+gen_tunable(httpd_use_fusefs, false) -+ -+## - ##

    - ## Allow httpd to run gpg - ##

    -@@ -149,12 +264,28 @@ gen_tunable(httpd_use_gpg, false) + ##

    + ##
    + gen_tunable(httpd_use_fusefs, false) + + ## +-##

    +-## Determine whether httpd can use gpg. +-##

    ++##

    ++## Allow httpd to run gpg ++##

    + ##
    + gen_tunable(httpd_use_gpg, false) + + ## +-##

    +-## Determine whether httpd can use +-## nfs file systems. +-##

    ++##

    ++## Allow httpd to access nfs file systems ++##

    ##
    gen_tunable(httpd_use_nfs, false) @@ -3367,18 +4124,25 @@ index 0833afb..2864927 100644 +gen_tunable(httpd_use_oddjob, false) + attribute httpdcontent; - attribute httpd_user_content_type; +-attribute httpd_htaccess_type; ++attribute httpd_user_content_type; +attribute httpd_content_type; - # domains that can exec all users scripts +-# domains that can exec all scripts ++# domains that can exec all users scripts attribute httpd_exec_scripts; +attribute httpd_script_type; attribute httpd_script_exec_type; - attribute httpd_user_script_exec_type; ++attribute httpd_user_script_exec_type; -@@ -163,6 +294,10 @@ attribute httpd_script_domains; +-# all script domains ++# user script domains + attribute httpd_script_domains; +-attribute_role httpd_helper_roles; +-roleattribute system_r httpd_helper_roles; +- type httpd_t; type httpd_exec_t; +ifdef(`distro_redhat',` @@ -3386,18 +4150,25 @@ index 0833afb..2864927 100644 + typealias httpd_exec_t alias phpfpm_exec_t; +') init_daemon_domain(httpd_t, httpd_exec_t) - role system_r types httpd_t; ++role system_r types httpd_t; -@@ -173,7 +308,7 @@ files_type(httpd_cache_t) ++# httpd_cache_t is the type given to the /var/cache/httpd ++# directory and the files under that directory + type httpd_cache_t; + files_type(httpd_cache_t) - # httpd_config_t is the type given to the configuration files ++# httpd_config_t is the type given to the configuration files type httpd_config_t; --files_type(httpd_config_t) -+files_config_file(httpd_config_t) + files_config_file(httpd_config_t) type httpd_helper_t; type httpd_helper_exec_t; -@@ -184,10 +319,19 @@ role system_r types httpd_helper_t; +-application_domain(httpd_helper_t, httpd_helper_exec_t) +-role httpd_helper_roles types httpd_helper_t; ++domain_type(httpd_helper_t) ++domain_entry_file(httpd_helper_t, httpd_helper_exec_t) ++role system_r types httpd_helper_t; + type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) 
@@ -3416,11 +4187,43 @@ index 0833afb..2864927 100644 +') logging_log_file(httpd_log_t) - # httpd_modules_t is the type given to module files (libraries) -@@ -223,7 +367,21 @@ files_tmp_file(httpd_suexec_tmp_t) - - # setup the system domain for system CGI scripts ++# httpd_modules_t is the type given to module files (libraries) ++# that come with Apache /etc/httpd/modules and /usr/lib/apache + type httpd_modules_t; + files_type(httpd_modules_t) + ++type httpd_php_t; ++type httpd_php_exec_t; ++domain_type(httpd_php_t) ++domain_entry_file(httpd_php_t, httpd_php_exec_t) ++role system_r types httpd_php_t; ++ ++type httpd_php_tmp_t; ++files_tmp_file(httpd_php_tmp_t) ++ + type httpd_rotatelogs_t; + type httpd_rotatelogs_exec_t; + init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +355,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) + type httpd_squirrelmail_t; + files_type(httpd_squirrelmail_t) + +-type squirrelmail_spool_t; +-files_tmp_file(squirrelmail_spool_t) +- +-type httpd_suexec_t; ++# SUEXEC runs user scripts as their own user ID ++type httpd_suexec_t; #, daemon; + type httpd_suexec_exec_t; + domain_type(httpd_suexec_t) + domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) +@@ -311,9 +365,23 @@ role system_r types httpd_suexec_t; + type httpd_suexec_tmp_t; + files_tmp_file(httpd_suexec_tmp_t) + ++# setup the system domain for system CGI scripts apache_content_template(sys) +-corecmd_shell_entry_type(httpd_sys_script_t) -typealias httpd_sys_content_t alias ntop_http_content_t; + +optional_policy(` @@ -3440,7 +4243,7 @@ index 0833afb..2864927 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -233,6 +391,11 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) 
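Review bot: `type httpd_suexec_t; #, daemon;` in the new patch carries a leftover fragment after the comment marker; m4 ignores it, but it reads like a half-removed attribute list, so trim it to `type httpd_suexec_t;` (the `# SUEXEC runs user scripts as their own user ID` line above already explains the type). The hunk also drops upstream's `corecmd_shell_entry_type(httpd_sys_script_t)` right after `apache_content_template(sys)`; if the template in this patch does not grant a shell entrypoint itself (its body is outside this hunk), `#!/bin/sh` system CGIs could no longer enter httpd_sys_script_t, so a one-line comment stating why the entrypoint is not wanted would save the next rebase from re-adding it.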
@@ -3452,15 +4255,20 @@ index 0833afb..2864927 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -240,6 +403,7 @@ userdom_user_home_content(httpd_user_ra_content_t) + userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) - typeattribute httpd_user_script_t httpd_script_domains; ++typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias httpd_unconfined_content_t; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -259,16 +423,28 @@ type httpd_var_lib_t; +@@ -343,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad + typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; + typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + ++# for apache2 memory mapped files + type httpd_var_lib_t; files_type(httpd_var_lib_t) type httpd_var_run_t; 
@@ -3469,12 +4277,20 @@ index 0833afb..2864927 100644 +') files_pid_file(httpd_var_run_t) +-type httpd_passwd_t; +-type httpd_passwd_exec_t; +-domain_type(httpd_passwd_t) +-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t) +-role system_r types httpd_passwd_t; +# Removal of fastcgi, will cause problems without the following +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -+ - # File Type of squirrelmail attachments - type squirrelmail_spool_t; - files_tmp_file(squirrelmail_spool_t) + +-type httpd_gpg_t; +-domain_type(httpd_gpg_t) +-role system_r types httpd_gpg_t; ++# File Type of squirrelmail attachments ++type squirrelmail_spool_t; ++files_tmp_file(squirrelmail_spool_t) +files_spool_file(squirrelmail_spool_t) optional_policy(` 
@@ -3488,118 +4304,172 @@ index 0833afb..2864927 100644 + ######################################## # - # Apache server local policy -@@ -288,11 +464,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow httpd_t self:tcp_socket create_stream_socket_perms; - allow httpd_t self:udp_socket create_socket_perms; +-# Local policy ++# Apache server local policy + # + + allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +-dontaudit httpd_t self:capability net_admin; ++dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow httpd_t self:fd use; + allow httpd_t self:sock_file read_sock_file_perms; +@@ -378,28 +460,36 @@ allow httpd_t self:shm create_shm_perms; + allow httpd_t self:sem create_sem_perms; + allow httpd_t self:msgq create_msgq_perms; + allow httpd_t self:msg { send receive }; +-allow httpd_t self:unix_dgram_socket sendto; +-allow httpd_t self:unix_stream_socket { accept connectto listen }; +-allow httpd_t self:tcp_socket { accept listen }; ++allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow httpd_t self:tcp_socket create_stream_socket_perms; ++allow httpd_t self:udp_socket create_socket_perms; +dontaudit httpd_t self:netlink_audit_socket create_socket_perms; - # Allow httpd_t to put files in /var/cache/httpd etc ++# Allow httpd_t to put files in /var/cache/httpd etc manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +-files_var_filetrans(httpd_t, httpd_cache_t, dir) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) - # Allow the httpd_t to 
read the web servers config files ++# Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms; + read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + ++can_exec(httpd_t, httpd_exec_t) ++ + allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t, httpd_lock_t, file) - allow httpd_t httpd_log_t:dir setattr; -+create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) +-allow httpd_t httpd_log_t:dir setattr_dir_perms; ++allow httpd_t httpd_log_t:dir setattr; + create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) -@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) ++# cjp: need to refine create interfaces to ++# cut this back to add_name only + logging_log_filetrans(httpd_t, httpd_log_t, file) - manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) - manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -+manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) - manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) --files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) -+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) -+userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) - - manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) - manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) - manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) - fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - 
-+manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) - manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) --files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) -+files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) - - setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - kernel_read_kernel_sysctls(httpd_t) - # for modules that want to access /proc/meminfo - kernel_read_system_state(httpd_t) -+kernel_read_network_state(httpd_t) -+kernel_search_network_sysctl(httpd_t) + allow httpd_t httpd_modules_t:dir list_dir_perms; +@@ -407,6 +497,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) --corenet_all_recvfrom_unlabeled(httpd_t) ++apache_domtrans_rotatelogs(httpd_t) ++# Apache-httpd needs to be able to send signals to the log rotate procs. 
+ allow httpd_t httpd_rotatelogs_t:process signal_perms; + + manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +507,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + + allow httpd_t httpd_suexec_exec_t:file read_file_perms; + ++allow httpd_t httpd_sys_content_t:dir list_dir_perms; ++read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++ + allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -445,140 +541,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + +-can_exec(httpd_t, httpd_exec_t) +- +-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) +-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) +-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) +- + kernel_read_kernel_sysctls(httpd_t) +-kernel_read_network_state(httpd_t) ++# for modules that want to access /proc/meminfo + kernel_read_system_state(httpd_t) ++kernel_read_network_state(httpd_t) + kernel_search_network_sysctl(httpd_t) + +-corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) - corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) - corenet_tcp_sendrecv_all_ports(httpd_t) - corenet_udp_sendrecv_all_ports(httpd_t) ++corenet_udp_sendrecv_generic_if(httpd_t) + corenet_tcp_sendrecv_generic_node(httpd_t) ++corenet_udp_sendrecv_generic_node(httpd_t) ++corenet_tcp_sendrecv_all_ports(httpd_t) ++corenet_udp_sendrecv_all_ports(httpd_t) 
corenet_tcp_bind_generic_node(httpd_t) +- +-corenet_sendrecv_http_server_packets(httpd_t) +corenet_udp_bind_generic_node(httpd_t) corenet_tcp_bind_http_port(httpd_t) +-corenet_tcp_sendrecv_http_port(httpd_t) +- +-corenet_sendrecv_http_cache_server_packets(httpd_t) +corenet_udp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) +-corenet_tcp_sendrecv_http_cache_port(httpd_t) +- +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) +corenet_tcp_bind_jboss_management_port(httpd_t) +corenet_tcp_bind_jboss_messaging_port(httpd_t) - corenet_sendrecv_http_server_packets(httpd_t) ++corenet_sendrecv_http_server_packets(httpd_t) +corenet_tcp_bind_puppet_port(httpd_t) - # Signal self for shutdown --corenet_tcp_connect_http_port(httpd_t) ++# Signal self for shutdown +tunable_policy(`httpd_graceful_shutdown',` + corenet_tcp_connect_http_port(httpd_t) +') dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) + dev_read_urand(httpd_t) + dev_rw_crypto(httpd_t) +-domain_use_interactive_fds(httpd_t) +- fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) -+fs_read_iso9660_files(httpd_t) +- +-fs_getattr_all_fs(httpd_t) +-fs_read_anon_inodefs_files(httpd_t) + fs_read_iso9660_files(httpd_t) +-fs_search_auto_mountpoints(httpd_t) +fs_read_anon_inodefs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t) - - auth_use_nsswitch(httpd_t) - ++ ++auth_use_nsswitch(httpd_t) ++ +application_exec_all(httpd_t) + - # execute perl - corecmd_exec_bin(httpd_t) - corecmd_exec_shell(httpd_t) -@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) ++# execute perl ++corecmd_exec_bin(httpd_t) ++corecmd_exec_shell(httpd_t) ++ ++domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -+files_read_var_symlinks(httpd_t) + files_read_var_symlinks(httpd_t) 
files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) - # for modules that want to access /etc/mtab ++# for modules that want to access /etc/mtab files_read_etc_runtime_files(httpd_t) - # Allow httpd_t to have access to files such as nisswitch.conf --files_read_etc_files(httpd_t) - # for tomcat ++# Allow httpd_t to have access to files such as nisswitch.conf ++# for tomcat files_read_var_lib_symlinks(httpd_t) - fs_search_auto_mountpoints(httpd_sys_script_t) +-auth_use_nsswitch(httpd_t) ++fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) 
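Review bot: `dontaudit httpd_t self:capability { net_admin sys_tty_config };` in the new patch lists `sys_tty_config`, but the unchanged allow line just above it already grants `sys_tty_config` to `httpd_t`, so that half of the dontaudit can never fire; keep it as `dontaudit httpd_t self:capability net_admin;`, or drop `sys_tty_config` from the allow if the intent was to stop granting it. The hunk also adds unconditional `corenet_tcp_bind_ntop_port`, `corenet_tcp_bind_jboss_management_port`, `corenet_tcp_bind_jboss_messaging_port` and `corenet_tcp_bind_puppet_port` for `httpd_t`, while the outbound `corenet_tcp_connect_http_port` in the same hunk is gated behind `httpd_graceful_shutdown`; a comment naming which deployment needs each extra listening port would let a reviewer judge whether those belong behind a tunable as well. With `application_exec_all(httpd_t)`, `files_exec_usr_files(httpd_t)` and `can_exec(httpd_t, httpd_exec_t)` added in the same hunk, the domain's unconditional surface grows noticeably and deserves a line in the patch header.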
@@ -3620,33 +4490,38 @@ index 0833afb..2864927 100644 miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) -- --seutil_dontaudit_search_config(httpd_t) -+miscfiles_read_tetex_data(httpd_t) + miscfiles_read_tetex_data(httpd_t) +-seutil_dontaudit_search_config(httpd_t) +- userdom_use_unpriv_users_fds(httpd_t) --tunable_policy(`allow_httpd_anon_write',` +-ifdef(`TODO',` +- tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; +') -+ + +- logging_send_audit_msgs(httpd_t) +- ') +tunable_policy(`httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) ++ miscfiles_manage_public_files(httpd_t) ') --ifdef(`TODO', ` - # - # We need optionals to be able to be within booleans to make this work - # --tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) +-ifdef(`hide_broken_symptoms',` +- libs_exec_lib_files(httpd_t) ++# ++# We need optionals to be able to be within booleans to make this work ++# +tunable_policy(`httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) ') -+ + +-tunable_policy(`allow_httpd_anon_write',` +- miscfiles_manage_public_files(httpd_t) +optional_policy(` + tunable_policy(`httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) 
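Review bot: The comment `# We need optionals to be able to be within booleans to make this work` now sits above a bare `tunable_policy(`httpd_mod_auth_pam',` block with no optional_policy wrapper, so it no longer describes the code it precedes; replace it with a statement of what the block grants, e.g. `# mod_auth_pam: let httpd run the PAM password checker and emit audit records`. The `httpd_setrlimit` block grants `self:capability sys_resource` in addition to `process setrlimit`; a one-line comment on why the capability (raising hard limits) is needed would help the next reviewer judge it.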
@@ -3654,12 +4529,21 @@ index 0833afb..2864927 100644 ') tunable_policy(`httpd_can_network_connect',` +- corenet_sendrecv_all_client_packets(httpd_t) corenet_tcp_connect_all_ports(httpd_t) +- corenet_tcp_sendrecv_all_ports(httpd_t) ') -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_firebird_port(httpd_t) -+ corenet_tcp_connect_mssql_port(httpd_t) + tunable_policy(`httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_t) + corenet_tcp_connect_gds_db_port(httpd_t) +- corenet_tcp_sendrecv_gds_db_port(httpd_t) +- corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) +- corenet_tcp_sendrecv_mssql_port(httpd_t) +- corenet_sendrecv_oracledb_client_packets(httpd_t) +- corenet_tcp_connect_oracledb_port(httpd_t) +- corenet_tcp_sendrecv_oracledb_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) + corenet_tcp_connect_oracle_port(httpd_t) + corenet_sendrecv_oracle_client_packets(httpd_t) 
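Review bot: Under `httpd_can_network_connect_db` the new side keeps `corenet_tcp_connect_gds_db_port(httpd_t)` but, unlike the mssql and oracle entries next to it, has no matching `corenet_sendrecv_gds_db_client_packets(httpd_t)`, while the upstream line that granted it is among the removals; on a host using SECMARK packet labeling the Firebird connection would then be denied at the packet stage. Add `corenet_sendrecv_gds_db_client_packets(httpd_t)` directly after the connect rule. The same omission recurs for httpd_php_t and httpd_suexec_t in later hunks. The tunable_policy block is closed in the next hunk.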
@@ -3667,49 +4551,70 @@ index 0833afb..2864927 100644 + +tunable_policy(`httpd_can_network_memcache',` + corenet_tcp_connect_memcache_port(httpd_t) -+') -+ + ') + tunable_policy(`httpd_can_network_relay',` - # allow httpd to work as a relay +- corenet_sendrecv_gopher_client_packets(httpd_t) ++ # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) +- corenet_tcp_sendrecv_gopher_port(httpd_t) +- corenet_sendrecv_ftp_client_packets(httpd_t) corenet_tcp_connect_ftp_port(httpd_t) +- corenet_tcp_sendrecv_ftp_port(httpd_t) +- corenet_sendrecv_http_client_packets(httpd_t) corenet_tcp_connect_http_port(httpd_t) +- corenet_tcp_sendrecv_http_port(httpd_t) +- corenet_sendrecv_http_cache_client_packets(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) -+ corenet_tcp_connect_squid_port(httpd_t) - corenet_tcp_connect_memcache_port(httpd_t) - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) +- corenet_tcp_sendrecv_http_cache_port(httpd_t) +- corenet_sendrecv_squid_client_packets(httpd_t) + corenet_tcp_connect_squid_port(httpd_t) +- corenet_tcp_sendrecv_squid_port(httpd_t) ++ corenet_tcp_connect_memcache_port(httpd_t) ++ corenet_sendrecv_gopher_client_packets(httpd_t) ++ corenet_sendrecv_ftp_client_packets(httpd_t) ++ corenet_sendrecv_http_client_packets(httpd_t) ++ corenet_sendrecv_http_cache_client_packets(httpd_t) + corenet_sendrecv_squid_client_packets(httpd_t) + corenet_tcp_connect_all_ephemeral_ports(httpd_t) -+') -+ + ') + +-tunable_policy(`httpd_builtin_scripting',` +- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') -+ + +- allow httpd_t httpdcontent:dir list_dir_perms; 
+- allow httpd_t httpdcontent:file read_file_perms; +- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) -+') -+ + ') + +-tunable_policy(`httpd_enable_cgi',` +- allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; +- allow httpd_t httpd_script_exec_type:dir list_dir_perms; +tunable_policy(`httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +708,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') +-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` +-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) +-# ') +tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` + fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) +') -+ + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) @@ -3719,9 +4624,11 @@ index 0833afb..2864927 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) - ') - +- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) ++') ++ +tunable_policy(`httpd_can_connect_ftp',` + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_all_ephemeral_ports(httpd_t) 
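Review bot: `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` inside `httpd_can_network_relay` lets the server connect to any ephemeral TCP port, well beyond the named gopher/ftp/http/http_cache/squid/memcache proxy ports the boolean is documented for; for back ends listening on high ports this is close to `httpd_can_network_connect`. If that widening is intended, say so next to the rule, e.g. `# reverse proxying to back ends that listen on ephemeral ports`, so administrators reading the booleans understand the scope; otherwise move it under its own boolean. The `httpd_execmem` block below now grants execmem/execstack to httpd_sys_script_t and httpd_suexec_t as well as httpd_t, which weakens W^X for all three domains; the boolean's description should name all three so the trade-off is visible.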
@@ -3733,15 +4640,17 @@ index 0833afb..2864927 100644 + +tunable_policy(`httpd_can_connect_zabbix',` + corenet_tcp_connect_zabbix_port(httpd_t) -+') -+ + ') + tunable_policy(`httpd_enable_ftp_server',` +- corenet_sendrecv_ftp_server_packets(httpd_t) corenet_tcp_bind_ftp_port(httpd_t) +- corenet_tcp_sendrecv_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) ') -tunable_policy(`httpd_enable_homedirs',` -- userdom_read_user_home_content_files(httpd_t) +- userdom_search_user_home_dirs(httpd_t) +tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` + can_exec(httpd_t, httpd_tmp_t) +') 
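Review bot: `corenet_tcp_bind_all_ephemeral_ports(httpd_t)` under `httpd_enable_ftp_server` and `corenet_tcp_connect_all_ephemeral_ports(httpd_t)` under `httpd_can_connect_ftp` are undocumented blanket grants; presumably both exist for FTP data connections, which is not obvious from the boolean names. Add `# passive-mode FTP data connections are accepted on ephemeral ports` above the bind rule and `# FTP data channel: connect to the server's ephemeral data port` above the connect rule, so a reader does not mistake them for general network access.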
@@ -3751,37 +4660,84 @@ index 0833afb..2864927 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+ fs_list_auto_mountpoints(httpd_t) - fs_read_nfs_files(httpd_t) +@@ -619,68 +756,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) +tunable_policy(`httpd_use_nfs',` + fs_list_auto_mountpoints(httpd_t) + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) -+') -+ + ') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_t) fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` - # allow httpd to connect to mail servers + ') + +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) +-') +- +-tunable_policy(`httpd_execmem',` +- allow httpd_t self:process { execmem execstack }; +-') +- + tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_t) ++ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) - corenet_sendrecv_smtp_client_packets(httpd_t) -+ corenet_tcp_connect_pop_port(httpd_t) +- corenet_tcp_sendrecv_smtp_port(httpd_t) +- corenet_sendrecv_pop_client_packets(httpd_t) ++ corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) +- corenet_tcp_sendrecv_pop_port(httpd_t) +- + corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) -+ mta_signal_system_mail(httpd_t) -+') -+ + mta_signal_system_mail(httpd_t) + ') + +-optional_policy(` +- tunable_policy(`httpd_can_network_connect_zabbix',` +- zabbix_tcp_connect(httpd_t) +- ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) -+') -+ + ') 
+ +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') +-') +- +-tunable_policy(`httpd_graceful_shutdown',` +- corenet_sendrecv_http_client_packets(httpd_t) +- corenet_tcp_connect_http_port(httpd_t) +- corenet_tcp_sendrecv_http_port(httpd_t) +-') +- +-optional_policy(` +- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` +- gpg_spec_domtrans(httpd_t, httpd_gpg_t) +- ') +-') +- +-optional_policy(` +- tunable_policy(`httpd_mod_auth_ntlm_winbind',` +- samba_domtrans_winbind_helper(httpd_t) +- ') +-') +- +-tunable_policy(`httpd_read_user_content',` +- userdom_read_user_home_content_files(httpd_t) +tunable_policy(`httpd_use_fusefs',` + fs_manage_fusefs_dirs(httpd_t) + fs_manage_fusefs_files(httpd_t) @@ -3789,9 +4745,23 @@ index 0833afb..2864927 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` - # to run correctly without this permission, so the permission - # are dontaudited here. +@@ -690,49 +797,29 @@ tunable_policy(`httpd_setrlimit',` + + tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) ++ allow httpd_sys_script_t httpd_t:fd use; ++ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; ++ allow httpd_sys_script_t httpd_t:process sigchld; + ') + +-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` +- can_exec(httpd_t, httpd_tmp_t) +-') +- ++# When the admin starts the server, the server wants to access ++# the TTY or PTY associated with the session. The httpd appears ++# to run correctly without this permission, so the permission ++# are dontaudited here. tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_t) 
@@ -3799,8 +4769,39 @@ index 0833afb..2864927 100644 ',` userdom_dontaudit_use_user_terminals(httpd_t) + userdom_dontaudit_use_user_terminals(httpd_suexec_t) -+') -+ + ') + +-tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_cifs_dirs(httpd_t) +- fs_manage_cifs_files(httpd_t) +- fs_manage_cifs_symlinks(httpd_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) +-') +- +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) +-') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) +-') +- +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) +-') +- +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_t) +optional_policy(` + # Support for ABRT retrace server + # mod_wsgi @@ -3810,21 +4811,25 @@ index 0833afb..2864927 100644 ') optional_policy(` -@@ -525,6 +831,9 @@ optional_policy(` +@@ -744,12 +831,10 @@ optional_policy(` ') optional_policy(` +- clamav_domtrans_clamscan(httpd_t) +-') +- +-optional_policy(` + cobbler_list_config(httpd_t) -+ cobbler_read_config(httpd_t) -+ cobbler_read_lib_files(httpd_t) - cobbler_search_lib(httpd_t) + cobbler_read_config(httpd_t) + cobbler_read_lib_files(httpd_t) ++ cobbler_search_lib(httpd_t) ') -@@ -540,6 +849,24 @@ optional_policy(` - daemontools_service_domain(httpd_t, httpd_exec_t) + optional_policy(` +@@ -765,6 +850,24 @@ optional_policy(` ') -+optional_policy(` + optional_policy(` + # needed by FreeIPA + dirsrv_stream_connect(httpd_t) + ldap_stream_connect(httpd_t) 
@@ -3842,58 +4847,76 @@ index 0833afb..2864927 100644 + dirsrvadmin_domtrans_unconfined_script_t(httpd_t) +') + - optional_policy(` ++ optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +876,24 @@ optional_policy(` + tunable_policy(`httpd_dbus_avahi',` +@@ -781,34 +884,42 @@ optional_policy(` ') optional_policy(` -+ git_read_generic_system_content_files(httpd_t) -+ gitosis_read_lib_files(httpd_t) ++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` ++ gpg_domtrans_web(httpd_t) ++ ') +') + +optional_policy(` - tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` -- gpg_domtrans(httpd_t) -+ gpg_domtrans_web(httpd_t) - ') - ') - - optional_policy(` + jetty_admin(httpd_t) +') + +optional_policy(` kerberos_keytab_template(httpd, httpd_t) +- kerberos_manage_host_rcache(httpd_t) +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23") +- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23") + kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48") ') optional_policy(` -@@ -573,7 +911,21 @@ optional_policy(` ++ # needed by FreeIPA + ldap_stream_connect(httpd_t) +- +- tunable_policy(`httpd_can_network_connect_ldap',` +- ldap_tcp_connect(httpd_t) +- ') + ') + + optional_policy(` + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) ++ # should have separate types for public and private archives + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) ') optional_policy(` +- memcached_stream_connect(httpd_t) + mediawiki_read_tmp_files(httpd_t) + mediawiki_delete_tmp_files(httpd_t) +') -+ + +- tunable_policy(`httpd_can_network_connect_memcache',` +- memcached_tcp_connect(httpd_t) +- ') +optional_policy(` + memcached_stream_connect(httpd_t) -+ -+ tunable_policy(`httpd_manage_ipa',` -+ memcached_manage_pid_files(httpd_t) -+ ') -+') -+ -+optional_policy(` - # Allow httpd to work with mysql -+ mysql_read_config(httpd_t) + + 
tunable_policy(`httpd_manage_ipa',` + memcached_manage_pid_files(httpd_t) +@@ -816,8 +927,10 @@ optional_policy(` + ') + + optional_policy(` ++ # Allow httpd to work with mysql + mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) ++ mysql_rw_db_sockets(httpd_t) -@@ -584,6 +936,7 @@ optional_policy(` + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) +@@ -826,6 +939,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3901,25 +4924,32 @@ index 0833afb..2864927 100644 ') optional_policy(` -@@ -594,6 +947,42 @@ optional_policy(` +@@ -836,20 +950,35 @@ optional_policy(` ') optional_policy(` +- pcscd_read_pid_files(httpd_t) + openshift_search_lib(httpd_t) + openshift_initrc_signull(httpd_t) + openshift_initrc_signal(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- postgresql_stream_connect(httpd_t) +- postgresql_unpriv_client(httpd_t) + passenger_exec(httpd_t) + passenger_manage_pid_content(httpd_t) +') -+ + +- tunable_policy(`httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_t) +- ') +optional_policy(` + pcscd_read_pub_files(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- puppet_read_lib_files(httpd_t) + pki_apache_domain_signal(httpd_t) + pki_apache_domain_signal(httpd_t) + pki_manage_apache_run(httpd_t) 
@@ -3934,29 +4964,35 @@ index 0833afb..2864927 100644 + +optional_policy(` + pwauth_domtrans(httpd_t) -+') + ') + + optional_policy(` +@@ -857,6 +986,16 @@ optional_policy(` + ') + + optional_policy(` ++ # Allow httpd to work with postgresql ++ postgresql_stream_connect(httpd_t) ++ postgresql_unpriv_client(httpd_t) + -+optional_policy(` -+ rpc_search_nfs_state_data(httpd_t) ++ tunable_policy(`httpd_can_network_connect_db',` ++ postgresql_tcp_connect(httpd_t) ++ ') +') + +optional_policy(` - # Allow httpd to work with postgresql - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) -@@ -608,6 +997,11 @@ optional_policy(` + seutil_sigchld_newrole(httpd_t) + ') + +@@ -865,6 +1004,7 @@ optional_policy(` ') optional_policy(` -+ smokeping_read_lib_files(httpd_t) -+') -+ -+optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1014,12 @@ optional_policy(` +@@ -877,64 +1017,168 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3968,12 +5004,23 @@ index 0833afb..2864927 100644 + ######################################## # - # Apache helper local policy -@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +-# Helper local policy ++# Apache helper local policy + # + +-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) ++domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) + +-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) ++allow httpd_helper_t httpd_config_t:file read_file_perms; +-files_search_etc(httpd_helper_t) ++allow httpd_helper_t httpd_log_t:file append_file_perms; + +-logging_search_logs(httpd_helper_t) logging_send_syslog_msg(httpd_helper_t) --userdom_use_user_terminals(httpd_helper_t) +userdom_use_inherited_user_terminals(httpd_helper_t) + +tunable_policy(`httpd_verify_dns',` 
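Review bot: `dirsrvadmin_domtrans_unconfined_script_t(httpd_t)` at the top of the hunk lets httpd_t transition into what its name says is an unconfined script domain with no tunable around it, only the optional_policy opened in the previous hunk; a default web server should not be able to reach an unconfined domain. If FreeIPA needs it, gate it the way the memcached pid-file rule below already is, e.g. `tunable_policy(`httpd_manage_ipa',` dirsrvadmin_domtrans_unconfined_script_t(httpd_t) ')`, and add a comment naming the FreeIPA component that requires it. Further down, `pki_apache_domain_signal(httpd_t)` is listed twice in the pki optional_policy; drop one, or check whether a different interface was meant for the second line.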
@@ -4008,48 +5055,68 @@ index 0833afb..2864927 100644 + ') +') + -+tunable_policy(`httpd_tty_comm',` + tunable_policy(`httpd_tty_comm',` +- userdom_use_user_terminals(httpd_helper_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) +') - - ######################################## - # -@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t) - userdom_use_unpriv_users_fds(httpd_php_t) - - tunable_policy(`httpd_can_network_connect_db',` -- corenet_tcp_connect_mysqld_port(httpd_t) -- corenet_sendrecv_mysqld_client_packets(httpd_t) -- corenet_tcp_connect_mysqld_port(httpd_sys_script_t) -- corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) -- corenet_tcp_connect_mysqld_port(httpd_suexec_t) -- corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) -- -- corenet_tcp_connect_mssql_port(httpd_t) -- corenet_sendrecv_mssql_client_packets(httpd_t) -- corenet_tcp_connect_mssql_port(httpd_sys_script_t) -- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -- corenet_tcp_connect_mssql_port(httpd_suexec_t) -- corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_firebird_port(httpd_php_t) ++ ++######################################## ++# ++# Apache PHP script local policy ++# ++ ++allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow httpd_php_t self:fd use; ++allow httpd_php_t self:fifo_file rw_fifo_file_perms; ++allow httpd_php_t self:sock_file read_sock_file_perms; ++allow httpd_php_t self:unix_dgram_socket create_socket_perms; ++allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; ++allow httpd_php_t self:unix_dgram_socket sendto; ++allow httpd_php_t self:unix_stream_socket connectto; ++allow httpd_php_t self:shm create_shm_perms; ++allow httpd_php_t self:sem create_sem_perms; ++allow httpd_php_t self:msgq create_msgq_perms; ++allow httpd_php_t self:msg { send receive }; ++ 
++domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) ++ ++# allow php to read and append to apache logfiles ++allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; ++ ++manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) ++manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) ++files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) ++ ++fs_search_auto_mountpoints(httpd_php_t) ++ ++auth_use_nsswitch(httpd_php_t) ++ ++libs_exec_lib_files(httpd_php_t) ++ ++userdom_use_unpriv_users_fds(httpd_php_t) ++ ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_gds_db_port(httpd_php_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) + corenet_tcp_connect_oracle_port(httpd_php_t) + corenet_sendrecv_oracle_client_packets(httpd_php_t) - ') - - optional_policy(` - mysql_stream_connect(httpd_php_t) ++') ++ ++optional_policy(` ++ mysql_stream_connect(httpd_php_t) + mysql_rw_db_sockets(httpd_php_t) - mysql_read_config(httpd_php_t) ++ mysql_read_config(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_php_t) + ') - ') - - optional_policy(` - postgresql_stream_connect(httpd_php_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(httpd_php_t) + postgresql_unpriv_client(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` 
@@ -4058,15 +5125,28 @@ index 0833afb..2864927 100644 ') ######################################## -@@ -702,6 +1140,7 @@ optional_policy(` + # +-# Suexec local policy ++# Apache suexec local policy + # allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; -+allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; - allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; +-allow httpd_suexec_t self:tcp_socket { accept listen }; +-allow httpd_suexec_t self:unix_stream_socket { accept listen }; ++allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; ++ ++domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + + create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) ++ ++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
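Review bot: `userdom_use_inherited_user_terminals(httpd_helper_t)` inside `httpd_tty_comm` repeats the same call that the previous hunk places unconditionally in the helper section, and the upstream `',` userdom_dontaudit_use_user_terminals(httpd_helper_t)` else-branch is gone, so if both lines survive in the generated policy the boolean no longer gates terminal access for httpd_helper_t and denials are no longer silenced when it is off. Either drop the unconditional call or restore the dontaudit else-branch so the helper matches the httpd_t/httpd_suexec_t treatment earlier in the file. In the new PHP section, `allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a negated set that silently grows when new process permissions are added to the kernel; a comment such as `# negated set: audit when new process permissions appear` would flag that for future maintenance.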
@@ -4080,61 +5160,100 @@ index 0833afb..2864927 100644 kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) +-corenet_all_recvfrom_unlabeled(httpd_suexec_t) +-corenet_all_recvfrom_netlabel(httpd_suexec_t) +-corenet_tcp_sendrecv_generic_if(httpd_suexec_t) +-corenet_tcp_sendrecv_generic_node(httpd_suexec_t) +- +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) +- dev_read_urand(httpd_suexec_t) -+fs_read_iso9660_files(httpd_suexec_t) + fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) +application_exec_all(httpd_suexec_t) + - # for shell scripts - corecmd_exec_bin(httpd_suexec_t) - corecmd_exec_shell(httpd_suexec_t) - --files_read_etc_files(httpd_suexec_t) ++# for shell scripts ++corecmd_exec_bin(httpd_suexec_t) ++corecmd_exec_shell(httpd_suexec_t) ++ files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1188,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) -miscfiles_read_localization(httpd_suexec_t) miscfiles_read_public_files(httpd_suexec_t) +-tunable_policy(`httpd_builtin_scripting',` +- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type) +- +- allow httpd_suexec_t httpdcontent:dir list_dir_perms; +- allow httpd_suexec_t httpdcontent:file read_file_perms; +- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms; +-') +corenet_all_recvfrom_netlabel(httpd_suexec_t) -+ + tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; - allow httpd_suexec_t self:udp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled(httpd_suexec_t) -- corenet_all_recvfrom_netlabel(httpd_suexec_t) - corenet_tcp_sendrecv_generic_if(httpd_suexec_t) - corenet_udp_sendrecv_generic_if(httpd_suexec_t) - 
corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',` ++ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_suexec_t self:udp_socket create_socket_perms; ++ ++ corenet_tcp_sendrecv_generic_if(httpd_suexec_t) ++ corenet_udp_sendrecv_generic_if(httpd_suexec_t) ++ corenet_tcp_sendrecv_generic_node(httpd_suexec_t) ++ corenet_udp_sendrecv_generic_node(httpd_suexec_t) ++ corenet_tcp_sendrecv_all_ports(httpd_suexec_t) ++ corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) +- corenet_tcp_sendrecv_all_ports(httpd_suexec_t) ') -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_firebird_port(httpd_suexec_t) -+ corenet_tcp_connect_mssql_port(httpd_suexec_t) + tunable_policy(`httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t) + corenet_tcp_connect_gds_db_port(httpd_suexec_t) +- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t) +- corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) +- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t) +- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) +- corenet_tcp_connect_oracledb_port(httpd_suexec_t) +- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_oracle_port(httpd_suexec_t) + corenet_sendrecv_oracle_client_packets(httpd_suexec_t) -+') -+ + ') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + -+tunable_policy(`httpd_can_sendmail',` -+ mta_send_mail(httpd_suexec_t) -+') -+ + tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_suexec_t) +- corenet_tcp_connect_smtp_port(httpd_suexec_t) +- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t) +- corenet_sendrecv_pop_client_packets(httpd_suexec_t) +- 
corenet_tcp_connect_pop_port(httpd_suexec_t) +- corenet_tcp_sendrecv_pop_port(httpd_suexec_t) + mta_send_mail(httpd_suexec_t) +- mta_signal_system_mail(httpd_suexec_t) + ') + tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_sys_script_t httpdcontent:file entrypoint; ++ allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_read_cifs_files(httpd_suexec_t) +- fs_read_cifs_symlinks(httpd_suexec_t) +-') - +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_suexec_t) + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) 
@@ -4142,164 +5261,372 @@ index 0833afb..2864927 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_suexec_t) + fs_list_auto_mountpoints(httpd_suexec_t) fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1250,25 @@ optional_policy(` - dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') +-tunable_policy(`httpd_execmem',` +- allow httpd_suexec_t self:process { execmem execstack }; +-') +- +-tunable_policy(`httpd_tmp_exec',` +- can_exec(httpd_suexec_t, httpd_suexec_tmp_t) +-') +- +-tunable_policy(`httpd_tty_comm',` +- userdom_use_user_terminals(httpd_suexec_t) +-',` +- userdom_dontaudit_use_user_terminals(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_cifs_dirs(httpd_suexec_t) +- fs_manage_cifs_files(httpd_suexec_t) +- fs_manage_cifs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_suexec_t) ++ fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) + ') + +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_fusefs_dirs(httpd_suexec_t) +- fs_manage_fusefs_files(httpd_suexec_t) +- fs_read_fusefs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_suexec_t) +- fs_manage_nfs_dirs(httpd_suexec_t) +- fs_manage_nfs_files(httpd_suexec_t) +- fs_manage_nfs_symlinks(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_suexec_t) +optional_policy(` -+ 
mysql_stream_connect(httpd_suexec_t) -+ mysql_rw_db_sockets(httpd_suexec_t) -+ mysql_read_config(httpd_suexec_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ mysql_tcp_connect(httpd_suexec_t) -+ ') -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_suexec_t) -+ postgresql_unpriv_client(httpd_suexec_t) -+ -+ tunable_policy(`httpd_can_network_connect_db',` -+ postgresql_tcp_connect(httpd_suexec_t) -+ ') -+') ++ mailman_domtrans_cgi(httpd_suexec_t) + ') + + optional_policy(` +- mailman_domtrans_cgi(httpd_suexec_t) ++ mta_stub(httpd_suexec_t) + ++ # apache should set close-on-exec ++ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; + ') + + optional_policy(` + mysql_stream_connect(httpd_suexec_t) ++ mysql_rw_db_sockets(httpd_suexec_t) + mysql_read_config(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` +@@ -1077,172 +1272,103 @@ optional_policy(` + ') + ') + +-tunable_policy(`httpd_read_user_content',` +- userdom_read_user_home_content_files(httpd_suexec_t) +-') +- +-tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_suexec_t) +-') +- ######################################## # - # Apache system script local policy -@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +-# Common script local policy ++# Apache system script local policy + # + +-allow httpd_script_domains self:fifo_file rw_file_perms; +-allow httpd_script_domains self:unix_stream_socket connectto; +- +-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; +- +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- +-kernel_dontaudit_search_sysctl(httpd_script_domains) +-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) ++allow httpd_sys_script_t self:process getsched; + +-corenet_all_recvfrom_unlabeled(httpd_script_domains) 
+-corenet_all_recvfrom_netlabel(httpd_script_domains) +-corenet_tcp_sendrecv_generic_if(httpd_script_domains) +-corenet_tcp_sendrecv_generic_node(httpd_script_domains) +- +-corecmd_exec_all_executables(httpd_script_domains) ++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; ++allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +-dev_read_rand(httpd_script_domains) +-dev_read_urand(httpd_script_domains) ++dontaudit httpd_sys_script_t httpd_config_t:dir search; - kernel_read_kernel_sysctls(httpd_sys_script_t) +-files_exec_etc_files(httpd_script_domains) +-files_read_etc_files(httpd_script_domains) +-files_search_home(httpd_script_domains) ++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; +-libs_exec_ld_so(httpd_script_domains) +-libs_exec_lib_files(httpd_script_domains) ++allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; ++read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) ++read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) + +-logging_search_logs(httpd_script_domains) ++kernel_read_kernel_sysctls(httpd_sys_script_t) + +-miscfiles_read_fonts(httpd_script_domains) +-miscfiles_read_public_files(httpd_script_domains) +files_read_var_symlinks(httpd_sys_script_t) - files_search_var_lib(httpd_sys_script_t) - files_search_spool(httpd_sys_script_t) ++files_search_var_lib(httpd_sys_script_t) ++files_search_spool(httpd_sys_script_t) +-seutil_dontaudit_search_config(httpd_script_domains) +logging_inherit_append_all_logs(httpd_sys_script_t) -+ - # Should we add a boolean? - apache_domtrans_rotatelogs(httpd_sys_script_t) +-tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_script_domains httpdcontent:file entrypoint; ++# Should we add a boolean? 
++apache_domtrans_rotatelogs(httpd_sys_script_t) + +- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) +auth_use_nsswitch(httpd_sys_script_t) -+ - ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file append_file_perms; + +- can_exec(httpd_script_domains, httpdcontent) ++ifdef(`distro_redhat',` ++ allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',` - mta_send_mail(httpd_sys_script_t) + +-tunable_policy(`httpd_enable_cgi',` +- allow httpd_script_domains self:process { setsched signal_perms }; +- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms; +- +- kernel_read_system_state(httpd_script_domains) +- +- fs_getattr_all_fs(httpd_script_domains) +- +- files_read_etc_runtime_files(httpd_script_domains) +- files_read_usr_files(httpd_script_domains) +- +- libs_read_lib_files(httpd_script_domains) +- +- miscfiles_read_localization(httpd_script_domains) ++tunable_policy(`httpd_can_sendmail',` ++ mta_send_mail(httpd_sys_script_t) ') -+optional_policy(` + optional_policy(` +- tunable_policy(`httpd_enable_cgi && allow_ypbind',` +- nis_use_ypbind_uncond(httpd_script_domains) + tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` + spamassassin_domtrans_client(httpd_t) -+ ') -+') -+ + ') + ') + +-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- corenet_sendrecv_gds_db_client_packets(httpd_script_domains) +- corenet_tcp_connect_gds_db_port(httpd_script_domains) +- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains) +- corenet_sendrecv_mssql_client_packets(httpd_script_domains) +- corenet_tcp_connect_mssql_port(httpd_script_domains) +- corenet_tcp_sendrecv_mssql_port(httpd_script_domains) +- corenet_sendrecv_oracledb_client_packets(httpd_script_domains) +- 
corenet_tcp_connect_oracledb_port(httpd_script_domains) +- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains) +-') +- +-optional_policy(` +- mysql_read_config(httpd_script_domains) +- mysql_stream_connect(httpd_script_domains) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_script_domains) +- ') +tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_firebird_port(httpd_sys_script_t) ++ corenet_tcp_connect_gds_db_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_oracle_port(httpd_sys_script_t) + corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) -+') -+ + ') + +-optional_policy(` +- postgresql_stream_connect(httpd_script_domains) +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) -+ + +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_script_domains) +- ') +-') +tunable_policy(`httpd_use_nfs',` + fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) -+ + +-optional_policy(` +- nscd_use(httpd_script_domains) + fs_list_auto_mountpoints(httpd_suexec_t) + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) -+') -+ + ') + +-######################################## +-# +-# System script local policy +-# +- +-allow httpd_sys_script_t self:tcp_socket { accept listen }; +- +-allow httpd_sys_script_t httpd_t:tcp_socket { read write }; +- +-dontaudit httpd_sys_script_t httpd_config_t:dir search; +corenet_all_recvfrom_netlabel(httpd_sys_script_t) + +-allow httpd_sys_script_t httpd_squirrelmail_t:file { 
append_file_perms read_file_perms }; +- +-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; +-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; +- +-kernel_read_kernel_sysctls(httpd_sys_script_t) +- +-fs_search_auto_mountpoints(httpd_sys_script_t) +- +-files_read_var_symlinks(httpd_sys_script_t) +-files_search_var_lib(httpd_sys_script_t) +-files_search_spool(httpd_sys_script_t) +- +-apache_domtrans_rotatelogs(httpd_sys_script_t) +- +-auth_use_nsswitch(httpd_sys_script_t) +- +-tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_smtp_port(httpd_sys_script_t) +- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t) +- corenet_sendrecv_pop_client_packets(httpd_sys_script_t) +- corenet_tcp_connect_pop_port(httpd_sys_script_t) +- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) +- +- mta_send_mail(httpd_sys_script_t) +- mta_signal_system_mail(httpd_sys_script_t) ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_sys_script_t self:udp_socket create_socket_perms; + - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_sys_script_t self:udp_socket create_socket_perms; - -- corenet_tcp_bind_all_nodes(httpd_sys_script_t) -- corenet_udp_bind_all_nodes(httpd_sys_script_t) -- corenet_all_recvfrom_unlabeled(httpd_sys_script_t) -- corenet_all_recvfrom_netlabel(httpd_sys_script_t) -- corenet_tcp_sendrecv_all_if(httpd_sys_script_t) -- corenet_udp_sendrecv_all_if(httpd_sys_script_t) -- corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) -- corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_bind_generic_node(httpd_sys_script_t) + corenet_udp_bind_generic_node(httpd_sys_script_t) + 
corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) + corenet_udp_sendrecv_generic_if(httpd_sys_script_t) + corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) + corenet_udp_sendrecv_generic_node(httpd_sys_script_t) - corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) - corenet_udp_sendrecv_all_ports(httpd_sys_script_t) - corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_all_ports(httpd_sys_script_t) ++ corenet_sendrecv_all_client_packets(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs',` -- userdom_read_user_home_content_files(httpd_sys_script_t) -+ userdom_search_user_home_dirs(httpd_sys_script_t) + userdom_search_user_home_dirs(httpd_sys_script_t) ') - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +- corenet_tcp_connect_all_ports(httpd_sys_script_t) +- corenet_sendrecv_all_client_packets(httpd_sys_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_execmem',` +- allow httpd_sys_script_t self:process { execmem execstack }; ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_list_auto_mountpoints(httpd_sys_script_t) - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ') -+tunable_policy(`httpd_read_user_content',` -+ userdom_read_user_home_content_files(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_sys_script_t) -+ fs_manage_cifs_files(httpd_sys_script_t) -+ fs_manage_cifs_symlinks(httpd_sys_script_t) + tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1376,70 @@ tunable_policy(`httpd_read_user_content',` + ') + + 
tunable_policy(`httpd_use_cifs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_suexec_t) + fs_manage_cifs_files(httpd_suexec_t) + fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) -+') -+ -+tunable_policy(`httpd_use_fusefs',` -+ fs_manage_fusefs_dirs(httpd_sys_script_t) -+ fs_manage_fusefs_files(httpd_sys_script_t) + ') + + tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_sys_script_t) + fs_manage_fusefs_files(httpd_sys_script_t) +- fs_read_fusefs_symlinks(httpd_sys_script_t) +-') +- +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_sys_script_t) + fs_manage_fusefs_symlinks(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_suexec_t) + fs_manage_fusefs_files(httpd_suexec_t) + fs_manage_fusefs_symlinks(httpd_suexec_t) + fs_exec_fusefs_files(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_sys_script_t) - fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + ') - optional_policy(` - clamav_domtrans_clamscan(httpd_sys_script_t) +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) +- fs_manage_nfs_dirs(httpd_sys_script_t) +- fs_manage_nfs_files(httpd_sys_script_t) +- fs_manage_nfs_symlinks(httpd_sys_script_t) ++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` ++ fs_read_cifs_files(httpd_sys_script_t) ++ fs_read_cifs_symlinks(httpd_sys_script_t) + ') + +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_sys_script_t) ++optional_policy(` ++ 
clamav_domtrans_clamscan(httpd_sys_script_t) + clamav_domtrans_clamscan(httpd_t) ') optional_policy(` - mysql_stream_connect(httpd_sys_script_t) - mysql_rw_db_sockets(httpd_sys_script_t) +- clamav_domtrans_clamscan(httpd_sys_script_t) ++ mysql_stream_connect(httpd_sys_script_t) ++ mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` @@ -4308,8 +5635,8 @@ index 0833afb..2864927 100644 ') optional_policy(` - postgresql_stream_connect(httpd_sys_script_t) -+ postgresql_unpriv_client(httpd_sys_script_t) ++ postgresql_stream_connect(httpd_sys_script_t) + postgresql_unpriv_client(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_sys_script_t) @@ -4317,9 +5644,19 @@ index 0833afb..2864927 100644 ') ######################################## -@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) + # +-# Rotatelogs local policy ++# httpd_rotatelogs local policy + # + + allow httpd_rotatelogs_t self:capability dac_override; + + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + + kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) - kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) ++kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) -files_read_etc_files(httpd_rotatelogs_t) 
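Review bot: The rebased `httpd_use_nfs` and `httpd_use_cifs` blocks grant `fs_exec_nfs_files` / `fs_exec_cifs_files` to both `httpd_sys_script_t` and `httpd_suexec_t` under the bare boolean, while the upstream lines this hunk drops (`tunable_policy(\`httpd_use_nfs && httpd_builtin_scripting',` and its cifs/fusefs twins, as far as the nested markers can be read) only allowed execution from those filesystems when `httpd_builtin_scripting` was also on. An admin who enables `httpd_use_nfs` so a web application can store data on a share thereby also lets CGI and suexec domains execute whatever is on that share, which is broader than the boolean's name suggests and is not mentioned in the commit. I would keep the manage rules where they are and move the exec rules back under the conjoined tunable, as sketched below; the cifs and fusefs blocks want the same split. The `httpd_suexec_t` section this hunk rewrites begins before the hunk, so I cannot see whether an equivalent gate survives there.
```m4
tunable_policy(`httpd_use_nfs',`
	# … unchanged: fs_list_auto_mountpoints / fs_manage_nfs_* for httpd_sys_script_t and httpd_suexec_t, minus fs_exec_nfs_files …
')

# Executing files that live on the share stays behind httpd_builtin_scripting, as upstream has it.
tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
	fs_exec_nfs_files(httpd_sys_script_t)
	fs_exec_nfs_files(httpd_suexec_t)
')
```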
@@ -4329,75 +5666,132 @@ index 0833afb..2864927 100644 ######################################## # -@@ -908,11 +1462,138 @@ optional_policy(` +@@ -1315,8 +1447,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) + # - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_user_script_t httpdcontent:file entrypoint; + optional_policy(` +- apache_content_template(unconfined) ++ type httpd_unconfined_script_t; ++ type httpd_unconfined_script_exec_t; ++ domain_type(httpd_unconfined_script_t) ++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) ++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) ++ ++ role system_r types httpd_unconfined_script_t; ++ allow httpd_t httpd_unconfined_script_t:process signal_perms; + ') + + ######################################## +@@ -1324,49 +1463,36 @@ optional_policy(` + # User content local policy + # + +-tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_user_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_cifs_files(httpd_user_script_t) +- fs_read_cifs_symlinks(httpd_user_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_user_script_t) +-') +- +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_nfs_files(httpd_user_script_t) +- fs_read_nfs_symlinks(httpd_user_script_t) ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, 
httpd_user_ra_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') - # allow accessing files/dirs below the users home dir - tunable_policy(`httpd_enable_homedirs',` -- userdom_search_user_home_dirs(httpd_t) -- userdom_search_user_home_dirs(httpd_suexec_t) -- userdom_search_user_home_dirs(httpd_user_script_t) +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_user_script_t) ++# allow accessing files/dirs below the users home dir ++tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') -+ -+tunable_policy(`httpd_read_user_content',` + ') + + tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) -+ userdom_read_user_home_content_files(httpd_user_script_t) -+') -+ -+######################################## -+# + userdom_read_user_home_content_files(httpd_user_script_t) + ') + +-optional_policy(` +- postgresql_unpriv_client(httpd_user_script_t) +-') +- + ######################################## + # +-# Passwd local policy +# httpd_passwd local policy -+# -+ -+allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; -+allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; -+allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; -+ -+kernel_read_system_state(httpd_passwd_t) -+ -+corecmd_exec_bin(httpd_passwd_t) -+corecmd_exec_shell(httpd_passwd_t) -+ -+dev_read_urand(httpd_passwd_t) -+ -+domain_use_interactive_fds(httpd_passwd_t) -+ -+ -+auth_use_nsswitch(httpd_passwd_t) + # + + allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; + allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; + allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; + +-dontaudit 
httpd_passwd_t httpd_config_t:file read_file_perms; +- + kernel_read_system_state(httpd_passwd_t) + + corecmd_exec_bin(httpd_passwd_t) +@@ -1376,38 +1502,101 @@ dev_read_urand(httpd_passwd_t) + + domain_use_interactive_fds(httpd_passwd_t) + + + auth_use_nsswitch(httpd_passwd_t) + +-miscfiles_read_generic_certs(httpd_passwd_t) +-miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_certs(httpd_passwd_t) -+ + +-######################################## +-# +-# GPG local policy +-# +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) -+ + +-allow httpd_gpg_t self:process setrlimit; +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; -+ + +-allow httpd_gpg_t httpd_t:fd use; +-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; +-allow httpd_gpg_t httpd_t:process sigchld; +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) +corecmd_shell_entry_type(httpd_script_type) -+ + +-dev_read_rand(httpd_gpg_t) +-dev_read_urand(httpd_gpg_t) +allow httpd_script_type self:fifo_file rw_file_perms; +allow httpd_script_type self:unix_stream_socket connectto; -+ + +-files_read_usr_files(httpd_gpg_t) +allow httpd_script_type httpd_t:fifo_file write; +# apache should set close-on-exec +apache_dontaudit_leaks(httpd_script_type) -+ + +-miscfiles_read_localization(httpd_gpg_t) +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) +logging_search_logs(httpd_script_type) -+ + +-tunable_policy(`httpd_gpg_anon_write',` +- miscfiles_manage_public_files(httpd_gpg_t) +kernel_dontaudit_search_sysctl(httpd_script_type) +kernel_dontaudit_search_kernel_sysctl(httpd_script_type) + 
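Review bot: `corecmd_shell_entry_type(httpd_script_type)` near the end of this hunk makes the system shell an entry point for every domain carrying `httpd_script_type`, which relaxes the usual rule that a script domain is entered only through its own `*_script_exec_t` file, and the commit gives no reason for it. Because it is attribute-wide it would also cover `httpd_unconfined_script_t`, declared earlier in the same hunk with `unconfined_domain`, if that type carries the attribute (not visible here), so a shell-entered transition could land in an unconfined domain. If the rule exists for `#!/bin/sh` CGI wrappers, say so on the line, e.g. `# CGI wrappers written in shell are entered via the shell interpreter; applies to every httpd_script_type domain`; otherwise restrict it to the script types that need it. The `apache_dontaudit_leaks(httpd_script_type)` just below inherits only the old `# apache should set close-on-exec` note, which no longer explains what is being silenced.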
@@ -4445,12 +5839,16 @@ index 0833afb..2864927 100644 + +tunable_policy(`httpd_enable_cgi && nis_enabled',` + nis_use_ypbind_uncond(httpd_script_type) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_manage_sys_rw_content(httpd_gpg_t) + nscd_socket_use(httpd_script_type) -+') -+ + ') + +-optional_policy(` +- gpg_entry_type(httpd_gpg_t) +- gpg_exec(httpd_gpg_t) +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + +tunable_policy(`httpd_builtin_scripting',` @@ -4472,33 +5870,22 @@ index 0833afb..2864927 100644 + corenet_tcp_connect_glance_port(httpd_sys_script_t) ') diff --git a/apcupsd.fc b/apcupsd.fc -index cd07b96..f3506be 100644 +index 5ec0e13..2da2368 100644 --- a/apcupsd.fc +++ b/apcupsd.fc -@@ -1,9 +1,13 @@ +@@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) + - /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - -+/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) -+ - /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - -@@ -13,3 +17,4 @@ - /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) - /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) - /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) 
diff --git a/apcupsd.if b/apcupsd.if -index e342775..1fedbe5 100644 +index f3c0aba..5189407 100644 --- a/apcupsd.if +++ b/apcupsd.if -@@ -123,6 +123,29 @@ interface(`apcupsd_cgi_script_domtrans',` +@@ -125,6 +125,29 @@ interface(`apcupsd_cgi_script_domtrans',` ######################################## ## @@ -4525,13 +5912,13 @@ index e342775..1fedbe5 100644 + +######################################## +## - ## All of the rules required to administrate - ## an apcupsd environment + ## All of the rules required to + ## administrate an apcupsd environment. ## @@ -144,11 +167,16 @@ interface(`apcupsd_admin',` - type apcupsd_log_t, apcupsd_lock_t; - type apcupsd_var_run_t; - type apcupsd_initrc_exec_t; + gen_require(` + type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; + type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; + type apcupsd_unit_file_t; ') @@ -4556,7 +5943,7 @@ index e342775..1fedbe5 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index d052bf0..8f2695f 100644 +index b236327..febec9a 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -4568,8 +5955,8 @@ index d052bf0..8f2695f 100644 + ######################################## # - # apcupsd local policy -@@ -53,15 +56,16 @@ kernel_read_system_state(apcupsd_t) + # Local policy +@@ -54,7 +57,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) 
@@ -4577,27 +5964,34 @@ index d052bf0..8f2695f 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) - corenet_tcp_sendrecv_all_ports(apcupsd_t) - corenet_tcp_bind_generic_node(apcupsd_t) +@@ -64,9 +66,11 @@ corenet_udp_sendrecv_generic_node(apcupsd_t) + corenet_udp_bind_generic_node(apcupsd_t) + corenet_tcp_bind_apcupsd_port(apcupsd_t) +corenet_udp_bind_generic_node(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) + corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) +corenet_udp_bind_snmp_port(apcupsd_t) + corenet_udp_bind_snmp_port(apcupsd_t) + corenet_sendrecv_snmp_server_packets(apcupsd_t) +@@ -74,25 +78,33 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) + dev_rw_generic_usb_dev(apcupsd_t) -@@ -76,24 +80,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) +-files_read_etc_files(apcupsd_t) + files_manage_etc_runtime_files(apcupsd_t) + files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 term_use_unallocated_ttys(apcupsd_t) +term_use_usb_ttys(apcupsd_t) - #apcupsd runs shutdown, probably need a shutdown domain - init_rw_utmp(apcupsd_t) - init_telinit(apcupsd_t) - -logging_send_syslog_msg(apcupsd_t) ++#apcupsd runs shutdown, probably need a shutdown domain ++init_rw_utmp(apcupsd_t) ++init_telinit(apcupsd_t) ++ +auth_read_passwd(apcupsd_t) -miscfiles_read_localization(apcupsd_t) @@ -4620,7 +6014,7 @@ index d052bf0..8f2695f 100644 mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') -@@ -113,7 +122,6 @@ optional_policy(` +@@ -112,7 +124,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; 
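Review bot: After the rebase this hunk carries `corenet_udp_bind_generic_node(apcupsd_t)` and `corenet_udp_bind_snmp_port(apcupsd_t)` twice on the new side, once as upstream context and once as the patch's own added line directly after it; the duplicates are harmless to the policy compiler but show that rules upstream has since absorbed were not dropped from the patch, and they should be removed. The same hunk still adds `init_telinit(apcupsd_t)` beneath `#apcupsd runs shutdown, probably need a shutdown domain`; telinit is effectively the power to halt the host, so that TODO is the most security-relevant line here and deserves a bug reference or a confined shutdown domain rather than being carried over unchanged. If it has to stay, sharpen the comment so the next reader sees the stakes: `# apcupsd runs shutdown on UPS events; telinit is effectively power-off, revisit once a dedicated shutdown domain exists`.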
@@ -4629,46 +6023,22 @@ index d052bf0..8f2695f 100644 corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) diff --git a/apm.fc b/apm.fc -index 0123777..5bfd421 100644 +index ce27d2f..d20377e 100644 --- a/apm.fc +++ b/apm.fc @@ -1,3 +1,4 @@ +/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0) + /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) - # - # /usr -@@ -14,6 +15,7 @@ - /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) - - /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) -+/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) - /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) - /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) - /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) + /usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) diff --git a/apm.if b/apm.if -index 1ea99b2..0b668ae 100644 +index 1a7a97e..1d29dce 100644 --- a/apm.if +++ b/apm.if -@@ -89,7 +89,7 @@ interface(`apm_append_log',` - ') - - logging_search_logs($1) -- allow $1 apmd_log_t:file append; -+ allow $1 apmd_log_t:file append_file_perms; - ') +@@ -141,6 +141,29 @@ interface(`apm_stream_connect',` ######################################## -@@ -108,6 +108,28 @@ interface(`apm_stream_connect',` - ') - - files_search_pids($1) -- allow $1 apmd_var_run_t:sock_file write; -- allow $1 apmd_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) -+') -+ -+######################################## -+## + ## +## Execute apmd server in the apmd domain. +## +## 
@@ -4688,30 +6058,43 @@ index 1ea99b2..0b668ae 100644 + allow $1 apmd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, apmd_t) - ') -diff --git a/apm.te b/apm.te -index 1c8c27e..4c09721 100644 ---- a/apm.te -+++ b/apm.te -@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) - # - # Declarations - # ++') + - type apmd_t; - type apmd_exec_t; - init_daemon_domain(apmd_t, apmd_exec_t) -@@ -32,6 +33,9 @@ ifdef(`distro_suse',` - files_type(apmd_var_lib_t) - ') ++######################################## ++## + ## All of the rules required to + ## administrate an apm environment. + ## +@@ -163,9 +186,13 @@ interface(`apm_admin',` + type apmd_tmp_t; + ') + +- allow $1 apmd_t:process { ptrace signal_perms }; ++ allow $1 apmd_t:process { signal_perms }; + ps_process_pattern($1, apmd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 apmd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, apmd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apmd_initrc_exec_t system_r; +diff --git a/apm.te b/apm.te +index 3590e2f..29e3af5 100644 +--- a/apm.te ++++ b/apm.te +@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) + type apmd_var_run_t; + files_pid_file(apmd_var_run_t) +type apmd_unit_file_t; +systemd_unit_file(apmd_unit_file_t) + ######################################## # - # apm client Local policy -@@ -45,7 +49,7 @@ dev_rw_apm_bios(apm_t) + # Client local policy +@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t) fs_getattr_xattr_fs(apm_t) 
@@ -4720,48 +6103,36 @@ index 1c8c27e..4c09721 100644 domain_use_interactive_fds(apm_t) -@@ -59,9 +63,10 @@ logging_send_syslog_msg(apm_t) - # mknod: controlling an orderly resume of PCMCIA requires creating device - # nodes 254,{0,1,2} for some reason. +@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t) + # + allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; -+allow apmd_t self:netlink_socket create_socket_perms; - allow apmd_t self:unix_dgram_socket create_socket_perms; - allow apmd_t self:unix_stream_socket create_stream_socket_perms; - -@@ -81,6 +86,8 @@ kernel_rw_all_sysctls(apmd_t) - kernel_read_system_state(apmd_t) - kernel_write_proc_files(apmd_t) - -+dev_read_input(apmd_t) -+dev_read_mouse(apmd_t) - dev_read_realtime_clock(apmd_t) - dev_read_urand(apmd_t) - dev_rw_apm_bios(apmd_t) -@@ -96,8 +103,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? - fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? - fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? + allow apmd_t self:netlink_socket create_socket_perms; +@@ -115,8 +118,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) + fs_dontaudit_getattr_all_pipes(apmd_t) + fs_dontaudit_getattr_all_sockets(apmd_t) -selinux_search_fs(apmd_t) - corecmd_exec_all_executables(apmd_t) domain_read_all_domains_state(apmd_t) -@@ -114,6 +119,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? - files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? - files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? 
+@@ -128,6 +129,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) + + auth_use_nsswitch(apmd_t) +auth_use_nsswitch(apmd_t) + init_domtrans_script(apmd_t) - init_rw_utmp(apmd_t) - init_telinit(apmd_t) -@@ -124,13 +131,12 @@ libs_exec_lib_files(apmd_t) - logging_send_syslog_msg(apmd_t) + + libs_exec_ld_so(apmd_t) +@@ -136,17 +139,54 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) + logging_send_syslog_msg(apmd_t) -miscfiles_read_localization(apmd_t) miscfiles_read_hwdata(apmd_t) @@ -4774,21 +6145,27 @@ index 1c8c27e..4c09721 100644 userdom_dontaudit_use_unpriv_user_fds(apmd_t) userdom_dontaudit_search_user_home_dirs(apmd_t) -@@ -142,9 +148,8 @@ ifdef(`distro_redhat',` - - can_exec(apmd_t, apmd_var_run_t) - -- # ifconfig_exec_t needs to be run in its own domain for Red Hat - optional_policy(` -- sysnet_domtrans_ifconfig(apmd_t) +-userdom_dontaudit_search_user_home_content(apmd_t) ++userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? ++ ++ifdef(`distro_redhat',` ++ allow apmd_t apmd_lock_t:file manage_file_perms; ++ files_lock_filetrans(apmd_t, apmd_lock_t, file) ++ ++ can_exec(apmd_t, apmd_var_run_t) ++ ++ optional_policy(` + fstools_domtrans(apmd_t) - ') - - optional_policy(` -@@ -155,6 +160,15 @@ ifdef(`distro_redhat',` - netutils_domtrans(apmd_t) - ') - ++ ') ++ ++ optional_policy(` ++ iptables_domtrans(apmd_t) ++ ') ++ ++ optional_policy(` ++ netutils_domtrans(apmd_t) ++ ') ++ + # ifconfig_exec_t needs to be run in its own domain for Red Hat + optional_policy(` + sssd_search_lib(apmd_t) 
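Review bot: On the new side of the rebased apm.te inner hunk `@@ -128,6 +129,8 @@` two adjacent lines both read `auth_use_nsswitch(apmd_t)`, one as context and one as an addition; if this whitespace-collapsed view is faithful, the Fedora patch is re-adding a call that upstream now already carries, and the added line should be dropped. The automount.te hunk at L771 shows the same pattern: its inner hunk `@@ -50,19 +53,20 @@` still adds `kernel_read_vm_sysctls(automount_t)` while the context three lines below it now contains the same call. Duplicate allow-style interface calls compile, but they hide whether the patch still carries anything upstream lacks, which is what a rebase is meant to show.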
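Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` on the new side of the distro_redhat ifdef block now sits directly above an optional_policy whose first rule is `sssd_search_lib(apmd_t)`, while `sysnet_domtrans_ifconfig(apmd_t)` only appears in the next hunk (L762); the three lines between the two hunks are not visible here, so I cannot tell whether the two calls share one optional_policy block. Either way the comment belongs immediately above the optional_policy that contains `sysnet_domtrans_ifconfig(apmd_t)`, and if the two calls do share a block they should be split, since an optional_policy is dropped as a whole when any module it references is absent. The ifdef block opens in this hunk and closes in the next one.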
@@ -4798,23 +6175,20 @@ index 1c8c27e..4c09721 100644 + sysnet_domtrans_ifconfig(apmd_t) + ') + - ',` - # for ifconfig which is run all the time - kernel_dontaudit_search_sysctl(apmd_t) -@@ -181,6 +195,12 @@ optional_policy(` - ') - - optional_policy(` -+ devicekit_manage_pid_files(apmd_t) -+ devicekit_manage_log_files(apmd_t) -+ devicekit_relabel_log_files(apmd_t) ++',` ++ # for ifconfig which is run all the time ++ kernel_dontaudit_search_sysctl(apmd_t) +') + -+optional_policy(` - dbus_system_bus_client(apmd_t) ++ifdef(`distro_suse',` ++ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) ++ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) ++ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file) ++') - optional_policy(` -@@ -210,7 +230,11 @@ optional_policy(` + optional_policy(` + automount_domtrans(apmd_t) +@@ -206,7 +246,11 @@ optional_policy(` ') optional_policy(` @@ -4828,18 +6202,18 @@ index 1c8c27e..4c09721 100644 optional_policy(` diff --git a/apt.te b/apt.te -index 8555315..af9bcbe 100644 +index e2d8d52..c6e62d7 100644 --- a/apt.te +++ b/apt.te -@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t) +@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t) corecmd_exec_bin(apt_t) corecmd_exec_shell(apt_t) -corenet_all_recvfrom_unlabeled(apt_t) corenet_all_recvfrom_netlabel(apt_t) corenet_tcp_sendrecv_generic_if(apt_t) - corenet_udp_sendrecv_generic_if(apt_t) -@@ -121,20 +120,18 @@ fs_getattr_all_fs(apt_t) + corenet_tcp_sendrecv_generic_node(apt_t) +@@ -105,20 +104,18 @@ fs_getattr_all_fs(apt_t) term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) @@ -4860,25 +6234,25 @@ index 8555315..af9bcbe 100644 -userdom_use_user_terminals(apt_t) +userdom_use_inherited_user_terminals(apt_t) - # with boolean, for cron-apt and such? - #optional_policy(` + optional_policy(` + cron_system_entry(apt_t, apt_exec_t) diff --git a/arpwatch.fc b/arpwatch.fc -index a86a6c7..ab50afe 100644 +index 9ca0d0f..9a1a61f 100644 --- a/arpwatch.fc +++ b/arpwatch.fc 
@@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) + /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) +/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) + - # - # /usr - # + /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) + + /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/arpwatch.if b/arpwatch.if -index c804110..06a516f 100644 +index 50c9b9c..51c8cc0 100644 --- a/arpwatch.if +++ b/arpwatch.if -@@ -115,6 +115,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` +@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` ######################################## ## @@ -4905,17 +6279,17 @@ index c804110..06a516f 100644 + +######################################## +## - ## All of the rules required to administrate - ## an arpwatch environment + ## All of the rules required to + ## administrate an arpwatch environment. ## -@@ -135,11 +158,16 @@ interface(`arpwatch_admin',` - type arpwatch_t, arpwatch_tmp_t; +@@ -138,11 +161,16 @@ interface(`arpwatch_admin',` + gen_require(` + type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; type arpwatch_data_t, arpwatch_var_run_t; - type arpwatch_initrc_exec_t; + type arpwatch_unit_file_t; ') -- allow $1 arpwatch_t:process { ptrace signal_perms getattr }; +- allow $1 arpwatch_t:process { ptrace signal_perms }; + allow $1 arpwatch_t:process signal_perms; ps_process_pattern($1, arpwatch_t) @@ -4926,7 +6300,7 @@ index c804110..06a516f 100644 arpwatch_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; -@@ -153,4 +181,8 @@ interface(`arpwatch_admin',` +@@ -156,4 +184,8 @@ interface(`arpwatch_admin',` files_list_pids($1) admin_pattern($1, arpwatch_var_run_t) @@ -4936,7 +6310,7 @@ index c804110..06a516f 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') 
diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..8d012f7 100644
+index fa18c76..ef976af 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -4949,38 +6323,40 @@ index 804135f..8d012f7 100644 ######################################## # # Local policy -@@ -34,6 +37,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; - allow arpwatch_t self:udp_socket create_socket_perms; +@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; + allow arpwatch_t self:tcp_socket { accept listen }; allow arpwatch_t self:packet_socket create_socket_perms; allow arpwatch_t self:socket create_socket_perms; +allow arpwatch_t self:netlink_socket create_socket_perms; manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) +@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) + manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) +-kernel_read_kernel_sysctls(arpwatch_t) kernel_read_network_state(arpwatch_t) +# meminfo -+kernel_read_system_state(arpwatch_t) - kernel_read_kernel_sysctls(arpwatch_t) --kernel_list_proc(arpwatch_t) - kernel_read_proc_symlinks(arpwatch_t) + kernel_read_system_state(arpwatch_t) ++kernel_read_kernel_sysctls(arpwatch_t) ++kernel_read_proc_symlinks(arpwatch_t) kernel_request_load_module(arpwatch_t) --corenet_all_recvfrom_unlabeled(arpwatch_t) - corenet_all_recvfrom_netlabel(arpwatch_t) - corenet_tcp_sendrecv_generic_if(arpwatch_t) - corenet_udp_sendrecv_generic_if(arpwatch_t) -@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t) - - domain_use_interactive_fds(arpwatch_t) - --files_read_etc_files(arpwatch_t) - files_read_usr_files(arpwatch_t) - files_search_var_lib(arpwatch_t) - -@@ -82,8 +85,6 @@ auth_use_nsswitch(arpwatch_t) ++corenet_all_recvfrom_netlabel(arpwatch_t) ++corenet_tcp_sendrecv_generic_if(arpwatch_t) ++corenet_udp_sendrecv_generic_if(arpwatch_t) 
++corenet_raw_sendrecv_generic_if(arpwatch_t) ++corenet_tcp_sendrecv_generic_node(arpwatch_t) ++corenet_udp_sendrecv_generic_node(arpwatch_t) ++corenet_raw_sendrecv_generic_node(arpwatch_t) ++corenet_tcp_sendrecv_all_ports(arpwatch_t) ++corenet_udp_sendrecv_all_ports(arpwatch_t) ++ + dev_read_sysfs(arpwatch_t) + dev_read_usbmon_dev(arpwatch_t) + dev_rw_generic_usb_dev(arpwatch_t) +@@ -66,8 +82,6 @@ auth_use_nsswitch(arpwatch_t) logging_send_syslog_msg(arpwatch_t) @@ -4990,14 +6366,14 @@ index 804135f..8d012f7 100644 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) diff --git a/asterisk.if b/asterisk.if -index b6168fd..313c6e4 100644 +index 7268a04..3a5dc33 100644 --- a/asterisk.if +++ b/asterisk.if @@ -105,9 +105,13 @@ interface(`asterisk_admin',` - type asterisk_initrc_exec_t; + type asterisk_var_lib_t, asterisk_initrc_exec_t; ') -- allow $1 asterisk_t:process { ptrace signal_perms getattr }; +- allow $1 asterisk_t:process { ptrace signal_perms }; + allow $1 asterisk_t:process signal_perms; ps_process_pattern($1, asterisk_t) @@ -5009,10 +6385,10 @@ index b6168fd..313c6e4 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 159610b..164b672 100644 +index 5439f1c..37841a1 100644 --- a/asterisk.te +++ b/asterisk.te -@@ -20,10 +20,11 @@ type asterisk_log_t; +@@ -19,10 +19,11 @@ type asterisk_log_t; logging_log_file(asterisk_log_t) type asterisk_spool_t; 
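Review bot: `corenet_tcp_sendrecv_all_ports(arpwatch_t)` and `corenet_udp_sendrecv_all_ports(arpwatch_t)`, added in the new arpwatch.te inner hunk `@@ -45,11 +49,23 @@`, allow traffic on every labeled port, which is the widest grant in a block that otherwise only adds generic interface and node access and keeps arpwatch on `packet_socket` capture. If these rules answer a denial on a specific port, the matching `corenet_*_port` interface for that port is the narrower fix; if the full range really is needed, say why in a comment above the two lines, in the style of the `# meminfo` comment the same hunk places above `kernel_read_system_state(arpwatch_t)`.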
@@ -5025,33 +6401,21 @@ index 159610b..164b672 100644 type asterisk_tmpfs_t; files_tmpfs_file(asterisk_tmpfs_t) -@@ -40,8 +41,8 @@ files_pid_file(asterisk_var_run_t) - # - - # dac_override for /var/run/asterisk --allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown }; --dontaudit asterisk_t self:capability sys_tty_config; -+allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; -+dontaudit asterisk_t self:capability { sys_module sys_tty_config }; - allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; - allow asterisk_t self:fifo_file rw_fifo_file_perms; - allow asterisk_t self:sem create_sem_perms; -@@ -77,11 +78,13 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f + manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) - files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) +manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) +- +files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) + can_exec(asterisk_t, asterisk_exec_t) -+kernel_read_network_state(asterisk_t) - kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) - kernel_request_load_module(asterisk_t) -@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t) +@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) 
@@ -5059,34 +6423,23 @@ index 159610b..164b672 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t) - corenet_udp_bind_generic_port(asterisk_t) - corenet_dontaudit_udp_bind_all_ports(asterisk_t) - corenet_sendrecv_generic_server_packets(asterisk_t) -+corenet_tcp_connect_festival_port(asterisk_t) -+corenet_tcp_connect_jabber_client_port(asterisk_t) -+corenet_tcp_connect_pktcable_port(asterisk_t) - corenet_tcp_connect_postgresql_port(asterisk_t) - corenet_tcp_connect_snmp_port(asterisk_t) +@@ -125,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t) + + corenet_sendrecv_sip_client_packets(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) +corenet_tcp_connect_jabber_client_port(asterisk_t) dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) -@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t) +@@ -135,7 +136,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) --files_read_etc_files(asterisk_t) +-files_read_usr_files(asterisk_t) files_search_spool(asterisk_t) - # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm - # are labeled usr_t - files_read_usr_files(asterisk_t) -+files_dontaudit_search_home(asterisk_t) + files_dontaudit_search_home(asterisk_t) - fs_getattr_all_fs(asterisk_t) - fs_list_inotifyfs(asterisk_t) -@@ -137,12 +143,14 @@ auth_use_nsswitch(asterisk_t) +@@ -148,8 +148,6 @@ auth_use_nsswitch(asterisk_t) logging_send_syslog_msg(asterisk_t) @@ -5095,14 +6448,6 @@ index 159610b..164b672 100644 userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) - optional_policy(` -+ alsa_read_rw_config(asterisk_t) -+') -+ -+optional_policy(` - mysql_stream_connect(asterisk_t) - ') - diff --git a/authconfig.fc b/authconfig.fc new file mode 100644 index 0000000..86bbf21 
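Review bot: The rebased inner hunk `@@ -135,7 +136,6 @@` removes `files_read_usr_files(asterisk_t)` from asterisk.te, whereas the previous version of this patch removed `files_read_etc_files(asterisk_t)` and kept the usr_t read, with a comment that the demo sound files under /usr/share/asterisk are labeled usr_t. If the removal relies on usr_t reads now being granted to every domain by the base policy, a one-line comment next to the removal would stop a future rebase from restoring the call; if it does not, reading those demo files regresses. The automount.te hunk at L772 makes the same `files_read_usr_files(automount_t)` removal.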
@@ -5290,20 +6635,20 @@ index 0000000..aeea7cf + +unconfined_domain_noaudit(authconfig_t) diff --git a/automount.fc b/automount.fc -index f16ab68..e4178a4 100644 +index 92adb37..0a2ffc6 100644 --- a/automount.fc +++ b/automount.fc -@@ -4,6 +4,8 @@ - /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) +@@ -1,6 +1,8 @@ + /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) +/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0) + - # - # /usr - # + /usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) + + /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) diff --git a/automount.if b/automount.if -index d80a16b..ef740ef 100644 +index 089430a..7cd037b 100644 --- a/automount.if +++ b/automount.if @@ -29,7 +29,6 @@ interface(`automount_domtrans',` @@ -5314,16 +6659,10 @@ index d80a16b..ef740ef 100644 interface(`automount_signal',` gen_require(` type automount_t; -@@ -123,7 +122,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` - type automount_tmp_t; - ') +@@ -134,6 +133,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` -- dontaudit $1 automount_tmp_t:dir getattr; -+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms; -+') -+ -+######################################## -+## + ######################################## + ## +## Execute automount server in the automount domain. +## +## 
@@ -5343,17 +6682,21 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, automount_t) - ') - - ######################################## -@@ -147,11 +169,16 @@ interface(`automount_admin',` ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an automount environment. + ## +@@ -153,11 +175,16 @@ interface(`automount_admin',` gen_require(` type automount_t, automount_lock_t, automount_tmp_t; type automount_var_run_t, automount_initrc_exec_t; + type automount_unit_file_t; ') -- allow $1 automount_t:process { ptrace signal_perms getattr }; +- allow $1 automount_t:process { ptrace signal_perms }; + allow $1 automount_t:process signal_perms; ps_process_pattern($1, automount_t) @@ -5364,7 +6707,7 @@ index d80a16b..ef740ef 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; -@@ -165,4 +192,8 @@ interface(`automount_admin',` +@@ -171,4 +198,8 @@ interface(`automount_admin',` files_list_pids($1) admin_pattern($1, automount_var_run_t) @@ -5374,7 +6717,7 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 39799db..6264256 100644 +index a579c3b..9fdef3d 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
@@ -5387,13 +6730,14 @@ index 39799db..6264256 100644 ######################################## # # Local policy -@@ -56,14 +59,17 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) +@@ -50,19 +53,20 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file }) kernel_read_kernel_sysctls(automount_t) +kernel_read_vm_sysctls(automount_t) kernel_read_irq_sysctls(automount_t) kernel_read_fs_sysctls(automount_t) + kernel_read_vm_sysctls(automount_t) kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_read_network_state(automount_t) @@ -5401,11 +6745,6 @@ index 39799db..6264256 100644 kernel_list_proc(automount_t) kernel_dontaudit_search_xen_state(automount_t) -+files_read_usr_files(automount_t) - files_search_boot(automount_t) - # Automount is slowly adding all mount functionality internally - files_search_all(automount_t) -@@ -79,7 +85,6 @@ fs_search_all(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) 
@@ -5413,30 +6752,25 @@ index 39799db..6264256 100644 corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) -@@ -113,7 +118,6 @@ files_dontaudit_write_var_dirs(automount_t) - files_getattr_all_dirs(automount_t) - files_list_mnt(automount_t) - files_getattr_home_dir(automount_t) --files_read_etc_files(automount_t) +@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t) + files_mounton_all_mountpoints(automount_t) + files_mounton_mnt(automount_t) files_read_etc_runtime_files(automount_t) - # for if the mount point is not labelled - files_getattr_isid_type_dirs(automount_t) -@@ -140,13 +144,8 @@ auth_use_nsswitch(automount_t) +-files_read_usr_files(automount_t) + files_search_boot(automount_t) + files_search_all(automount_t) + files_unmount_all_file_type_fs(automount_t) +@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) -miscfiles_read_localization(automount_t) miscfiles_read_generic_certs(automount_t) --# Run mount in the mount_t domain. -mount_domtrans(automount_t) -mount_signal(automount_t) - userdom_dontaudit_use_unpriv_user_fds(automount_t) - userdom_dontaudit_search_user_home_dirs(automount_t) - -@@ -155,6 +154,13 @@ optional_policy(` - ') optional_policy(` + # Run mount in the mount_t domain. @@ -5450,7 +6784,7 @@ index 39799db..6264256 100644 ') diff --git a/avahi.fc b/avahi.fc -index 7e36549..010b2bc 100644 +index e9fe2ca..4c2d076 100644 --- a/avahi.fc +++ b/avahi.fc @@ -1,5 +1,7 @@ 
@@ -5458,14 +6792,23 @@ index 7e36549..010b2bc 100644 +/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0) + - /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) - /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) - /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) + /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) + /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) + /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) diff --git a/avahi.if b/avahi.if -index 61c74bc..17b3ecc 100644 +index aebe7cb..33fe57b 100644 --- a/avahi.if +++ b/avahi.if -@@ -133,6 +133,29 @@ interface(`avahi_dontaudit_search_pid',` +@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',` + ######################################## + ## + ## Connect to avahi using a unix +-$$ stream socket. ++## stream socket. + ## + ## + ## +@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',` ######################################## ## @@ -5492,14 +6835,15 @@ index 61c74bc..17b3ecc 100644 + +######################################## +## - ## All of the rules required to administrate - ## an avahi environment + ## All of the rules required to + ## administrate an avahi environment. ## -@@ -151,11 +174,16 @@ interface(`avahi_dontaudit_search_pid',` +@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',` interface(`avahi_admin',` gen_require(` type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + type avahi_unit_file_t; + type avahi_var_lib_t; ') - allow $1 avahi_t:process { ptrace signal_perms }; 
@@ -5513,17 +6857,17 @@ index 61c74bc..17b3ecc 100644 init_labeled_script_domtrans($1, avahi_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 avahi_initrc_exec_t system_r; -@@ -163,4 +191,8 @@ interface(`avahi_admin',` +@@ -169,4 +197,8 @@ interface(`avahi_admin',` - files_list_pids($1) - admin_pattern($1, avahi_var_run_t) + files_search_var_lib($1) + admin_pattern($1, avahi_var_lib_t) + + avahi_systemctl($1) + admin_pattern($1, avahi_unit_file_t) + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index a7a0e71..34bc1be 100644 +index 60e76be..0f0891b 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) @@ -5537,12 +6881,7 @@ index a7a0e71..34bc1be 100644 ######################################## # -@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) - kernel_read_system_state(avahi_t) - kernel_read_kernel_sysctls(avahi_t) - kernel_read_network_state(avahi_t) -+kernel_request_load_module(avahi_t) - +@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t) corecmd_exec_bin(avahi_t) corecmd_exec_shell(avahi_t) @@ -5550,17 +6889,15 @@ index a7a0e71..34bc1be 100644 corenet_all_recvfrom_netlabel(avahi_t) corenet_tcp_sendrecv_generic_if(avahi_t) corenet_udp_sendrecv_generic_if(avahi_t) -@@ -73,8 +77,8 @@ fs_search_auto_mountpoints(avahi_t) +@@ -72,6 +75,7 @@ fs_search_auto_mountpoints(avahi_t) fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) +domain_dontaudit_signull_all_domains(avahi_t) --files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) - -@@ -85,13 +89,14 @@ init_signull_script(avahi_t) +@@ -83,13 +87,14 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) 
@@ -5576,7 +6913,7 @@ index a7a0e71..34bc1be 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -@@ -104,6 +109,10 @@ optional_policy(` +@@ -106,6 +111,10 @@ optional_policy(` ') optional_policy(` @@ -5587,64 +6924,11 @@ index a7a0e71..34bc1be 100644 seutil_sigchld_newrole(avahi_t) ') -diff --git a/awstats.if b/awstats.if -index 283ff0d..53f9ba1 100644 ---- a/awstats.if -+++ b/awstats.if -@@ -5,6 +5,25 @@ - - ######################################## - ## -+## Execute the awstats program in the awstats domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`awstats_domtrans',` -+ gen_require(` -+ type awstats_t, awstats_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, awstats_exec_t, awstats_t) -+') -+ -+######################################## -+## - ## Read and write awstats unnamed pipes. - ## - ## diff --git a/awstats.te b/awstats.te -index 6bd3ad3..9cd42eb 100644 +index d6ab824..eec2bdb 100644 --- a/awstats.te +++ b/awstats.te -@@ -5,6 +5,13 @@ policy_module(awstats, 1.4.0) - # Declarations - # - -+## -+##

    -+## Allow awstats to purge Apache logs -+##

    -+##
    -+gen_tunable(awstats_purge_apache_log, false) -+ - type awstats_t; - type awstats_exec_t; - domain_type(awstats_t) -@@ -17,8 +24,6 @@ files_tmp_file(awstats_tmp_t) - type awstats_var_lib_t; - files_type(awstats_var_lib_t) - --apache_content_template(awstats) -- - ######################################## - # - # awstats policy -@@ -55,11 +60,15 @@ libs_read_lib_files(awstats_t) +@@ -61,8 +61,6 @@ libs_read_lib_files(awstats_t) logging_read_generic_logs(awstats_t) 
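Review bot: Dropping the patch's own `gen_tunable(awstats_purge_apache_log, false)` in favour of the upstream boolean, which the next hunk's context names `awstats_purge_apache_log_files`, renames a boolean that shipped under the old name, so any value an administrator persisted for `awstats_purge_apache_log` stops applying after the update. That is a behaviour change for deployed systems rather than a pure rebase, and it deserves a changelog line naming both the old and the new boolean so the migration is visible.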
@@ -5652,50 +6936,36 @@ index 6bd3ad3..9cd42eb 100644 - sysnet_dns_name_resolve(awstats_t) --apache_read_log(awstats_t) -+tunable_policy(`awstats_purge_apache_log',` -+ apache_write_log(awstats_t) -+') -+ -+optional_policy(` -+ apache_read_log(awstats_t) -+') - - optional_policy(` - cron_system_entry(awstats_t, awstats_exec_t) -@@ -79,7 +88,16 @@ optional_policy(` - # awstats cgi script policy + tunable_policy(`awstats_purge_apache_log_files',` +@@ -90,9 +88,13 @@ optional_policy(` + # CGI local policy # --allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; -+optional_policy(` -+ apache_content_template(awstats) -+ apache_read_log(httpd_awstats_script_t) ++apache_read_log(httpd_awstats_script_t) + -+ manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+ manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+ files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) - --read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) --files_search_var_lib(httpd_awstats_script_t) -+ allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; ++manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) ++files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) + -+ read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -+ files_search_var_lib(httpd_awstats_script_t) -+') + allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; + + read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) + files_search_var_lib(httpd_awstats_script_t) +- +-apache_read_log(httpd_awstats_script_t) diff --git a/backup.te b/backup.te -index 0bfc958..81fc8bd 100644 +index d6ceef4..c10d39c 100644 --- a/backup.te 
+++ b/backup.te -@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(backup_t) +@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) corecmd_exec_bin(backup_t) corecmd_exec_shell(backup_t) -corenet_all_recvfrom_unlabeled(backup_t) corenet_all_recvfrom_netlabel(backup_t) corenet_tcp_sendrecv_generic_if(backup_t) - corenet_udp_sendrecv_generic_if(backup_t) -@@ -70,7 +69,7 @@ logging_send_syslog_msg(backup_t) + corenet_tcp_sendrecv_generic_node(backup_t) +@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t) sysnet_read_config(backup_t) @@ -5705,10 +6975,10 @@ index 0bfc958..81fc8bd 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) diff --git a/bacula.te b/bacula.te -index fc4ba2a..813e5c1 100644 +index 3beba2f..67e074e 100644 --- a/bacula.te +++ b/bacula.te -@@ -111,7 +111,6 @@ domain_use_interactive_fds(bacula_admin_t) +@@ -150,7 +150,6 @@ domain_use_interactive_fds(bacula_admin_t) files_read_etc_files(bacula_admin_t) @@ -5717,22 +6987,22 @@ index fc4ba2a..813e5c1 100644 sysnet_dns_name_resolve(bacula_admin_t) diff --git a/bcfg2.fc b/bcfg2.fc -index f5413da..9e06a9d 100644 +index fb42e35..8af0e14 100644 --- a/bcfg2.fc +++ b/bcfg2.fc @@ -1,5 +1,7 @@ - /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) + /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) +/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0) + - /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) + /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) - /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) + /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) diff --git a/bcfg2.if b/bcfg2.if -index b289d93..070f22b 100644 +index ec95d36..7132e1e 100644 --- a/bcfg2.if 
+++ b/bcfg2.if -@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',` +@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',` ######################################## ## @@ -5761,18 +7031,28 @@ index b289d93..070f22b 100644 + +######################################## +## - ## All of the rules required to administrate - ## an bcfg2 environment + ## All of the rules required to + ## administrate an bcfg2 environment. ## -@@ -135,6 +160,7 @@ interface(`bcfg2_admin',` - type bcfg2_t; - type bcfg2_initrc_exec_t; - type bcfg2_var_lib_t; -+ type bcfg2_unit_file_t; +@@ -136,11 +161,16 @@ interface(`bcfg2_admin',` + gen_require(` + type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; + type bcfg2_var_run_t; ++ type bcfg2_unit_file_t; ') - allow $1 bcfg2_t:process { ptrace signal_perms }; -@@ -147,4 +173,13 @@ interface(`bcfg2_admin',` +- allow $1 bcfg2_t:process { ptrace signal_perms }; ++ allow $1 bcfg2_t:process { signal_perms }; + ps_process_pattern($1, bcfg2_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bcfg2_t:process ptrace; ++ ') ++ + bcfg2_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 bcfg2_initrc_exec_t system_r; +@@ -151,4 +181,13 @@ interface(`bcfg2_admin',` files_search_var_lib($1) admin_pattern($1, bcfg2_var_lib_t) @@ -5787,7 +7067,7 @@ index b289d93..070f22b 100644 + ') ') diff --git a/bcfg2.te b/bcfg2.te -index cf8e59f..ad57d4a 100644 +index 536ec3c..2d04d51 100644 --- a/bcfg2.te +++ b/bcfg2.te @@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) 
@@ -5800,29 +7080,37 @@ index cf8e59f..ad57d4a 100644 type bcfg2_var_run_t; files_pid_file(bcfg2_var_run_t) -@@ -36,6 +39,8 @@ files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file ) - - kernel_read_system_state(bcfg2_t) - -+corenet_tcp_bind_cyphesis_port(bcfg2_t) -+ - corecmd_exec_bin(bcfg2_t) - - dev_read_urand(bcfg2_t) -@@ -47,5 +52,3 @@ files_read_usr_files(bcfg2_t) +@@ -57,5 +60,3 @@ files_read_usr_files(bcfg2_t) auth_use_nsswitch(bcfg2_t) logging_send_syslog_msg(bcfg2_t) - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 59aa54f..b01072c 100644 +index 2b9a3a1..005bb7e 100644 --- a/bind.fc 
+++ b/bind.fc -@@ -4,6 +4,11 @@ - /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) - /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +@@ -1,54 +1,69 @@ +-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) + +-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) +-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0) + 
@@ -5830,9 +7118,92 @@ index 59aa54f..b01072c 100644 +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) - /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) ++/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) + /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) + +-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + +-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + +-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) ++ifdef(`distro_debian',` ++/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++') ++ ++ifdef(`distro_gentoo',` ++/etc/bind(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) ++/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++') + +-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++ifdef(`distro_redhat',` ++/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot(/.*)? 
gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/proc(/.*)? <> +-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) ++/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) ++/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) +-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +- +-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/bind(/.*)? 
gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ++') diff --git a/bind.if b/bind.if -index 44a1e3d..bc50fd6 100644 +index 866a1e2..6c2dbe4 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` @@ -5865,7 +7236,7 @@ index 44a1e3d..bc50fd6 100644 ## Execute ndc in the ndc domain. ## ## -@@ -167,6 +190,7 @@ interface(`bind_read_config',` +@@ -169,6 +192,7 @@ interface(`bind_read_config',` type named_conf_t; ') @@ -5873,16 +7244,7 @@ index 44a1e3d..bc50fd6 100644 read_files_pattern($1, named_conf_t, named_conf_t) ') -@@ -186,7 +210,7 @@ interface(`bind_write_config',` - ') - - write_files_pattern($1, named_conf_t, named_conf_t) -- allow $1 named_conf_t:file setattr; -+ allow $1 named_conf_t:file setattr_file_perms; - ') - - ######################################## -@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',` +@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',` ######################################## ## @@ -5905,28 +7267,10 @@ index 44a1e3d..bc50fd6 100644 + +######################################## +## - ## Search the BIND cache directory. + ## Search bind cache directories. ## ## -@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',` - type named_var_run_t; - ') - -- allow $1 named_var_run_t:dir setattr; -+ allow $1 named_var_run_t:dir setattr_dir_perms; - ') - - ######################################## -@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',` - type named_zone_t; - ') - -- allow $1 named_zone_t:dir setattr; -+ allow $1 named_zone_t:dir setattr_dir_perms; - ') - - ######################################## -@@ -308,6 +351,27 @@ interface(`bind_read_zone',` +@@ -310,6 +353,27 @@ interface(`bind_read_zone',` ######################################## ## 
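Review bot: In the new `distro_redhat` block the dot before `zones` has lost its escape — `/etc/named\.rfc1912.zones` and `/var/named/chroot/etc/named\.rfc1912.zones` — whereas the lines they replace spelled it `named\.rfc1912\.zones`. File-context specs are regexes, so an unescaped `.` matches any character and a sibling such as `named.rfc1912-zones` would also be labeled `named_conf_t`. The two specs should read `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)` and `/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. Low impact since only the config label is involved, but it is a regression against the removed lines.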
@@ -5951,93 +7295,65 @@ index 44a1e3d..bc50fd6 100644 + +######################################## +## - ## Manage BIND zone files. + ## Create, read, write, and delete + ## bind zone files. ## - ## -@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',` +@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; -- type named_conf_t, named_var_lib_t, named_var_run_t; -- type named_cache_t, named_zone_t; -- type dnssec_t, ndc_t; -- type named_initrc_exec_t; +- type named_cache_t, named_zone_t, named_initrc_exec_t; +- type dnssec_t, ndc_t, named_conf_t, named_var_run_t; + type named_conf_t, named_var_run_t, named_cache_t; + type named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_keytab_t; + type named_unit_file_t; ') -- allow $1 named_t:process { ptrace signal_perms }; +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) + allow $1 named_t:process signal_perms; - ps_process_pattern($1, named_t) - -- allow $1 ndc_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 named_t:process ptrace; -+ ') ++ ps_process_pattern($1, named_t) + -+ allow $1 ndc_t:process signal_perms; - ps_process_pattern($1, ndc_t) - + tunable_policy(`deny_ptrace',`',` -+ allow $1 ndc_t:process ptrace; ++ allow $1 named_t:process ptrace; + ') + - bind_run_ndc($1, $2) ++ bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) -@@ -391,9 +463,12 @@ interface(`bind_admin',` - admin_pattern($1, named_zone_t) - admin_pattern($1, dnssec_t) + domain_system_change_exemption($1) +@@ -383,11 +455,15 @@ interface(`bind_admin',` + files_list_etc($1) + admin_pattern($1, named_conf_t) -- files_list_var_lib($1) -- admin_pattern($1, named_var_lib_t) + admin_pattern($1, named_keytab_t) ++ + files_list_var($1) + admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) files_list_pids($1) admin_pattern($1, named_var_run_t) 
-+ + +- bind_run_ndc($1, $2) + admin_pattern($1, named_unit_file_t) + bind_systemctl($1) + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 0968cb4..70bebb1 100644 +index 076ffee..6a12335 100644 --- a/bind.te +++ b/bind.te -@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0) - # +@@ -34,7 +34,7 @@ type named_checkconf_exec_t; + init_system_domain(named_t, named_checkconf_exec_t) - ## -+##

    -+## Allow BIND to bind apache port. -+##

    -+##
    -+gen_tunable(named_bind_http_port, false) -+ -+## - ##

    - ## Allow BIND to write the master zone files. - ## Generally this is used for dynamic DNS or zone transfers. -@@ -16,6 +23,7 @@ gen_tunable(named_write_master_zones, false) - # for DNSSEC key files - type dnssec_t; - files_security_file(dnssec_t) -+files_mountpoint(dnssec_t) - - type named_t; - type named_exec_t; -@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t) - - # A type for configuration files of named. type named_conf_t; -files_type(named_conf_t) +files_config_file(named_conf_t) files_mountpoint(named_conf_t) # for secondary zone files -@@ -37,6 +45,9 @@ files_type(named_cache_t) +@@ -44,6 +44,9 @@ files_type(named_cache_t) type named_initrc_exec_t; init_script_file(named_initrc_exec_t) @@ -6047,19 +7363,7 @@ index 0968cb4..70bebb1 100644 type named_log_t; logging_log_file(named_log_t) -@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) - manage_files_pattern(named_t, named_tmp_t, named_tmp_t) - files_tmp_filetrans(named_t, named_tmp_t, { file dir }) - -+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) - manage_files_pattern(named_t, named_var_run_t, named_var_run_t) - manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) --files_pid_filetrans(named_t, named_var_run_t, { file sock_file }) -+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir }) - - # read zone files - allow named_t named_zone_t:dir list_dir_perms; -@@ -104,7 +116,6 @@ kernel_read_network_state(named_t) +@@ -110,7 +113,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) 
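Review bot: If the collapsed rendering is faithful, the rebased `bind_admin` now grants `signal_perms`, `ps_process_pattern` and the `deny_ptrace`-gated `ptrace` for `named_t` only, while the upstream lines it drops (`allow $1 { named_t ndc_t }:process { ptrace signal_perms };` and `ps_process_pattern($1, { named_t ndc_t })`) covered `ndc_t` as well. Since `bind_run_ndc($1, $2)` still lets the admin role run rndc in `ndc_t`, an administrator would no longer be able to list or signal a hung rndc; if that is not intended, add `allow $1 ndc_t:process signal_perms;` and `ps_process_pattern($1, ndc_t)` beside the `named_t` rules and include `ndc_t` in the `deny_ptrace` block. If dropping `ndc_t` is deliberate, a one-line comment saying so would stop the next rebase from reintroducing it.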
@@ -6067,32 +7371,7 @@ index 0968cb4..70bebb1 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -131,7 +142,6 @@ dev_read_urand(named_t) - - domain_use_interactive_fds(named_t) - --files_read_etc_files(named_t) - files_read_etc_runtime_files(named_t) - - fs_getattr_all_fs(named_t) -@@ -141,12 +151,15 @@ auth_use_nsswitch(named_t) - - logging_send_syslog_msg(named_t) - --miscfiles_read_localization(named_t) - miscfiles_read_generic_certs(named_t) - - userdom_dontaudit_use_unpriv_user_fds(named_t) - userdom_dontaudit_search_user_home_dirs(named_t) - -+tunable_policy(`named_bind_http_port',` -+ corenet_tcp_bind_http_port(named_t) -+') -+ - tunable_policy(`named_write_master_zones',` - manage_dirs_pattern(named_t, named_zone_t, named_zone_t) - manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -154,6 +167,12 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,12 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -6102,10 +7381,10 @@ index 0968cb4..70bebb1 100644 +') + +optional_policy(` - init_dbus_chat_script(named_t) + dbus_system_domain(named_t, named_exec_t) - sysnet_dbus_chat_dhcpc(named_t) -@@ -168,6 +187,7 @@ optional_policy(` + init_dbus_chat_script(named_t) +@@ -183,6 +191,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) 
@@ -6113,87 +7392,43 @@ index 0968cb4..70bebb1 100644 ') optional_policy(` -@@ -199,6 +219,7 @@ optional_policy(` +@@ -209,7 +218,8 @@ optional_policy(` + # - # cjp: why net_admin?! allow ndc_t self:capability { dac_override net_admin }; +-allow ndc_t self:process signal_perms; +allow ndc_t self:capability2 block_suspend; - allow ndc_t self:process { fork signal_perms }; ++allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; - allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; -@@ -211,13 +232,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read }; - stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) + allow ndc_t self:unix_stream_socket { accept listen }; - allow ndc_t named_conf_t:file read_file_perms; --allow ndc_t named_conf_t:lnk_file { getattr read }; -+allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +233,10 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; +kernel_read_system_state(ndc_t) kernel_read_kernel_sysctls(ndc_t) + kernel_read_system_state(ndc_t) -corenet_all_recvfrom_unlabeled(ndc_t) corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -228,28 +249,26 @@ corenet_sendrecv_rndc_client_packets(ndc_t) - - domain_use_interactive_fds(ndc_t) - --files_read_etc_files(ndc_t) - files_search_pids(ndc_t) - - fs_getattr_xattr_fs(ndc_t) - -+auth_use_nsswitch(ndc_t) -+ - init_use_fds(ndc_t) - init_use_script_ptys(ndc_t) +@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) -miscfiles_read_localization(ndc_t) +userdom_use_inherited_user_terminals(ndc_t) - sysnet_read_config(ndc_t) --sysnet_dns_name_resolve(ndc_t) -- --userdom_use_user_terminals(ndc_t) - - term_dontaudit_use_console(ndc_t) - - # for /etc/rndc.key - ifdef(`distro_redhat',` -- allow ndc_t named_conf_t:dir search; -+ allow ndc_t named_conf_t:dir 
search_dir_perms; - ') - - optional_policy(` -diff --git a/bitlbee.fc b/bitlbee.fc -index 0197980..909ce04 100644 ---- a/bitlbee.fc -+++ b/bitlbee.fc -@@ -1,6 +1,13 @@ - /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) - /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) - -+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0) - /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) + userdom_use_user_terminals(ndc_t) - /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) -+ -+/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0) -+ -+/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) -+/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) -+/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/bitlbee.if b/bitlbee.if -index de0bd67..1df2048 100644 +index e73fb79..2badfc0 100644 --- a/bitlbee.if +++ b/bitlbee.if -@@ -43,9 +43,13 @@ interface(`bitlbee_admin',` - type bitlbee_initrc_exec_t; +@@ -44,9 +44,13 @@ interface(`bitlbee_admin',` + type bitlbee_log_t, bitlbee_tmp_t; ') - allow $1 bitlbee_t:process { ptrace signal_perms }; @@ -6208,46 +7443,25 @@ index de0bd67..1df2048 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f4e7ad3..8e85e9d 100644 +index ac8c91e..5ca06bb 100644 --- a/bitlbee.te 
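Review bot: The ndc_t hunk still adds `kernel_read_system_state(ndc_t)` and then carries the same call as upstream context two lines below it (`+kernel_read_system_state(ndc_t)` followed by `kernel_read_kernel_sysctls(ndc_t)` and ` kernel_read_system_state(ndc_t)`), so the patched bind.te appears to contain the interface call twice. Duplicate allow rules are merged by the compiler, so this is noise rather than a functional bug, but it indicates the inner `+kernel_read_system_state(ndc_t)` line has been absorbed upstream and should be dropped from the patch. The same hunk also widens `allow ndc_t self:process signal_perms;` to `{ fork signal_perms }`; a short comment on why rndc needs `fork` would help whoever rebases this next.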
+++ b/bitlbee.te -@@ -22,36 +22,57 @@ files_tmp_file(bitlbee_tmp_t) - type bitlbee_var_t; - files_type(bitlbee_var_t) - -+type bitlbee_log_t; -+logging_log_file(bitlbee_log_t) -+ -+type bitlbee_var_run_t; -+files_pid_file(bitlbee_var_run_t) -+ - ######################################## - # - # Local policy - # +@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) --allow bitlbee_t self:capability { setgid setuid }; --allow bitlbee_t self:process signal; -+allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; -+allow bitlbee_t self:process { setsched signal }; + allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; + allow bitlbee_t self:process { setsched signal }; + -+allow bitlbee_t self:fifo_file rw_fifo_file_perms; - allow bitlbee_t self:udp_socket create_socket_perms; - allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; - allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; --allow bitlbee_t self:fifo_file rw_fifo_file_perms; + allow bitlbee_t self:fifo_file rw_fifo_file_perms; +-allow bitlbee_t self:tcp_socket { accept listen }; +-allow bitlbee_t self:unix_stream_socket { accept listen }; ++allow bitlbee_t self:udp_socket create_socket_perms; ++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; ++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; - bitlbee_read_config(bitlbee_t) - - # tmp files - manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) --files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) -+manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) - - # user account information is read and edited at runtime; give the usual - # r/w access to bitlbee_var_t + allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; + allow bitlbee_t bitlbee_conf_t:file 
read_file_perms; +@@ -54,13 +57,17 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) 
@@ -6255,27 +7469,19 @@ index f4e7ad3..8e85e9d 100644 +manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) +manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + -+manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -+manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -+manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -+files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) -+ + manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) + +-kernel_read_kernel_sysctls(bitlbee_t) kernel_read_system_state(bitlbee_t) +kernel_read_kernel_sysctls(bitlbee_t) --corenet_all_recvfrom_unlabeled(bitlbee_t) - corenet_udp_sendrecv_generic_if(bitlbee_t) - corenet_udp_sendrecv_generic_node(bitlbee_t) - corenet_tcp_sendrecv_generic_if(bitlbee_t) - corenet_tcp_sendrecv_generic_node(bitlbee_t) -+corenet_tcp_bind_generic_node(bitlbee_t) -+corenet_tcp_connect_gatekeeper_port(bitlbee_t) -+corenet_tcp_connect_ircd_port(bitlbee_t) - # Allow bitlbee to connect to jabber servers - corenet_tcp_connect_jabber_client_port(bitlbee_t) - corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t) - corenet_tcp_sendrecv_http_port(bitlbee_t) + corenet_all_recvfrom_unlabeled(bitlbee_t) + corenet_all_recvfrom_netlabel(bitlbee_t) +@@ -95,6 +102,11 @@ corenet_tcp_sendrecv_http_port(bitlbee_t) + corenet_sendrecv_http_cache_client_packets(bitlbee_t) corenet_tcp_connect_http_cache_port(bitlbee_t) corenet_tcp_sendrecv_http_cache_port(bitlbee_t) +corenet_tcp_bind_ircd_port(bitlbee_t) 
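Review bot: `corenet_all_recvfrom_unlabeled(bitlbee_t)` now survives as an unchanged upstream line, whereas the previous version of this patch removed it (the `--corenet_all_recvfrom_unlabeled(bitlbee_t)` just above) and the rest of this series still strips the same call for `named_t`, `ndc_t` and `bluetooth_t`. If the intent is to drop recvfrom-unlabeled policy-wide, bitlbee.te now diverges, and `-corenet_all_recvfrom_unlabeled(bitlbee_t)` should be restored in the patch. If bitlbee is a deliberate exception, a comment at that line would document it so the divergence is not mistaken for a rebase slip.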
@@ -6284,77 +7490,60 @@ index f4e7ad3..8e85e9d 100644 +corenet_tcp_bind_interwise_port(bitlbee_t) +corenet_tcp_sendrecv_interwise_port(bitlbee_t) + corenet_sendrecv_ircd_server_packets(bitlbee_t) + corenet_tcp_bind_ircd_port(bitlbee_t) +@@ -109,16 +121,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) --files_read_etc_files(bitlbee_t) - files_search_pids(bitlbee_t) - # grant read-only access to the user help files - files_read_usr_files(bitlbee_t) -@@ -84,10 +109,6 @@ auth_use_nsswitch(bitlbee_t) +-files_read_usr_files(bitlbee_t) +- + libs_legacy_use_shared_libs(bitlbee_t) + + auth_use_nsswitch(bitlbee_t) logging_send_syslog_msg(bitlbee_t) -miscfiles_read_localization(bitlbee_t) - --sysnet_dns_name_resolve(bitlbee_t) -- optional_policy(` - # normally started from inetd using tcpwrappers, so use those entry points tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) + ') diff --git a/blueman.fc b/blueman.fc -index 6355318..98ba16a 100644 +index c295d2e..4f84e9c 100644 --- a/blueman.fc +++ b/blueman.fc @@ -1,3 +1,4 @@ + /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) - /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) + /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.te b/blueman.te -index 70969fa..4d18e6e 100644 +index bc5c984..b0c90e9 100644 --- a/blueman.te 
+++ b/blueman.te -@@ -7,23 +7,35 @@ policy_module(blueman, 1.0.0) +@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) type blueman_t; type blueman_exec_t; -dbus_system_domain(blueman_t, blueman_exec_t) - init_daemon_domain(blueman_t, blueman_exec_t) ++init_daemon_domain(blueman_t, blueman_exec_t) type blueman_var_lib_t; files_type(blueman_var_lib_t) - -+type blueman_var_run_t; -+files_pid_file(blueman_var_run_t) -+ - ######################################## +@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t) # - # blueman local policy - # -+ -+allow blueman_t self:capability { net_admin sys_nice }; -+allow blueman_t self:process { signal_perms setsched }; + + allow blueman_t self:capability { net_admin sys_nice }; +-allow blueman_t self:process { signal_perms setsched }; ++allow blueman_t self:process { execmem signal_perms setsched }; + allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) - manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) - files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir) - -+manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) -+manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) -+files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) -+ - kernel_read_system_state(blueman_t) -+kernel_request_load_module(blueman_t) -+kernel_read_net_sysctls(blueman_t) - - corecmd_exec_bin(blueman_t) - -@@ -34,13 +46,36 @@ dev_rw_wireless(blueman_t) - domain_use_interactive_fds(blueman_t) +@@ -46,12 +47,14 @@ domain_use_interactive_fds(blueman_t) + files_list_tmp(blueman_t) files_read_usr_files(blueman_t) +files_list_tmp(blueman_t) 
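Review bot: The patch still adds `corenet_tcp_bind_interwise_port(bitlbee_t)` and `corenet_tcp_sendrecv_interwise_port(bitlbee_t)` (and, on the line before this hunk, `corenet_tcp_bind_ircd_port(bitlbee_t)`), yet the upstream context directly below (`corenet_sendrecv_ircd_server_packets(bitlbee_t)`, `corenet_tcp_bind_ircd_port(bitlbee_t)`) and the next inner hunk header's function context (`corenet_tcp_sendrecv_interwise_port(bitlbee_t)`) show the base file already carries these calls. They compile to harmless duplicates, but the patch should drop lines upstream now provides rather than add them a second time. Whether all three are present upstream cannot be confirmed from the visible context alone, so check bitlbee.te before removing the interwise lines.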
@@ -6366,79 +7555,75 @@ index 70969fa..4d18e6e 100644 +sysnet_domtrans_ifconfig(blueman_t) +sysnet_dns_name_resolve(blueman_t) - optional_policy(` - avahi_domtrans(blueman_t) + sysnet_domtrans_ifconfig(blueman_t) + +@@ -60,10 +63,22 @@ optional_policy(` ') -+ -+optional_policy(` + + optional_policy(` + dbus_system_domain(blueman_t, blueman_exec_t) +') + +optional_policy(` -+ dnsmasq_domtrans(blueman_t) -+ dnsmasq_read_pid_files(blueman_t) -+') -+ -+optional_policy(` + dnsmasq_domtrans(blueman_t) + dnsmasq_read_pid_files(blueman_t) + ') + + optional_policy(` + gnome_search_gconf(blueman_t) +') + +optional_policy(` -+ iptables_domtrans(blueman_t) -+') + iptables_domtrans(blueman_t) + ') + +optional_policy(` + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index dc687e6..e0255eb 100644 +index 2b9c7f3..e1b7177 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -7,6 +7,8 @@ +@@ -5,6 +5,8 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) +/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) + - # - # /usr - # + /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) + /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/bluetooth.if b/bluetooth.if -index 3e45431..758bd64 100644 +index c723a0a..3e8a553 100644 --- a/bluetooth.if 
+++ b/bluetooth.if -@@ -27,7 +27,11 @@ interface(`bluetooth_role',` +@@ -37,7 +37,12 @@ interface(`bluetooth_role',` + domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - # allow ps to show cdrecord and allow the user to kill it ps_process_pattern($2, bluetooth_helper_t) -- allow $2 bluetooth_helper_t:process signal; +- allow $2 bluetooth_helper_t:process { ptrace signal_perms }; ++ + allow $2 bluetooth_helper_t:process signal_perms; + + tunable_policy(`deny_ptrace',`',` + allow $2 bluetooth_helper_t:process ptrace; + ') - manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -@@ -35,6 +39,8 @@ interface(`bluetooth_role',` + allow $2 bluetooth_t:socket rw_socket_perms; - manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) - manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) -+ +@@ -45,8 +50,10 @@ interface(`bluetooth_role',` + allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + ++ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) ++ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + bluetooth_stream_connect($2) + stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) +- files_search_pids($2) ') ##################################### -@@ -91,7 +97,7 @@ interface(`bluetooth_read_config',` - type bluetooth_conf_t; - ') - -- allow $1 bluetooth_conf_t:file { getattr read ioctl }; -+ allow $1 bluetooth_conf_t:file read_file_perms; - ') - - ######################################## -@@ -117,6 +123,27 @@ interface(`bluetooth_dbus_chat',` +@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',` ######################################## ##
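Review bot: In `bluetooth_role` the patch now removes `files_search_pids($2)` while leaving the upstream `stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)` in place; connecting to that socket still needs search on the pid directory, which must then come from `bluetooth_stream_connect($2)` — not visible in this hunk, so confirm it grants it. If it does, the explicit `stream_connect_pattern` line is redundant next to `bluetooth_stream_connect($2)` and could be dropped too, leaving a single path to the socket. The added `manage_dirs_pattern`/`manage_files_pattern` on `bluetooth_helper_tmpfs_t` also overlaps the upstream `allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };` line; a comment noting that the directory permissions are the point would make the overlap look intentional. The interface's gen_require block lies outside this hunk.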

    @@ -6466,27 +7651,10 @@ index 3e45431..758bd64 100644 ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## -@@ -157,7 +184,7 @@ interface(`bluetooth_run_helper',` +@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',` ######################################## ## --## Read bluetooth helper state files. -+## Do not audit attempts to read bluetooth helper state files. - ## - ## - ## -@@ -170,8 +197,31 @@ interface(`bluetooth_dontaudit_read_helper_state',` - type bluetooth_helper_t; - ') - -- dontaudit $1 bluetooth_helper_t:dir search; -- dontaudit $1 bluetooth_helper_t:file { read getattr }; -+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms; -+ dontaudit $1 bluetooth_helper_t:file read_file_perms; -+') -+ -+######################################## -+## +## Execute bluetooth server in the bluetooth domain. +## +## 
@@ -6506,21 +7674,19 @@ index 3e45431..758bd64 100644 + allow $1 bluetooth_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, bluetooth_t) - ') - - ######################################## -@@ -193,15 +243,19 @@ interface(`bluetooth_dontaudit_read_helper_state',` - # - interface(`bluetooth_admin',` - gen_require(` -- type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; -- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; -- type bluetooth_conf_t, bluetooth_conf_rw_t; ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an bluetooth environment. + ## +@@ -210,12 +261,16 @@ interface(`bluetooth_admin',` + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; + type bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; - type bluetooth_initrc_exec_t; -+ type bluetooth_t, bluetooth_lock_t, bluetooth_spool_t; -+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t; -+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t; -+ type bluetooth_unit_file_t; ++ type bluetooth_unit_file_t, bluetooth_initrc_exec_t; ') - allow $1 bluetooth_t:process { ptrace signal_perms }; @@ -6534,7 +7700,7 @@ index 3e45431..758bd64 100644 init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 bluetooth_initrc_exec_t system_r; -@@ -225,4 +279,8 @@ interface(`bluetooth_admin',` +@@ -235,4 +290,8 @@ interface(`bluetooth_admin',` files_list_pids($1) admin_pattern($1, bluetooth_var_run_t) @@ -6544,25 +7710,10 @@ index 3e45431..758bd64 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index d3019b3..aed14bb 100644 +index 6f09d24..0b43ce7 100644 --- a/bluetooth.te 
+++ b/bluetooth.te -@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0) - # - # Declarations - # -+ - type bluetooth_t; - type bluetooth_exec_t; - init_daemon_domain(bluetooth_t, bluetooth_exec_t) - - type bluetooth_conf_t; --files_type(bluetooth_conf_t) -+files_config_file(bluetooth_conf_t) - - type bluetooth_conf_rw_t; - files_type(bluetooth_conf_rw_t) -@@ -45,6 +46,9 @@ files_type(bluetooth_var_lib_t) +@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) 
@@ -6571,24 +7722,43 @@ index d3019b3..aed14bb 100644 + ######################################## # - # Bluetooth services local policy -@@ -96,7 +100,6 @@ kernel_request_load_module(bluetooth_t) - #search debugfs - redhat bug 548206 + # Local policy +@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) + + can_exec(bluetooth_t, bluetooth_helper_exec_t) + ++corecmd_exec_bin(bluetooth_t) ++corecmd_exec_shell(bluetooth_t) ++ + kernel_read_kernel_sysctls(bluetooth_t) + kernel_read_system_state(bluetooth_t) + kernel_read_network_state(bluetooth_t) + kernel_request_load_module(bluetooth_t) kernel_search_debugfs(bluetooth_t) --corenet_all_recvfrom_unlabeled(bluetooth_t) - corenet_all_recvfrom_netlabel(bluetooth_t) - corenet_tcp_sendrecv_generic_if(bluetooth_t) - corenet_udp_sendrecv_generic_if(bluetooth_t) -@@ -127,7 +130,6 @@ corecmd_exec_shell(bluetooth_t) - domain_use_interactive_fds(bluetooth_t) +-corecmd_exec_bin(bluetooth_t) +-corecmd_exec_shell(bluetooth_t) ++corenet_all_recvfrom_netlabel(bluetooth_t) ++corenet_tcp_sendrecv_generic_if(bluetooth_t) ++corenet_udp_sendrecv_generic_if(bluetooth_t) ++corenet_raw_sendrecv_generic_if(bluetooth_t) ++corenet_tcp_sendrecv_generic_node(bluetooth_t) ++corenet_udp_sendrecv_generic_node(bluetooth_t) ++corenet_raw_sendrecv_generic_node(bluetooth_t) ++corenet_tcp_sendrecv_all_ports(bluetooth_t) ++corenet_udp_sendrecv_all_ports(bluetooth_t) + + dev_read_sysfs(bluetooth_t) + dev_rw_usbfs(bluetooth_t) +@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) --files_read_etc_files(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) - files_read_usr_files(bluetooth_t) +-files_read_usr_files(bluetooth_t) -@@ -135,7 +137,6 @@ auth_use_nsswitch(bluetooth_t) + fs_getattr_all_fs(bluetooth_t) + fs_search_auto_mountpoints(bluetooth_t) +@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) 
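Review bot: The new `++corenet_tcp_sendrecv_all_ports(bluetooth_t)`, `++corenet_udp_sendrecv_all_ports(bluetooth_t)` and the raw/generic if/node lines re-add broad network send/receive rights to `bluetooth_t` that the rebased upstream file evidently no longer contains (they are patch additions, not context). If bluetoothd only needs IP networking for specific features, the narrower `corenet_*_<port>` interfaces would be preferable to all ports; if the blanket grant is required, a one-line comment above the block naming the feature that needs it would keep the next rebase from dropping it again. Note that `corenet_all_recvfrom_unlabeled(bluetooth_t)` is still stripped here, which is consistent with bind.te and should stay that way.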
@@ -6596,7 +7766,7 @@ index d3019b3..aed14bb 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -144,6 +145,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -131,6 +142,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` @@ -6605,39 +7775,24 @@ index d3019b3..aed14bb 100644 + +optional_policy(` dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) - -@@ -212,17 +217,16 @@ corecmd_exec_shell(bluetooth_helper_t) - - domain_read_all_domains_state(bluetooth_helper_t) --files_read_etc_files(bluetooth_helper_t) - files_read_etc_runtime_files(bluetooth_helper_t) - files_read_usr_files(bluetooth_helper_t) - files_dontaudit_list_default(bluetooth_helper_t) - -+auth_use_nsswitch(bluetooth_helper_t) -+ - locallogin_dontaudit_use_fds(bluetooth_helper_t) - - logging_send_syslog_msg(bluetooth_helper_t) - --miscfiles_read_localization(bluetooth_helper_t) -- - sysnet_read_config(bluetooth_helper_t) - - optional_policy(` + optional_policy(` diff --git a/boinc.fc b/boinc.fc -new file mode 100644 -index 0000000..bda740a ---- /dev/null +index 6d3ccad..bda740a 100644 +--- a/boinc.fc 
+++ b/boinc.fc -@@ -0,0 +1,12 @@ -+ +@@ -1,9 +1,12 @@ +-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + +-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) -+ + +-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) -+ + +-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) +/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) + +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) @@ -6646,15 +7801,17 @@ index 0000000..bda740a + +/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if -new file mode 100644 -index 0000000..fbcef10 ---- /dev/null +index 02fefaa..fbcef10 100644 +--- a/boinc.if +++ b/boinc.if -@@ -0,0 +1,206 @@ +@@ -1,9 +1,165 @@ +-## Platform for computing using volunteered resources. +## policy for boinc -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an boinc environment. +## Execute a domain transition to run boinc. +## +## 
@@ -6813,94 +7970,96 @@ index 0000000..fbcef10 +## +## All of the rules required to administrate +## an boinc environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`boinc_admin',` -+ gen_require(` + ## + ## + ## +@@ -19,26 +175,32 @@ + # + interface(`boinc_admin',` + gen_require(` +- +- type boinc_t, boinc_project_t, boinc_log_t; +- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t; +- type boinc_project_var_lib_t, boinc_project_tmp_t; + type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; + type boinc_unit_file_t; -+ ') -+ + ') + +- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { boinc_t boinc_project_t }) + allow $1 boinc_t:process signal_perms; + ps_process_pattern($1, boinc_t) -+ + +- init_labeled_script_domtrans($1, boinc_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 boinc_t:process ptrace; + ') + + boinc_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 boinc_initrc_exec_t system_r; -+ allow $2 system_r; -+ + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; + +- logging_search_logs($1) +- admin_pattern($1, boinc_log_t) + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) -+ + +- files_search_tmp($1) +- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t }) + boinc_systemctl($1) + admin_pattern($1, boinc_unit_file_t) -+ + +- files_search_var_lib($1) +- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t }) + allow $1 boinc_unit_file_t:service all_service_perms; + + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/boinc.te b/boinc.te -new file mode 100644 -index 0000000..0a7e857 ---- /dev/null +index 7c92aa1..3dbacf3 100644 +--- a/boinc.te 
+++ b/boinc.te -@@ -0,0 +1,199 @@ +@@ -1,11 +1,13 @@ +-policy_module(boinc, 1.0.3) +policy_module(boinc, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ + + ######################################## + # + # Declarations + # + +-type boinc_t; +attribute boinc_domain; + +type boinc_t, boinc_domain; -+type boinc_exec_t; -+init_daemon_domain(boinc_t, boinc_exec_t) -+ -+type boinc_initrc_exec_t; -+init_script_file(boinc_initrc_exec_t) -+ -+type boinc_tmp_t; -+files_tmp_file(boinc_tmp_t) -+ -+type boinc_tmpfs_t; -+files_tmpfs_file(boinc_tmpfs_t) -+ -+type boinc_var_lib_t; -+files_type(boinc_var_lib_t) -+ -+type boinc_log_t; -+logging_log_file(boinc_log_t) -+ + type boinc_exec_t; + init_daemon_domain(boinc_t, boinc_exec_t) + +@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t) + type boinc_var_lib_t; + files_type(boinc_var_lib_t) + +-type boinc_project_var_lib_t; +-files_type(boinc_project_var_lib_t) +- + type boinc_log_t; + logging_log_file(boinc_log_t) + +type boinc_unit_file_t; +systemd_unit_file(boinc_unit_file_t) + -+type boinc_project_t; -+domain_type(boinc_project_t) -+role system_r types boinc_project_t; -+ -+type boinc_project_tmp_t; -+files_tmp_file(boinc_project_tmp_t) -+ + type boinc_project_t; + domain_type(boinc_project_t) +-domain_entry_file(boinc_project_t, boinc_project_var_lib_t) + role system_r types boinc_project_t; + + type boinc_project_tmp_t; + files_tmp_file(boinc_project_tmp_t) + +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + @@ -6916,7 +8075,6 @@ index 0000000..0a7e857 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) +manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) + -+ +corecmd_exec_bin(boinc_domain) +corecmd_exec_shell(boinc_domain) + 
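Review bot: The rebased `boinc_admin` no longer administers boinc_log_t, boinc_tmp_t, boinc_project_tmp_t or boinc_project_var_lib_t, and drops boinc_project_t from its signal and `ps_process_pattern` rules, because the hunk deletes upstream's `admin_pattern` lines for those types while keeping only the boinc_var_lib_t and unit-file patterns; an admin role built on this interface would be unable to clean project or slot directories or the log. Restoring `logging_search_logs($1)` with `admin_pattern($1, boinc_log_t)` and widening the var_lib rule to `admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })` would keep parity with upstream, and boinc_project_var_lib_t is declared by this same patch in boinc.te. Separately, the patch now pins `policy_module(boinc, 1.0.0)` while the upstream line it removes is 1.0.3; a module version below upstream's is misleading and should be kept at or above it.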
@@ -6939,81 +8097,141 @@ index 0000000..0a7e857 + sysnet_dns_name_resolve(boinc_domain) +') + -+######################################## -+# + ######################################## + # +-# Local policy +# boinc local policy -+# -+ -+allow boinc_t self:process { setsched setpgid signull sigkill }; + # + + allow boinc_t self:process { setsched setpgid signull sigkill }; +-allow boinc_t self:unix_stream_socket { accept listen }; +-allow boinc_t self:tcp_socket { accept listen }; + +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; -+allow boinc_t self:shm create_shm_perms; -+ -+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) -+ -+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) -+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) -+ + allow boinc_t self:shm create_shm_perms; +-allow boinc_t self:fifo_file rw_fifo_file_perms; +-allow boinc_t self:sem create_sem_perms; + + manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) + manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) +@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) + fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) + +-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +- +-# entry files to the boinc_project_t domain +-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +# this should be created by default by boinc +# we need this label for transition to boinc_project_t +# other boinc lib files 
will end up with boinc_var_lib_t -+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") -+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") -+ + filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") + filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") + +-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +-logging_log_filetrans(boinc_t, boinc_log_t, file) +- +-can_exec(boinc_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+ + +-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +logging_log_filetrans(boinc_t, boinc_log_t, { file }) -+ + +# needs read /proc/interrupts -+kernel_read_system_state(boinc_t) -+kernel_search_vm_sysctl(boinc_t) -+ + kernel_read_system_state(boinc_t) + kernel_search_vm_sysctl(boinc_t) + +-corenet_all_recvfrom_unlabeled(boinc_t) +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + -+corenet_all_recvfrom_netlabel(boinc_t) -+corenet_tcp_sendrecv_generic_if(boinc_t) + corenet_all_recvfrom_netlabel(boinc_t) + corenet_tcp_sendrecv_generic_if(boinc_t) +corenet_udp_sendrecv_generic_if(boinc_t) -+corenet_tcp_sendrecv_generic_node(boinc_t) + corenet_tcp_sendrecv_generic_node(boinc_t) +corenet_udp_sendrecv_generic_node(boinc_t) +corenet_tcp_sendrecv_all_ports(boinc_t) +corenet_udp_sendrecv_all_ports(boinc_t) -+corenet_tcp_bind_generic_node(boinc_t) + corenet_tcp_bind_generic_node(boinc_t) +- +-corenet_sendrecv_boinc_client_packets(boinc_t) +-corenet_sendrecv_boinc_server_packets(boinc_t) +corenet_udp_bind_generic_node(boinc_t) -+corenet_tcp_bind_boinc_port(boinc_t) 
-+corenet_tcp_bind_boinc_client_ctrl_port(boinc_t) + corenet_tcp_bind_boinc_port(boinc_t) +-corenet_tcp_connect_boinc_port(boinc_t) +-corenet_tcp_sendrecv_boinc_port(boinc_t) +- +-corenet_sendrecv_boinc_client_server_packets(boinc_t) + corenet_tcp_bind_boinc_client_port(boinc_t) +-corenet_tcp_sendrecv_boinc_client_port(boinc_t) +- +-corenet_sendrecv_http_client_packets(boinc_t) +corenet_tcp_connect_boinc_port(boinc_t) -+corenet_tcp_connect_http_port(boinc_t) -+corenet_tcp_connect_http_cache_port(boinc_t) -+corenet_tcp_connect_squid_port(boinc_t) -+ -+files_dontaudit_getattr_boot_dirs(boinc_t) -+ + corenet_tcp_connect_http_port(boinc_t) +-corenet_tcp_sendrecv_http_port(boinc_t) +- +-corenet_sendrecv_http_cache_client_packets(boinc_t) + corenet_tcp_connect_http_cache_port(boinc_t) +-corenet_tcp_sendrecv_http_cache_port(boinc_t) +- +-corenet_sendrecv_squid_client_packets(boinc_t) + corenet_tcp_connect_squid_port(boinc_t) +-corenet_tcp_sendrecv_squid_port(boinc_t) +- +-corecmd_exec_bin(boinc_t) +-corecmd_exec_shell(boinc_t) +- +-dev_read_rand(boinc_t) +-dev_read_urand(boinc_t) +-dev_read_sysfs(boinc_t) +-dev_rw_xserver_misc(boinc_t) +- +-domain_read_all_domains_state(boinc_t) + + files_dontaudit_getattr_boot_dirs(boinc_t) +-files_getattr_all_dirs(boinc_t) +-files_getattr_all_files(boinc_t) +-files_read_etc_files(boinc_t) +-files_read_etc_runtime_files(boinc_t) +-files_read_usr_files(boinc_t) + +-fs_getattr_all_fs(boinc_t) +auth_read_passwd(boinc_t) -+ -+term_getattr_all_ptys(boinc_t) -+term_getattr_unallocated_ttys(boinc_t) -+ -+init_read_utmp(boinc_t) -+ -+logging_send_syslog_msg(boinc_t) -+ -+optional_policy(` -+ mta_send_mail(boinc_t) -+') -+ -+######################################## -+# + + term_getattr_all_ptys(boinc_t) + term_getattr_unallocated_ttys(boinc_t) +@@ -130,55 +138,61 @@ init_read_utmp(boinc_t) + + logging_send_syslog_msg(boinc_t) + +-miscfiles_read_fonts(boinc_t) +-miscfiles_read_localization(boinc_t) +- + optional_policy(` + mta_send_mail(boinc_t) + 
') + +-optional_policy(` +- sysnet_dns_name_resolve(boinc_t) +-') +- + ######################################## + # +-# Project local policy +# boinc-projects local policy -+# -+ -+allow boinc_project_t self:capability { setuid setgid }; + # + + allow boinc_project_t self:capability { setuid setgid }; +-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; + +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; 
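Review bot: With `corenet_tcp_sendrecv_all_ports(boinc_t)` and `corenet_udp_sendrecv_all_ports(boinc_t)` retained as context, the hunk now also deletes upstream's port-scoped rules (`corenet_tcp_sendrecv_boinc_port`, `corenet_sendrecv_boinc_client_packets`, `corenet_tcp_sendrecv_http_port` and the http-cache/squid pairs), so the all-ports grant is the only thing carrying boinc_t's traffic; that is a deliberate loosening relative to upstream and deserves a comment such as `# project servers are user-configured; port list is open-ended` above the corenet block so it is not mistaken for a leftover. The hunk also drops upstream's `dev_read_rand(boinc_t)`, `dev_read_urand(boinc_t)`, `allow boinc_t self:sem create_sem_perms;` and `allow boinc_t self:fifo_file rw_fifo_file_perms;`; presumably these are now covered by the boinc_domain attribute rules in the preceding hunks, but only corecmd, var_lib and DNS rules are visible there, so this is worth confirming against the daemon's AVCs. The boinc_t local-policy section continues past the end of this hunk.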
@@ -7021,32 +8239,43 @@ index 0000000..0a7e857 + +allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; -+ -+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -+manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) -+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) -+ + + manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) + manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) + manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) + files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects") +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" ) -+ -+allow boinc_project_t boinc_project_var_lib_t:file execmod; -+ -+allow boinc_project_t boinc_t:shm rw_shm_perms; + + allow boinc_project_t boinc_project_var_lib_t:file execmod; +-can_exec(boinc_project_t, boinc_project_var_lib_t) + + allow boinc_project_t boinc_t:shm rw_shm_perms; +-allow boinc_project_t boinc_tmpfs_t:file { read write }; +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; -+ 
-+kernel_read_kernel_sysctls(boinc_project_t) -+kernel_search_vm_sysctl(boinc_project_t) + + kernel_read_kernel_sysctls(boinc_project_t) +-kernel_read_network_state(boinc_project_t) + kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) -+ -+corenet_tcp_connect_boinc_port(boinc_project_t) -+ -+files_dontaudit_search_home(boinc_project_t) -+ + +-corenet_all_recvfrom_unlabeled(boinc_project_t) +-corenet_all_recvfrom_netlabel(boinc_project_t) +-corenet_tcp_sendrecv_generic_if(boinc_project_t) +-corenet_tcp_sendrecv_generic_node(boinc_project_t) +-corenet_tcp_bind_generic_node(boinc_project_t) +- +-corenet_sendrecv_boinc_client_packets(boinc_project_t) + corenet_tcp_connect_boinc_port(boinc_project_t) +-corenet_tcp_sendrecv_boinc_port(boinc_project_t) + + files_dontaudit_search_home(boinc_project_t) + +# needed by java +fs_read_hugetlbfs_files(boinc_project_t) + @@ -7054,70 +8283,38 @@ index 0000000..0a7e857 + gnome_read_gconf_config(boinc_project_t) +') + -+optional_policy(` -+ java_exec(boinc_project_t) -+') + optional_policy(` + java_exec(boinc_project_t) + ') + +# until solution for VirtualBox, java .. +optional_policy(` + unconfined_domain(boinc_project_t) +') -diff --git a/brctl.if b/brctl.if -index 2c2cdb6..73b3814 100644 ---- a/brctl.if -+++ b/brctl.if -@@ -18,3 +18,28 @@ interface(`brctl_domtrans',` - corecmd_search_bin($1) - domtrans_pattern($1, brctl_exec_t, brctl_t) - ') -+ -+##################################### -+## -+## Execute brctl in the brctl domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`brctl_run',` -+ gen_require(` -+ type brctl_t, brctl_exec_t; -+ ') -+ -+ brctl_domtrans($1) -+ role $2 types brctl_t; -+') diff --git a/brctl.te b/brctl.te -index 9a62a1d..283f4fa 100644 +index bcd1e87..a2559fe 100644 --- a/brctl.te 
+++ b/brctl.te -@@ -36,7 +36,6 @@ files_read_etc_files(brctl_t) +@@ -38,8 +38,6 @@ files_read_etc_files(brctl_t) term_dontaudit_use_console(brctl_t) -miscfiles_read_localization(brctl_t) - +- optional_policy(` xen_append_log(brctl_t) + xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/bugzilla.if b/bugzilla.if -index de89d0f..86e4ee7 100644 +index 1b22262..bf0cefa 100644 --- a/bugzilla.if +++ b/bugzilla.if -@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` +@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` ## Domain allowed access. ## ## -## -## --## The role to be allowed to manage the bugzilla domain. +-## Role allowed access. -## -## -## @@ -7134,6 +8331,7 @@ index de89d0f..86e4ee7 100644 + allow $1 httpd_bugzilla_script_t:process signal_perms; ps_process_pattern($1, httpd_bugzilla_script_t) +- files_search_usr($1) + tunable_policy(`deny_ptrace',`',` + allow $1 httpd_bugzilla_script_t:process ptrace; + ') @@ -7141,14 +8339,25 @@ index de89d0f..86e4ee7 100644 + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + - files_list_var_lib(httpd_bugzilla_script_t) ++ files_list_var_lib(httpd_bugzilla_script_t) ++ + admin_pattern($1, httpd_bugzilla_script_exec_t) + admin_pattern($1, httpd_bugzilla_script_t) + admin_pattern($1, httpd_bugzilla_content_t) +@@ -76,5 +78,7 @@ interface(`bugzilla_admin',` + files_search_var_lib($1) + admin_pattern($1, httpd_bugzilla_rw_content_t) - apache_list_sys_content($1) +- apache_list_sys_content($1) ++ optional_policy(` ++ apache_list_sys_content($1) ++ ') + ') diff --git a/bugzilla.te b/bugzilla.te -index 048abbf..dece084 100644 +index 41f8251..e0449c8 100644 --- a/bugzilla.te +++ b/bugzilla.te -@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0) +@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4) apache_content_template(bugzilla) 
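Review bot: `unconfined_domain(boinc_project_t)` in the optional block near the top of this hunk (unchanged context carried over from the previous patch) turns the boinc_project_t confinement set up in the hunk above — the split `self:process` rules, the `execmod` and `entrypoint` grants, `files_dontaudit_search_home` — into no-ops wherever the unconfined module is loaded, and boinc_project_t is the domain boinc_t transitions into for project code via `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)`. The comment `# until solution for VirtualBox, java ..` gives a reason but no tracking reference; if the rebase keeps the block, a comment naming the bug it waits on would stop it from being silently inherited again. The boinc_project_t section this belongs to starts in the previous hunk.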
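Review bot: `files_list_var_lib(httpd_bugzilla_script_t)`, now added by the patch inside `bugzilla_admin`, grants the permission to the bugzilla script domain rather than to the admin domain `$1` that every neighbouring rule in the interface targets (`files_list_tmp($1)`, `admin_pattern($1, httpd_bugzilla_tmp_t)`). It should read `files_list_var_lib($1)`, in line with the `files_search_var_lib($1)` shown as context in the following hunk; the script domain's own var_lib access belongs in bugzilla.te, where `files_search_var_lib(httpd_bugzilla_script_t)` already appears. The interface body continues past the end of this hunk.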
@@ -7157,18 +8366,18 @@ index 048abbf..dece084 100644 + ######################################## # - # bugzilla local policy -@@ -16,7 +19,6 @@ allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; - allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + # Local policy +@@ -14,7 +17,6 @@ apache_content_template(bugzilla) + + allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) - corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) -@@ -31,8 +33,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) - corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) - corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) +@@ -27,9 +29,15 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) + corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) + corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) +manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) @@ -7176,17 +8385,19 @@ index 048abbf..dece084 100644 + files_search_var_lib(httpd_bugzilla_script_t) +-sysnet_dns_name_resolve(httpd_bugzilla_script_t) +auth_read_passwd(httpd_bugzilla_script_t) + - sysnet_read_config(httpd_bugzilla_script_t) ++sysnet_read_config(httpd_bugzilla_script_t) sysnet_use_ldap(httpd_bugzilla_script_t) + optional_policy(` diff --git a/cachefilesd.fc b/cachefilesd.fc -new file mode 100644 -index 0000000..aa03fc8 ---- /dev/null +index 648c790..aa03fc8 100644 +--- a/cachefilesd.fc 
+++ b/cachefilesd.fc -@@ -0,0 +1,34 @@ +@@ -1,9 +1,34 @@ +-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0) +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. @@ -7211,22 +8422,24 @@ index 0000000..aa03fc8 +# MCS categories: + +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) -+ -+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) -+ -+/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) -+ + + /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) + + /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) + +-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0) +/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) -+ + +-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) diff --git a/cachefilesd.if b/cachefilesd.if -new file mode 100644 -index 0000000..3b41945 ---- /dev/null +index 8de2ab9..3b41945 100644 +--- a/cachefilesd.if +++ b/cachefilesd.if -@@ -0,0 +1,35 @@ +@@ -1,39 +1,35 @@ +-## CacheFiles user-space management daemon. +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. 
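Review bot: The patch now removes upstream's `sysnet_dns_name_resolve(httpd_bugzilla_script_t)` and re-adds `sysnet_read_config(httpd_bugzilla_script_t)` in its place; if, as its name suggests, the dropped interface is the one that also carries the DNS port rules, then name resolution for the script's SMTP and LDAP connections (`corenet_tcp_connect_smtp_port`, `sysnet_use_ldap` in the surrounding context) now rests on corenet rules that are only partly visible here. Keeping `sysnet_dns_name_resolve(httpd_bugzilla_script_t)` alongside the new `auth_read_passwd(httpd_bugzilla_script_t)` is the smaller change unless a denial shows it is unnecessary. The bugzilla local-policy section continues outside the hunk.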
@@ -7244,30 +8457,55 @@ index 0000000..3b41945 +# Define the policy interface for the CacheFiles userspace management daemon. +# +## policy for cachefilesd -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an cachefilesd environment. +## Execute a domain transition to run cachefilesd. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`cachefilesd_admin',` +interface(`cachefilesd_domtrans',` -+ gen_require(` + gen_require(` +- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t; +- type cachefilesd_var_run_t; + type cachefilesd_t, cachefilesd_exec_t; -+ ') -+ + ') + +- allow $1 cachefilesd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, cachefilesd_t) +- +- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 cachefilesd_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_var($1) +- admin_pattern($1, cachefilesd_cache_t) +- +- files_search_pids($1) +- admin_pattern($1, cachefilesd_var_run_t) + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) -+') + ') diff --git a/cachefilesd.te b/cachefilesd.te -new file mode 100644 -index 0000000..3eda1b1 ---- /dev/null +index 581c8ef..3eda1b1 100644 +--- a/cachefilesd.te +++ b/cachefilesd.te -@@ -0,0 +1,144 @@ +@@ -1,52 +1,144 @@ +-policy_module(cachefilesd, 1.0.1) +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. 
@@ -7280,7 +8518,8 @@ index 0000000..3eda1b1 +# 2 of the License, or (at your option) any later version. +# +############################################################################### -+ + +-######################################## +# +# This security policy governs access by the CacheFiles kernel module and +# userspace management daemon to the files and directories in the on-disk @@ -7290,10 +8529,10 @@ index 0000000..3eda1b1 +policy_module(cachefilesd, 1.0.17) + +############################################################################### -+# -+# Declarations -+# -+ + # + # Declarations + # + +# +# Files in the cache are created by the cachefiles module with security ID +# cachefiles_var_t @@ -7310,17 +8549,25 @@ index 0000000..3eda1b1 +# +# The cachefilesd daemon normally runs with security ID cachefilesd_t +# -+type cachefilesd_t; -+type cachefilesd_exec_t; -+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) -+ + type cachefilesd_t; + type cachefilesd_exec_t; + init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) + +-type cachefilesd_initrc_exec_t; +-init_script_file(cachefilesd_initrc_exec_t) +- +-type cachefilesd_cache_t; +-files_type(cachefilesd_cache_t) +- +# +# The cachefilesd daemon pid file context +# -+type cachefilesd_var_run_t; -+files_pid_file(cachefilesd_var_run_t) -+ -+# + type cachefilesd_var_run_t; + files_pid_file(cachefilesd_var_run_t) + +-######################################## + # +-# Local policy +# The CacheFiles kernel module causes processes accessing the cache files to do +# so acting as security ID cachefiles_kernel_t +# @@ -7332,11 +8579,11 @@ index 0000000..3eda1b1 +############################################################################### +# +# Permit RPM to deal with files in the cache -+# + # +optional_policy(` + rpm_use_script_fds(cachefilesd_t) +') -+ + +############################################################################### +# +# cachefilesd local policy 
@@ -7349,32 +8596,39 @@ index 0000000..3eda1b1 +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# -+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; -+ + allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; -+manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) + manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) +manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) -+files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) + files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +files_create_as_is_all_files(cachefilesd_t) -+ + +-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) +-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; -+ + +-dev_rw_cachefiles(cachefilesd_t) +- +-files_create_all_files_as(cachefilesd_t) +-files_read_etc_files(cachefilesd_t) +# Allow access to cache superstructure +manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) -+ + +# Permit statfs on the backing filesystem -+fs_getattr_xattr_fs(cachefilesd_t) -+ + fs_getattr_xattr_fs(cachefilesd_t) + +# Basic access +files_read_etc_files(cachefilesd_t) +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) -+term_dontaudit_use_generic_ptys(cachefilesd_t) -+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) -+ + term_dontaudit_use_generic_ptys(cachefilesd_t) + term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) + +-logging_send_syslog_msg(cachefilesd_t) 
+############################################################################### +# +# When cachefilesd invokes the kernel module to begin caching, it has to tell @@ -7387,14 +8641,16 @@ index 0000000..3eda1b1 +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# +allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; -+ + +-miscfiles_read_localization(cachefilesd_t) +# +# (2) the label that will be assigned to new files and directories created in +# the cache by the module, which will be the same as the label on the +# directory pointed to by the 'dir' command. +# +allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; -+ + +-init_dontaudit_use_script_ptys(cachefilesd_t) +############################################################################### +# +# cachefiles kernel module local policy @@ -7403,7 +8659,10 @@ index 0000000..3eda1b1 +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; -+ + +-optional_policy(` +- rpm_use_script_fds(cachefilesd_t) +-') +manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) + @@ -7413,26 +8672,30 @@ index 0000000..3eda1b1 + +init_sigchld_script(cachefiles_kernel_t) diff --git a/calamaris.te b/calamaris.te -index b13fb66..8926e84 100644 +index f4f21d3..de28437 100644 --- a/calamaris.te 
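Review bot: `files_create_as_is_all_files(cachefilesd_t)` is grouped under the `# Allow manipulation of pid file` comment, but it appears to be a much broader grant across all file types, and its real justification is the label hand-off the later `use_as_override` and `create_files_as` comments describe; a dedicated comment such as `# cache entries are created with the label of the 'dir' directory, not cachefilesd_t` directly above it would keep the two readings apart. The raw `allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;` replacing upstream's `dev_rw_cachefiles(cachefilesd_t)` is fine only if cachefiles_dev_t is declared by this module (the .fc labels /dev/cachefiles with it, but the declaration is not in view); if the type is owned by the devices module, the interface call must stay. This hunk's local-policy section continues past its end.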
+++ b/calamaris.te -@@ -39,7 +39,6 @@ kernel_read_system_state(calamaris_t) +@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t) corecmd_exec_bin(calamaris_t) --corenet_all_recvfrom_unlabeled(calamaris_t) - corenet_all_recvfrom_netlabel(calamaris_t) - corenet_tcp_sendrecv_generic_if(calamaris_t) - corenet_udp_sendrecv_generic_if(calamaris_t) -@@ -51,7 +50,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t) ++corenet_all_recvfrom_netlabel(calamaris_t) ++corenet_tcp_sendrecv_generic_if(calamaris_t) ++corenet_udp_sendrecv_generic_if(calamaris_t) ++corenet_tcp_sendrecv_generic_node(calamaris_t) ++corenet_udp_sendrecv_generic_node(calamaris_t) ++corenet_tcp_sendrecv_all_ports(calamaris_t) ++corenet_udp_sendrecv_all_ports(calamaris_t) ++ dev_read_urand(calamaris_t) - files_search_pids(calamaris_t) --files_read_etc_files(calamaris_t) - files_read_usr_files(calamaris_t) - files_read_var_files(calamaris_t) +-files_read_usr_files(calamaris_t) ++files_search_pids(calamaris_t) files_read_etc_runtime_files(calamaris_t) -@@ -62,8 +60,6 @@ auth_use_nsswitch(calamaris_t) + +-libs_read_lib_files(calamaris_t) +- + auth_use_nsswitch(calamaris_t) logging_send_syslog_msg(calamaris_t) 
@@ -7441,1041 +8704,1341 @@ index b13fb66..8926e84 100644 userdom_dontaudit_list_user_home_dirs(calamaris_t) optional_policy(` -diff --git a/callweaver.fc b/callweaver.fc -new file mode 100644 -index 0000000..3e15c63 ---- /dev/null -+++ b/callweaver.fc -@@ -0,0 +1,11 @@ -+/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0) +diff --git a/callweaver.te b/callweaver.te +index 528051e..44e5b7d 100644 +--- a/callweaver.te ++++ b/callweaver.te +@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) + + auth_use_nsswitch(callweaver_t) + +-miscfiles_read_localization(callweaver_t) +diff --git a/canna.if b/canna.if +index 400db07..f416e22 100644 +--- a/canna.if ++++ b/canna.if +@@ -43,9 +43,13 @@ interface(`canna_admin',` + type canna_var_run_t, canna_initrc_exec_t; + ') + +- allow $1 canna_t:process { ptrace signal_perms }; ++ allow $1 canna_t:process signal_perms; + ps_process_pattern($1, canna_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 canna_t:process ptrace; ++ ') + -+/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0) + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; +diff --git a/canna.te b/canna.te +index 4ec0626..a209a9b 100644 +--- a/canna.te ++++ b/canna.te +@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) + kernel_read_kernel_sysctls(canna_t) + kernel_read_system_state(canna_t) + +-corenet_all_recvfrom_unlabeled(canna_t) + corenet_all_recvfrom_netlabel(canna_t) + corenet_tcp_sendrecv_generic_if(canna_t) + corenet_tcp_sendrecv_generic_node(canna_t) +@@ -76,8 +75,6 @@ files_dontaudit_read_root_files(canna_t) + + logging_send_syslog_msg(canna_t) + +-miscfiles_read_localization(canna_t) +- + sysnet_read_config(canna_t) + + userdom_dontaudit_use_unpriv_user_fds(canna_t) +diff --git a/ccs.if b/ccs.if +index 5ded72d..f6b854c 100644 +--- a/ccs.if ++++ b/ccs.if +@@ -102,9 +102,13 
@@ interface(`ccs_admin',` + type ccs_var_run_t, ccs_tmp_t; + ') + +- allow $1 ccs_t:process { ptrace signal_perms }; ++ allow $1 ccs_t:process { signal_perms }; + ps_process_pattern($1, ccs_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ccs_t:process ptrace; ++ ') + -+/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0) + init_labeled_script_domtrans($1, ccs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ccs_initrc_exec_t system_r; +diff --git a/ccs.te b/ccs.te +index b85b53b..619a4c5 100644 +--- a/ccs.te ++++ b/ccs.te +@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) + + allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; + allow ccs_t self:process { signal setrlimit setsched }; +-dontaudit ccs_t self:process ptrace; + -+/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0) + allow ccs_t self:fifo_file rw_fifo_file_perms; + allow ccs_t self:unix_stream_socket { accept connectto listen }; + allow ccs_t self:tcp_socket { accept listen }; +@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t) + corecmd_list_bin(ccs_t) + corecmd_exec_bin(ccs_t) + +-corenet_all_recvfrom_unlabeled(ccs_t) + corenet_all_recvfrom_netlabel(ccs_t) + corenet_tcp_sendrecv_generic_if(ccs_t) + corenet_udp_sendrecv_generic_if(ccs_t) +@@ -99,11 +98,10 @@ files_read_etc_files(ccs_t) + files_read_etc_runtime_files(ccs_t) + + init_rw_script_tmp_files(ccs_t) ++init_signal(ccs_t) + + logging_send_syslog_msg(ccs_t) + +-miscfiles_read_localization(ccs_t) +- + sysnet_dns_name_resolve(ccs_t) + + userdom_manage_unpriv_user_shared_mem(ccs_t) +diff --git a/cdrecord.te b/cdrecord.te +index 55fb26a..e380b26 100644 +--- a/cdrecord.te ++++ b/cdrecord.te +@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) + domain_interactive_fd(cdrecord_t) + domain_use_interactive_fds(cdrecord_t) + +-files_read_etc_files(cdrecord_t) +- + term_use_controlling_term(cdrecord_t) + term_list_ptys(cdrecord_t) + +@@ -52,8 +50,6 @@ 
storage_write_scsi_generic(cdrecord_t) + + logging_send_syslog_msg(cdrecord_t) + +-miscfiles_read_localization(cdrecord_t) +- + userdom_use_user_terminals(cdrecord_t) + userdom_read_user_home_content_files(cdrecord_t) + +@@ -104,11 +100,7 @@ tunable_policy(`cdrecord_read_content',` + userdom_dontaudit_read_user_home_content_files(cdrecord_t) + ') + +-tunable_policy(`use_nfs_home_dirs',` +- files_search_mnt(cdrecord_t) +- fs_read_nfs_files(cdrecord_t) +- fs_read_nfs_symlinks(cdrecord_t) +-') ++userdom_home_manager(cdrecord_t) + + optional_policy(` + resmgr_stream_connect(cdrecord_t) +diff --git a/certmaster.if b/certmaster.if +index 0c53b18..ef29f6e 100644 +--- a/certmaster.if ++++ b/certmaster.if +@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',` + interface(`certmaster_admin',` + gen_require(` + type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; +- type certmaster_etc_rw_t, certmaster_var_log_t; +- type certmaster_initrc_exec_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; + ') + +- allow $1 certmaster_t:process { ptrace signal_perms }; ++ allow $1 certmaster_t:process signal_perms; + ps_process_pattern($1, certmaster_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 certmaster_t:process ptrace; ++ ') + -+/var/run/callweaver(/.*)? 
gen_context(system_u:object_r:callweaver_var_run_t,s0) + init_labeled_script_domtrans($1, certmaster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 certmaster_initrc_exec_t system_r; +diff --git a/certmaster.te b/certmaster.te +index bf82163..5397bb9 100644 +--- a/certmaster.te ++++ b/certmaster.te +@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) + dev_read_urand(certmaster_t) + + files_list_var(certmaster_t) +-files_search_etc(certmaster_t) +-files_read_usr_files(certmaster_t) + + auth_use_nsswitch(certmaster_t) + +-miscfiles_read_localization(certmaster_t) + miscfiles_manage_generic_cert_dirs(certmaster_t) + miscfiles_manage_generic_cert_files(certmaster_t) +diff --git a/certmonger.fc b/certmonger.fc +index ed298d8..cd8eb4d 100644 +--- a/certmonger.fc ++++ b/certmonger.fc +@@ -2,6 +2,8 @@ + + /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) + ++/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0) + -+/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) -diff --git a/callweaver.if b/callweaver.if -new file mode 100644 -index 0000000..e07d3b8 ---- /dev/null -+++ b/callweaver.if -@@ -0,0 +1,362 @@ -+## Open source PBX project. + /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) + + /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) +diff --git a/certmonger.if b/certmonger.if +index 008f8ef..144c074 100644 +--- a/certmonger.if ++++ b/certmonger.if +@@ -160,16 +160,20 @@ interface(`certmonger_admin',` + ') + + ps_process_pattern($1, certmonger_t) +- allow $1 certmonger_t:process { ptrace signal_perms }; ++ allow $1 certmonger_t:process signal_perms; + -+######################################## -+## -+## Execute callweaver in the -+## callweaver domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`callweaver_domtrans',` -+ gen_require(` -+ type callweaver_t, callweaver_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, callweaver_exec_t, callweaver_t) -+') -+ -+######################################## -+## -+## Execute callweaver in the -+## callers domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`callweaver_exec',` -+ gen_require(` -+ type callweaver_exec_t; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 certmonger_t:process ptrace; + ') + + certmonger_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 certmonger_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, certmonger_var_lib_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, certmonger_var_run_t) + ') +diff --git a/certmonger.te b/certmonger.te +index 2354e21..1bb3f10 100644 +--- a/certmonger.te ++++ b/certmonger.te +@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) + type certmonger_var_run_t; + files_pid_file(certmonger_var_run_t) + ++type certmonger_unconfined_exec_t; ++application_executable_file(certmonger_unconfined_exec_t) + -+ corecmd_search_bin($1) -+ can_exec($1, callweaver_exec_t) + ######################################## + # + # Local policy +@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t) + allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; + dontaudit certmonger_t self:capability sys_tty_config; + allow certmonger_t self:capability2 block_suspend; ++ + allow certmonger_t self:process { getsched setsched sigkill signal }; +-allow certmonger_t self:fifo_file rw_fifo_file_perms; +-allow certmonger_t self:unix_stream_socket { accept listen }; +-allow certmonger_t self:tcp_socket { accept listen }; ++allow certmonger_t self:fifo_file rw_file_perms; ++allow certmonger_t self:unix_stream_socket create_stream_socket_perms; ++allow certmonger_t 
self:tcp_socket create_stream_socket_perms; ++allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; + + manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) + manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +@@ -49,16 +54,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) + + corenet_sendrecv_certmaster_client_packets(certmonger_t) + corenet_tcp_connect_certmaster_port(certmonger_t) ++ ++corenet_tcp_connect_http_port(certmonger_t) ++corenet_tcp_connect_http_cache_port(certmonger_t) ++ ++corenet_tcp_connect_pki_ca_port(certmonger_t) + corenet_tcp_sendrecv_certmaster_port(certmonger_t) + + corecmd_exec_bin(certmonger_t) + corecmd_exec_shell(certmonger_t) + ++dev_read_rand(certmonger_t) + dev_read_urand(certmonger_t) + + domain_use_interactive_fds(certmonger_t) + +-files_read_usr_files(certmonger_t) + files_list_tmp(certmonger_t) + + fs_search_cgroup_dirs(certmonger_t) +@@ -70,16 +80,17 @@ init_getattr_all_script_files(certmonger_t) + + logging_send_syslog_msg(certmonger_t) + +-miscfiles_read_localization(certmonger_t) + miscfiles_manage_generic_cert_files(certmonger_t) + ++systemd_exec_systemctl(certmonger_t) ++ + userdom_search_user_home_content(certmonger_t) + + optional_policy(` +- apache_initrc_domtrans(certmonger_t) + apache_search_config(certmonger_t) + apache_signal(certmonger_t) + apache_signull(certmonger_t) ++ apache_systemctl(certmonger_t) + ') + + optional_policy(` +@@ -92,11 +103,47 @@ optional_policy(` + ') + + optional_policy(` +- kerberos_read_keytab(certmonger_t) ++ dirsrv_manage_config(certmonger_t) ++ dirsrv_signal(certmonger_t) ++ dirsrv_signull(certmonger_t) +') + -+######################################## -+## -+## Execute callweaver in the -+## callweaver domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`callweaver_initrc_domtrans',` -+ gen_require(` -+ type callweaver_initrc_exec_t; -+ ') ++optional_policy(` + kerberos_use(certmonger_t) ++ kerberos_read_keytab(certmonger_t) + ') + + optional_policy(` ++ pcscd_read_pub_files(certmonger_t) + pcscd_read_pid_files(certmonger_t) + pcscd_stream_connect(certmonger_t) + ') + -+ init_labeled_script_domtrans($1, callweaver_initrc_exec_t) ++optional_policy(` ++ pki_rw_tomcat_cert(certmonger_t) +') + +######################################## -+## -+## Read callweaver log files. -+## -+## -+## -+## Domain allowed access. -+## -+## +# -+interface(`callweaver_read_log',` -+ gen_require(` -+ type callweaver_log_t; -+ ') ++# certmonger_unconfined_script_t local policy ++# + -+ logging_search_logs($1) -+ read_files_pattern($1, callweaver_log_t, callweaver_log_t) ++optional_policy(` ++ type certmonger_unconfined_t; ++ domain_type(certmonger_unconfined_t) ++ ++ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t) ++ role system_r types certmonger_unconfined_t; ++ ++ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t) ++ ++ unconfined_domain(certmonger_unconfined_t) ++ ++ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; ++ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; ++ allow certmonger_t certmonger_unconfined_exec_t:file ioctl; ++ ++ init_domtrans_script(certmonger_unconfined_t) ++ ++ unconfined_domain(certmonger_unconfined_t) +') +diff --git a/certwatch.te b/certwatch.te +index 403af41..fd3cbaf 100644 +--- a/certwatch.te ++++ b/certwatch.te +@@ -21,25 +21,24 @@ role certwatch_roles types certwatch_t; + allow certwatch_t self:capability sys_nice; + allow certwatch_t self:process { setsched getsched }; + ++dev_read_rand(certwatch_t) + dev_read_urand(certwatch_t) + +-files_read_etc_files(certwatch_t) +-files_read_usr_files(certwatch_t) + files_read_usr_symlinks(certwatch_t) + files_list_tmp(certwatch_t) + + 
fs_list_inotifyfs(certwatch_t) + + auth_manage_cache(certwatch_t) ++auth_read_passwd(certwatch_t) + auth_var_filetrans_cache(certwatch_t) + + logging_send_syslog_msg(certwatch_t) + + miscfiles_read_all_certs(certwatch_t) +-miscfiles_read_localization(certwatch_t) + +-userdom_use_user_terminals(certwatch_t) +-userdom_dontaudit_list_user_home_dirs(certwatch_t) ++userdom_use_inherited_user_terminals(certwatch_t) ++userdom_dontaudit_list_admin_dir(certwatch_t) + + optional_policy(` + apache_exec_modules(certwatch_t) +diff --git a/cfengine.if b/cfengine.if +index a731122..5279d4e 100644 +--- a/cfengine.if ++++ b/cfengine.if +@@ -13,7 +13,6 @@ + template(`cfengine_domain_template',` + gen_require(` + attribute cfengine_domain; +- type cfengine_log_t, cfengine_var_lib_t; + ') + + ######################################## +@@ -30,7 +29,29 @@ template(`cfengine_domain_template',` + # Policy + # + ++ kernel_read_system_state(cfengine_$1_t) + -+######################################## -+## -+## Append to callweaver log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`callweaver_append_log',` -+ gen_require(` -+ type callweaver_log_t; -+ ') + auth_use_nsswitch(cfengine_$1_t) + -+ logging_search_logs($1) -+ append_files_pattern($1, callweaver_log_t, callweaver_log_t) ++ logging_send_syslog_msg(cfengine_$1_t) +') + -+######################################## ++###################################### +## -+## Manage callweaver log files ++## Search cfengine lib files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`callweaver_manage_log',` ++interface(`cfengine_search_lib_files',` + gen_require(` -+ type callweaver_log_t; ++ type cfengine_var_lib_t; + ') + -+ logging_search_logs($1) -+ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t) -+ manage_files_pattern($1, callweaver_log_t, callweaver_log_t) -+ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t) -+') -+ -+######################################## ++ allow $1 cfengine_var_lib_t:dir search_dir_perms; + ') + + ######################################## +@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',` + dontaudit $1 cfengine_var_log_t:file write_file_perms; + ') + ++##################################### +## -+## Search callweaver lib directories. ++## Allow the specified domain to append cfengine's log files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`callweaver_search_lib',` -+ gen_require(` -+ type callweaver_var_lib_t; -+ ') ++interface(`cfengine_append_inherited_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') + -+ allow $1 callweaver_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ cfengine_search_lib_files($1) ++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; +') + -+######################################## ++#################################### +## -+## Read callweaver lib files. ++## Dontaudit the specified domain to write cfengine's log files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`callweaver_read_lib_files',` -+ gen_require(` -+ type callweaver_var_lib_t; -+ ') ++interface(`cfengine_dontaudit_write_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) ++ dontaudit $1 cfengine_var_log_t:file write; +') + -+######################################## -+## -+## Manage callweaver lib files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`callweaver_manage_lib_files',` -+ gen_require(` -+ type callweaver_var_lib_t; + ######################################## + ## + ## All of the rules required to +@@ -94,7 +152,7 @@ interface(`cfengine_admin',` + type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; + ') + +- allow $1 cfengine_domain:process { ptrace signal_perms }; ++ allow $1 cfengine_domain:process { signal_perms }; + ps_process_pattern($1, cfengine_domain) + + init_labeled_script_domtrans($1, cfengine_initrc_exec_t) +@@ -105,3 +163,4 @@ interface(`cfengine_admin',` + files_search_var_lib($1) + admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) + ') ++ +diff --git a/cfengine.te b/cfengine.te +index 8af5bbe..168f01f 100644 +--- a/cfengine.te ++++ b/cfengine.te +@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) + setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) + logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) + +-kernel_read_system_state(cfengine_domain) +- + corecmd_exec_bin(cfengine_domain) + corecmd_exec_shell(cfengine_domain) + + dev_read_urand(cfengine_domain) + dev_read_sysfs(cfengine_domain) + +-logging_send_syslog_msg(cfengine_domain) +- +-miscfiles_read_localization(cfengine_domain) +- ++sysnet_dns_name_resolve(cfengine_domain) + sysnet_domtrans_ifconfig(cfengine_domain) + + ######################################## +diff --git a/cgroup.if b/cgroup.if +index 85ca63f..1d1c99c 100644 +--- a/cgroup.if ++++ b/cgroup.if +@@ -171,8 +171,26 @@ interface(`cgroup_admin',` + type cgrules_etc_t, cgclear_t; + ') + +- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) ++ allow $1 cgclear_t:process signal_perms; ++ ps_process_pattern($1, cgclear_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgclear_t:process ptrace; + ') + -+ files_search_var_lib($1) -+ 
manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) -+') ++ allow $1 cgconfig_t:process signal_perms; ++ ps_process_pattern($1, cgconfig_t) + -+######################################## -+## -+## Manage callweaver lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`callweaver_manage_lib_dirs',` -+ gen_require(` -+ type callweaver_var_lib_t; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgconfig_t:process ptrace; + ') + -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) -+') ++ allow $1 cgred_t:process signal_perms; ++ ps_process_pattern($1, cgred_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cgred_t:process ptrace; ++ ') + + admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) + files_list_etc($1) +diff --git a/cgroup.te b/cgroup.te +index fdee107..18cf736 100644 +--- a/cgroup.te ++++ b/cgroup.te +@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) + type cgrules_etc_t; + files_config_file(cgrules_etc_t) + +-type cgconfig_t; +-type cgconfig_exec_t; ++type cgconfig_t alias cgconfigparser_t; ++type cgconfig_exec_t alias cgconfigparser_exec_t; + init_daemon_domain(cgconfig_t, cgconfig_exec_t) + + type cgconfig_initrc_exec_t; +@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t) + + allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + +-allow cgclear_t cgconfig_etc_t:file read_file_perms; ++read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) + + kernel_read_system_state(cgclear_t) + ++auth_use_nsswitch(cgclear_t) ++ + domain_setpriority_all_domains(cgclear_t) + + fs_manage_cgroup_dirs(cgclear_t) +@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; + kernel_list_unlabeled(cgconfig_t) + kernel_read_system_state(cgconfig_t) + +-files_read_etc_files(cgconfig_t) +- + fs_manage_cgroup_dirs(cgconfig_t) + fs_manage_cgroup_files(cgconfig_t) + fs_mount_cgroup(cgconfig_t) + fs_mounton_cgroup(cgconfig_t) + 
fs_unmount_cgroup(cgconfig_t) + ++auth_use_nsswitch(cgconfig_t) ++ + ######################################## + # + # cgred local policy + # + +-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; ++ + allow cgred_t self:netlink_socket { write bind create read }; + allow cgred_t self:unix_dgram_socket { write create connect }; + +@@ -92,6 +95,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) + + kernel_read_all_sysctls(cgred_t) + kernel_read_system_state(cgred_t) ++kernel_read_all_sysctls(cgred_t) + + domain_read_all_domains_state(cgred_t) + domain_setpriority_all_domains(cgred_t) +@@ -99,10 +103,9 @@ domain_setpriority_all_domains(cgred_t) + files_getattr_all_files(cgred_t) + files_getattr_all_sockets(cgred_t) + files_read_all_symlinks(cgred_t) +-files_read_etc_files(cgred_t) + + fs_write_cgroup_files(cgred_t) + +-logging_send_syslog_msg(cgred_t) ++auth_use_nsswitch(cgred_t) + +-miscfiles_read_localization(cgred_t) ++logging_send_syslog_msg(cgred_t) +diff --git a/chrome.fc b/chrome.fc +new file mode 100644 +index 0000000..88107d7 +--- /dev/null ++++ b/chrome.fc +@@ -0,0 +1,6 @@ ++/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++ ++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + ++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) ++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) +diff --git a/chrome.if b/chrome.if +new file mode 100644 +index 0000000..efebae7 +--- /dev/null ++++ b/chrome.if +@@ -0,0 +1,134 @@ ++ ++## policy for chrome + +######################################## +## -+## Read callweaver PID files. ++## Execute a domain transition to run chrome_sandbox. 
+## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`callweaver_read_pid_files',` ++interface(`chrome_domtrans_sandbox',` + gen_require(` -+ type callweaver_var_run_t; ++ type chrome_sandbox_t, chrome_sandbox_exec_t; + ') + -+ files_search_pids($1) -+ allow $1 callweaver_var_run_t:file read_file_perms; ++ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) ++ ps_process_pattern(chrome_sandbox_t, $1) ++ ++ allow $1 chrome_sandbox_t:fd use; ++ ++ ifdef(`hide_broken_symptoms',` ++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ++ ') +') + ++ +######################################## +## -+## Connect to callweaver over a unix stream socket. ++## Execute chrome_sandbox in the chrome_sandbox domain, and ++## allow the specified role the chrome_sandbox domain. +## +## +## -+## Domain allowed access. ++## Domain allowed access +## +## -+# -+interface(`callweaver_stream_connect',` -+ gen_require(` -+ type callweaver_t, callweaver_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t) -+') -+ -+######################################## -+## -+## Search callweaver spool directories. -+## -+## ++## +## -+## Domain allowed access. ++## The role to be allowed the chrome_sandbox domain. +## +## +# -+interface(`callweaver_search_spool',` ++interface(`chrome_run_sandbox',` + gen_require(` -+ type callweaver_spool_t; ++ type chrome_sandbox_t; ++ type chrome_sandbox_nacl_t; + ') + -+ allow $1 callweaver_spool_t:dir search_dir_perms; -+ files_search_spool($1) ++ chrome_domtrans_sandbox($1) ++ role $2 types chrome_sandbox_t; ++ role $2 types chrome_sandbox_nacl_t; +') + +######################################## +## -+## Read callweaver spool files. ++## Role access for chrome sandbox +## -+## ++## +## -+## Domain allowed access. 
++## Role allowed access +## +## -+# -+interface(`callweaver_read_spool_files',` -+ gen_require(` -+ type callweaver_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, callweaver_spool_t, callweaver_spool_t) -+') -+ -+######################################## -+## -+## Manage callweaver spool files. -+## +## +## -+## Domain allowed access. ++## User domain for the role +## +## +# -+interface(`callweaver_manage_spool_files',` ++interface(`chrome_role_notrans',` + gen_require(` -+ type callweaver_spool_t; ++ type chrome_sandbox_t; ++ type chrome_sandbox_tmpfs_t; ++ type chrome_sandbox_nacl_t; + ') + -+ files_search_spool($1) -+ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t) ++ role $1 types chrome_sandbox_t; ++ role $1 types chrome_sandbox_nacl_t; ++ ++ ps_process_pattern($2, chrome_sandbox_t) ++ allow $2 chrome_sandbox_t:process signal_perms; ++ ++ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; ++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write }; ++ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; ++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; ++ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; ++ ++ allow $2 chrome_sandbox_t:shm rw_shm_perms; ++ ++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + +######################################## +## -+## Manage callweaver spool dirs. ++## Role access for chrome sandbox +## ++## ++## ++## Role allowed access ++## ++## +## +## -+## Domain allowed access. 
++## User domain for the role +## +## +# -+interface(`callweaver_manage_spool_dirs',` -+ gen_require(` -+ type callweaver_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t) ++interface(`chrome_role',` ++ chrome_role_notrans($1, $2) ++ chrome_domtrans_sandbox($2) +') + +######################################## +## -+## All of the rules required to administrate -+## an callweaver environment ++## Dontaudit read/write to a chrome_sandbox leaks +## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. ++## Domain to not audit. +## +## -+## +# -+interface(`callweaver_admin',` ++interface(`chrome_dontaudit_sandbox_leaks',` + gen_require(` -+ type callweaver_t; -+ type callweaver_initrc_exec_t; -+ type callweaver_log_t; -+ type callweaver_var_lib_t; -+ type callweaver_var_run_t; -+ type callweaver_spool_t; -+ ') -+ -+ allow $1 callweaver_t:process signal_perms; -+ ps_process_pattern($1, callweaver_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 callweaver_t:process ptrace; ++ type chrome_sandbox_t; + ') + -+ callweaver_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 callweaver_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_search_logs($1) -+ admin_pattern($1, callweaver_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, callweaver_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, callweaver_var_run_t) -+ -+ files_search_spool($1) -+ admin_pattern($1, callweaver_spool_t) ++ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; +') -diff --git a/callweaver.te b/callweaver.te +diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..978f92f +index 0000000..0ce7275 
--- /dev/null -+++ b/callweaver.te -@@ -0,0 +1,75 @@ -+policy_module(callweaver,1.0.0) ++++ b/chrome.te +@@ -0,0 +1,197 @@ ++policy_module(chrome,1.0.0) + +######################################## +# +# Declarations +# + -+type callweaver_t; -+type callweaver_exec_t; -+init_daemon_domain(callweaver_t, callweaver_exec_t) -+ -+type callweaver_initrc_exec_t; -+init_script_file(callweaver_initrc_exec_t) -+ -+type callweaver_log_t; -+logging_log_file(callweaver_log_t) ++type chrome_sandbox_t; ++type chrome_sandbox_exec_t; ++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) ++role system_r types chrome_sandbox_t; ++ubac_constrained(chrome_sandbox_t) + -+type callweaver_var_lib_t; -+files_type(callweaver_var_lib_t) ++type chrome_sandbox_tmp_t; ++files_tmp_file(chrome_sandbox_tmp_t) + -+type callweaver_var_run_t; -+files_pid_file(callweaver_var_run_t) ++type chrome_sandbox_tmpfs_t; ++files_tmpfs_file(chrome_sandbox_tmpfs_t) ++ubac_constrained(chrome_sandbox_tmpfs_t) + -+type callweaver_spool_t; -+files_spool_file(callweaver_spool_t) ++type chrome_sandbox_nacl_t; ++type chrome_sandbox_nacl_exec_t; ++application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) ++role system_r types chrome_sandbox_nacl_t; ++ubac_constrained(chrome_sandbox_nacl_t) + +######################################## +# -+# callweaver local policy ++# chrome_sandbox local policy +# ++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; ++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; ++allow chrome_sandbox_t self:process setsched; ++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; ++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; ++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_t self:shm create_shm_perms; ++allow chrome_sandbox_t self:sem create_sem_perms; ++allow chrome_sandbox_t self:msgq 
create_msgq_perms; ++allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; ++dontaudit chrome_sandbox_t self:memprotect mmap_zero; + -+allow callweaver_t self:capability { setuid sys_nice setgid }; -+allow callweaver_t self:process { setsched signal }; -+allow callweaver_t self:fifo_file rw_fifo_file_perms; -+allow callweaver_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -+manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) -+logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } ) -+ -+manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) -+manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) -+files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } ) ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) + -+manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -+manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -+manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -+files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file }) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) ++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) + -+manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -+manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -+manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) -+files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file }) ++kernel_read_system_state(chrome_sandbox_t) ++kernel_read_kernel_sysctls(chrome_sandbox_t) + 
-+allow callweaver_t self:tcp_socket create_stream_socket_perms; -+allow callweaver_t self:udp_socket create_socket_perms; ++fs_manage_cgroup_dirs(chrome_sandbox_t) ++fs_manage_cgroup_files(chrome_sandbox_t) ++fs_read_dos_files(chrome_sandbox_t) ++fs_read_hugetlbfs_files(chrome_sandbox_t) + -+kernel_read_sysctl(callweaver_t) -+kernel_read_kernel_sysctls(callweaver_t) ++corecmd_exec_bin(chrome_sandbox_t) + -+corenet_udp_bind_asterisk_port(callweaver_t) -+corenet_udp_bind_generic_port(callweaver_t) -+corenet_udp_bind_sip_port(callweaver_t) ++corenet_all_recvfrom_netlabel(chrome_sandbox_t) ++corenet_tcp_connect_asterisk_port(chrome_sandbox_t) ++corenet_tcp_connect_flash_port(chrome_sandbox_t) ++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) ++corenet_tcp_connect_rtsp_port(chrome_sandbox_t) ++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) ++corenet_tcp_connect_http_port(chrome_sandbox_t) ++corenet_tcp_connect_http_cache_port(chrome_sandbox_t) ++corenet_tcp_connect_msnp_port(chrome_sandbox_t) ++corenet_tcp_connect_squid_port(chrome_sandbox_t) ++corenet_tcp_connect_tor_port(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) ++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) ++corenet_tcp_connect_ipp_port(chrome_sandbox_t) ++corenet_tcp_connect_speech_port(chrome_sandbox_t) + -+dev_manage_generic_symlinks(callweaver_t) ++domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + -+domain_use_interactive_fds(callweaver_t) ++dev_read_urand(chrome_sandbox_t) ++dev_read_sysfs(chrome_sandbox_t) ++dev_rwx_zero(chrome_sandbox_t) ++dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t) + ++files_read_etc_files(chrome_sandbox_t) ++files_read_usr_files(chrome_sandbox_t) + -+term_getattr_pty_fs(callweaver_t) -+term_use_generic_ptys(callweaver_t) -+term_use_ptmx(callweaver_t) ++fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + -+auth_use_nsswitch(callweaver_t) ++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) 
++userdom_execute_user_tmpfs_files(chrome_sandbox_t) + -diff --git a/canna.fc b/canna.fc -index 5432d0e..f77df02 100644 ---- a/canna.fc -+++ b/canna.fc -@@ -20,4 +20,4 @@ - - /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) - /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) --/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) -+/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0) -diff --git a/canna.if b/canna.if -index 4a26b0c..00b64dc 100644 ---- a/canna.if -+++ b/canna.if -@@ -42,9 +42,13 @@ interface(`canna_admin',` - type canna_var_run_t, canna_initrc_exec_t; - ') - -- allow $1 canna_t:process { ptrace signal_perms }; -+ allow $1 canna_t:process signal_perms; - ps_process_pattern($1, canna_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 canna_t:process ptrace; -+ ') ++userdom_use_user_ptys(chrome_sandbox_t) ++userdom_write_inherited_user_tmp_files(chrome_sandbox_t) ++userdom_read_inherited_user_home_content_files(chrome_sandbox_t) ++userdom_dontaudit_use_user_terminals(chrome_sandbox_t) ++userdom_search_user_home_content(chrome_sandbox_t) ++# This one we should figure a way to make it more secure ++userdom_manage_home_certs(chrome_sandbox_t) + - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; -diff --git a/canna.te b/canna.te -index 1d25efe..910b94c 100644 ---- a/canna.te -+++ b/canna.te -@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms; - allow canna_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(canna_t, canna_log_t, canna_log_t) --allow canna_t canna_log_t:dir setattr; -+allow canna_t canna_log_t:dir setattr_dir_perms; - logging_log_filetrans(canna_t, canna_log_t, { file dir }) - - manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) -@@ -50,7 +50,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, 
{ dir file sock_file }) - kernel_read_kernel_sysctls(canna_t) - kernel_read_system_state(canna_t) - --corenet_all_recvfrom_unlabeled(canna_t) - corenet_all_recvfrom_netlabel(canna_t) - corenet_tcp_sendrecv_generic_if(canna_t) - corenet_tcp_sendrecv_generic_node(canna_t) -@@ -73,8 +72,6 @@ files_dontaudit_read_root_files(canna_t) - - logging_send_syslog_msg(canna_t) - --miscfiles_read_localization(canna_t) -- - sysnet_read_config(canna_t) - - userdom_dontaudit_use_unpriv_user_fds(canna_t) -diff --git a/ccs.fc b/ccs.fc -index 8a7177d..bc4f6e7 100644 ---- a/ccs.fc -+++ b/ccs.fc -@@ -2,5 +2,7 @@ - - /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) - -+/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) ++miscfiles_read_fonts(chrome_sandbox_t) + - /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) - /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) -diff --git a/ccs.te b/ccs.te -index 4c90b57..30265d4 100644 ---- a/ccs.te -+++ b/ccs.te -@@ -10,7 +10,7 @@ type ccs_exec_t; - init_daemon_domain(ccs_t, ccs_exec_t) - - type cluster_conf_t; --files_type(cluster_conf_t) -+files_config_file(cluster_conf_t) - - type ccs_tmp_t; - files_tmp_file(ccs_tmp_t) -@@ -34,7 +34,7 @@ files_pid_file(ccs_var_run_t) - - allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; - allow ccs_t self:process { signal setrlimit setsched }; --dontaudit ccs_t self:process ptrace; ++sysnet_dns_name_resolve(chrome_sandbox_t) + - allow ccs_t self:fifo_file rw_fifo_file_perms; - allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow ccs_t self:unix_dgram_socket create_socket_perms; -@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) - manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) - files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) - --allow ccs_t ccs_var_log_t:dir setattr; -+allow ccs_t ccs_var_log_t:dir setattr_dir_perms; - 
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) - manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) - logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -77,7 +77,6 @@ kernel_read_kernel_sysctls(ccs_t) - corecmd_list_bin(ccs_t) - corecmd_exec_bin(ccs_t) - --corenet_all_recvfrom_unlabeled(ccs_t) - corenet_all_recvfrom_netlabel(ccs_t) - corenet_tcp_sendrecv_generic_if(ccs_t) - corenet_udp_sendrecv_generic_if(ccs_t) -@@ -97,11 +96,10 @@ files_read_etc_files(ccs_t) - files_read_etc_runtime_files(ccs_t) - - init_rw_script_tmp_files(ccs_t) -+init_signal(ccs_t) - - logging_send_syslog_msg(ccs_t) - --miscfiles_read_localization(ccs_t) -- - sysnet_dns_name_resolve(ccs_t) - - userdom_manage_unpriv_user_shared_mem(ccs_t) -@@ -118,5 +116,10 @@ optional_policy(` - ') - - optional_policy(` -+ qpidd_rw_semaphores(ccs_t) -+ qpidd_rw_shm(ccs_t) ++optional_policy(` ++ gnome_rw_inherited_config(chrome_sandbox_t) ++ gnome_read_home_config(chrome_sandbox_t) +') + +optional_policy(` - unconfined_use_fds(ccs_t) - ') -diff --git a/cdrecord.te b/cdrecord.te -index 4626931..93e1495 100644 ---- a/cdrecord.te -+++ b/cdrecord.te -@@ -52,10 +52,8 @@ storage_write_scsi_generic(cdrecord_t) - - logging_send_syslog_msg(cdrecord_t) - --miscfiles_read_localization(cdrecord_t) -- - # write to the user domain tty. 
--userdom_use_user_terminals(cdrecord_t) -+userdom_use_inherited_user_terminals(cdrecord_t) - userdom_read_user_home_content_files(cdrecord_t) - - # Handle nfs home dirs -@@ -108,11 +106,7 @@ tunable_policy(`cdrecord_read_content',` - userdom_dontaudit_read_user_home_content_files(cdrecord_t) - ') - --tunable_policy(`use_nfs_home_dirs',` -- files_search_mnt(cdrecord_t) -- fs_read_nfs_files(cdrecord_t) -- fs_read_nfs_symlinks(cdrecord_t) --') -+userdom_home_manager(cdrecord_t) - - optional_policy(` - resmgr_stream_connect(cdrecord_t) -diff --git a/certmaster.if b/certmaster.if -index fa62787..4230c25 100644 ---- a/certmaster.if -+++ b/certmaster.if -@@ -116,19 +116,23 @@ interface(`certmaster_manage_log',` - interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -- type certmaster_etc_rw_t, certmaster_var_log_t; -- type certmaster_initrc_exec_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; - ') - -- allow $1 certmaster_t:process { ptrace signal_perms }; -+ allow $1 certmaster_t:process signal_perms; - ps_process_pattern($1, certmaster_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmaster_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) -+ - miscfiles_manage_generic_cert_dirs($1) - miscfiles_manage_generic_cert_files($1) - -diff --git a/certmaster.te b/certmaster.te -index 3384132..e40c81c 100644 ---- a/certmaster.te -+++ b/certmaster.te -@@ -53,19 +53,20 @@ files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) - # read meminfo - kernel_read_system_state(certmaster_t) - --corecmd_search_bin(certmaster_t) --corecmd_getattr_bin_files(certmaster_t) -+corecmd_exec_bin(certmaster_t) - - corenet_tcp_bind_generic_node(certmaster_t) - corenet_tcp_bind_certmaster_port(certmaster_t) - 
-+dev_read_urand(certmaster_t) -+ - files_search_etc(certmaster_t) -+files_read_usr_files(certmaster_t) - files_list_var(certmaster_t) - files_search_var_lib(certmaster_t) - - auth_use_nsswitch(certmaster_t) - --miscfiles_read_localization(certmaster_t) - - miscfiles_manage_generic_cert_dirs(certmaster_t) - miscfiles_manage_generic_cert_files(certmaster_t) -diff --git a/certmonger.fc b/certmonger.fc -index 5ad1a52..e66fcf6 100644 ---- a/certmonger.fc -+++ b/certmonger.fc -@@ -4,3 +4,5 @@ - - /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) - /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) -+ -+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0) -diff --git a/certmonger.if b/certmonger.if -index 7a6e5ba..7475aa5 100644 ---- a/certmonger.if -+++ b/certmonger.if -@@ -158,7 +158,11 @@ interface(`certmonger_admin',` - ') - - ps_process_pattern($1, certmonger_t) -- allow $1 certmonger_t:process { ptrace signal_perms }; -+ allow $1 certmonger_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmonger_t:process ptrace; -+ ') - - # Allow certmonger_t to restart the apache service - certmonger_initrc_domtrans($1) -@@ -166,9 +170,9 @@ interface(`certmonger_admin',` - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, certmonger_var_run_t) - ') -diff --git a/certmonger.te b/certmonger.te -index c3e3f79..89db900 100644 ---- a/certmonger.te -+++ b/certmonger.te -@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t) - type certmonger_var_lib_t; - files_type(certmonger_var_lib_t) - -+type certmonger_unconfined_exec_t; -+application_executable_file(certmonger_unconfined_exec_t) -+ - ######################################## - # - # certmonger local policy - # 
- --allow certmonger_t self:capability { kill sys_nice }; --allow certmonger_t self:process { getsched setsched sigkill }; -+allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; -+dontaudit certmonger_t self:capability sys_tty_config; -+allow certmonger_t self:capability2 block_suspend; -+ -+allow certmonger_t self:process { getsched setsched sigkill signal }; - allow certmonger_t self:fifo_file rw_file_perms; - allow certmonger_t self:unix_stream_socket create_stream_socket_perms; - allow certmonger_t self:tcp_socket create_stream_socket_perms; -@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) - manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) - files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) - -+kernel_read_kernel_sysctls(certmonger_t) -+kernel_read_system_state(certmonger_t) -+ -+corecmd_exec_bin(certmonger_t) -+corecmd_exec_shell(certmonger_t) -+ - corenet_tcp_sendrecv_generic_if(certmonger_t) - corenet_tcp_sendrecv_generic_node(certmonger_t) - corenet_tcp_sendrecv_all_ports(certmonger_t) - corenet_tcp_connect_certmaster_port(certmonger_t) -+corenet_tcp_connect_http_port(certmonger_t) -+corenet_tcp_connect_http_cache_port(certmonger_t) -+corenet_tcp_connect_pki_ca_port(certmonger_t) - - dev_read_urand(certmonger_t) - - domain_use_interactive_fds(certmonger_t) - --files_read_etc_files(certmonger_t) - files_read_usr_files(certmonger_t) - files_list_tmp(certmonger_t) - -+fs_search_cgroup_dirs(certmonger_t) -+ -+auth_use_nsswitch(certmonger_t) -+auth_rw_cache(certmonger_t) -+ -+init_getattr_all_script_files(certmonger_t) -+ - logging_send_syslog_msg(certmonger_t) - --miscfiles_read_localization(certmonger_t) - miscfiles_manage_generic_cert_files(certmonger_t) - --sysnet_dns_name_resolve(certmonger_t) -+systemd_exec_systemctl(certmonger_t) -+ -+userdom_search_user_home_content(certmonger_t) ++ 
mozilla_write_user_home_files(chrome_sandbox_t) ++') + +optional_policy(` -+ apache_search_config(certmonger_t) -+ apache_signal(certmonger_t) -+ apache_signull(certmonger_t) -+ apache_systemctl(certmonger_t) ++ xserver_use_user_fonts(chrome_sandbox_t) ++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) +') + -+optional_policy(` -+ bind_search_cache(certmonger_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(chrome_sandbox_t) ++ fs_exec_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_files(chrome_sandbox_t) ++ fs_rw_inherited_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_nfs_files(chrome_sandbox_t) +') - - optional_policy(` - dbus_system_bus_client(certmonger_t) -@@ -64,9 +97,46 @@ optional_policy(` - ') - - optional_policy(` -+ dirsrv_manage_config(certmonger_t) -+ dirsrv_signal(certmonger_t) -+ dirsrv_signull(certmonger_t) ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(chrome_sandbox_t) ++ fs_exec_cifs_files(chrome_sandbox_t) ++ fs_rw_inherited_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') + -+optional_policy(` - kerberos_use(certmonger_t) -+ kerberos_read_keytab(certmonger_t) - ') - - optional_policy(` -+ pcscd_read_pub_files(certmonger_t) - pcscd_stream_connect(certmonger_t) - ') ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(chrome_sandbox_t) ++ fs_read_fusefs_files(chrome_sandbox_t) ++ fs_exec_fusefs_files(chrome_sandbox_t) ++ fs_read_fusefs_symlinks(chrome_sandbox_t) ++') + +optional_policy(` -+ pki_rw_tomcat_cert(certmonger_t) ++ sandbox_use_ptys(chrome_sandbox_t) +') + ++ +######################################## +# -+# certmonger_unconfined_script_t local policy ++# chrome_sandbox_nacl local policy +# + -+optional_policy(` -+ type certmonger_unconfined_t; -+ domain_type(certmonger_unconfined_t) -+ -+ 
domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t) -+ role system_r types certmonger_unconfined_t; -+ -+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t) -+ -+ unconfined_domain(certmonger_unconfined_t) ++allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal }; + -+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; -+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; -+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl; ++allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; ++allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; ++allow chrome_sandbox_nacl_t self:shm create_shm_perms; ++allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read }; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read }; ++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write }; + -+ init_domtrans_script(certmonger_unconfined_t) ++allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; ++allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; + -+ unconfined_domain(certmonger_unconfined_t) -+') -diff --git a/certwatch.te b/certwatch.te -index e07cef5..55051ce 100644 ---- a/certwatch.te -+++ b/certwatch.te -@@ -27,15 +27,15 @@ files_list_tmp(certwatch_t) - fs_list_inotifyfs(certwatch_t) - - auth_manage_cache(certwatch_t) -+auth_read_passwd(certwatch_t) - auth_var_filetrans_cache(certwatch_t) - - logging_send_syslog_msg(certwatch_t) - - miscfiles_read_all_certs(certwatch_t) --miscfiles_read_localization(certwatch_t) - --userdom_use_user_terminals(certwatch_t) --userdom_dontaudit_list_user_home_dirs(certwatch_t) 
-+userdom_use_inherited_user_terminals(certwatch_t) -+userdom_dontaudit_list_admin_dir(certwatch_t) - - optional_policy(` - apache_exec_modules(certwatch_t) -diff --git a/cfengine.fc b/cfengine.fc -new file mode 100644 -index 0000000..4c52fa3 ---- /dev/null -+++ b/cfengine.fc -@@ -0,0 +1,12 @@ ++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) ++fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) + -+/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0) -+/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0) -+/usr/sbin/cf-monitord -- gen_context(system_u:object_r:cfengine_monitord_exec_t,s0) ++domain_use_interactive_fds(chrome_sandbox_nacl_t) + -+/etc/rc\.d/init\.d/cf-serverd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/cf-monitord -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) ++dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; + -+/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) -+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0) ++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) ++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) + -diff --git a/cfengine.if b/cfengine.if -new file mode 100644 -index 0000000..f3c23e9 ---- /dev/null -+++ b/cfengine.if -@@ -0,0 +1,146 @@ ++kernel_read_state(chrome_sandbox_nacl_t) ++kernel_read_system_state(chrome_sandbox_nacl_t) + -+## policy for cfengine ++corecmd_sbin_entry_type(chrome_sandbox_nacl_t) + -+###################################### -+## -+## Creates types and rules for a basic -+## cfengine init daemon domain. -+## -+## -+## -+## Prefix for the domain. 
-+## -+## -+# -+template(`cfengine_domain_template',` -+ gen_require(` -+ attribute cfengine_domain; -+ ') ++dev_read_urand(chrome_sandbox_nacl_t) ++dev_read_sysfs(chrome_sandbox_nacl_t) + -+ ############################## -+ # -+ # Declarations -+ # ++files_read_etc_files(chrome_sandbox_nacl_t) + -+ type cfengine_$1_t, cfengine_domain; -+ type cfengine_$1_exec_t; -+ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) ++init_read_state(chrome_sandbox_nacl_t) + -+ kernel_read_system_state(cfengine_$1_t) ++userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) ++userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) ++userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) ++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) ++userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t) + -+ logging_send_syslog_msg(cfengine_$1_t) ++optional_policy(` ++ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t) ++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') +diff --git a/chronyd.fc b/chronyd.fc +index 4e4143e..a665b32 100644 +--- a/chronyd.fc ++++ b/chronyd.fc +@@ -2,6 +2,8 @@ + + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) + -+######################################## -+## -+## Transition to cfengine. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`cfengine_domtrans_server',` + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) + + /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) +diff --git a/chronyd.if b/chronyd.if +index 32e8265..0de4af3 100644 +--- a/chronyd.if ++++ b/chronyd.if +@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',` + + ######################################## + ## +-## Connect to chronyd using a unix +-## domain stream socket. ++## Read chronyd keys files. 
+ ## + ## + ## +@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',` + ## + ## + # +-interface(`chronyd_stream_connect',` ++interface(`chronyd_read_keys',` + gen_require(` +- type chronyd_t, chronyd_var_run_t; ++ type chronyd_keys_t; + ') + +- files_search_pids($1) +- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) + ') + + ######################################## + ## +-## Send to chronyd using a unix domain +-## datagram socket. ++## Append chronyd keys files. + ## + ## + ## +@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',` + ## + ## + # +-interface(`chronyd_dgram_send',` ++interface(`chronyd_append_keys',` + gen_require(` -+ type cfengine_server_t, cfengine_server_exec_t; ++ type chronyd_keys_t; + ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t) -+') -+ -+####################################### -+## -+## Search cfengine lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cfengine_search_lib_files',` -+ gen_require(` -+ type cfengine_var_lib_t; -+ ') -+ -+ allow $1 cfengine_var_lib_t:dir search_dir_perms; ++ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + +######################################## +## -+## Read cfengine lib files. ++## Execute chronyd server in the chronyd domain. +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`cfengine_read_lib_files',` ++interface(`chronyd_systemctl',` + gen_require(` -+ type cfengine_var_lib_t; ++ type chronyd_t; ++ type chronyd_unit_file_t; + ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) -+') -+ -+###################################### -+## -+## Allow the specified domain to read cfengine's log files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cfengine_read_log',` -+ gen_require(` -+ type cfengine_var_log_t; -+ ') ++ systemd_exec_systemctl($1) ++ allow $1 chronyd_unit_file_t:file read_file_perms; ++ allow $1 chronyd_unit_file_t:service manage_service_perms; + -+ logging_search_logs($1) -+ files_search_var_lib($1) -+ cfengine_search_lib_files($1) -+ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t) ++ ps_process_pattern($1, chronyd_t) +') + -+##################################### ++####################################### +## -+## Allow the specified domain to append cfengine's log files. ++## Connect to chronyd using a unix ++## domain stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`cfengine_append_inherited_log',` -+ gen_require(` -+ type cfengine_var_log_t; -+ ') -+ -+ cfengine_search_lib_files($1) -+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; ++interface(`chronyd_stream_connect',` + gen_require(` + type chronyd_t, chronyd_var_run_t; + ') + + files_search_pids($1) +- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + ') + + ######################################## + ## +-## Read chronyd key files. ++## Send to chronyd using a unix domain ++## datagram socket. 
+ ## + ## + ## +@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',` + ## + ## + # +-interface(`chronyd_read_key_files',` ++interface(`chronyd_dgram_send',` + gen_require(` +- type chronyd_keys_t; ++ type chronyd_t, chronyd_var_run_t; + ') + +- files_search_etc($1) +- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ++ files_search_pids($1) ++ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + ') + + #################################### +@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',` + # + interface(`chronyd_admin',` + gen_require(` +- type chronyd_t, chronyd_var_log_t; +- type chronyd_var_run_t, chronyd_var_lib_t; +- type chronyd_initrc_exec_t, chronyd_keys_t; ++ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; ++ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; ++ type chronyd_keys_t, chronyd_unit_file_t; + ') + +- allow $1 chronyd_t:process { ptrace signal_perms }; ++ allow $1 chronyd_t:process signal_perms; + ps_process_pattern($1, chronyd_t) + +- chronyd_initrc_domtrans($1) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 chronyd_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 chronyd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) ++ files_list_etc($1) + admin_pattern($1, chronyd_keys_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, chronyd_var_log_t) + +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, chronyd_var_lib_t) + +- files_search_pids($1) ++ files_list_pids($1) + admin_pattern($1, chronyd_var_run_t) ++ ++ admin_pattern($1, chronyd_tmpfs_t) ++ ++ admin_pattern($1, chronyd_unit_file_t) ++ chronyd_systemctl($1) ++ allow $1 chronyd_unit_file_t:service all_service_perms; + ') +diff --git a/chronyd.te b/chronyd.te +index 914ee2d..dac9e4c 100644 +--- a/chronyd.te ++++ b/chronyd.te +@@ -18,6 +18,9 @@ files_type(chronyd_keys_t) + 
type chronyd_tmpfs_t; + files_tmpfs_file(chronyd_tmpfs_t) + ++type chronyd_unit_file_t; ++systemd_unit_file(chronyd_unit_file_t) ++ + type chronyd_var_lib_t; + files_type(chronyd_var_lib_t) + +@@ -35,6 +38,8 @@ files_pid_file(chronyd_var_run_t) + allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; + allow chronyd_t self:process { getcap setcap setrlimit signal }; + allow chronyd_t self:shm create_shm_perms; ++allow chronyd_t self:udp_socket create_socket_perms; ++allow chronyd_t self:unix_dgram_socket create_socket_perms; + allow chronyd_t self:fifo_file rw_fifo_file_perms; + + allow chronyd_t chronyd_keys_t:file read_file_perms; +@@ -82,7 +87,7 @@ auth_use_nsswitch(chronyd_t) + + logging_send_syslog_msg(chronyd_t) + +-miscfiles_read_localization(chronyd_t) ++mta_send_mail(chronyd_t) + + optional_policy(` + gpsd_rw_shm(chronyd_t) +diff --git a/cipe.te b/cipe.te +index 28c8475..a53162d 100644 +--- a/cipe.te ++++ b/cipe.te +@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) + corecmd_exec_shell(ciped_t) + corecmd_exec_bin(ciped_t) + +-corenet_all_recvfrom_unlabeled(ciped_t) + corenet_all_recvfrom_netlabel(ciped_t) + corenet_udp_sendrecv_generic_if(ciped_t) + corenet_udp_sendrecv_generic_node(ciped_t) +@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t) + + logging_send_syslog_msg(ciped_t) + +-miscfiles_read_localization(ciped_t) +- + sysnet_read_config(ciped_t) + + userdom_dontaudit_use_unpriv_user_fds(ciped_t) +diff --git a/clamav.fc b/clamav.fc +index d72afcc..c53b80d 100644 +--- a/clamav.fc ++++ b/clamav.fc +@@ -6,6 +6,8 @@ + /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) + /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + ++/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0) ++ + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) + /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + +diff --git 
a/clamav.if b/clamav.if +index 4cc4a5c..99c5cca 100644 +--- a/clamav.if ++++ b/clamav.if +@@ -1,4 +1,4 @@ +-## ClamAV Virus Scanner. ++## ClamAV Virus Scanner + + ######################################## + ## +@@ -15,14 +15,12 @@ interface(`clamav_domtrans',` + type clamd_t, clamd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, clamd_exec_t, clamd_t) + ') + + ######################################## + ## +-## Connect to clamd using a unix +-## domain stream socket. ++## Connect to run clamd. + ## + ## + ## +@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',` + + ######################################## + ## +-## Append clamav log files. ++## Allow the specified domain to append ++## to clamav log files. + ## + ## + ## +@@ -61,27 +60,6 @@ interface(`clamav_append_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## clamav pid content. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`clamav_manage_pid_content',` +- gen_require(` +- type clamd_var_run_t; +- ') +- +- files_search_pids($1) +- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) +- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) +-') +- +-######################################## +-## + ## Read clamav configuration files. + ## + ## +@@ -101,7 +79,7 @@ interface(`clamav_read_config',` + + ######################################## + ## +-## Search clamav library directories. ++## Search clamav libraries directories. + ## + ## + ## +@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',` + type clamscan_t, clamscan_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, clamscan_exec_t, clamscan_t) + ') + + ######################################## + ## +-## Execute clamscan in the caller domain. ++## Execute clamscan without a transition. 
+ ## + ## + ## +@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',` + type clamscan_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, clamscan_exec_t) + ') + +-####################################### ++######################################## + ## +-## Read clamd process state files. ++## Manage clamd pid content. + ## + ## + ## +@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',` + ## + ## + # +-interface(`clamav_read_state_clamd',` ++interface(`clamav_manage_clamd_pid',` + gen_require(` +- type clamd_t; ++ type clamd_var_run_t; + ') + +- kernel_search_proc($1) +- allow $1 clamd_t:dir list_dir_perms; +- read_files_pattern($1, clamd_t, clamd_t) +- read_lnk_files_pattern($1, clamd_t, clamd_t) ++ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) ++ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) +') + -+#################################### ++####################################### +## -+## Dontaudit the specified domain to write cfengine's log files. ++## Read clamd state files. +## +## +## 
@@ -8483,674 +10046,751 @@ index 0000000..f3c23e9 +## +## +# -+interface(`cfengine_dontaudit_write_log',` ++interface(`clamav_read_state_clamd',` + gen_require(` -+ type cfengine_var_log_t; ++ type clamd_t; + ') + -+ dontaudit $1 cfengine_var_log_t:file write; ++ kernel_search_proc($1) ++ ps_process_pattern($1, clamd_t) +') -diff --git a/cfengine.te b/cfengine.te -new file mode 100644 -index 0000000..5b123e1 ---- /dev/null -+++ b/cfengine.te -@@ -0,0 +1,94 @@ -+policy_module(cfengine, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+attribute cfengine_domain; -+ -+cfengine_domain_template(serverd) -+cfengine_domain_template(execd) -+cfengine_domain_template(monitord) -+ -+type cfengine_initrc_exec_t; -+init_script_file(cfengine_initrc_exec_t) -+ -+type cfengine_var_lib_t; -+files_type(cfengine_var_lib_t) -+ -+type cfengine_var_log_t; -+logging_log_file(cfengine_var_log_t) + +####################################### ++## ++## Execute clamd server in the clamd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## +# -+# cfengine domain local policy -+# -+ -+allow cfengine_domain self:fifo_file rw_fifo_file_perms; -+allow cfengine_domain self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) -+files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file }) -+ -+manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) -+manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) -+logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file }) -+ -+corecmd_exec_bin(cfengine_domain) -+corecmd_exec_shell(cfengine_domain) -+ -+dev_read_urand(cfengine_domain) -+dev_read_sysfs(cfengine_domain) ++interface(`clamd_systemctl',` ++ gen_require(` ++ type clamd_t; ++ type clamd_unit_file_t; ++ ') + -+sysnet_dns_name_resolve(cfengine_domain) -+sysnet_domtrans_ifconfig(cfengine_domain) ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 clamd_unit_file_t:file read_file_perms; ++ allow $1 clamd_unit_file_t:service manage_service_perms; + -+files_read_etc_files(cfengine_domain) ++ ps_process_pattern($1, clamd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an clamav environment. ++## All of the rules required to administrate ++## an clamav environment + ## + ## + ## +@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the clamav domain. 
+ ## + ## + ## +@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',` + interface(`clamav_admin',` + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; +- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; +- type clamd_var_run_t, clamscan_t, clamscan_tmp_t; ++ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; ++ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; + type freshclam_t, freshclam_var_log_t; ++ type clamd_unit_file_t; + ') + +- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) ++ allow $1 clamd_t:process signal_perms; ++ ps_process_pattern($1, clamd_t) + -+######################################## -+# -+# cfengine-server local policy -+# ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 clamd_t:process ptrace; ++ allow $1 clamscan_t:process ptrace; ++ allow $1 freshclam_t:process ptrace; ++ ') + -+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_serverd_t self:process { fork setfscreate signal }; ++ allow $1 clamscan_t:process signal_perms; ++ ps_process_pattern($1, clamscan_t) + -+domain_use_interactive_fds(cfengine_serverd_t) ++ allow $1 freshclam_t:process signal_perms; ++ ps_process_pattern($1, freshclam_t) + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + ++ clamd_systemctl($1) ++ admin_pattern($1, clamd_unit_file_t) ++ allow $1 clamd_unit_file_t:service all_service_perms; + -+auth_use_nsswitch(cfengine_serverd_t) + files_list_etc($1) + admin_pattern($1, clamd_etc_t) + +@@ -217,11 +251,21 @@ interface(`clamav_admin',` + admin_pattern($1, clamd_var_lib_t) + + logging_list_logs($1) +- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) ++ admin_pattern($1, clamd_var_log_t) + + files_list_pids($1) + admin_pattern($1, clamd_var_run_t) + + files_list_tmp($1) +- 
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) ++ admin_pattern($1, clamd_tmp_t) + -+######################################## -+# -+# cfengine_exec local policy -+# ++ admin_pattern($1, clamscan_tmp_t) + -+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_execd_t self:process { fork setfscreate signal }; ++ admin_pattern($1, freshclam_var_log_t) + -+kernel_read_sysctl(cfengine_execd_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + -+domain_read_all_domains_state(cfengine_execd_t) -+domain_use_interactive_fds(cfengine_execd_t) + ') +diff --git a/clamav.te b/clamav.te +index 8e1fef9..725029f 100644 +--- a/clamav.te ++++ b/clamav.te +@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) + type clamd_initrc_exec_t; + init_script_file(clamd_initrc_exec_t) + ++type clamd_unit_file_t; ++systemd_unit_file(clamd_unit_file_t) + -+auth_use_nsswitch(cfengine_execd_t) + type clamd_tmp_t; + files_tmp_file(clamd_tmp_t) + +@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t) + allow clamd_t self:capability { kill setgid setuid dac_override }; + dontaudit clamd_t self:capability sys_tty_config; + allow clamd_t self:process signal; + -+######################################## -+# -+# cfengine_monitord local policy -+# + allow clamd_t self:fifo_file rw_fifo_file_perms; + allow clamd_t self:unix_stream_socket { accept connectto listen }; + allow clamd_t self:tcp_socket { listen accept }; +@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t) + + corecmd_exec_shell(clamd_t) + +-corenet_all_recvfrom_unlabeled(clamd_t) + corenet_all_recvfrom_netlabel(clamd_t) + corenet_tcp_sendrecv_generic_if(clamd_t) + corenet_tcp_sendrecv_generic_node(clamd_t) +@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t) + + corenet_sendrecv_generic_client_packets(clamd_t) + corenet_tcp_connect_generic_port(clamd_t) ++corenet_tcp_connect_clamd_port(clamd_t) + + 
corenet_sendrecv_clamd_server_packets(clamd_t) + corenet_tcp_bind_clamd_port(clamd_t) +@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t) + + logging_send_syslog_msg(clamd_t) + +-miscfiles_read_localization(clamd_t) +- +-tunable_policy(`clamd_use_jit',` +- allow clamd_t self:process execmem; +-',` +- dontaudit clamd_t self:process execmem; +-') +- + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) ++ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file }) + amavis_create_pid_files(clamd_t) + ') + +@@ -165,6 +161,31 @@ optional_policy(` + mta_send_mail(clamd_t) + ') + ++optional_policy(` ++ spamd_stream_connect(clamd_t) ++ spamassassin_read_pid_files(clamd_t) ++') + -+allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_monitord_t self:process { fork setfscreate signal }; ++tunable_policy(`clamd_use_jit',` ++ allow clamd_t self:process execmem; ++ allow clamscan_t self:process execmem; ++',` ++ dontaudit clamd_t self:process execmem; ++ dontaudit clamscan_t self:process execmem; ++') + -+kernel_read_hotplug_sysctls(cfengine_monitord_t) -+kernel_read_network_state(cfengine_monitord_t) ++optional_policy(` ++ antivirus_domain_template(clamd_t) ++') + -+domain_read_all_domains_state(cfengine_monitord_t) -+domain_use_interactive_fds(cfengine_monitord_t) ++optional_policy(` ++ antivirus_domain_template(clamscan_t) ++') + -+fs_getattr_xattr_fs(cfengine_monitord_t) ++optional_policy(` ++ antivirus_domain_template(freshclam_t) ++') + -+auth_use_nsswitch(cfengine_monitord_t) -diff --git a/cgroup.fc b/cgroup.fc -index b6bb46c..9a2bf65 100644 ---- a/cgroup.fc -+++ b/cgroup.fc -@@ -11,5 +11,9 @@ - /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) - /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + ######################################## + # + # Freshclam local policy +@@ -228,7 
+249,6 @@ auth_use_nsswitch(freshclam_t) --/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) -+/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) -+/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) -+/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) -+ -+/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0) - /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) -diff --git a/cgroup.if b/cgroup.if -index 33facaf..11700ae 100644 ---- a/cgroup.if -+++ b/cgroup.if -@@ -171,15 +171,27 @@ interface(`cgroup_admin',` - type cgrules_etc_t, cgclear_t; - ') + logging_send_syslog_msg(freshclam_t) -- allow $1 cgclear_t:process { ptrace signal_perms }; -+ allow $1 cgclear_t:process signal_perms; - ps_process_pattern($1, cgclear_t) +-miscfiles_read_localization(freshclam_t) -- allow $1 cgconfig_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgclear_t:process ptrace; -+ ') -+ -+ allow $1 cgconfig_t:process signal_perms; - ps_process_pattern($1, cgconfig_t) + tunable_policy(`clamd_use_jit',` + allow freshclam_t self:process execmem; +@@ -244,6 +264,14 @@ optional_policy(` + cron_system_entry(freshclam_t, freshclam_exec_t) + ') -- allow $1 cgred_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgconfig_t:process ptrace; -+ ') ++optional_policy(` ++ clamd_systemctl(freshclam_t) ++') + -+ allow $1 cgred_t:process signal_perms; - ps_process_pattern($1, cgred_t) ++optional_policy(` ++ cron_system_entry(freshclam_t, freshclam_exec_t) ++') ++ + ######################################## + # + # Clamscam local policy +@@ -275,7 +303,12 @@ kernel_dontaudit_list_proc(clamscan_t) + kernel_read_kernel_sysctls(clamscan_t) + kernel_read_system_state(clamscan_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgred_t:process ptrace; -+ ') +-corenet_all_recvfrom_unlabeled(clamscan_t) 
++read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) ++allow clamscan_t clamd_var_run_t:dir list_dir_perms; + - admin_pattern($1, cgconfig_etc_t) - admin_pattern($1, cgrules_etc_t) - files_list_etc($1) -diff --git a/cgroup.te b/cgroup.te -index 806191a..d962a82 100644 ---- a/cgroup.te -+++ b/cgroup.te -@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) - type cgrules_etc_t; - files_config_file(cgrules_etc_t) ++kernel_dontaudit_list_proc(clamscan_t) ++kernel_read_system_state(clamscan_t) ++ + corenet_all_recvfrom_netlabel(clamscan_t) + corenet_tcp_sendrecv_generic_if(clamscan_t) + corenet_tcp_sendrecv_generic_node(clamscan_t) +@@ -286,14 +319,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) --type cgconfig_t; --type cgconfig_exec_t; -+type cgconfig_t alias cgconfigparser_t; -+type cgconfig_exec_t alias cgconfigparser_exec_t; - init_daemon_domain(cgconfig_t, cgconfig_exec_t) + corecmd_read_all_executables(clamscan_t) - type cgconfig_initrc_exec_t; -@@ -42,8 +42,12 @@ files_config_file(cgconfig_etc_t) +-files_read_etc_files(clamscan_t) + files_read_etc_runtime_files(clamscan_t) + files_search_var_lib(clamscan_t) - allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + init_read_utmp(clamscan_t) + init_dontaudit_write_utmp(clamscan_t) -+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) -+ - kernel_read_system_state(cgclear_t) +-miscfiles_read_localization(clamscan_t) + miscfiles_read_public_files(clamscan_t) -+auth_use_nsswitch(cgclear_t) -+ - domain_setpriority_all_domains(cgclear_t) + sysnet_dns_name_resolve(clamscan_t) +@@ -310,10 +341,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` + ') - fs_manage_cgroup_dirs(cgclear_t) -@@ -64,7 +68,6 @@ kernel_list_unlabeled(cgconfig_t) - kernel_read_system_state(cgconfig_t) + optional_policy(` +- amavis_read_spool_files(clamscan_t) +-') +- +-optional_policy(` + apache_read_sys_content(clamscan_t) + ') - # /etc/nsswitch.conf, /etc/passwd 
--files_read_etc_files(cgconfig_t) +diff --git a/clockspeed.te b/clockspeed.te +index b59c592..c21a405 100644 +--- a/clockspeed.te ++++ b/clockspeed.te +@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; - fs_manage_cgroup_dirs(cgconfig_t) - fs_manage_cgroup_files(cgconfig_t) -@@ -72,12 +75,15 @@ fs_mount_cgroup(cgconfig_t) - fs_mounton_cgroup(cgconfig_t) - fs_unmount_cgroup(cgconfig_t) + read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) -+auth_use_nsswitch(cgconfig_t) -+ - ######################################## - # - # cgred personal policy. - # +-corenet_all_recvfrom_unlabeled(clockspeed_cli_t) + corenet_all_recvfrom_netlabel(clockspeed_cli_t) + corenet_udp_sendrecv_generic_if(clockspeed_cli_t) + corenet_udp_sendrecv_generic_node(clockspeed_cli_t) +@@ -40,9 +39,8 @@ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) + files_list_var_lib(clockspeed_cli_t) + files_read_etc_files(clockspeed_cli_t) --allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; -+ - allow cgred_t self:netlink_socket { write bind create read }; - allow cgred_t self:unix_dgram_socket { write create connect }; +-miscfiles_read_localization(clockspeed_cli_t) -@@ -86,12 +92,16 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) +-userdom_use_user_terminals(clockspeed_cli_t) ++userdom_use_inherited_user_terminals(clockspeed_cli_t) - allow cgred_t cgrules_etc_t:file read_file_perms; + ######################################## + # +@@ -57,7 +55,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; + manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) -+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t) -+logging_log_filetrans(cgred_t, cgred_log_t, file) -+ - # rc script 
creates pid file - manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) - manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) - files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) +-corenet_all_recvfrom_unlabeled(clockspeed_srv_t) + corenet_all_recvfrom_netlabel(clockspeed_srv_t) + corenet_udp_sendrecv_generic_if(clockspeed_srv_t) + corenet_udp_sendrecv_generic_node(clockspeed_srv_t) +@@ -70,7 +67,6 @@ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) + files_list_var_lib(clockspeed_srv_t) + files_read_etc_files(clockspeed_srv_t) - kernel_read_system_state(cgred_t) -+kernel_read_all_sysctls(cgred_t) +-miscfiles_read_localization(clockspeed_srv_t) - domain_read_all_domains_state(cgred_t) - domain_setpriority_all_domains(cgred_t) -@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t) - files_getattr_all_sockets(cgred_t) - files_read_all_symlinks(cgred_t) - # /etc/group --files_read_etc_files(cgred_t) + optional_policy(` + daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) +diff --git a/clogd.te b/clogd.te +index 29782b8..c614d47 100644 +--- a/clogd.te ++++ b/clogd.te +@@ -41,8 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) - fs_write_cgroup_files(cgred_t) + logging_send_syslog_msg(clogd_t) --logging_send_syslog_msg(cgred_t) -+auth_use_nsswitch(cgred_t) - --miscfiles_read_localization(cgred_t) -+logging_send_syslog_msg(cgred_t) -diff --git a/chrome.fc b/chrome.fc +-miscfiles_read_localization(clogd_t) +- + optional_policy(` + aisexec_stream_connect(clogd_t) + corosync_stream_connect(clogd_t) +diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..88107d7 +index 0000000..8a40857 
--- /dev/null -+++ b/chrome.fc -@@ -0,0 +1,6 @@ -+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++++ b/cloudform.fc +@@ -0,0 +1,22 @@ ++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + -+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) ++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) ++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) + -+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) -+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) -diff --git a/chrome.if b/chrome.if ++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) ++ ++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) ++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) ++ ++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) ++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) ++/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) ++ ++/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) ++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) ++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) +diff --git a/cloudform.if b/cloudform.if new file mode 100644 -index 0000000..efebae7 +index 0000000..8ac848b 
--- /dev/null -+++ b/chrome.if -@@ -0,0 +1,134 @@ -+ -+## policy for chrome ++++ b/cloudform.if +@@ -0,0 +1,42 @@ ++## cloudform policy + -+######################################## -+## -+## Execute a domain transition to run chrome_sandbox. -+## -+## ++####################################### +## -+## Domain allowed to transition. ++## Creates types and rules for a basic ++## cloudform daemon domain. +## ++## ++## ++## Prefix for the domain. ++## +## +# -+interface(`chrome_domtrans_sandbox',` -+ gen_require(` -+ type chrome_sandbox_t, chrome_sandbox_exec_t; -+ ') -+ -+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) -+ ps_process_pattern(chrome_sandbox_t, $1) ++template(`cloudform_domain_template',` ++ gen_require(` ++ attribute cloudform_domain; ++ ') + -+ allow $1 chrome_sandbox_t:fd use; ++ type $1_t, cloudform_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) + -+ ifdef(`hide_broken_symptoms',` -+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) -+ ') ++ kernel_read_system_state($1_t) +') + -+ -+######################################## ++###################################### +## -+## Execute chrome_sandbox in the chrome_sandbox domain, and -+## allow the specified role the chrome_sandbox domain. ++## Execute mongod in the caller domain. +## +## +## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the chrome_sandbox domain. ++## Domain allowed access. 
+## +## +# -+interface(`chrome_run_sandbox',` -+ gen_require(` -+ type chrome_sandbox_t; -+ type chrome_sandbox_nacl_t; -+ ') ++interface(`cloudform_exec_mongod',` ++ gen_require(` ++ type mongod_exec_t; ++ ') + -+ chrome_domtrans_sandbox($1) -+ role $2 types chrome_sandbox_t; -+ role $2 types chrome_sandbox_nacl_t; ++ can_exec($1, mongod_exec_t) +') -+ +diff --git a/cloudform.te b/cloudform.te +new file mode 100644 +index 0000000..def8328 +--- /dev/null ++++ b/cloudform.te +@@ -0,0 +1,195 @@ ++policy_module(cloudform, 1.0) +######################################## -+## -+## Role access for chrome sandbox -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## +# -+interface(`chrome_role_notrans',` -+ gen_require(` -+ type chrome_sandbox_t; -+ type chrome_sandbox_tmpfs_t; -+ type chrome_sandbox_nacl_t; -+ ') ++# Declarations ++# + -+ role $1 types chrome_sandbox_t; -+ role $1 types chrome_sandbox_nacl_t; ++attribute cloudform_domain; + -+ ps_process_pattern($2, chrome_sandbox_t) -+ allow $2 chrome_sandbox_t:process signal_perms; ++cloudform_domain_template(deltacloudd) ++cloudform_domain_template(iwhd) ++cloudform_domain_template(mongod) + -+ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; -+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; -+ allow chrome_sandbox_t $2:unix_stream_socket { getattr read write }; -+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; -+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; -+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; -+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; ++type deltacloudd_log_t; ++logging_log_file(deltacloudd_log_t) + -+ allow $2 chrome_sandbox_t:shm rw_shm_perms; ++type deltacloudd_var_run_t; ++files_pid_file(deltacloudd_var_run_t) + -+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; -+') ++type deltacloudd_tmp_t; ++files_tmp_file(deltacloudd_tmp_t) + 
-+######################################## -+## -+## Role access for chrome sandbox -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`chrome_role',` -+ chrome_role_notrans($1, $2) -+ chrome_domtrans_sandbox($2) -+') ++type iwhd_initrc_exec_t; ++init_script_file(iwhd_initrc_exec_t) + -+######################################## -+## -+## Dontaudit read/write to a chrome_sandbox leaks -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`chrome_dontaudit_sandbox_leaks',` -+ gen_require(` -+ type chrome_sandbox_t; -+ ') ++type iwhd_var_lib_t; ++files_type(iwhd_var_lib_t) + -+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; -+') -diff --git a/chrome.te b/chrome.te -new file mode 100644 -index 0000000..32ff486 ---- /dev/null -+++ b/chrome.te -@@ -0,0 +1,195 @@ -+policy_module(chrome,1.0.0) ++type iwhd_var_run_t; ++files_pid_file(iwhd_var_run_t) ++ ++type mongod_initrc_exec_t; ++init_script_file(mongod_initrc_exec_t) ++ ++type mongod_log_t; ++logging_log_file(mongod_log_t) ++ ++type mongod_var_lib_t; ++files_type(mongod_var_lib_t) ++ ++type mongod_tmp_t; ++files_tmp_file(mongod_tmp_t) ++ ++type mongod_var_run_t; ++files_pid_file(mongod_var_run_t) ++ ++type iwhd_log_t; ++logging_log_file(iwhd_log_t) + +######################################## +# -+# Declarations ++# cloudform_domain local policy +# + -+type chrome_sandbox_t; -+type chrome_sandbox_exec_t; -+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) -+role system_r types chrome_sandbox_t; -+ubac_constrained(chrome_sandbox_t) ++allow cloudform_domain self:fifo_file rw_fifo_file_perms; ++allow cloudform_domain self:tcp_socket create_stream_socket_perms; + -+type chrome_sandbox_tmp_t; -+files_tmp_file(chrome_sandbox_tmp_t) ++dev_read_rand(cloudform_domain) ++dev_read_urand(cloudform_domain) ++dev_read_sysfs(cloudform_domain) + -+type chrome_sandbox_tmpfs_t; -+files_tmpfs_file(chrome_sandbox_tmpfs_t) 
-+ubac_constrained(chrome_sandbox_tmpfs_t) ++auth_read_passwd(cloudform_domain) + -+type chrome_sandbox_nacl_t; -+type chrome_sandbox_nacl_exec_t; -+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) -+role system_r types chrome_sandbox_nacl_t; -+ubac_constrained(chrome_sandbox_nacl_t) ++miscfiles_read_certs(cloudform_domain) + +######################################## +# -+# chrome_sandbox local policy ++# deltacloudd local policy +# -+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; -+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; -+allow chrome_sandbox_t self:process setsched; -+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; -+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow chrome_sandbox_t self:shm create_shm_perms; -+allow chrome_sandbox_t self:sem create_sem_perms; -+allow chrome_sandbox_t self:msgq create_msgq_perms; -+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; -+dontaudit chrome_sandbox_t self:memprotect mmap_zero; -+ -+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) -+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) -+ -+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) + -+kernel_read_system_state(chrome_sandbox_t) -+kernel_read_kernel_sysctls(chrome_sandbox_t) ++allow deltacloudd_t self:capability { dac_override setuid setgid }; + -+fs_manage_cgroup_dirs(chrome_sandbox_t) -+fs_manage_cgroup_files(chrome_sandbox_t) -+fs_read_dos_files(chrome_sandbox_t) -+fs_read_hugetlbfs_files(chrome_sandbox_t) ++allow deltacloudd_t 
self:netlink_route_socket r_netlink_socket_perms; ++allow deltacloudd_t self:udp_socket create_socket_perms; + -+corecmd_exec_bin(chrome_sandbox_t) ++allow deltacloudd_t self:process signal; + -+corenet_all_recvfrom_netlabel(chrome_sandbox_t) -+corenet_tcp_connect_asterisk_port(chrome_sandbox_t) -+corenet_tcp_connect_flash_port(chrome_sandbox_t) -+corenet_tcp_connect_streaming_port(chrome_sandbox_t) -+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) -+corenet_tcp_connect_http_port(chrome_sandbox_t) -+corenet_tcp_connect_http_cache_port(chrome_sandbox_t) -+corenet_tcp_connect_msnp_port(chrome_sandbox_t) -+corenet_tcp_connect_squid_port(chrome_sandbox_t) -+corenet_tcp_connect_tor_socks_port(chrome_sandbox_t) -+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) -+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) -+corenet_tcp_connect_ipp_port(chrome_sandbox_t) -+corenet_tcp_connect_speech_port(chrome_sandbox_t) ++allow deltacloudd_t self:fifo_file rw_fifo_file_perms; ++allow deltacloudd_t self:tcp_socket create_stream_socket_perms; ++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms; + -+domain_dontaudit_read_all_domains_state(chrome_sandbox_t) ++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) ++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) ++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir }) + -+dev_read_urand(chrome_sandbox_t) -+dev_read_sysfs(chrome_sandbox_t) -+dev_rwx_zero(chrome_sandbox_t) -+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t) ++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) ++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) ++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) ++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir }) + -+files_read_etc_files(chrome_sandbox_t) -+files_read_usr_files(chrome_sandbox_t) 
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) ++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) ++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir }) + -+fs_dontaudit_getattr_all_fs(chrome_sandbox_t) ++kernel_read_kernel_sysctls(deltacloudd_t) ++kernel_read_system_state(deltacloudd_t) + -+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) -+userdom_execute_user_tmpfs_files(chrome_sandbox_t) ++corecmd_exec_bin(deltacloudd_t) + -+userdom_use_user_ptys(chrome_sandbox_t) -+userdom_write_inherited_user_tmp_files(chrome_sandbox_t) -+userdom_read_inherited_user_home_content_files(chrome_sandbox_t) -+userdom_dontaudit_use_user_terminals(chrome_sandbox_t) -+userdom_search_user_home_content(chrome_sandbox_t) -+# This one we should figure a way to make it more secure -+userdom_manage_home_certs(chrome_sandbox_t) ++corenet_tcp_bind_generic_node(deltacloudd_t) ++corenet_tcp_bind_generic_port(deltacloudd_t) ++corenet_tcp_connect_http_port(deltacloudd_t) ++corenet_tcp_connect_keystone_port(deltacloudd_t) + -+miscfiles_read_fonts(chrome_sandbox_t) ++auth_use_nsswitch(deltacloudd_t) + -+sysnet_dns_name_resolve(chrome_sandbox_t) ++logging_send_syslog_msg(deltacloudd_t) + +optional_policy(` -+ gnome_rw_inherited_config(chrome_sandbox_t) -+ gnome_read_home_config(chrome_sandbox_t) ++ sysnet_read_config(deltacloudd_t) +') + -+optional_policy(` -+ mozilla_write_user_home_files(chrome_sandbox_t) -+') ++######################################## ++# ++# iwhd local policy ++# + -+optional_policy(` -+ xserver_use_user_fonts(chrome_sandbox_t) -+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) -+') ++allow iwhd_t self:capability { chown kill }; ++allow iwhd_t self:process { fork }; + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs(chrome_sandbox_t) -+ fs_exec_nfs_files(chrome_sandbox_t) -+ fs_read_nfs_files(chrome_sandbox_t) -+ 
fs_rw_inherited_nfs_files(chrome_sandbox_t) -+ fs_read_nfs_symlinks(chrome_sandbox_t) -+ fs_dontaudit_append_nfs_files(chrome_sandbox_t) -+') ++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms; ++allow iwhd_t self:unix_stream_socket create_stream_socket_perms; + -+tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(chrome_sandbox_t) -+ fs_exec_cifs_files(chrome_sandbox_t) -+ fs_rw_inherited_cifs_files(chrome_sandbox_t) -+ fs_read_cifs_files(chrome_sandbox_t) -+ fs_read_cifs_symlinks(chrome_sandbox_t) -+ fs_dontaudit_append_cifs_files(chrome_sandbox_t) -+') ++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) ++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) + -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_search_fusefs(chrome_sandbox_t) -+ fs_read_fusefs_files(chrome_sandbox_t) -+ fs_exec_fusefs_files(chrome_sandbox_t) -+ fs_read_fusefs_symlinks(chrome_sandbox_t) -+') ++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t) ++logging_log_filetrans(iwhd_t, iwhd_log_t, { file }) + -+optional_policy(` -+ sandbox_use_ptys(chrome_sandbox_t) -+') ++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) ++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) ++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file }) ++ ++kernel_read_system_state(iwhd_t) ++ ++corenet_tcp_bind_generic_node(iwhd_t) ++corenet_tcp_bind_websm_port(iwhd_t) ++corenet_tcp_connect_all_ports(iwhd_t) + ++dev_read_rand(iwhd_t) ++dev_read_urand(iwhd_t) ++ ++userdom_home_manager(iwhd_t) + +######################################## +# -+# chrome_sandbox_nacl local policy ++# mongod local policy +# + -+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal }; -+ -+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; -+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; -+allow chrome_sandbox_nacl_t self:shm create_shm_perms; -+allow chrome_sandbox_nacl_t self:unix_dgram_socket { 
create_socket_perms sendto }; -+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read }; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read }; -+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write }; ++allow mongod_t self:process { execmem setsched signal }; + -+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; -+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; ++allow mongod_t self:netlink_route_socket r_netlink_socket_perms; ++allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++allow mongod_t self:udp_socket create_socket_perms; + -+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) ++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) ++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log") ++logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log") + -+domain_use_interactive_fds(chrome_sandbox_nacl_t) ++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) + -+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; ++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) + -+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) -+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) ++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_files_pattern(mongod_t, mongod_var_run_t, 
mongod_var_run_t) ++#needed by dbomatic ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) + -+kernel_read_state(chrome_sandbox_nacl_t) -+kernel_read_system_state(chrome_sandbox_nacl_t) ++corecmd_exec_bin(mongod_t) ++corecmd_exec_shell(mongod_t) + -+corecmd_sbin_entry_type(chrome_sandbox_nacl_t) ++corenet_tcp_bind_generic_node(mongod_t) ++corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_postgresql_port(mongod_t) + -+dev_read_urand(chrome_sandbox_nacl_t) -+dev_read_sysfs(chrome_sandbox_nacl_t) ++kernel_read_vm_sysctls(mongod_t) ++kernel_read_system_state(mongod_t) + -+files_read_etc_files(chrome_sandbox_nacl_t) ++fs_getattr_all_fs(mongod_t) + -+init_read_state(chrome_sandbox_nacl_t) ++optional_policy(` ++ mysql_stream_connect(mongod_t) ++') + -+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) -+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) -+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t) ++optional_policy(` ++ postgresql_stream_connect(mongod_t) ++') + +optional_policy(` -+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) ++ sysnet_dns_name_resolve(mongod_t) +') -diff --git a/chronyd.fc b/chronyd.fc -index fd8cd0b..f33885f 100644 ---- a/chronyd.fc -+++ b/chronyd.fc -@@ -2,8 +2,12 @@ - - /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) +diff --git a/cmirrord.if b/cmirrord.if +index cc4e7cb..f348d27 100644 +--- a/cmirrord.if ++++ b/cmirrord.if +@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',` + type cmirrord_t, cmirrord_tmpfs_t; + ') -+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) -+ - /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) +- allow $1 cmirrord_t:shm rw_shm_perms; ++ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; - /var/lib/chrony(/.*)? 
gen_context(system_u:object_r:chronyd_var_lib_t,s0) - /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) - /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) -+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) -+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) -diff --git a/chronyd.if b/chronyd.if -index 9a0da94..113eae2 100644 ---- a/chronyd.if -+++ b/chronyd.if -@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` - domtrans_pattern($1, chronyd_exec_t, chronyd_t) + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) ') +@@ -103,9 +104,13 @@ interface(`cmirrord_admin',` + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') -+######################################## -+## -+## Execute chronyd server in the chronyd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`chronyd_initrc_domtrans',` -+ gen_require(` -+ type chronyd_initrc_exec_t; +- allow $1 cmirrord_t:process { ptrace signal_perms }; ++ allow $1 cmirrord_t:process signal_perms; + ps_process_pattern($1, cmirrord_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cmirrord_t:process ptrace; + ') + -+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t) -+') -+ - #################################### - ## - ## Execute chronyd -@@ -56,6 +74,125 @@ interface(`chronyd_read_log',` - read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) - ') - -+######################################## -+## -+## Read and write chronyd shared memory. 
-+## + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; +diff --git a/cmirrord.te b/cmirrord.te +index d8e9958..0046a69 100644 +--- a/cmirrord.te ++++ b/cmirrord.te +@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + domain_use_interactive_fds(cmirrord_t) + domain_obj_id_change_exemption(cmirrord_t) + +-files_read_etc_files(cmirrord_t) +- + storage_create_fixed_disk_dev(cmirrord_t) + + seutil_read_file_contexts(cmirrord_t) + + logging_send_syslog_msg(cmirrord_t) + +-miscfiles_read_localization(cmirrord_t) +- + optional_policy(` + corosync_stream_connect(cmirrord_t) + ') +diff --git a/cobbler.if b/cobbler.if +index c223f81..1f3d0b7 100644 +--- a/cobbler.if ++++ b/cobbler.if +@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) + ') + ++ ++ ++######################################## ++## ++## Read cobbler configuration dirs. ++## +## +## +## Domain allowed access. +## +## +# -+interface(`chronyd_rw_shm',` ++interface(`cobbler_list_config',` + gen_require(` -+ type chronyd_t, chronyd_tmpfs_t; ++ type cobbler_etc_t; + ') + -+ allow $1 chronyd_t:shm rw_shm_perms; -+ allow $1 chronyd_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) -+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) -+ fs_search_tmpfs($1) ++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) ++ files_search_etc($1) ++') ++ ++ + ######################################## + ## + ## Read cobbler configuration files. 
+diff --git a/cobbler.te b/cobbler.te +index 2a71346..30c75af 100644 +--- a/cobbler.te ++++ b/cobbler.te +@@ -193,12 +193,11 @@ optional_policy(` + + optional_policy(` + rsync_read_config(cobblerd_t) +- rsync_manage_config_files(cobblerd_t) ++ rsync_manage_config(cobblerd_t) + rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") + ') + + optional_policy(` +- tftp_manage_config_files(cobblerd_t) +- tftp_etc_filetrans_config(cobblerd_t, file, "tftp") ++ tftp_manage_config(cobblerd_t) + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) + ') +diff --git a/collectd.fc b/collectd.fc +index 79a3abe..2e7d7ed 100644 +--- a/collectd.fc ++++ b/collectd.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) ++ + /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) + + /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) +diff --git a/collectd.if b/collectd.if +index 954309e..f4db2ca 100644 +--- a/collectd.if ++++ b/collectd.if +@@ -2,8 +2,144 @@ + + ######################################## + ## +-## All of the rules required to +-## administrate an collectd environment. ++## Transition to collectd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`collectd_domtrans',` ++ gen_require(` ++ type collectd_t, collectd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, collectd_exec_t, collectd_t) +') + +######################################## +## -+## Read chronyd keys files. ++## Execute collectd server in the collectd domain. +## +## +## 
@@ -9158,17 +10798,17 @@ index 9a0da94..113eae2 100644 +## +## +# -+interface(`chronyd_read_keys',` ++interface(`collectd_initrc_domtrans',` + gen_require(` -+ type chronyd_keys_t; ++ type collectd_initrc_exec_t; + ') + -+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ++ init_labeled_script_domtrans($1, collectd_initrc_exec_t) +') + +######################################## +## -+## Append chronyd keys files. ++## Search collectd lib directories. +## +## +## @@ -9176,40 +10816,37 @@ index 9a0da94..113eae2 100644 +## +## +# -+interface(`chronyd_append_keys',` ++interface(`collectd_search_lib',` + gen_require(` -+ type chronyd_keys_t; ++ type collectd_var_lib_t; + ') + -+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ++ allow $1 collectd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') + +######################################## +## -+## Execute chronyd server in the chronyd domain. ++## Read collectd lib files. +## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`chronyd_systemctl',` ++interface(`collectd_read_lib_files',` + gen_require(` -+ type chronyd_t; -+ type chronyd_unit_file_t; ++ type collectd_var_lib_t; + ') + -+ systemd_exec_systemctl($1) -+ allow $1 chronyd_unit_file_t:file read_file_perms; -+ allow $1 chronyd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, chronyd_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) +') + +######################################## +## -+## Connect to chronyd over a unix stream socket. ++## Manage collectd lib files. +## +## +## 
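Review bot: The summary added for `collectd_initrc_domtrans` reads `Execute collectd server in the collectd domain.`, but its body is `init_labeled_script_domtrans($1, collectd_initrc_exec_t)`, which runs the init script under the initrc domain and never enters collectd_t; the direct transition is `collectd_domtrans` in the preceding hunk, whose summary already says `Transition to collectd.`. The generated interface documentation is what policy authors read when deciding which interface to grant, so I would change the comment line to `## Execute collectd init scripts in the initrc domain.` (the usual refpolicy wording for `*_initrc_domtrans`). The same phrase is reused for `collectd_systemctl` in the last hunk of this patch, where what is actually granted is `systemd_exec_systemctl` plus `manage_service_perms` on `collectd_unit_file_t`, so that summary should likewise describe unit-file/service management rather than a domain transition. These lines are nested inside the `policy-rawhide-contrib.patch` hunk, so the fix is to the `+## ` line of the inner patch.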
@@ -9217,19 +10854,18 @@ index 9a0da94..113eae2 100644 +## +## +# -+interface(`chronyd_stream_connect',` ++interface(`collectd_manage_lib_files',` + gen_require(` -+ type chronyd_t, chronyd_var_run_t; ++ type collectd_var_lib_t; + ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) +') + +######################################## +## -+## Send to chronyd over a unix domain -+## datagram socket. ++## Manage collectd lib directories. +## +## +## 
@@ -9237,712 +10873,577 @@ index 9a0da94..113eae2 100644 +## +## +# -+interface(`chronyd_dgram_send',` ++interface(`collectd_manage_lib_dirs',` + gen_require(` -+ type chronyd_t; ++ type collectd_var_lib_t; + ') + -+ allow $1 chronyd_t:unix_dgram_socket sendto; ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t) +') + - #################################### - ## - ## All of the rules required to administrate -@@ -75,31 +212,38 @@ interface(`chronyd_read_log',` - # - interface(`chronyd_admin',` ++######################################## ++## ++## Execute collectd server in the collectd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`collectd_systemctl',` ++ gen_require(` ++ type collectd_t; ++ type collectd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 collectd_unit_file_t:file read_file_perms; ++ allow $1 collectd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, collectd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an collectd environment + ## + ## + ## +@@ -20,13 +156,17 @@ + interface(`collectd_admin',` gen_require(` -- type chronyd_t, chronyd_var_log_t; -- type chronyd_var_run_t, chronyd_var_lib_t; -- type chronyd_initrc_exec_t, chronyd_keys_t; -+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; -+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; -+ type chronyd_keys_t, chronyd_unit_file_t; + type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; +- type collectd_var_lib_t; ++ type collectd_var_lib_t, collectd_unit_file_t; ') -- allow $1 chronyd_t:process { ptrace signal_perms }; -+ allow $1 chronyd_t:process signal_perms; - ps_process_pattern($1, chronyd_t) +- allow $1 collectd_t:process { ptrace signal_perms }; ++ allow $1 collectd_t:process signal_perms; + ps_process_pattern($1, collectd_t) +- init_labeled_script_domtrans($1, collectd_initrc_exec_t) + 
tunable_policy(`deny_ptrace',`',` -+ allow $1 chronyd_t:process ptrace; ++ allow $1 collectd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) ++ collectd_initrc_domtrans($1) domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; + role_transition $2 collectd_initrc_exec_t system_r; allow $2 system_r; +@@ -36,4 +176,9 @@ interface(`collectd_admin',` -- files_search_etc($1) -+ files_list_etc($1) - admin_pattern($1, chronyd_keys_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, chronyd_var_log_t) - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, chronyd_var_run_t) - -- files_search_tmp($1) -- admin_pattern($1, chronyd_tmp_t) -+ admin_pattern($1, chronyd_tmpfs_t) + files_search_var_lib($1) + admin_pattern($1, collectd_var_lib_t) + -+ admin_pattern($1, chronyd_unit_file_t) -+ chronyd_systemctl($1) -+ allow $1 chronyd_unit_file_t:service all_service_perms; ++ collectd_systemctl($1) ++ admin_pattern($1, collectd_unit_file_t) ++ allow $1 collectd_unit_file_t:service all_service_perms; ') -diff --git a/chronyd.te b/chronyd.te -index fa82327..ab88d78 100644 ---- a/chronyd.te -+++ b/chronyd.te -@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t) - type chronyd_keys_t; - files_type(chronyd_keys_t) - -+type chronyd_tmpfs_t; -+files_tmpfs_file(chronyd_tmpfs_t) -+ -+type chronyd_unit_file_t; -+systemd_unit_file(chronyd_unit_file_t) -+ - type chronyd_var_lib_t; - files_type(chronyd_var_lib_t) - -@@ -30,13 +36,18 @@ files_pid_file(chronyd_var_run_t) - # - - allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; --allow chronyd_t self:process { getcap setcap setrlimit }; -+allow chronyd_t self:process { getcap setcap setrlimit signal }; - allow chronyd_t self:shm create_shm_perms; - allow chronyd_t self:udp_socket 
create_socket_perms; - allow chronyd_t self:unix_dgram_socket create_socket_perms; -+allow chronyd_t self:fifo_file rw_fifo_file_perms; - - allow chronyd_t chronyd_keys_t:file read_file_perms; - -+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) + - manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) - manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) - manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir }) +diff --git a/collectd.te b/collectd.te +index 6471fa8..4704562 100644 +--- a/collectd.te ++++ b/collectd.te +@@ -26,6 +26,9 @@ files_type(collectd_var_lib_t) + type collectd_var_run_t; + files_pid_file(collectd_var_run_t) - manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) - manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) --files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) -+manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -+files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) -+ -+kernel_read_system_state(chronyd_t) -+kernel_read_network_state(chronyd_t) ++type collectd_unit_file_t; ++systemd_unit_file(collectd_unit_file_t) + -+corecmd_exec_shell(chronyd_t) - -+corenet_udp_bind_generic_node(chronyd_t) - corenet_udp_bind_ntp_port(chronyd_t) - # bind to udp/323 - corenet_udp_bind_chronyd_port(chronyd_t) -@@ -61,7 +79,7 @@ auth_use_nsswitch(chronyd_t) - - logging_send_syslog_msg(chronyd_t) + apache_content_template(collectd) --miscfiles_read_localization(chronyd_t) -+mta_send_mail(chronyd_t) - - optional_policy(` - gpsd_rw_shm(chronyd_t) -diff --git a/cipe.te b/cipe.te -index 8e1ef38..08b238c 100644 ---- a/cipe.te -+++ b/cipe.te -@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t) - 
corecmd_exec_shell(ciped_t) - corecmd_exec_bin(ciped_t) + ######################################## +@@ -57,13 +60,9 @@ dev_read_sysfs(collectd_t) + dev_read_urand(collectd_t) --corenet_all_recvfrom_unlabeled(ciped_t) - corenet_all_recvfrom_netlabel(ciped_t) - corenet_udp_sendrecv_generic_if(ciped_t) - corenet_udp_sendrecv_generic_node(ciped_t) -@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t) + files_getattr_all_dirs(collectd_t) +-files_read_etc_files(collectd_t) +-files_read_usr_files(collectd_t) - logging_send_syslog_msg(ciped_t) + fs_getattr_all_fs(collectd_t) --miscfiles_read_localization(ciped_t) +-miscfiles_read_localization(collectd_t) - - sysnet_read_config(ciped_t) - - userdom_dontaudit_use_unpriv_user_fds(ciped_t) -diff --git a/clamav.fc b/clamav.fc -index e8e9a21..9c47777 100644 ---- a/clamav.fc -+++ b/clamav.fc -@@ -1,5 +1,5 @@ - /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) --/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) + logging_send_syslog_msg(collectd_t) - /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) -@@ -8,9 +8,13 @@ - /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) - /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + sysnet_dns_name_resolve(collectd_t) +@@ -88,3 +87,4 @@ optional_policy(` + list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) + ') ++ +diff --git a/colord.fc b/colord.fc +index 717ea0b..22e0385 100644 +--- a/colord.fc ++++ b/colord.fc +@@ -4,5 +4,7 @@ + /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) + /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) -+/usr/lib/systemd/system/clamd.* -- 
gen_context(system_u:object_r:clamd_unit_file_t,s0) ++/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) + - /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) - /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -+/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0) - /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) - /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) - /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) - /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -diff --git a/clamav.if b/clamav.if -index bbac14a..99c5cca 100644 ---- a/clamav.if -+++ b/clamav.if -@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` - type clamd_t, clamd_var_run_t; + /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) + /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) +diff --git a/colord.if b/colord.if +index 8e27a37..fa2c3cb 100644 +--- a/colord.if ++++ b/colord.if +@@ -1,4 +1,4 @@ +-## GNOME color manager. ++## GNOME color manager + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`colord_domtrans',` + type colord_t, colord_exec_t; ') -+ files_search_pids($1) - stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) +- corecmd_search_bin($1) + domtrans_pattern($1, colord_exec_t, colord_t) ') -@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',` - - ######################################## - ## -+## Manage clamd pid content. +@@ -58,3 +57,26 @@ interface(`colord_read_lib_files',` + files_search_var_lib($1) + read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) + ') ++ ++######################################## ++## ++## Execute colord server in the colord domain. +## +## +## -+## Domain allowed access. 
++## Domain allowed to transition. +## +## +# -+interface(`clamav_manage_clamd_pid',` ++interface(`colord_systemctl',` + gen_require(` -+ type clamd_var_run_t; ++ type colord_t; ++ type colord_unit_file_t; + ') + -+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) -+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) -+') -+ -+####################################### -+## -+## Read clamd state files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clamav_read_state_clamd',` -+ gen_require(` -+ type clamd_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, clamd_t) -+') -+ -+####################################### -+## -+## Execute clamd server in the clamd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`clamd_systemctl',` -+ gen_require(` -+ type clamd_t; -+ type clamd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 clamd_unit_file_t:file read_file_perms; -+ allow $1 clamd_unit_file_t:service manage_service_perms; ++ systemd_exec_systemctl($1) ++ allow $1 colord_unit_file_t:file read_file_perms; ++ allow $1 colord_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, clamd_t) ++ ps_process_pattern($1, colord_t) +') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an clamav environment - ## -@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',` - interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; -- type clamd_var_log_t, clamd_var_lib_t; -- type clamd_var_run_t, clamscan_t, clamscan_tmp_t; -- type clamd_initrc_exec_t; -+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; -+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; - type freshclam_t, freshclam_var_log_t; -+ type clamd_unit_file_t; - ') +diff --git a/colord.te b/colord.te +index 09f18e2..5c8bb84 100644 +--- a/colord.te ++++ b/colord.te +@@ -8,6 +8,7 @@ 
policy_module(colord, 1.0.2) + type colord_t; + type colord_exec_t; + dbus_system_domain(colord_t, colord_exec_t) ++init_daemon_domain(colord_t, colord_exec_t) -- allow $1 clamd_t:process { ptrace signal_perms }; -+ allow $1 clamd_t:process signal_perms; - ps_process_pattern($1, clamd_t) + type colord_tmp_t; + files_tmp_file(colord_tmp_t) +@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t) + type colord_var_lib_t; + files_type(colord_var_lib_t) -- allow $1 clamscan_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 clamd_t:process ptrace; -+ allow $1 clamscan_t:process ptrace; -+ allow $1 freshclam_t:process ptrace; -+ ') ++type colord_unit_file_t; ++systemd_unit_file(colord_unit_file_t) + -+ allow $1 clamscan_t:process signal_perms; - ps_process_pattern($1, clamscan_t) - -- allow $1 freshclam_t:process { ptrace signal_perms }; -+ allow $1 freshclam_t:process signal_perms; - ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) -@@ -171,6 +240,10 @@ interface(`clamav_admin',` - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - -+ clamd_systemctl($1) -+ admin_pattern($1, clamd_unit_file_t) -+ allow $1 clamd_unit_file_t:service all_service_perms; + ######################################## + # + # Local policy +@@ -26,10 +30,13 @@ files_type(colord_var_lib_t) + allow colord_t self:capability { dac_read_search dac_override }; + dontaudit colord_t self:capability sys_admin; + allow colord_t self:process signal; + - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - -@@ -189,4 +262,10 @@ interface(`clamav_admin',` - admin_pattern($1, clamscan_tmp_t) + allow colord_t self:fifo_file rw_fifo_file_perms; + allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +-allow colord_t self:tcp_socket { accept listen }; ++allow colord_t self:tcp_socket create_stream_socket_perms; + allow colord_t self:shm create_shm_perms; ++allow colord_t self:udp_socket 
create_socket_perms; ++allow colord_t self:unix_dgram_socket create_socket_perms; - admin_pattern($1, freshclam_var_log_t) -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+ - ') -diff --git a/clamav.te b/clamav.te -index a10350e..a28f16e 100644 ---- a/clamav.te -+++ b/clamav.te -@@ -1,9 +1,23 @@ - policy_module(clamav, 1.10.0) + manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) + manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) +@@ -74,9 +81,8 @@ dev_read_video_dev(colord_t) + dev_write_video_dev(colord_t) + dev_rw_printer(colord_t) + dev_read_rand(colord_t) +-dev_read_sysfs(colord_t) + dev_read_urand(colord_t) +-dev_list_sysfs(colord_t) ++dev_read_sysfs(colord_t) + dev_rw_generic_usb_dev(colord_t) - ## --##

    --## Allow clamd to use JIT compiler --##

    -+##

    -+## Allow clamscan to read user content -+##

    -+##
    -+gen_tunable(clamscan_read_user_content, false) -+ -+## -+##

    -+## Allow clamscan to non security files on a system -+##

    -+##
    -+gen_tunable(clamscan_can_scan_system, false) -+ -+## -+##

    -+## Allow clamd to use JIT compiler -+##

    - ##
    - gen_tunable(clamd_use_jit, false) + domain_use_interactive_fds(colord_t) +@@ -84,8 +90,9 @@ domain_use_interactive_fds(colord_t) + files_list_mnt(colord_t) + files_read_usr_files(colord_t) -@@ -24,6 +38,9 @@ files_config_file(clamd_etc_t) - type clamd_initrc_exec_t; - init_script_file(clamd_initrc_exec_t) ++fs_search_all(colord_t) + fs_getattr_noxattr_fs(colord_t) +-fs_getattr_tmpfs(colord_t) ++fs_dontaudit_getattr_all_fs(colord_t) + fs_list_noxattr_fs(colord_t) + fs_read_noxattr_fs_files(colord_t) + fs_search_all(colord_t) +@@ -100,7 +107,11 @@ auth_use_nsswitch(colord_t) -+type clamd_unit_file_t; -+systemd_unit_file(clamd_unit_file_t) -+ - # tmp files - type clamd_tmp_t; - files_tmp_file(clamd_tmp_t) -@@ -64,6 +81,8 @@ logging_log_file(freshclam_var_log_t) + logging_send_syslog_msg(colord_t) - allow clamd_t self:capability { kill setgid setuid dac_override }; - dontaudit clamd_t self:capability sys_tty_config; -+allow clamd_t self:process signal; +-miscfiles_read_localization(colord_t) ++fs_getattr_tmpfs(colord_t) ++userdom_rw_user_tmpfs_files(colord_t) + - allow clamd_t self:fifo_file rw_fifo_file_perms; - allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -80,6 +99,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) - files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) - - # var/lib files for clamd -+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) - -@@ -89,9 +109,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) - logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) - - # pid file -+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) - manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) - manage_sock_files_pattern(clamd_t, clamd_var_run_t, 
clamd_var_run_t) --files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir }) -+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir }) - - kernel_dontaudit_list_proc(clamd_t) - kernel_read_sysctl(clamd_t) -@@ -100,7 +121,6 @@ kernel_read_system_state(clamd_t) - - corecmd_exec_shell(clamd_t) - --corenet_all_recvfrom_unlabeled(clamd_t) - corenet_all_recvfrom_netlabel(clamd_t) - corenet_tcp_sendrecv_generic_if(clamd_t) - corenet_tcp_sendrecv_generic_node(clamd_t) -@@ -110,6 +130,7 @@ corenet_tcp_bind_generic_node(clamd_t) - corenet_tcp_bind_clamd_port(clamd_t) - corenet_tcp_bind_generic_port(clamd_t) - corenet_tcp_connect_generic_port(clamd_t) -+corenet_tcp_connect_clamd_port(clamd_t) - corenet_sendrecv_clamd_server_packets(clamd_t) - - dev_read_rand(clamd_t) -@@ -117,7 +138,6 @@ dev_read_urand(clamd_t) - - domain_use_interactive_fds(clamd_t) - --files_read_etc_files(clamd_t) - files_read_etc_runtime_files(clamd_t) - files_search_spool(clamd_t) - -@@ -125,30 +145,51 @@ auth_use_nsswitch(clamd_t) - - logging_send_syslog_msg(clamd_t) ++userdom_home_reader(colord_t) ++userdom_read_inherited_user_home_content_files(colord_t) --miscfiles_read_localization(clamd_t) -- --cron_use_fds(clamd_t) --cron_use_system_job_fds(clamd_t) --cron_rw_pipes(clamd_t) -- --mta_read_config(clamd_t) --mta_send_mail(clamd_t) -- - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) -- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) -+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file }) - amavis_create_pid_files(clamd_t) + tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(colord_t) +@@ -120,6 +131,12 @@ optional_policy(` ') optional_policy(` -+ cron_use_fds(clamd_t) -+ cron_use_system_job_fds(clamd_t) -+ cron_rw_pipes(clamd_t) ++ gnome_read_home_icc_data_content(colord_t) ++ # Fixes lots of breakage in F16 on upgrade ++ gnome_read_generic_data_home_files(colord_t) +') + +optional_policy(` - 
exim_read_spool_files(clamd_t) + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) +@@ -133,3 +150,13 @@ optional_policy(` + optional_policy(` + udev_read_db(colord_t) ') - -+optional_policy(` -+ mta_read_config(clamd_t) -+ mta_send_mail(clamd_t) -+') -+ -+optional_policy(` -+ spamd_stream_connect(clamd_t) -+ spamassassin_read_pid_files(clamd_t) -+') -+ - tunable_policy(`clamd_use_jit',` - allow clamd_t self:process execmem; --', ` -+ allow clamscan_t self:process execmem; -+',` - dontaudit clamd_t self:process execmem; -+ dontaudit clamscan_t self:process execmem; -+') + +optional_policy(` -+ antivirus_domain_template(clamd_t) ++ xserver_dbus_chat_xdm(colord_t) ++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc ++ xserver_read_inherited_xdm_lib_files(colord_t) +') + +optional_policy(` -+ antivirus_domain_template(clamscan_t) ++ zoneminder_rw_tmpfs_files(colord_t) +') -+ -+optional_policy(` -+ antivirus_domain_template(freshclam_t) - ') - - ######################################## -@@ -178,17 +219,27 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) - - # log files (own logfiles only) - manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) --allow freshclam_t freshclam_var_log_t:dir setattr; --allow freshclam_t clamd_var_log_t:dir search_dir_perms; -+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms; -+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) - logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +diff --git a/comsat.te b/comsat.te +index 3f6e4dc..88c4f19 100644 +--- a/comsat.te ++++ b/comsat.te +@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) + kernel_read_network_state(comsat_t) + kernel_read_system_state(comsat_t) --corenet_all_recvfrom_unlabeled(freshclam_t) -+kernel_dontaudit_list_proc(freshclam_t) -+kernel_read_kernel_sysctls(freshclam_t) -+kernel_read_network_state(freshclam_t) 
-+kernel_read_system_state(freshclam_t) -+ -+corecmd_exec_shell(freshclam_t) -+corecmd_exec_bin(freshclam_t) ++corenet_all_recvfrom_netlabel(comsat_t) ++corenet_tcp_sendrecv_generic_if(comsat_t) ++corenet_udp_sendrecv_generic_if(comsat_t) ++corenet_tcp_sendrecv_generic_node(comsat_t) ++corenet_udp_sendrecv_generic_node(comsat_t) ++corenet_udp_sendrecv_all_ports(comsat_t) + - corenet_all_recvfrom_netlabel(freshclam_t) - corenet_tcp_sendrecv_generic_if(freshclam_t) - corenet_tcp_sendrecv_generic_node(freshclam_t) - corenet_tcp_sendrecv_all_ports(freshclam_t) - corenet_tcp_sendrecv_clamd_port(freshclam_t) - corenet_tcp_connect_http_port(freshclam_t) -+corenet_tcp_connect_http_cache_port(freshclam_t) -+corenet_tcp_connect_clamd_port(freshclam_t) -+corenet_tcp_connect_squid_port(freshclam_t) - corenet_sendrecv_http_client_packets(freshclam_t) + dev_read_urand(comsat_t) - dev_read_rand(freshclam_t) -@@ -196,27 +247,32 @@ dev_read_urand(freshclam_t) - - domain_use_interactive_fds(freshclam_t) - --files_read_etc_files(freshclam_t) -+files_search_var_lib(freshclam_t) - files_read_etc_runtime_files(freshclam_t) -+files_read_usr_files(freshclam_t) - - auth_use_nsswitch(freshclam_t) + fs_getattr_xattr_fs(comsat_t) +@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t) - logging_send_syslog_msg(freshclam_t) + logging_send_syslog_msg(comsat_t) --miscfiles_read_localization(freshclam_t) +-miscfiles_read_localization(comsat_t) - - clamav_stream_connect(freshclam_t) - --optional_policy(` -- cron_system_entry(freshclam_t, freshclam_exec_t) --') -+userdom_stream_connect(freshclam_t) + userdom_dontaudit_getattr_user_ttys(comsat_t) - tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; --', ` -+',` - dontaudit freshclam_t self:process execmem; - ') + mta_getattr_spool(comsat_t) +diff --git a/condor.fc b/condor.fc +index 23dc348..7cc536b 100644 +--- a/condor.fc ++++ b/condor.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/condor -- 
gen_context(system_u:object_r:condor_initrc_exec_t,s0) ++/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) -+optional_policy(` -+ clamd_systemctl(freshclam_t) -+') + /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) + /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) +diff --git a/condor.if b/condor.if +index 3fe3cb8..684b700 100644 +--- a/condor.if ++++ b/condor.if +@@ -1,81 +1,392 @@ +-## High-Throughput Computing System. + -+optional_policy(` -+ cron_system_entry(freshclam_t, freshclam_exec_t) ++## policy for condor ++ ++##################################### ++## ++## Creates types and rules for a basic ++## condor init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`condor_domain_template',` ++ gen_require(` ++ type condor_master_t; ++ attribute condor_domain; ++ ') ++ ++ ############################# ++ # ++ # Declarations ++ # ++ ++ type condor_$1_t, condor_domain; ++ type condor_$1_exec_t; ++ init_daemon_domain(condor_$1_t, condor_$1_exec_t) ++ role system_r types condor_$1_t; ++ ++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) ++ allow condor_master_t condor_$1_exec_t:file ioctl; ++ ++ kernel_read_system_state(condor_$1_t) ++ ++ corenet_all_recvfrom_netlabel(condor_$1_t) ++ corenet_all_recvfrom_unlabeled(condor_$1_t) ++ ++ auth_use_nsswitch(condor_$1_t) ++ ++ logging_send_syslog_msg(condor_$1_t) +') + - ######################################## - # - # clamscam local policy -@@ -242,15 +298,39 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) - manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) - allow clamscan_t clamd_var_lib_t:dir list_dir_perms; ++######################################## ++## ++## Transition to condor. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`condor_domtrans',` ++ gen_require(` ++ type condor_t, condor_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, condor_exec_t, condor_t) ++') --corenet_all_recvfrom_unlabeled(clamscan_t) -+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) -+allow clamscan_t clamd_var_run_t:dir list_dir_perms; + ####################################### + ## +-## The template to define a condor domain. ++## Allows to start userland processes ++## by transitioning to the specified domain, ++## with a range transition. ++## ++## ++## ++## The process type entered by condor_startd. ++## ++## ++## ++## ++## The executable type for the entrypoint. ++## ++## ++## ++## ++## Range for the domain. ++## ++## ++# ++interface(`condor_startd_ranged_domtrans_to',` ++ gen_require(` ++ type sshd_t; ++ ') ++ condor_startd_domtrans_to($1, $2) + -+kernel_dontaudit_list_proc(clamscan_t) -+kernel_read_system_state(clamscan_t) + - corenet_all_recvfrom_netlabel(clamscan_t) - corenet_tcp_sendrecv_generic_if(clamscan_t) - corenet_tcp_sendrecv_generic_node(clamscan_t) - corenet_tcp_sendrecv_all_ports(clamscan_t) - corenet_tcp_sendrecv_clamd_port(clamscan_t) -+corenet_tcp_bind_generic_node(clamscan_t) - corenet_tcp_connect_clamd_port(clamscan_t) - -+corecmd_read_all_executables(clamscan_t) ++ ifdef(`enable_mcs',` ++ range_transition condor_startd_t $2:process $3; ++ ') + -+tunable_policy(`clamscan_read_user_content',` -+ userdom_read_user_home_content_files(clamscan_t) -+ userdom_dontaudit_read_user_home_content_files(clamscan_t) +') + -+tunable_policy(`clamscan_can_scan_system',` -+ files_read_non_security_files(clamscan_t) -+ files_getattr_all_pipes(clamscan_t) -+ files_getattr_all_sockets(clamscan_t) ++####################################### ++## ++## Allows to start userlandprocesses ++## by transitioning to the specified domain. ++## ++## ++## ++## The process type entered by condor_startd. 
++## ++## ++## ++## ++## The executable type for the entrypoint. ++## ++## ++# ++interface(`condor_startd_domtrans_to',` ++ gen_require(` ++ type condor_startd_t; ++ ') + -+ files_read_non_security_files(clamd_t) -+ files_getattr_all_pipes(clamd_t) -+ files_getattr_all_sockets(clamd_t) ++ domtrans_pattern(condor_startd_t, $2, $1) +') + - kernel_read_kernel_sysctls(clamscan_t) -+kernel_read_system_state(clamscan_t) ++######################################## ++## ++## Read condor's log files. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Domain allowed access. + ## + ## ++## + # +-template(`condor_domain_template',` ++interface(`condor_read_log',` + gen_require(` +- attribute condor_domain; +- type condor_master_t; ++ type condor_log_t; + ') - files_read_etc_files(clamscan_t) - files_read_etc_runtime_files(clamscan_t) -@@ -259,15 +339,15 @@ files_search_var_lib(clamscan_t) - init_read_utmp(clamscan_t) - init_dontaudit_write_utmp(clamscan_t) +- ############################# +- # +- # Declarations +- # ++ logging_search_logs($1) ++ read_files_pattern($1, condor_log_t, condor_log_t) ++') --miscfiles_read_localization(clamscan_t) - miscfiles_read_public_files(clamscan_t) +- type condor_$1_t, condor_domain; +- type condor_$1_exec_t; +- domain_type(condor_$1_t) +- domain_entry_file(condor_$1_t, condor_$1_exec_t) +- role system_r types condor_$1_t; ++######################################## ++## ++## Append to condor log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`condor_append_log',` ++ gen_require(` ++ type condor_log_t; ++ ') - clamav_stream_connect(clamscan_t) +- ############################# +- # +- # Policy +- # ++ logging_search_logs($1) ++ append_files_pattern($1, condor_log_t, condor_log_t) ++') --mta_send_mail(clamscan_t) -+sysnet_read_config(clamscan_t) +- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) +- allow condor_master_t condor_$1_exec_t:file ioctl; ++######################################## ++## ++## Manage condor log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_log',` ++ gen_require(` ++ type condor_log_t; ++ ') - optional_policy(` -- amavis_read_spool_files(clamscan_t) -+ mta_send_mail(clamscan_t) -+ mta_read_queue(clamscan_t) +- auth_use_nsswitch(condor_$1_t) ++ logging_search_logs($1) ++ manage_dirs_pattern($1, condor_log_t, condor_log_t) ++ manage_files_pattern($1, condor_log_t, condor_log_t) ++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t) ') - optional_policy(` -diff --git a/clockspeed.te b/clockspeed.te -index b40f3f7..e8c9c35 100644 ---- a/clockspeed.te -+++ b/clockspeed.te -@@ -26,7 +26,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; - - read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - --corenet_all_recvfrom_unlabeled(clockspeed_cli_t) - corenet_all_recvfrom_netlabel(clockspeed_cli_t) - corenet_udp_sendrecv_generic_if(clockspeed_cli_t) - corenet_udp_sendrecv_generic_node(clockspeed_cli_t) -@@ -36,9 +35,8 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) - files_list_var_lib(clockspeed_cli_t) - files_read_etc_files(clockspeed_cli_t) - --miscfiles_read_localization(clockspeed_cli_t) - --userdom_use_user_terminals(clockspeed_cli_t) -+userdom_use_inherited_user_terminals(clockspeed_cli_t) - ######################################## - # -@@ -53,7 +51,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; - 
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - --corenet_all_recvfrom_unlabeled(clockspeed_srv_t) - corenet_all_recvfrom_netlabel(clockspeed_srv_t) - corenet_udp_sendrecv_generic_if(clockspeed_srv_t) - corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -@@ -65,7 +62,6 @@ corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t) - files_read_etc_files(clockspeed_srv_t) - files_list_var_lib(clockspeed_srv_t) - --miscfiles_read_localization(clockspeed_srv_t) - - optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) -diff --git a/clogd.te b/clogd.te -index 6077339..d44d33f 100644 ---- a/clogd.te -+++ b/clogd.te -@@ -46,8 +46,6 @@ storage_raw_write_fixed_disk(clogd_t) - - logging_send_syslog_msg(clogd_t) - --miscfiles_read_localization(clogd_t) -- - optional_policy(` - aisexec_stream_connect(clogd_t) - corosync_stream_connect(clogd_t) -diff --git a/cloudform.fc b/cloudform.fc -new file mode 100644 -index 0000000..8a40857 ---- /dev/null -+++ b/cloudform.fc -@@ -0,0 +1,22 @@ -+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) -+ -+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) -+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) -+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) -+ -+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + ## +-## All of the rules required to +-## administrate an condor environment. ++## Search condor lib directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`condor_search_lib',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') + -+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) -+/var/lib/mongodb(/.*)? 
gen_context(system_u:object_r:mongod_var_lib_t,s0) ++ allow $1 condor_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') + -+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) -+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) -+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) ++######################################## ++## ++## Read condor lib files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## +-## + # +-interface(`condor_admin',` ++interface(`condor_read_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') + -+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) -+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) -+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) -diff --git a/cloudform.if b/cloudform.if -new file mode 100644 -index 0000000..8ac848b ---- /dev/null -+++ b/cloudform.if -@@ -0,0 +1,42 @@ -+## cloudform policy ++ files_search_var_lib($1) ++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') + -+####################################### ++###################################### +## -+## Creates types and rules for a basic -+## cloudform daemon domain. ++## Read and write condor lib files. +## -+## ++## +## -+## Prefix for the domain. ++## Domain allowed access. 
+## +## +# -+template(`cloudform_domain_template',` ++interface(`condor_rw_lib_files',` + gen_require(` -+ attribute cloudform_domain; ++ type condor_var_lib_t; + ') + -+ type $1_t, cloudform_domain; -+ type $1_exec_t; -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ kernel_read_system_state($1_t) ++ files_search_var_lib($1) ++ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t) +') + -+###################################### ++######################################## +## -+## Execute mongod in the caller domain. ++## Manage condor lib files. +## +## +## 
@@ -9950,432 +11451,294 @@ index 0000000..8ac848b +## +## +# -+interface(`cloudform_exec_mongod',` -+ gen_require(` -+ type mongod_exec_t; -+ ') ++interface(`condor_manage_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') + -+ can_exec($1, mongod_exec_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t) +') -diff --git a/cloudform.te b/cloudform.te -new file mode 100644 -index 0000000..b73fed6 ---- /dev/null -+++ b/cloudform.te -@@ -0,0 +1,201 @@ -+policy_module(cloudform, 1.0) ++ +######################################## ++## ++## Manage condor lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## +# -+# Declarations -+# -+ -+attribute cloudform_domain; -+ -+cloudform_domain_template(deltacloudd) -+cloudform_domain_template(iwhd) -+cloudform_domain_template(mongod) -+ -+type deltacloudd_log_t; -+logging_log_file(deltacloudd_log_t) -+ -+type deltacloudd_var_run_t; -+files_pid_file(deltacloudd_var_run_t) ++interface(`condor_manage_lib_dirs',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') + -+type deltacloudd_tmp_t; -+files_tmp_file(deltacloudd_tmp_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') + -+type iwhd_initrc_exec_t; -+init_script_file(iwhd_initrc_exec_t) ++######################################## ++## ++## Read condor PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_read_pid_files',` ++ gen_require(` ++ type condor_var_run_t; ++ ') + -+type iwhd_var_lib_t; -+files_type(iwhd_var_lib_t) ++ files_search_pids($1) ++ allow $1 condor_var_run_t:file read_file_perms; ++') + -+type iwhd_var_run_t; -+files_pid_file(iwhd_var_run_t) ++######################################## ++## ++## Execute condor server in the condor domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`condor_systemctl',` ++ gen_require(` ++ type condor_t; ++ type condor_unit_file_t; ++ ') + -+type mongod_initrc_exec_t; -+init_script_file(mongod_initrc_exec_t) ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 condor_unit_file_t:file read_file_perms; ++ allow $1 condor_unit_file_t:service manage_service_perms; + -+type mongod_log_t; -+logging_log_file(mongod_log_t) ++ ps_process_pattern($1, condor_t) ++') + -+type mongod_var_lib_t; -+files_type(mongod_var_lib_t) + -+type mongod_tmp_t; -+files_tmp_file(mongod_tmp_t) ++####################################### ++## ++## Read and write condor_startd server TCP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_rw_tcp_sockets_startd',` + gen_require(` +- attribute condor_domain; +- type condor_initrc_exec_config_t, condor_log_t; +- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; +- type condor_var_run_t, condor_startd_tmp_t; ++ type condor_startd_t; + ') + +- allow $1 condor_domain:process { ptrace signal_perms }; ++ allow $1 condor_startd_t:tcp_socket rw_socket_perms; ++') + -+type mongod_var_run_t; -+files_pid_file(mongod_var_run_t) ++###################################### ++## ++## Read and write condor_schedd server TCP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_rw_tcp_sockets_schedd',` ++ gen_require(` ++ type condor_schedd_t; ++ ') + -+type iwhd_log_t; -+logging_log_file(iwhd_log_t) ++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms; ++') + +######################################## ++## ++## All of the rules required to administrate ++## an condor environment ++## ++## ++## ++## Domain allowed access. 
++## ++## +# -+# cloudform_domain local policy -+# ++interface(`condor_admin',` ++ gen_require(` ++ attribute condor_domain; ++ type condor_initrc_exec_config_t, condor_log_t; ++ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; ++ type condor_var_run_t, condor_startd_tmp_t; ++ type condor_unit_file_t; ++ ') + -+allow cloudform_domain self:fifo_file rw_fifo_file_perms; -+allow cloudform_domain self:tcp_socket create_stream_socket_perms; ++ allow $1 condor_domain:process { signal_perms }; + ps_process_pattern($1, condor_domain) + +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; ++ init_labeled_script_domtrans($1, condor_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 condor_initrc_exec_t system_r; ++ allow $2 system_r; + + logging_search_logs($1) + admin_pattern($1, condor_log_t) + +- files_search_locks($1) +- admin_pattern($1, condor_var_lock_t) ++ files_search_locks($1) ++ admin_pattern($1, condor_var_lock_t) + + files_search_var_lib($1) + admin_pattern($1, condor_var_lib_t) +@@ -85,4 +396,13 @@ interface(`condor_admin',` + + files_search_tmp($1) + admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) + -+dev_read_rand(cloudform_domain) -+dev_read_urand(cloudform_domain) -+dev_read_sysfs(cloudform_domain) ++ condor_systemctl($1) ++ admin_pattern($1, condor_unit_file_t) ++ allow $1 condor_unit_file_t:service all_service_perms; + -+files_read_etc_files(cloudform_domain) -+ -+auth_read_passwd(cloudform_domain) -+ -+miscfiles_read_certs(cloudform_domain) -+ -+######################################## -+# -+# deltacloudd local policy -+# -+ -+allow deltacloudd_t self:capability { dac_override setuid setgid }; -+ -+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; -+allow deltacloudd_t self:udp_socket create_socket_perms; -+ -+allow deltacloudd_t self:process signal; -+ -+allow 
deltacloudd_t self:fifo_file rw_fifo_file_perms; -+allow deltacloudd_t self:tcp_socket create_stream_socket_perms; -+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) -+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) -+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir }) -+ -+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t) -+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir }) -+ -+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) -+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t) -+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir }) -+ -+kernel_read_kernel_sysctls(deltacloudd_t) -+kernel_read_system_state(deltacloudd_t) -+ -+corecmd_exec_bin(deltacloudd_t) -+ -+corenet_tcp_bind_generic_node(deltacloudd_t) -+corenet_tcp_bind_generic_port(deltacloudd_t) -+corenet_tcp_connect_http_port(deltacloudd_t) -+corenet_tcp_connect_keystone_port(deltacloudd_t) -+ -+auth_use_nsswitch(deltacloudd_t) -+ -+files_read_usr_files(deltacloudd_t) -+ -+logging_send_syslog_msg(deltacloudd_t) -+ -+optional_policy(` -+ sysnet_read_config(deltacloudd_t) -+') -+ -+######################################## -+# -+# iwhd local policy -+# -+ -+allow iwhd_t self:capability { chown kill }; -+allow iwhd_t self:process { fork }; -+ -+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms; -+allow iwhd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) -+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) -+ -+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t) -+logging_log_filetrans(iwhd_t, 
iwhd_log_t, { file }) -+ -+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) -+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) -+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file }) -+ -+kernel_read_system_state(iwhd_t) -+ -+corenet_tcp_bind_generic_node(iwhd_t) -+corenet_tcp_bind_websm_port(iwhd_t) -+corenet_tcp_connect_all_ports(iwhd_t) -+ -+dev_read_rand(iwhd_t) -+dev_read_urand(iwhd_t) -+ -+userdom_home_manager(iwhd_t) -+ -+######################################## -+# -+# mongod local policy -+# -+ -+allow mongod_t self:process { execmem setsched signal }; -+ -+allow mongod_t self:netlink_route_socket r_netlink_socket_perms; -+allow mongod_t self:unix_stream_socket create_stream_socket_perms; -+allow mongod_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) -+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log") -+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log") -+ -+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+ -+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) -+ -+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+#needed by dbomatic -+files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) -+ -+corecmd_exec_bin(mongod_t) -+corecmd_exec_shell(mongod_t) -+ -+corenet_tcp_bind_generic_node(mongod_t) -+corenet_tcp_bind_mongod_port(mongod_t) -+corenet_tcp_connect_postgresql_port(mongod_t) -+ -+kernel_read_vm_sysctls(mongod_t) -+kernel_read_system_state(mongod_t) -+ -+files_read_usr_files(mongod_t) -+ 
-+fs_getattr_all_fs(mongod_t) -+ -+optional_policy(` -+ mysql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(mongod_t) -+') -diff --git a/cmirrord.if b/cmirrord.if -index f8463c0..cc4d9ef 100644 ---- a/cmirrord.if -+++ b/cmirrord.if -@@ -70,10 +70,11 @@ interface(`cmirrord_rw_shm',` - type cmirrord_t, cmirrord_tmpfs_t; - ') - -- allow $1 cmirrord_t:shm rw_shm_perms; -+ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) -+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ') -@@ -100,9 +101,13 @@ interface(`cmirrord_admin',` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - -- allow $1 cmirrord_t:process { ptrace signal_perms }; -+ allow $1 cmirrord_t:process signal_perms; - ps_process_pattern($1, cmirrord_t) +diff --git a/condor.te b/condor.te +index 3f2b672..a7aaf98 100644 +--- a/condor.te ++++ b/condor.te +@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) + type condor_var_run_t; + files_pid_file(condor_var_run_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cmirrord_t:process ptrace; -+ ') ++type condor_unit_file_t; ++systemd_unit_file(condor_unit_file_t) + - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; -diff --git a/cmirrord.te b/cmirrord.te -index 28fdd8a..5605ed7 100644 ---- a/cmirrord.te -+++ b/cmirrord.te -@@ -51,8 +51,6 @@ seutil_read_file_contexts(cmirrord_t) + condor_domain_template(collector) + condor_domain_template(negotiator) + condor_domain_template(procd) +@@ -59,8 +62,9 @@ condor_domain_template(startd) - logging_send_syslog_msg(cmirrord_t) + allow 
condor_domain self:process signal_perms; + allow condor_domain self:fifo_file rw_fifo_file_perms; +-allow condor_domain self:tcp_socket { accept listen }; +-allow condor_domain self:unix_stream_socket { accept listen }; ++allow condor_domain self:tcp_socket create_stream_socket_perms; ++allow condor_domain self:udp_socket create_socket_perms; ++allow condor_domain self:unix_stream_socket create_stream_socket_perms; --miscfiles_read_localization(cmirrord_t) -- - optional_policy(` - corosync_stream_connect(cmirrord_t) - ') -diff --git a/cobbler.fc b/cobbler.fc -index 1cf6c4e..0858f92 100644 ---- a/cobbler.fc -+++ b/cobbler.fc -@@ -1,7 +1,35 @@ --/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) --/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) + manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) + append_files_pattern(condor_domain, condor_log_t, condor_log_t) +@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; --/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) -+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) -+ -+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/cobblerd.* -- gen_context(system_u:object_r:cobblerd_unit_file_t,s0) -+ -+/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) -+ -+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+ -+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/ppc(/.*)? 
gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+ -+/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) -+ -+# This should removable when cobbler package installs /var/www/cobbler/rendered -+/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) -+ -+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + kernel_read_kernel_sysctls(condor_domain) + kernel_read_network_state(condor_domain) +-kernel_read_system_state(condor_domain) --/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) --/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) -diff --git a/cobbler.if b/cobbler.if -index 116d60f..e2c6ec6 100644 ---- a/cobbler.if -+++ b/cobbler.if -@@ -1,12 +1,12 @@ - ## Cobbler installation server. - ## - ##

    --## Cobbler is a Linux installation server that allows for --## rapid setup of network installation environments. It --## glues together and automates many associated Linux --## tasks so you do not have to hop between lots of various --## commands and applications when rolling out new systems, --## and, in some cases, changing existing ones. -+## Cobbler is a Linux installation server that allows for -+## rapid setup of network installation environments. It -+## glues together and automates many associated Linux -+## tasks so you do not have to hop between lots of various -+## commands and applications when rolling out new systems, -+## and, in some cases, changing existing ones. - ##

    - ##
    + corecmd_exec_bin(condor_domain) + corecmd_exec_shell(condor_domain) -@@ -15,9 +15,9 @@ - ## Execute a domain transition to run cobblerd. - ##
    - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`cobblerd_domtrans',` -@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',` - ') +-corenet_all_recvfrom_netlabel(condor_domain) +-corenet_all_recvfrom_unlabeled(condor_domain) + corenet_tcp_sendrecv_generic_if(condor_domain) + corenet_tcp_sendrecv_generic_node(condor_domain) - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) -+ corecmd_search_bin($1) - ') +@@ -106,10 +107,6 @@ dev_read_rand(condor_domain) + dev_read_sysfs(condor_domain) + dev_read_urand(condor_domain) - ######################################## -@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',` +-logging_send_syslog_msg(condor_domain) +- +-miscfiles_read_localization(condor_domain) +- + tunable_policy(`condor_tcp_network_connect',` + corenet_sendrecv_all_client_packets(condor_domain) + corenet_tcp_connect_all_ports(condor_domain) +@@ -150,8 +147,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) - ######################################## - ## --## Read Cobbler content in /etc -+## List Cobbler configuration. - ## - ## - ## -@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',` - ## - ## - # --interface(`cobbler_read_config',` -+interface(`cobbler_list_config',` - gen_require(` - type cobbler_etc_t; - ') + domain_read_all_domains_state(condor_master_t) -- read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) -+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) - files_search_etc($1) - ') +-auth_use_nsswitch(condor_master_t) +- + optional_policy(` + mta_send_mail(condor_master_t) + mta_read_config(condor_master_t) +@@ -178,6 +173,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; + allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; + allow condor_negotiator_t condor_master_t:udp_socket getattr; - ######################################## - ## --## Do not audit attempts to read and write --## Cobbler log files (leaked fd). -+## Read Cobbler configuration files. 
- ## - ## - ## -@@ -76,12 +76,13 @@ interface(`cobbler_read_config',` - ## - ## ++corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t) ++ + ###################################### # --interface(`cobbler_dontaudit_rw_log',` -+interface(`cobbler_read_config',` - gen_require(` -- type cobbler_var_log_t; -+ type cobbler_etc_t; - ') + # Procd local policy +@@ -209,6 +206,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) + relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) + files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) -- dontaudit $1 cobbler_var_log_t:file rw_file_perms; -+ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) -+ files_search_etc($1) - ') ++corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) ++ + ##################################### + # + # Startd local policy +@@ -233,11 +232,10 @@ domain_read_all_domains_state(condor_startd_t) + mcs_process_set_categories(condor_startd_t) - ######################################## -@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',` - ') + init_domtrans_script(condor_startd_t) ++init_initrc_domain(condor_startd_t) - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) - ') + libs_exec_lib_files(condor_startd_t) -@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',` +-files_read_usr_files(condor_startd_t) +- + optional_policy(` + ssh_basic_client_template(condor_startd, condor_startd_t, system_r) + ssh_domtrans(condor_startd_t) +@@ -249,3 +247,7 @@ optional_policy(` + kerberos_use(condor_startd_ssh_t) ') - - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) ') ++ ++optional_policy(` ++ unconfined_domain(condor_startd_t) ++') +diff --git a/consolekit.fc b/consolekit.fc +index 23c9558..29e5fd3 100644 +--- 
a/consolekit.fc ++++ b/consolekit.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) ++ + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) -@@ -137,12 +140,56 @@ interface(`cobbler_manage_lib_files',` - type cobbler_var_lib_t; - ') - -+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - files_search_var_lib($1) - ') + /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +diff --git a/consolekit.if b/consolekit.if +index 5b830ec..0647a3b 100644 +--- a/consolekit.if ++++ b/consolekit.if +@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',` ######################################## ## -+## Do not audit attempts to read and write -+## Cobbler log files (leaked fd). ++## dontaudit Send and receive messages from ++## consolekit over dbus. +## +## +## 
@@ -10383,408 +11746,54 @@ index 116d60f..e2c6ec6 100644 +## +## +# -+interface(`cobbler_dontaudit_rw_log',` ++interface(`consolekit_dontaudit_dbus_chat',` + gen_require(` -+ type cobbler_var_log_t; ++ type consolekit_t; ++ class dbus send_msg; + ') + -+ dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms; ++ dontaudit $1 consolekit_t:dbus send_msg; ++ dontaudit consolekit_t $1:dbus send_msg; +') + +######################################## +## -+## Execute cobblerd server in the cobblerd domain. + ## Send and receive messages from + ## consolekit over dbus. + ## +@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',` + + ######################################## + ## ++## Dontaudit attempts to read consolekit log files. +## +## +## -+## Domain allowed to transition. ++## Domain to not audit. +## +## +# -+interface(`cobblerd_systemctl',` ++interface(`consolekit_dontaudit_read_log',` + gen_require(` -+ type cobblerd_t; -+ type cobblerd_unit_file_t; ++ type consolekit_log_t; + ') + -+ systemd_exec_systemctl($1) -+ allow $1 cobblerd_unit_file_t:file read_file_perms; -+ allow $1 cobblerd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, cobblerd_t) ++ dontaudit $1 consolekit_log_t:file read_file_perms; +') + +######################################## +## - ## All of the rules required to administrate - ## an cobblerd environment + ## Read consolekit log files. 
## -@@ -161,25 +208,43 @@ interface(`cobbler_manage_lib_files',` - interface(`cobblerd_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; -- type cobbler_etc_t, cobblerd_initrc_exec_t; -+ type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; -+ type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; -+ type cobblerd_unit_file_t; - ') - -- allow $1 cobblerd_t:process { ptrace signal_perms getattr }; -- read_files_pattern($1, cobblerd_t, cobblerd_t) -+ allow $1 cobblerd_t:process signal_perms; -+ ps_process_pattern($1, cobblerd_t) - -- files_search_etc($1) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cobblerd_t:process ptrace; -+ ') -+ -+ files_list_etc($1) - admin_pattern($1, cobbler_etc_t) - - files_list_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - -- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, cobbler_var_log_t) - -+ apache_list_sys_content($1) -+ admin_pattern($1, httpd_cobbler_content_t) -+ admin_pattern($1, httpd_cobbler_content_ra_t) - admin_pattern($1, httpd_cobbler_content_rw_t) - - cobblerd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cobblerd_initrc_exec_t system_r; - allow $2 system_r; -+ -+ optional_policy(` -+ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there. -+ tftp_search_rw_content($1) -+ ') -+ -+ cobblerd_systemctl($1) -+ admin_pattern($1, cobblerd_unit_file_t) -+ allow $1 cobblerd_unit_file_t:service all_service_perms; - ') -diff --git a/cobbler.te b/cobbler.te -index 0258b48..c68160d 100644 ---- a/cobbler.te -+++ b/cobbler.te -@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0) - # - - ## --##

    --## Allow Cobbler to modify public files --## used for public file transfer services. --##

    -+##

    -+## Allow Cobbler to modify public files -+## used for public file transfer services. -+##

    - ##
    - gen_tunable(cobbler_anon_write, false) - -+## -+##

    -+## Allow Cobbler to connect to the -+## network using TCP. -+##

    -+##
    -+gen_tunable(cobbler_can_network_connect, false) -+ -+## -+##

    -+## Allow Cobbler to access cifs file systems. -+##

    -+##
    -+gen_tunable(cobbler_use_cifs, false) -+ -+## -+##

    -+## Allow Cobbler to access nfs file systems. -+##

    -+##
    -+gen_tunable(cobbler_use_nfs, false) -+ - type cobblerd_t; - type cobblerd_exec_t; - init_daemon_domain(cobblerd_t, cobblerd_exec_t) -@@ -26,25 +48,43 @@ files_config_file(cobbler_etc_t) - type cobbler_var_log_t; - logging_log_file(cobbler_var_log_t) - --type cobbler_var_lib_t; -+type cobbler_var_lib_t alias cobbler_content_t; - files_type(cobbler_var_lib_t) - -+type cobbler_tmp_t; -+files_tmp_file(cobbler_tmp_t) -+ -+type cobblerd_unit_file_t; -+systemd_unit_file(cobblerd_unit_file_t) -+ - ######################################## - # - # Cobbler personal policy. - # - --allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; -+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; -+dontaudit cobblerd_t self:capability sys_tty_config; -+ - allow cobblerd_t self:process { getsched setsched signal }; - allow cobblerd_t self:fifo_file rw_fifo_file_perms; -+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; - allow cobblerd_t self:tcp_socket create_stream_socket_perms; -+allow cobblerd_t self:udp_socket create_socket_perms; -+allow cobblerd_t self:unix_dgram_socket create_socket_perms; - - list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) - read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) - -+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t. -+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms; -+ - manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) - manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) --files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) -+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) -+ -+# Something really needs to write to cobbler.log. Ideally this should not be happening. 
-+allow cobblerd_t cobbler_var_log_t:file write; - - append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) - create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -52,57 +92,131 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) - setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) - logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - -+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) -+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) -+ - kernel_read_system_state(cobblerd_t) -+kernel_dontaudit_search_network_state(cobblerd_t) -+ -+auth_read_passwd(cobblerd_t) - - corecmd_exec_bin(cobblerd_t) - corecmd_exec_shell(cobblerd_t) - - corenet_all_recvfrom_netlabel(cobblerd_t) --corenet_all_recvfrom_unlabeled(cobblerd_t) - corenet_sendrecv_cobbler_server_packets(cobblerd_t) - corenet_tcp_bind_cobbler_port(cobblerd_t) - corenet_tcp_bind_generic_node(cobblerd_t) - corenet_tcp_sendrecv_generic_if(cobblerd_t) - corenet_tcp_sendrecv_generic_node(cobblerd_t) - corenet_tcp_sendrecv_generic_port(cobblerd_t) -+corenet_tcp_sendrecv_cobbler_port(cobblerd_t) -+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect. 
-+corenet_tcp_connect_ftp_port(cobblerd_t) -+corenet_tcp_connect_all_ephemeral_ports(cobblerd_t) -+corenet_tcp_sendrecv_ftp_port(cobblerd_t) -+corenet_sendrecv_ftp_client_packets(cobblerd_t) -+corenet_tcp_connect_http_port(cobblerd_t) -+corenet_tcp_sendrecv_http_port(cobblerd_t) -+corenet_sendrecv_http_client_packets(cobblerd_t) - - dev_read_urand(cobblerd_t) - -+domain_dontaudit_exec_all_entry_files(cobblerd_t) -+domain_dontaudit_read_all_domains_state(cobblerd_t) -+ -+files_read_etc_files(cobblerd_t) -+# mtab -+files_read_etc_runtime_files(cobblerd_t) - files_read_usr_files(cobblerd_t) - files_list_boot(cobblerd_t) -+files_read_boot_files(cobblerd_t) - files_list_tmp(cobblerd_t) --# read /etc/nsswitch.conf --files_read_etc_files(cobblerd_t) - --miscfiles_read_localization(cobblerd_t) -+# read from mounted images (install media) -+fs_read_iso9660_files(cobblerd_t) -+ -+auth_read_passwd(cobblerd_t) -+ -+init_dontaudit_read_all_script_files(cobblerd_t) -+ -+term_use_console(cobblerd_t) -+ -+logging_send_syslog_msg(cobblerd_t) -+ - miscfiles_read_public_files(cobblerd_t) - -+selinux_get_enforce_mode(cobblerd_t) -+ - sysnet_read_config(cobblerd_t) - sysnet_rw_dhcp_config(cobblerd_t) - sysnet_write_config(cobblerd_t) - -+userdom_dontaudit_use_user_terminals(cobblerd_t) -+userdom_dontaudit_search_user_home_dirs(cobblerd_t) -+userdom_dontaudit_search_admin_dir(cobblerd_t) -+ - tunable_policy(`cobbler_anon_write',` - miscfiles_manage_public_files(cobblerd_t) - ') - -+tunable_policy(`cobbler_can_network_connect',` -+ corenet_tcp_connect_all_ports(cobblerd_t) -+ corenet_tcp_sendrecv_all_ports(cobblerd_t) -+ corenet_sendrecv_all_client_packets(cobblerd_t) -+') -+ -+tunable_policy(`cobbler_use_cifs',` -+ fs_manage_cifs_dirs(cobblerd_t) -+ fs_manage_cifs_files(cobblerd_t) -+ fs_manage_cifs_symlinks(cobblerd_t) -+') -+ -+tunable_policy(`cobbler_use_nfs',` -+ fs_manage_nfs_dirs(cobblerd_t) -+ fs_manage_nfs_files(cobblerd_t) -+ fs_manage_nfs_symlinks(cobblerd_t) -+') -+ 
-+optional_policy(` -+ # Cobbler traverses /var/www to get to /var/www/cobbler/* -+ apache_search_sys_content(cobblerd_t) -+') -+ - optional_policy(` - bind_read_config(cobblerd_t) - bind_write_config(cobblerd_t) - bind_domtrans_ndc(cobblerd_t) - bind_domtrans(cobblerd_t) - bind_initrc_domtrans(cobblerd_t) -+ bind_systemctl(cobblerd_t) - bind_manage_zone(cobblerd_t) - ') - - optional_policy(` -+ certmaster_exec(cobblerd_t) -+') -+ -+optional_policy(` - dhcpd_domtrans(cobblerd_t) - dhcpd_initrc_domtrans(cobblerd_t) -+ dhcpd_systemctl(cobblerd_t) - ') - - optional_policy(` - dnsmasq_domtrans(cobblerd_t) - dnsmasq_initrc_domtrans(cobblerd_t) - dnsmasq_write_config(cobblerd_t) -+ dnsmasq_systemctl(cobblerd_t) -+') -+ -+optional_policy(` -+ gnome_dontaudit_search_config(cobblerd_t) -+') -+ -+optional_policy(` -+ puppet_domtrans_puppetca(cobblerd_t) - ') - - optional_policy(` -@@ -110,12 +224,21 @@ optional_policy(` - ') - - optional_policy(` -- rsync_read_config(cobblerd_t) -- rsync_write_config(cobblerd_t) -+ rsync_exec(cobblerd_t) -+ rsync_manage_config(cobblerd_t) -+ # cobbler creates /etc/rsync.conf if its not there. -+ rsync_filetrans_config(cobblerd_t, file) - ') - - optional_policy(` -- tftp_manage_rw_content(cobblerd_t) -+ # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images. -+ # tftp_manage_rw_content(cobblerd_t) can be used instead if: -+ # 1. cobbler package installs /var/lib/tftpdir/images. -+ # 2. no FILES in /var/lib/TFTPDIR are hard linked. -+ # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) -+ # are any of those hard linked? 
-+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) -+ tftp_manage_config(cobblerd_t) + ## +@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',` + allow $1 consolekit_var_run_t:dir list_dir_perms; + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') - - ######################################## -@@ -123,6 +246,10 @@ optional_policy(` - # Cobbler web local policy. - # - --apache_content_template(cobbler) --manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) --manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -+optional_policy(` -+ apache_content_template(cobbler) -+ -+ list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t) -+ manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -+ manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -+') -diff --git a/collectd.fc b/collectd.fc -new file mode 100644 -index 0000000..2e1007b ---- /dev/null -+++ b/collectd.fc -@@ -0,0 +1,13 @@ -+ -+/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) -+ -+/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) -+ -+/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) -+ -+/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0) -+ -+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) -+ -diff --git a/collectd.if b/collectd.if -new file mode 100644 -index 0000000..40415f8 ---- /dev/null -+++ b/collectd.if -@@ -0,0 +1,186 @@ -+ -+## policy for collectd -+ -+######################################## -+## -+## Transition to collectd. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`collectd_domtrans',` -+ gen_require(` -+ type collectd_t, collectd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, collectd_exec_t, collectd_t) -+') -+ + +######################################## +## -+## Execute collectd server in the collectd domain. ++## List consolekit PID files. +## +## +## @@ -10792,18 +11801,18 @@ index 0000000..40415f8 +## +## +# -+interface(`collectd_initrc_domtrans',` ++interface(`consolekit_list_pid_files',` + gen_require(` -+ type collectd_initrc_exec_t; ++ type consolekit_var_run_t; + ') + -+ init_labeled_script_domtrans($1, collectd_initrc_exec_t) ++ files_search_pids($1) ++ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -+ +######################################## +## -+## Search collectd lib directories. ++## Allow the domain to read consolekit state files in /proc. +## +## +## 
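Review bot: The summary on the new consolekit_systemctl interface, `## Execute consolekit server in the consolekit domain.`, describes a domain transition, but the body only grants systemd_exec_systemctl, read_file_perms plus manage_service_perms on consolekit_unit_file_t, and ps_process_pattern on consolekit_t; a reader of the .if file will take away the wrong contract. Suggest `## Execute systemctl to manage the consolekit service (read its unit file, manage_service_perms on it) and read consolekit process state.` The same copied summary appears on corosync_systemctl and couchdb_systemctl in the following hunks. Since this interface hands out manage_service_perms on the unit, an accurate summary is what anyone auditing who may start or stop the daemon will rely on.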
@@ -10811,56 +11820,340 @@ index 0000000..40415f8 +## +## +# -+interface(`collectd_search_lib',` ++interface(`consolekit_read_state',` + gen_require(` -+ type collectd_var_lib_t; ++ type consolekit_t; + ') + -+ allow $1 collectd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ kernel_search_proc($1) ++ ps_process_pattern($1, consolekit_t) +') + +######################################## +## -+## Read collectd lib files. ++## Execute consolekit server in the consolekit domain. +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`collectd_read_lib_files',` ++interface(`consolekit_systemctl',` + gen_require(` -+ type collectd_var_lib_t; ++ type consolekit_t; ++ type consolekit_unit_file_t; + ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++ systemd_exec_systemctl($1) ++ allow $1 consolekit_unit_file_t:file read_file_perms; ++ allow $1 consolekit_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, consolekit_t) +') +diff --git a/consolekit.te b/consolekit.te +index 5f0c793..7d6c470 100644 +--- a/consolekit.te ++++ b/consolekit.te +@@ -19,12 +19,16 @@ type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") + ++type consolekit_unit_file_t; ++systemd_unit_file(consolekit_unit_file_t) + -+######################################## -+## -+## Manage collectd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## + ######################################## + # + # Local policy + # + + allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++ + allow consolekit_t self:process { getsched signal }; + allow consolekit_t self:fifo_file rw_fifo_file_perms; + allow consolekit_t self:unix_stream_socket { accept listen }; +@@ -54,7 +58,6 @@ dev_read_sysfs(consolekit_t) + + domain_read_all_domains_state(consolekit_t) + domain_use_interactive_fds(consolekit_t) +-domain_dontaudit_ptrace_all_domains(consolekit_t) + + files_read_usr_files(consolekit_t) + # needs to read /var/lib/dbus/machine-id +@@ -74,17 +77,17 @@ auth_write_login_records(consolekit_t) + logging_send_syslog_msg(consolekit_t) + logging_send_audit_msgs(consolekit_t) + +-miscfiles_read_localization(consolekit_t) ++systemd_exec_systemctl(consolekit_t) + ++userdom_read_all_users_state(consolekit_t) + userdom_dontaudit_read_user_home_content_files(consolekit_t) ++userdom_dontaudit_getattr_admin_home_files(consolekit_t) + userdom_read_user_tmp_files(consolekit_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(consolekit_t) +-') ++userdom_home_reader(consolekit_t) + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(consolekit_t) ++optional_policy(` ++ cron_read_system_job_lib_files(consolekit_t) + ') + + ifdef(`distro_debian',` +@@ -113,7 +116,7 @@ optional_policy(` + ') + + optional_policy(` +- hal_ptrace(consolekit_t) ++ networkmanager_append_log(consolekit_t) + ') + + optional_policy(` +diff --git a/corosync.fc b/corosync.fc +index da39f0f..6a96733 100644 +--- a/corosync.fc ++++ b/corosync.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + ++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0) ++ + /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) + /usr/sbin/corosync-notifyd -- 
gen_context(system_u:object_r:corosync_exec_t,s0) + +diff --git a/corosync.if b/corosync.if +index 694a037..283cf03 100644 +--- a/corosync.if ++++ b/corosync.if +@@ -91,29 +91,54 @@ interface(`corosync_read_log',` + interface(`corosync_stream_connect',` + gen_require(` + type corosync_t, corosync_var_run_t; ++ type corosync_var_lib_t; + ') + + files_search_pids($1) ++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) + stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) + ') + + ###################################### + ## +-## Read and write corosync tmpfs files. ++## Allow the specified domain to read/write corosync's tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## +## +# -+interface(`collectd_manage_lib_files',` ++interface(`corosync_rw_tmpfs',` ++ gen_require(` ++ type corosync_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) ++ ++') ++ ++######################################## ++## ++## Execute corosync server in the corosync domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`corosync_rw_tmpfs',` ++interface(`corosync_systemctl',` + gen_require(` +- type corosync_tmpfs_t; ++ type corosync_t; ++ type corosync_unit_file_t; + ') + +- fs_search_tmpfs($1) +- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) ++ systemd_exec_systemctl($1) ++ allow $1 corosync_unit_file_t:file read_file_perms; ++ allow $1 corosync_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, corosync_t) + ') + + ###################################### +@@ -160,12 +185,17 @@ interface(`corosync_admin',` + type corosync_t, corosync_var_lib_t, corosync_var_log_t; + type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; + type corosync_initrc_exec_t; ++ type corosync_unit_file_t; + ') + +- allow $1 corosync_t:process { ptrace signal_perms }; ++ allow $1 corosync_t:process signal_perms; + ps_process_pattern($1, corosync_t) + +- corosync_initrc_domtrans($1) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 corosync_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, corosync_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 corosync_initrc_exec_t system_r; + allow $2 system_r; +@@ -183,4 +213,8 @@ interface(`corosync_admin',` + + files_list_pids($1) + admin_pattern($1, corosync_var_run_t) ++ ++ corosync_systemctl($1) ++ admin_pattern($1, corosync_unit_file_t) ++ allow $1 corosync_unit_file_t:service all_service_perms; + ') +diff --git a/corosync.te b/corosync.te +index eeea48d..dc3795e 100644 +--- a/corosync.te ++++ b/corosync.te +@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) + type corosync_var_run_t; + files_pid_file(corosync_var_run_t) + ++type corosync_unit_file_t; ++systemd_unit_file(corosync_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -43,6 +46,8 @@ allow corosync_t self:shm create_shm_perms; + allow corosync_t self:unix_dgram_socket sendto; + allow corosync_t self:unix_stream_socket { accept connectto listen }; + 
++can_exec(corosync_t, corosync_exec_t) ++ + manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) + manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) + relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) +@@ -73,6 +78,8 @@ can_exec(corosync_t, corosync_exec_t) + kernel_read_all_sysctls(corosync_t) + kernel_read_network_state(corosync_t) + kernel_read_system_state(corosync_t) ++kernel_read_network_state(corosync_t) ++kernel_read_all_sysctls(corosync_t) + + corecmd_exec_bin(corosync_t) + corecmd_exec_shell(corosync_t) +@@ -89,6 +96,7 @@ corenet_udp_sendrecv_netsupport_port(corosync_t) + + dev_read_sysfs(corosync_t) + dev_read_urand(corosync_t) ++dev_read_sysfs(corosync_t) + + domain_read_all_domains_state(corosync_t) + +@@ -106,7 +114,13 @@ logging_send_syslog_msg(corosync_t) + miscfiles_read_localization(corosync_t) + + userdom_read_user_tmp_files(corosync_t) +-userdom_manage_user_tmpfs_files(corosync_t) ++userdom_delete_user_tmpfs_files(corosync_t) ++userdom_rw_user_tmpfs_files(corosync_t) ++ ++optional_policy(` ++ fs_manage_tmpfs_files(corosync_t) ++ init_manage_script_status_files(corosync_t) ++') + + optional_policy(` + ccs_read_config(corosync_t) +@@ -133,16 +147,44 @@ optional_policy(` + ') + + optional_policy(` +- rhcs_getattr_fenced_exec_files(corosync_t) ++ rhcs_getattr_fenced(corosync_t) + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) + ') + + optional_policy(` ++ lvm_rw_clvmd_tmpfs_files(corosync_t) ++ lvm_delete_clvmd_tmpfs_files(corosync_t) ++') ++ ++optional_policy(` ++ qpidd_rw_shm(corosync_t) ++') ++ ++optional_policy(` ++ rhcs_getattr_fenced(corosync_t) ++ # to communication with RHCS ++ rhcs_rw_cluster_shm(corosync_t) ++ rhcs_rw_cluster_semaphores(corosync_t) ++ rhcs_stream_connect_cluster(corosync_t) ++ rhcs_read_cluster_lib_files(corosync_t) ++ rhcs_manage_cluster_lib_files(corosync_t) ++ rhcs_relabel_cluster_lib_files(corosync_t) ++') ++ 
++optional_policy(` ++ # should be removed in F19 ++ # workaround because we switch hearbeat from corosync to rgmanager ++ rgmanager_manage_files(corosync_t) ++ + rgmanager_manage_tmpfs_files(corosync_t) + ') + + optional_policy(` + rpc_search_nfs_state_data(corosync_t) +-') +\ No newline at end of file ++') ++ ++optional_policy(` ++ wdmd_rw_tmpfs(corosync_t) ++') +diff --git a/couchdb.fc b/couchdb.fc +index c086302..4f33119 100644 +--- a/couchdb.fc ++++ b/couchdb.fc +@@ -1,3 +1,6 @@ ++ ++/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0) ++ + /etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) + + /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) +diff --git a/couchdb.if b/couchdb.if +index 83d6744..627ab43 100644 +--- a/couchdb.if ++++ b/couchdb.if +@@ -10,6 +10,89 @@ + ## Domain allowed access. + ##
    + ## ++# ++interface(`couchdb_manage_lib_files',` + gen_require(` -+ type collectd_var_lib_t; ++ type couchdb_var_lib_t; + ') + + files_search_var_lib($1) -+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) +') + +######################################## +## -+## Manage collectd lib directories. ++## Manage couchdb lib directories. +## +## +## 
@@ -10868,5132 +12161,1433 @@ index 0000000..40415f8 +## +## +# -+interface(`collectd_manage_lib_dirs',` ++interface(`couchdb_manage_lib_dirs',` + gen_require(` -+ type collectd_var_lib_t; ++ type couchdb_var_lib_t; + ') + + files_search_var_lib($1) -+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t) ++ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) +') + +######################################## +## -+## Execute collectd server in the collectd domain. ++## Read couchdb PID files. +## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`collectd_systemctl',` ++interface(`couchdb_read_pid_files',` + gen_require(` -+ type collectd_t; -+ type collectd_unit_file_t; ++ type couchdb_var_run_t; + ') + -+ systemd_exec_systemctl($1) -+ allow $1 collectd_unit_file_t:file read_file_perms; -+ allow $1 collectd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, collectd_t) ++ files_search_pids($1) ++ allow $1 couchdb_var_run_t:file read_file_perms; +') + +######################################## +## -+## All of the rules required to administrate -+## an collectd environment ++## Execute couchdb server in the couchdb domain. +## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. ++## Domain allowed to transition. 
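Review bot: The rewritten corosync_rw_tmpfs drops the `fs_search_tmpfs($1)` call the old body had, so a caller that does not already hold search on tmpfs directories cannot reach the corosync_tmpfs_t files the interface is meant to grant; keep `fs_search_tmpfs($1)` ahead of the rw_files_pattern line. In corosync.te the same hunk adds `kernel_read_network_state`, `kernel_read_all_sysctls`, `dev_read_sysfs` and `can_exec(corosync_t, corosync_exec_t)` a second time although each is already present in the surrounding context, and the rhcs_* calls now appear in two optional_policy blocks; the compiler tolerates the duplicates, but they make the per-domain rule set harder to audit. In consolekit.te, `userdom_home_reader(consolekit_t)` replaces reads that were previously gated behind the use_nfs_home_dirs and use_samba_home_dirs tunables, which appears to make the access unconditional; if that is intended, a one-line comment stating why consolekit needs it would help the next reviewer.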
+## +## -+## +# -+interface(`collectd_admin',` ++interface(`couchdb_systemctl',` + gen_require(` -+ type collectd_t; -+ type collectd_initrc_exec_t; -+ type collectd_var_lib_t; -+ type collectd_unit_file_t; -+ ') -+ -+ allow $1 collectd_t:process signal_perms; -+ ps_process_pattern($1, collectd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 collectd_t:process ptrace; ++ type couchdb_t; ++ type couchdb_unit_file_t; + ') + -+ collectd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 collectd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, collectd_var_lib_t) -+ -+ collectd_systemctl($1) -+ admin_pattern($1, collectd_unit_file_t) -+ allow $1 collectd_unit_file_t:service all_service_perms; -+') -+ -diff --git a/collectd.te b/collectd.te -new file mode 100644 -index 0000000..cb6dbe6 ---- /dev/null -+++ b/collectd.te -@@ -0,0 +1,89 @@ -+policy_module(collectd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

    -+## Allow collectd to connect to the -+## network using TCP. -+##

    -+##
    -+gen_tunable(collectd_can_network_connect, false) -+ -+type collectd_t; -+type collectd_exec_t; -+init_daemon_domain(collectd_t, collectd_exec_t) -+ -+type collectd_initrc_exec_t; -+init_script_file(collectd_initrc_exec_t) -+ -+type collectd_var_lib_t; -+files_type(collectd_var_lib_t) -+ -+type collectd_var_run_t; -+files_pid_file(collectd_var_run_t) -+ -+type collectd_unit_file_t; -+systemd_unit_file(collectd_unit_file_t) -+ -+######################################## -+# -+# collectd local policy -+# -+ -+allow collectd_t self:capability { ipc_lock sys_nice }; -+allow collectd_t self:process { getsched setsched signal fork }; -+ -+allow collectd_t self:fifo_file rw_fifo_file_perms; -+allow collectd_t self:packet_socket create_socket_perms; -+allow collectd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -+files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -+manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file }) -+ -+domain_use_interactive_fds(collectd_t) -+ -+kernel_read_network_state(collectd_t) -+kernel_read_net_sysctls(collectd_t) -+kernel_read_system_state(collectd_t) -+ -+dev_read_sysfs(collectd_t) -+dev_read_urand(collectd_t) -+dev_read_rand(collectd_t) -+ -+files_getattr_all_dirs(collectd_t) -+files_read_etc_files(collectd_t) -+files_read_usr_files(collectd_t) -+ -+fs_getattr_all_fs(collectd_t) -+ -+logging_send_syslog_msg(collectd_t) -+ -+sysnet_dns_name_resolve(collectd_t) -+ -+tunable_policy(`collectd_can_network_connect',` -+ corenet_tcp_connect_all_ports(collectd_t) -+ corenet_tcp_sendrecv_all_ports(collectd_t) -+ corenet_sendrecv_all_client_packets(collectd_t) -+') -+ -+optional_policy(` -+ 
apache_content_template(collectd) -+ -+ files_search_var_lib(httpd_collectd_script_t) -+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -+') ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 couchdb_unit_file_t:file read_file_perms; ++ allow $1 couchdb_unit_file_t:service manage_service_perms; + -+optional_policy(` -+ virt_read_config(collectd_t) ++ ps_process_pattern($1, couchdb_t) +') -diff --git a/colord.fc b/colord.fc -index 78b2fea..ef975ac 100644 ---- a/colord.fc -+++ b/colord.fc -@@ -1,4 +1,7 @@ - /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) -+/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) + -+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) - - /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) - /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) -diff --git a/colord.if b/colord.if -index 733e4e6..fa2c3cb 100644 ---- a/colord.if -+++ b/colord.if -@@ -57,3 +57,26 @@ interface(`colord_read_lib_files',` - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) - ') + +######################################## +## -+## Execute colord server in the colord domain. ++## All of the rules required to administrate ++## an couchdb environment +## +## +## -+## Domain allowed to transition. -+## ++## Domain allowed access. ++##
    +## -+# -+interface(`colord_systemctl',` -+ gen_require(` -+ type colord_t; -+ type colord_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 colord_unit_file_t:file read_file_perms; -+ allow $1 colord_unit_file_t:service manage_service_perms; + ## + ## + ## Role allowed access. +@@ -19,14 +102,19 @@ + # + interface(`couchdb_admin',` + gen_require(` ++ type couchdb_unit_file_t; + type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; + type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; + type couchdb_tmp_t; + ') + +- allow $1 couchdb_t:process { ptrace signal_perms }; ++ allow $1 couchdb_t:process { signal_perms }; + ps_process_pattern($1, couchdb_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 couchdb_t:process ptrace; ++ ') + -+ ps_process_pattern($1, colord_t) -+') -diff --git a/colord.te b/colord.te -index 74505cc..10d9a27 100644 ---- a/colord.te -+++ b/colord.te -@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) - type colord_t; - type colord_exec_t; - dbus_system_domain(colord_t, colord_exec_t) -+init_daemon_domain(colord_t, colord_exec_t) + init_labeled_script_domtrans($1, couchdb_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 couchdb_initrc_exec_t system_r; +@@ -46,4 +134,13 @@ interface(`couchdb_admin',` - type colord_tmp_t; - files_tmp_file(colord_tmp_t) -@@ -18,14 +19,20 @@ files_tmpfs_file(colord_tmpfs_t) - type colord_var_lib_t; - files_type(colord_var_lib_t) + files_search_pids($1) + admin_pattern($1, couchdb_var_run_t) ++ ++ admin_pattern($1, couchdb_unit_file_t) ++ couchdb_systemctl($1) ++ allow $1 couchdb_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') + ') +diff --git a/couchdb.te b/couchdb.te +index 503adab..046fe9b 100644 +--- a/couchdb.te ++++ b/couchdb.te +@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t) + type couchdb_var_run_t; + files_pid_file(couchdb_var_run_t) -+type colord_unit_file_t; 
-+systemd_unit_file(colord_unit_file_t) ++type couchdb_unit_file_t; ++systemd_unit_file(couchdb_unit_file_t) + ######################################## # - # colord local policy - # - allow colord_t self:capability { dac_read_search dac_override }; -+dontaudit colord_t self:capability sys_admin; - allow colord_t self:process signal; - allow colord_t self:fifo_file rw_fifo_file_perms; - allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow colord_t self:tcp_socket create_stream_socket_perms; -+allow colord_t self:shm create_shm_perms; - allow colord_t self:udp_socket create_socket_perms; - allow colord_t self:unix_dgram_socket create_socket_perms; - -@@ -41,15 +48,22 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) - manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) - files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) - --kernel_getattr_proc_files(colord_t) -+kernel_read_network_state(colord_t) -+kernel_read_system_state(colord_t) - kernel_read_device_sysctls(colord_t) -+kernel_request_load_module(colord_t) -+ -+# reads *.ini files -+corecmd_exec_bin(colord_t) -+corecmd_exec_shell(colord_t) - --corenet_all_recvfrom_unlabeled(colord_t) - corenet_all_recvfrom_netlabel(colord_t) - corenet_udp_bind_generic_node(colord_t) - corenet_udp_bind_ipp_port(colord_t) - corenet_tcp_connect_ipp_port(colord_t) - -+dev_read_raw_memory(colord_t) -+dev_write_raw_memory(colord_t) - dev_read_video_dev(colord_t) - dev_write_video_dev(colord_t) - dev_rw_printer(colord_t) -@@ -62,22 +76,36 @@ dev_rw_generic_usb_dev(colord_t) - domain_use_interactive_fds(colord_t) + # Local policy +@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t) + dev_read_sysfs(couchdb_t) + dev_read_urand(couchdb_t) - files_list_mnt(colord_t) --files_read_etc_files(colord_t) - files_read_usr_files(colord_t) +-files_read_usr_files(couchdb_t) +- + fs_getattr_xattr_fs(couchdb_t) -+fs_search_all(colord_t) -+fs_getattr_noxattr_fs(colord_t) 
-+fs_dontaudit_getattr_all_fs(colord_t) -+fs_list_noxattr_fs(colord_t) - fs_read_noxattr_fs_files(colord_t) + auth_use_nsswitch(couchdb_t) -+storage_getattr_fixed_disk_dev(colord_t) -+storage_getattr_removable_dev(colord_t) -+storage_read_scsi_generic(colord_t) -+storage_write_scsi_generic(colord_t) -+ -+auth_use_nsswitch(colord_t) -+ - logging_send_syslog_msg(colord_t) +-miscfiles_read_localization(couchdb_t) +diff --git a/courier.fc b/courier.fc +index 8a4b596..cbecde8 100644 +--- a/courier.fc ++++ b/courier.fc +@@ -9,17 +9,18 @@ + /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) --miscfiles_read_localization(colord_t) -+fs_getattr_tmpfs(colord_t) -+userdom_rw_user_tmpfs_files(colord_t) + /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) + /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib/courier/rootcerts(/.*)? 
gen_context(system_u:object_r:courier_etc_t,s0) +-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) +-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) ++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) ++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) --sysnet_dns_name_resolve(colord_t) -+userdom_home_reader(colord_t) -+userdom_read_inherited_user_home_content_files(colord_t) ++ifdef(`distro_gentoo',` ++/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) ++') - tunable_policy(`use_nfs_home_dirs',` -+ fs_getattr_nfs(colord_t) - fs_read_nfs_files(colord_t) - ') + /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) + /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) +diff --git a/courier.if b/courier.if +index 10f820f..4040ec2 100644 +--- a/courier.if ++++ b/courier.if +@@ -1,41 +1,50 @@ +-## Courier IMAP and POP3 email servers. ++## Courier IMAP and POP3 email servers - tunable_policy(`use_samba_home_dirs',` -+ fs_getattr_cifs(colord_t) - fs_read_cifs_files(colord_t) - ') +-####################################### ++######################################## + ## +-## The template to define a courier domain. ++## Template for creating courier server processes. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix name of the server process. 
+ ## + ## + # + template(`courier_domain_template',` +- gen_require(` +- attribute courier_domain; +- ') -@@ -89,6 +117,12 @@ optional_policy(` - ') +- ######################################## ++ ############################## + # + # Declarations + # - optional_policy(` -+ gnome_read_home_icc_data_content(colord_t) -+ # Fixes lots of breakage in F16 on upgrade -+ gnome_read_generic_data_home_files(colord_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(colord_t) - policykit_domtrans_auth(colord_t) - policykit_read_lib(colord_t) -@@ -96,5 +130,19 @@ optional_policy(` - ') +- type courier_$1_t, courier_domain; ++ type courier_$1_t; + type courier_$1_exec_t; + init_daemon_domain(courier_$1_t, courier_$1_exec_t) - optional_policy(` -+ sysnet_exec_ifconfig(colord_t) -+') +- ######################################## ++ ############################## + # +- # Policy ++ # Declarations + # + + can_exec(courier_$1_t, courier_$1_exec_t) + -+optional_policy(` - udev_read_db(colord_t) - ') ++ kernel_read_system_state(courier_$1_t) + -+optional_policy(` -+ xserver_dbus_chat_xdm(colord_t) -+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc -+ xserver_read_inherited_xdm_lib_files(colord_t) -+') ++ corenet_all_recvfrom_netlabel(courier_$1_t) ++ corenet_tcp_sendrecv_generic_if(courier_$1_t) ++ corenet_udp_sendrecv_generic_if(courier_$1_t) ++ corenet_tcp_sendrecv_generic_node(courier_$1_t) ++ corenet_udp_sendrecv_generic_node(courier_$1_t) ++ corenet_tcp_sendrecv_all_ports(courier_$1_t) ++ corenet_udp_sendrecv_all_ports(courier_$1_t) + -+optional_policy(` -+ zoneminder_rw_tmpfs_files(colord_t) -+') -diff --git a/comsat.te b/comsat.te -index 3d121fd..b64c98c 100644 ---- a/comsat.te -+++ b/comsat.te -@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(comsat_t) - kernel_read_network_state(comsat_t) - kernel_read_system_state(comsat_t) - --corenet_all_recvfrom_unlabeled(comsat_t) - corenet_all_recvfrom_netlabel(comsat_t) - corenet_tcp_sendrecv_generic_if(comsat_t) 
- corenet_udp_sendrecv_generic_if(comsat_t) -@@ -51,7 +50,6 @@ dev_read_urand(comsat_t) - - fs_getattr_xattr_fs(comsat_t) - --files_read_etc_files(comsat_t) - files_list_usr(comsat_t) - files_search_spool(comsat_t) - files_search_home(comsat_t) -@@ -63,8 +61,6 @@ init_dontaudit_write_utmp(comsat_t) - - logging_send_syslog_msg(comsat_t) - --miscfiles_read_localization(comsat_t) -- - userdom_dontaudit_getattr_user_ttys(comsat_t) - - mta_getattr_spool(comsat_t) -diff --git a/condor.fc b/condor.fc -new file mode 100644 -index 0000000..b3a5b51 ---- /dev/null -+++ b/condor.fc -@@ -0,0 +1,21 @@ -+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) -+ -+/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) -+/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) -+/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0) -+/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0) -+/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) -+/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) -+/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0) -+ -+/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) -+ -+/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) -+ -+/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) -+ -+/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0) -+ -+/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0) -+ -+/var/run/condor(/.*)? 
gen_context(system_u:object_r:condor_var_run_t,s0) -diff --git a/condor.if b/condor.if -new file mode 100644 -index 0000000..8424fdb ---- /dev/null -+++ b/condor.if -@@ -0,0 +1,393 @@ -+ -+## policy for condor -+ -+##################################### -+## -+## Creates types and rules for a basic -+## condor init daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## -+## -+# -+template(`condor_domain_template',` -+ gen_require(` -+ type condor_master_t; -+ attribute condor_domain; -+ ') -+ -+ ############################# -+ # -+ # Declarations -+ # -+ -+ type condor_$1_t, condor_domain; -+ type condor_$1_exec_t; -+ init_daemon_domain(condor_$1_t, condor_$1_exec_t) -+ role system_r types condor_$1_t; -+ -+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) -+ allow condor_master_t condor_$1_exec_t:file ioctl; -+ -+ kernel_read_system_state(condor_$1_t) -+ -+ auth_use_nsswitch(condor_$1_t) -+ -+ logging_send_syslog_msg(condor_$1_t) -+') -+ -+######################################## -+## -+## Transition to condor. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`condor_domtrans',` -+ gen_require(` -+ type condor_t, condor_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, condor_exec_t, condor_t) -+') -+ -+####################################### -+## -+## Allows to start userland processes -+## by transitioning to the specified domain, -+## with a range transition. -+## -+## -+## -+## The process type entered by condor_startd. -+## -+## -+## -+## -+## The executable type for the entrypoint. -+## -+## -+## -+## -+## Range for the domain. -+## -+## -+# -+interface(`condor_startd_ranged_domtrans_to',` -+ gen_require(` -+ type sshd_t; -+ ') -+ condor_startd_domtrans_to($1, $2) -+ -+ -+ ifdef(`enable_mcs',` -+ range_transition condor_startd_t $2:process $3; -+ ') -+ -+') -+ -+####################################### -+## -+## Allows to start userlandprocesses -+## by transitioning to the specified domain. 
-+## -+## -+## -+## The process type entered by condor_startd. -+## -+## -+## -+## -+## The executable type for the entrypoint. -+## -+## -+# -+interface(`condor_startd_domtrans_to',` -+ gen_require(` -+ type condor_startd_t; -+ ') -+ -+ domtrans_pattern(condor_startd_t, $2, $1) -+') -+ -+######################################## -+## -+## Read condor's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`condor_read_log',` -+ gen_require(` -+ type condor_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, condor_log_t, condor_log_t) -+') -+ -+######################################## -+## -+## Append to condor log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_append_log',` -+ gen_require(` -+ type condor_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, condor_log_t, condor_log_t) -+') -+ -+######################################## -+## -+## Manage condor log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_log',` -+ gen_require(` -+ type condor_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, condor_log_t, condor_log_t) -+ manage_files_pattern($1, condor_log_t, condor_log_t) -+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t) -+') -+ -+######################################## -+## -+## Search condor lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_search_lib',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ allow $1 condor_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read condor lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`condor_read_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+###################################### -+## -+## Read and write condor lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_rw_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Manage condor lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_lib_files',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Manage condor lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_manage_lib_dirs',` -+ gen_require(` -+ type condor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t) -+') -+ -+######################################## -+## -+## Read condor PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_read_pid_files',` -+ gen_require(` -+ type condor_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 condor_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute condor server in the condor domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`condor_systemctl',` -+ gen_require(` -+ type condor_t; -+ type condor_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 condor_unit_file_t:file read_file_perms; -+ allow $1 condor_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, condor_t) -+') -+ -+ -+####################################### -+## -+## Read and write condor_startd server TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_rw_tcp_sockets_startd',` -+ gen_require(` -+ type condor_startd_t; -+ ') -+ -+ allow $1 condor_startd_t:tcp_socket rw_socket_perms; -+') -+ -+###################################### -+## -+## Read and write condor_schedd server TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`condor_rw_tcp_sockets_schedd',` -+ gen_require(` -+ type condor_schedd_t; -+ ') -+ -+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an condor environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`condor_admin',` -+ gen_require(` -+ type condor_t; -+ type condor_log_t; -+ type condor_var_lib_t; -+ type condor_var_run_t; -+ type condor_unit_file_t; -+ ') -+ -+ allow $1 condor_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, condor_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, condor_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, condor_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, condor_var_run_t) -+ -+ condor_systemctl($1) -+ admin_pattern($1, condor_unit_file_t) -+ allow $1 condor_unit_file_t:service all_service_perms; -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/condor.te b/condor.te -new file mode 100644 -index 0000000..c2bc300 ---- /dev/null -+++ b/condor.te -@@ -0,0 +1,240 @@ -+policy_module(condor, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

    -+## Allow codnor domain to connect to the network using TCP. -+##

    -+##
    -+gen_tunable(condor_domain_can_network_connect, false) -+ -+attribute condor_domain; -+ -+type condor_master_t, condor_domain; -+type condor_master_exec_t; -+init_daemon_domain(condor_master_t, condor_master_exec_t) -+ -+condor_domain_template(collector) -+condor_domain_template(negotiator) -+condor_domain_template(schedd) -+condor_domain_template(startd) -+condor_domain_template(procd) -+ -+type condor_master_tmp_t; -+files_tmp_file(condor_master_tmp_t) -+ -+type condor_schedd_tmp_t; -+files_tmp_file(condor_schedd_tmp_t) -+ -+type condor_startd_tmp_t; -+files_tmp_file(condor_startd_tmp_t) -+ -+type condor_startd_tmpfs_t; -+files_tmpfs_file(condor_startd_tmpfs_t) -+ -+type condor_log_t; -+logging_log_file(condor_log_t) -+ -+type condor_var_lib_t; -+files_type(condor_var_lib_t) -+ -+type condor_var_lock_t; -+files_lock_file(condor_var_lock_t) -+ -+type condor_var_run_t; -+files_pid_file(condor_var_run_t) -+ -+type condor_unit_file_t; -+systemd_unit_file(condor_unit_file_t) -+ -+######################################## -+# -+# condor domain local policy -+# -+ -+allow condor_domain self:process signal_perms; -+allow condor_domain self:fifo_file rw_fifo_file_perms; -+ -+allow condor_domain self:tcp_socket create_stream_socket_perms; -+allow condor_domain self:udp_socket create_socket_perms; -+allow condor_domain self:unix_stream_socket create_stream_socket_perms; -+ -+allow condor_domain condor_master_t:process signull; -+allow condor_domain condor_master_t:tcp_socket getattr; -+ -+manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) -+manage_files_pattern(condor_domain, condor_log_t, condor_log_t) -+logging_log_filetrans(condor_domain, condor_log_t, { dir file }) -+ -+manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -+manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -+files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(condor_domain, condor_var_lock_t, 
condor_var_lock_t) -+manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) -+files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file }) -+ -+manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -+manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -+manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -+files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) -+ -+kernel_read_network_state(condor_domain) -+kernel_read_kernel_sysctls(condor_domain) -+ -+corecmd_exec_bin(condor_domain) -+corecmd_exec_shell(condor_domain) -+ -+corenet_tcp_connect_condor_port(condor_domain) -+corenet_tcp_connect_all_ephemeral_ports(condor_domain) -+ -+domain_use_interactive_fds(condor_domain) -+ -+dev_read_rand(condor_domain) -+dev_read_urand(condor_domain) -+dev_read_sysfs(condor_domain) -+ -+files_read_etc_files(condor_domain) -+ -+tunable_policy(`condor_domain_can_network_connect',` -+ corenet_tcp_connect_all_ports(condor_domain) -+') -+ -+optional_policy(` -+ rhcs_stream_connect_cluster(condor_domain) -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(condor_domain) -+') -+ -+##################################### -+# -+# condor master local policy -+# -+ -+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; -+ -+allow condor_master_t condor_domain:process { sigkill signal }; -+ -+manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) -+manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) -+files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) -+ -+corenet_tcp_bind_condor_port(condor_master_t) -+corenet_udp_bind_condor_port(condor_master_t) -+corenet_tcp_connect_amqp_port(condor_master_t) -+ -+domain_read_all_domains_state(condor_master_t) -+ -+optional_policy(` -+ mta_send_mail(condor_master_t) -+ mta_read_config(condor_master_t) -+') -+ 
-+###################################### -+# -+# condor collector local policy -+# -+ -+allow condor_collector_t self:capability { setuid setgid }; -+ -+allow condor_collector_t condor_master_t:tcp_socket rw_stream_socket_perms; -+allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; -+ -+kernel_read_network_state(condor_collector_t) -+ -+##################################### -+# -+# condor negotiator local policy -+# -+allow condor_negotiator_t self:capability { setuid setgid }; -+allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; -+allow condor_negotiator_t condor_master_t:udp_socket getattr; -+ -+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t) -+ -+###################################### -+# -+# condor procd local policy -+# -+ -+allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace }; -+ -+allow condor_procd_t self:capability kill; -+allow condor_procd_t condor_startd_t:process sigkill; -+ -+domain_read_all_domains_state(condor_procd_t) -+ -+####################################### -+# -+# condor schedd local policy -+# -+ -+domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) -+domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -+ -+# dac_override because of /var/log/condor -+allow condor_schedd_t self:capability { setuid chown setgid dac_override }; -+allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; -+allow condor_schedd_t condor_master_t:udp_socket getattr; -+ -+allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; -+ -+manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) -+manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) -+files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) -+allow condor_schedd_t condor_schedd_tmp_t:file { relabelfrom relabelto }; -+ -+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) -+ 
-+##################################### -+# -+# condor startd local policy -+# -+ -+# also needed by java -+allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; -+allow condor_startd_t self:process execmem; -+ -+manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -+manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -+files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir }) -+allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto }; -+ -+manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) -+manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) -+fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file }) -+ -+can_exec(condor_startd_t, condor_startd_exec_t) -+ -+domain_read_all_domains_state(condor_startd_t) -+ -+mcs_process_set_categories(condor_startd_t) -+ -+init_domtrans_script(condor_startd_t) -+init_initrc_domain(condor_startd_t) -+ -+libs_exec_lib_files(condor_startd_t) -+ -+files_read_usr_files(condor_startd_t) -+ -+optional_policy(` -+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r) -+ ssh_domtrans(condor_startd_t) -+ -+ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) -+ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t) -+ -+ optional_policy(` -+ kerberos_use(condor_startd_ssh_t) -+ ') -+') -+ -+optional_policy(` -+ unconfined_domain(condor_startd_t) -+') -diff --git a/consolekit.fc b/consolekit.fc -index 32233ab..7058d21 100644 ---- a/consolekit.fc -+++ b/consolekit.fc -@@ -1,3 +1,5 @@ -+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) -+ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - - /var/log/ConsoleKit(/.*)? 
gen_context(system_u:object_r:consolekit_log_t,s0) -diff --git a/consolekit.if b/consolekit.if -index fd15dfe..aac1e5d 100644 ---- a/consolekit.if -+++ b/consolekit.if -@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',` - - ######################################## - ## -+## dontaudit Send and receive messages from -+## consolekit over dbus. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`consolekit_dontaudit_dbus_chat',` -+ gen_require(` -+ type consolekit_t; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 consolekit_t:dbus send_msg; -+ dontaudit consolekit_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## consolekit over dbus. - ## -@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',` - - ######################################## - ## -+## Dontaudit attempts to read consolekit log files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`consolekit_dontaudit_read_log',` -+ gen_require(` -+ type consolekit_log_t; -+ ') -+ -+ dontaudit $1 consolekit_log_t:file read_file_perms; -+') -+ -+######################################## -+## - ## Read consolekit log files. - ## - ## -@@ -96,3 +135,64 @@ interface(`consolekit_read_pid_files',` - allow $1 consolekit_var_run_t:dir list_dir_perms; - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) - ') -+ -+######################################## -+## -+## List consolekit PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`consolekit_list_pid_files',` -+ gen_require(` -+ type consolekit_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) -+') -+ -+######################################## -+## -+## Allow the domain to read consolekit state files in /proc. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`consolekit_read_state',` -+ gen_require(` -+ type consolekit_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, consolekit_t) -+') -+ -+######################################## -+## -+## Execute consolekit server in the consolekit domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`consolekit_systemctl',` -+ gen_require(` -+ type consolekit_t; -+ type consolekit_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 consolekit_unit_file_t:file read_file_perms; -+ allow $1 consolekit_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, consolekit_t) -+') -diff --git a/consolekit.te b/consolekit.te -index 6f2896d..ca0b28a 100644 ---- a/consolekit.te -+++ b/consolekit.te -@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t) - type consolekit_var_run_t; - files_pid_file(consolekit_var_run_t) - -+type consolekit_tmpfs_t; -+files_tmpfs_file(consolekit_tmpfs_t) -+ -+type consolekit_unit_file_t; -+systemd_unit_file(consolekit_unit_file_t) -+ - ######################################## - # - # consolekit local policy - # - - allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -+ - allow consolekit_t self:process { getsched signal }; - allow consolekit_t self:fifo_file rw_fifo_file_perms; - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t) - - domain_read_all_domains_state(consolekit_t) - domain_use_interactive_fds(consolekit_t) --domain_dontaudit_ptrace_all_domains(consolekit_t) - --files_read_etc_files(consolekit_t) - files_read_usr_files(consolekit_t) - # needs to read /var/lib/dbus/machine-id - files_read_var_lib_files(consolekit_t) -@@ -67,17 +72,17 @@ init_rw_utmp(consolekit_t) - logging_send_syslog_msg(consolekit_t) - logging_send_audit_msgs(consolekit_t) - --miscfiles_read_localization(consolekit_t) -+systemd_exec_systemctl(consolekit_t) - 
-+userdom_read_all_users_state(consolekit_t) - userdom_dontaudit_read_user_home_content_files(consolekit_t) -+userdom_dontaudit_getattr_admin_home_files(consolekit_t) - userdom_read_user_tmp_files(consolekit_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(consolekit_t) --') -+userdom_home_reader(consolekit_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(consolekit_t) -+optional_policy(` -+ cron_read_system_job_lib_files(consolekit_t) - ') - - optional_policy(` -@@ -97,7 +102,7 @@ optional_policy(` - ') - - optional_policy(` -- hal_ptrace(consolekit_t) -+ networkmanager_append_log(consolekit_t) - ') - - optional_policy(` -@@ -108,9 +113,10 @@ optional_policy(` - ') - - optional_policy(` -- type consolekit_tmpfs_t; -- files_tmpfs_file(consolekit_tmpfs_t) -+ shutdown_domtrans(consolekit_t) -+') - -+optional_policy(` - xserver_read_xdm_pid(consolekit_t) - xserver_read_user_xauth(consolekit_t) - xserver_non_drawing_client(consolekit_t) -@@ -126,6 +132,5 @@ optional_policy(` - ') - - optional_policy(` -- #reading .Xauthity - unconfined_stream_connect(consolekit_t) - ') -diff --git a/corosync.fc b/corosync.fc -index 3a6d7eb..1bb208a 100644 ---- a/corosync.fc -+++ b/corosync.fc -@@ -1,12 +1,14 @@ - /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - --/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) -+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0) - --/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) -+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) -+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) - - /var/lib/corosync(/.*)? 
gen_context(system_u:object_r:corosync_var_lib_t,s0) - --/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) -+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0) - - /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) - /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) -+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) -diff --git a/corosync.if b/corosync.if -index 5220c9d..33df583 100644 ---- a/corosync.if -+++ b/corosync.if -@@ -20,6 +20,43 @@ interface(`corosync_domtrans',` - - ####################################### - ## -+## Execute a domain transition to run corosync. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`corosync_initrc_domtrans',` -+ gen_require(` -+ type corosync_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, corosync_initrc_exec_t) -+') -+ -+###################################### -+## -+## Execute corosync in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corosync_exec',` -+ gen_require(` -+ type corosync_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ can_exec($1, corosync_exec_t) -+') -+ -+####################################### -+## - ## Allow the specified domain to read corosync's log files. - ## - ## -@@ -52,14 +89,58 @@ interface(`corosync_read_log',` - interface(`corosync_stream_connect',` - gen_require(` - type corosync_t, corosync_var_run_t; -+ type corosync_var_lib_t; - ') - - files_search_pids($1) -+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) - ') - - ###################################### - ## -+## Allow the specified domain to read/write corosync's tmpfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`corosync_rw_tmpfs',` -+ gen_require(` -+ type corosync_tmpfs_t; -+ ') -+ -+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) -+ -+') -+ -+######################################## -+## -+## Execute corosync server in the corosync domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`corosync_systemctl',` -+ gen_require(` -+ type corosync_t; -+ type corosync_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 corosync_unit_file_t:file read_file_perms; -+ allow $1 corosync_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, corosync_t) -+') -+ -+###################################### -+## - ## All of the rules required to administrate - ## an corosync environment - ## -@@ -80,11 +161,16 @@ interface(`corosyncd_admin',` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; -+ type corosync_unit_file_t; - ') - -- allow $1 corosync_t:process { ptrace signal_perms }; -+ allow $1 corosync_t:process signal_perms; - ps_process_pattern($1, corosync_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 corosync_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; -@@ -103,4 +189,8 @@ interface(`corosyncd_admin',` - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) -+ -+ corosync_systemctl($1) -+ admin_pattern($1, corosync_unit_file_t) -+ allow $1 corosync_unit_file_t:service all_service_perms; - ') -diff --git a/corosync.te b/corosync.te -index 04969e5..1d60d9f 100644 ---- a/corosync.te -+++ b/corosync.te -@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) - type corosync_t; - type corosync_exec_t; - init_daemon_domain(corosync_t, corosync_exec_t) -+domain_obj_id_change_exemption(corosync_t) - - type corosync_initrc_exec_t; - 
init_script_file(corosync_initrc_exec_t) -@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t) - type corosync_var_run_t; - files_pid_file(corosync_var_run_t) - -+type corosync_unit_file_t; -+systemd_unit_file(corosync_unit_file_t) -+ - ######################################## - # - # corosync local policy - # - --allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; --allow corosync_t self:process { setrlimit setsched signal }; -+allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; -+# for hearbeat -+allow corosync_t self:capability { net_raw chown }; -+allow corosync_t self:process { setpgid setrlimit setsched signal signull }; - - allow corosync_t self:fifo_file rw_fifo_file_perms; - allow corosync_t self:sem create_sem_perms; -+allow corosync_t self:shm create_shm_perms; - allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow corosync_t self:unix_dgram_socket create_socket_perms; -+allow corosync_t self:unix_dgram_socket { create_socket_perms sendto }; - allow corosync_t self:udp_socket create_socket_perms; - -+can_exec(corosync_t, corosync_exec_t) -+ - manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) - manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) - files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) -+allow corosync_t corosync_tmp_t:file { relabelfrom relabelto }; - - manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) - manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) - manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) - manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) - manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) --files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) 
-+manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t) -+files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file }) - - manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) - manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -@@ -60,44 +71,96 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) - - manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) - manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) --files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) -+manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) -+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir }) - - kernel_read_system_state(corosync_t) -+kernel_read_network_state(corosync_t) -+kernel_read_all_sysctls(corosync_t) - - corecmd_exec_bin(corosync_t) -+corecmd_exec_shell(corosync_t) - - corenet_udp_bind_netsupport_port(corosync_t) -+corenet_tcp_connect_saphostctrl_port(corosync_t) - - dev_read_urand(corosync_t) -+dev_read_sysfs(corosync_t) - - domain_read_all_domains_state(corosync_t) - - files_manage_mounttab(corosync_t) -+files_read_usr_files(corosync_t) - - auth_use_nsswitch(corosync_t) - -+init_domtrans_script(corosync_t) - init_read_script_state(corosync_t) - init_rw_script_tmp_files(corosync_t) - - logging_send_syslog_msg(corosync_t) - --miscfiles_read_localization(corosync_t) -- -+userdom_read_user_tmp_files(corosync_t) -+userdom_delete_user_tmpfs_files(corosync_t) - userdom_rw_user_tmpfs_files(corosync_t) - - optional_policy(` -+ fs_manage_tmpfs_files(corosync_t) -+ init_manage_script_status_files(corosync_t) -+') -+ -+optional_policy(` - ccs_read_config(corosync_t) - ') - - optional_policy(` -- # to communication with RHCS -- rhcs_rw_dlm_controld_semaphores(corosync_t) -+ cmirrord_rw_shm(corosync_t) -+') - -- rhcs_rw_fenced_semaphores(corosync_t) 
-+optional_policy(` -+ consoletype_exec(corosync_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(corosync_t) -+') - -- rhcs_rw_gfs_controld_semaphores(corosync_t) -+optional_policy(` -+ drbd_domtrans(corosync_t) - ') - - optional_policy(` -+ lvm_rw_clvmd_tmpfs_files(corosync_t) -+ lvm_delete_clvmd_tmpfs_files(corosync_t) -+') -+ -+optional_policy(` -+ qpidd_rw_shm(corosync_t) -+') -+ -+optional_policy(` -+ rhcs_getattr_fenced(corosync_t) -+ # to communication with RHCS -+ rhcs_rw_cluster_shm(corosync_t) -+ rhcs_rw_cluster_semaphores(corosync_t) -+ rhcs_stream_connect_cluster(corosync_t) -+ rhcs_read_cluster_lib_files(corosync_t) -+ rhcs_manage_cluster_lib_files(corosync_t) -+ rhcs_relabel_cluster_lib_files(corosync_t) -+') -+ -+optional_policy(` -+ # should be removed in F19 -+ # workaround because we switch hearbeat from corosync to rgmanager -+ rgmanager_manage_files(corosync_t) -+ - rgmanager_manage_tmpfs_files(corosync_t) - ') -+ -+optional_policy(` -+ rpc_search_nfs_state_data(corosync_t) -+') -+ -+optional_policy(` -+ wdmd_rw_tmpfs(corosync_t) -+') -diff --git a/couchdb.fc b/couchdb.fc -new file mode 100644 -index 0000000..196461b ---- /dev/null -+++ b/couchdb.fc -@@ -0,0 +1,11 @@ -+/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_etc_t,s0) -+ -+/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) -+ -+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0) -+ -+/var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) -+ -+/var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0) -+ -+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0) -diff --git a/couchdb.if b/couchdb.if -new file mode 100644 -index 0000000..3e17383 ---- /dev/null -+++ b/couchdb.if -@@ -0,0 +1,244 @@ -+ -+## policy for couchdb -+ -+######################################## -+## -+## Transition to couchdb. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`couchdb_domtrans',` -+ gen_require(` -+ type couchdb_t, couchdb_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, couchdb_exec_t, couchdb_t) -+') -+######################################## -+## -+## Read couchdb's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`couchdb_read_log',` -+ gen_require(` -+ type couchdb_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, couchdb_log_t, couchdb_log_t) -+') -+ -+######################################## -+## -+## Append to couchdb log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_append_log',` -+ gen_require(` -+ type couchdb_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, couchdb_log_t, couchdb_log_t) -+') -+ -+######################################## -+## -+## Manage couchdb log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_manage_log',` -+ gen_require(` -+ type couchdb_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, couchdb_log_t, couchdb_log_t) -+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t) -+ manage_lnk_files_pattern($1, couchdb_log_t, couchdb_log_t) -+') -+ -+######################################## -+## -+## Search couchdb lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_search_lib',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ allow $1 couchdb_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read couchdb lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_read_lib_files',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## -+## Manage couchdb lib files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_manage_lib_files',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## -+## Manage couchdb lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_manage_lib_dirs',` -+ gen_require(` -+ type couchdb_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) -+') -+ -+######################################## -+## -+## Read couchdb PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`couchdb_read_pid_files',` -+ gen_require(` -+ type couchdb_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 couchdb_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute couchdb server in the couchdb domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`couchdb_systemctl',` -+ gen_require(` -+ type couchdb_t; -+ type couchdb_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) -+ allow $1 couchdb_unit_file_t:file read_file_perms; -+ allow $1 couchdb_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, couchdb_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an couchdb environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`couchdb_admin',` -+ gen_require(` -+ type couchdb_t, couchdb_etc_t, couchdb_log_t; -+ type couchdb_var_lib_t, couchdb_var_run_t; -+ type couchdb_unit_file_t; -+ ') -+ -+ allow $1 couchdb_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, couchdb_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, couchdb_log_t) -+ -+ files_search_etc($1) -+ admin_pattern($1, couchdb_etc_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, couchdb_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, couchdb_var_run_t) -+ -+ admin_pattern($1, couchdb_unit_file_t) -+ couchdb_systemctl($1) -+ allow $1 couchdb_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/couchdb.te b/couchdb.te -new file mode 100644 -index 0000000..4b0535f ---- /dev/null -+++ b/couchdb.te -@@ -0,0 +1,83 @@ -+policy_module(couchdb, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type couchdb_t; -+type couchdb_exec_t; -+init_daemon_domain(couchdb_t, couchdb_exec_t) -+ -+type couchdb_etc_t; -+files_config_file(couchdb_etc_t) -+ -+type couchdb_tmp_t; -+files_tmp_file(couchdb_tmp_t) -+ -+type couchdb_log_t; -+logging_log_file(couchdb_log_t) -+ -+type couchdb_var_lib_t; -+files_type(couchdb_var_lib_t) -+ -+type couchdb_var_run_t; -+files_pid_file(couchdb_var_run_t) -+ -+type couchdb_unit_file_t; -+systemd_unit_file(couchdb_unit_file_t) -+ -+######################################## -+# -+# couchdb local policy -+# -+allow couchdb_t self:process { setsched signal signull sigkill }; -+allow couchdb_t self:fifo_file rw_fifo_file_perms; -+allow couchdb_t self:unix_stream_socket create_stream_socket_perms; -+allow couchdb_t self:tcp_socket create_stream_socket_perms; -+allow couchdb_t self:udp_socket create_socket_perms; -+ -+allow couchdb_t couchdb_etc_t:dir list_dir_perms; -+read_files_pattern(couchdb_t, couchdb_etc_t, 
couchdb_etc_t) -+ -+manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -+manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -+logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file }) -+ -+manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) -+manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t) -+files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file }) -+ -+manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) -+manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) -+files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -+manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -+files_pid_filetrans(couchdb_t, couchdb_var_run_t, { dir file }) -+ -+can_exec(couchdb_t, couchdb_exec_t) -+ -+kernel_read_system_state(couchdb_t) -+ -+corecmd_exec_bin(couchdb_t) -+corecmd_exec_shell(couchdb_t) -+ -+corenet_tcp_bind_generic_node(couchdb_t) -+corenet_udp_bind_generic_node(couchdb_t) -+corenet_tcp_bind_couchdb_port(couchdb_t) -+ -+dev_list_sysfs(couchdb_t) -+dev_read_sysfs(couchdb_t) -+dev_read_urand(couchdb_t) -+ -+domain_use_interactive_fds(couchdb_t) -+ -+files_read_usr_files(couchdb_t) -+ -+fs_getattr_xattr_fs(couchdb_t) -+ -+auth_use_nsswitch(couchdb_t) -+ -+libs_exec_lib_files(couchdb_t) -+ -diff --git a/courier.fc b/courier.fc -index 47dfa07..1beadbd 100644 ---- a/courier.fc -+++ b/courier.fc -@@ -8,15 +8,15 @@ - /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) - /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) - --/usr/lib/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) --/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) --/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/courier/imaplogin -- 
gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) --/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) --/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -+/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) -+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) --/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) -+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - - ifdef(`distro_gentoo',` - /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) -diff --git a/courier.if b/courier.if -index 9971337..4078c26 100644 ---- a/courier.if -+++ b/courier.if -@@ -50,7 +50,6 @@ template(`courier_domain_template',` - - corecmd_exec_bin(courier_$1_t) - -- corenet_all_recvfrom_unlabeled(courier_$1_t) - corenet_all_recvfrom_netlabel(courier_$1_t) - corenet_tcp_sendrecv_generic_if(courier_$1_t) - corenet_udp_sendrecv_generic_if(courier_$1_t) -@@ -90,7 +89,7 @@ template(`courier_domain_template',` - ## Execute the courier authentication daemon with - ## a domain transition. - ##
    --## -+## - ## - ## Domain allowed to transition. - ## -@@ -104,12 +103,31 @@ interface(`courier_domtrans_authdaemon',` - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) - ') - -+####################################### -+## -+## Connect to courier-authdaemon over a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`courier_stream_connect_authdaemon',` -+ gen_require(` -+ type courier_authdaemon_t, courier_spool_t; -+ ') -+ -+ files_search_spool($1) -+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) -+') -+ - ######################################## - ## - ## Execute the courier POP3 and IMAP server with - ## a domain transition. - ## --## -+## - ## - ## Domain allowed to transition. - ## -@@ -127,7 +145,7 @@ interface(`courier_domtrans_pop',` - ## - ## Read courier config files - ## --## -+## - ## - ## Domain allowed access. - ## -@@ -138,6 +156,7 @@ interface(`courier_read_config',` - type courier_etc_t; - ') - -+ files_search_etc($1) - read_files_pattern($1, courier_etc_t, courier_etc_t) - ') - -@@ -146,7 +165,7 @@ interface(`courier_read_config',` - ## Create, read, write, and delete courier - ## spool directories. - ##
    --## -+## - ## - ## Domain allowed access. - ## -@@ -157,6 +176,7 @@ interface(`courier_manage_spool_dirs',` - type courier_spool_t; - ') - -+ files_search_spool($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) - ') - -@@ -165,7 +185,7 @@ interface(`courier_manage_spool_dirs',` - ## Create, read, write, and delete courier - ## spool files. - ##
    --## -+## - ## - ## Domain allowed access. - ## -@@ -176,6 +196,7 @@ interface(`courier_manage_spool_files',` - type courier_spool_t; - ') - -+ files_search_spool($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) - ') - -@@ -183,7 +204,7 @@ interface(`courier_manage_spool_files',` - ## - ## Read courier spool files. - ## --## -+## - ## - ## Domain allowed access. - ## -@@ -194,6 +215,7 @@ interface(`courier_read_spool',` - type courier_spool_t; - ') - -+ files_search_spool($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) - ') - -diff --git a/courier.te b/courier.te -index d034450..820c10b 100644 ---- a/courier.te -+++ b/courier.te -@@ -15,7 +15,7 @@ courier_domain_template(pcp) - courier_domain_template(pop) - - type courier_spool_t; --files_type(courier_spool_t) -+files_spool_file(courier_spool_t) - - courier_domain_template(tcpd) - -@@ -68,7 +68,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) - - libs_read_lib_files(courier_authdaemon_t) - --miscfiles_read_localization(courier_authdaemon_t) - - # should not be needed! - userdom_search_user_home_dirs(courier_authdaemon_t) -@@ -95,9 +94,8 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; - allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - - # inherits file handle - should it? 
--allow courier_pop_t courier_var_lib_t:file { read write }; -+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; - --miscfiles_read_localization(courier_pop_t) - - courier_domtrans_authdaemon(courier_pop_t) - -@@ -132,7 +130,6 @@ corenet_sendrecv_pop_server_packets(courier_tcpd_t) - dev_read_rand(courier_tcpd_t) - dev_read_urand(courier_tcpd_t) - --miscfiles_read_localization(courier_tcpd_t) - - courier_domtrans_pop(courier_tcpd_t) - -diff --git a/cpucontrol.fc b/cpucontrol.fc -index 789c8c7..d1723f5 100644 ---- a/cpucontrol.fc -+++ b/cpucontrol.fc -@@ -3,6 +3,7 @@ - - /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) - -+/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) - /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) - /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) - /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -diff --git a/cpucontrol.te b/cpucontrol.te -index 13d2f63..1a00094 100644 ---- a/cpucontrol.te -+++ b/cpucontrol.te -@@ -10,7 +10,7 @@ type cpucontrol_exec_t; - init_system_domain(cpucontrol_t, cpucontrol_exec_t) - - type cpucontrol_conf_t; --files_type(cpucontrol_conf_t) -+files_config_file(cpucontrol_conf_t) - - type cpuspeed_t; - type cpuspeed_exec_t; -@@ -105,8 +105,6 @@ init_use_script_ptys(cpuspeed_t) - - logging_send_syslog_msg(cpuspeed_t) - --miscfiles_read_localization(cpuspeed_t) -- - userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) - - optional_policy(` -diff --git a/cpufreqselector.te b/cpufreqselector.te -index f77d58a..f3d98a9 100644 ---- a/cpufreqselector.te -+++ b/cpufreqselector.te -@@ -14,9 +14,10 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t) - # cpufreq-selector local policy - # - --allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -+allow cpufreqselector_t self:capability sys_nice; - allow cpufreqselector_t self:process getsched; - allow 
cpufreqselector_t self:fifo_file rw_fifo_file_perms; -+allow cpufreqselector_t self:process getsched; - - kernel_read_system_state(cpufreqselector_t) - -@@ -27,13 +28,15 @@ corecmd_search_bin(cpufreqselector_t) - - dev_rw_sysfs(cpufreqselector_t) - --miscfiles_read_localization(cpufreqselector_t) -+kernel_read_system_state(cpufreqselector_t) -+ - - userdom_read_all_users_state(cpufreqselector_t) --userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) -+userdom_dontaudit_search_admin_dir(cpufreqselector_t) - - optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -+ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) - - optional_policy(` - consolekit_dbus_chat(cpufreqselector_t) -@@ -53,3 +56,7 @@ optional_policy(` - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) - ') -+ -+optional_policy(` -+ xserver_dbus_chat_xdm(cpufreqselector_t) -+') -diff --git a/cron.fc b/cron.fc -index 3559a05..224142a 100644 ---- a/cron.fc -+++ b/cron.fc -@@ -3,6 +3,9 @@ - /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) -+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) -+ - /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) - /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - -@@ -12,20 +15,34 @@ - /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) - /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -+ - /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) - - /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/at(/.*)? 
gen_context(system_u:object_r:user_cron_spool_t,s0) - --/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) - #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - /var/spool/cron/[^/]* -- <> - -+ifdef(`distro_gentoo',` -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+/var/spool/cron/lastrun/[^/]* -- <> -+') -+ -+ifdef(`distro_suse', ` -+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -+/var/spool/cron/lastrun/[^/]* -- <> -+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+') -+ - /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/cron/crontabs/.* -- <> - #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -36,8 +53,10 @@ - /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - -+/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) -+ - ifdef(`distro_debian',` --/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) -+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) - - /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/cron/atjobs/[^/]* -- <> -diff --git a/cron.if b/cron.if -index 6e12dc7..b006818 100644 ---- a/cron.if -+++ b/cron.if -@@ -12,12 +12,17 @@ - ## - # - template(`cron_common_crontab_template',` -+ gen_require(` -+ attribute crontab_domain; -+ type crontab_exec_t; -+ ') -+ - ############################## - # - # Declarations - # - -- type $1_t; -+ type $1_t, crontab_domain; - userdom_user_application_domain($1_t, crontab_exec_t) - - type $1_tmp_t; -@@ -28,63 +33,19 @@ template(`cron_common_crontab_template',` - # Local policy - # - -- # dac_override is to create the file in the directory under /tmp -- allow $1_t self:capability { fowner setuid setgid chown dac_override }; -- allow $1_t self:process { setsched signal_perms }; -- allow $1_t self:fifo_file rw_fifo_file_perms; -- -- allow $1_t $1_tmp_t:file manage_file_perms; -- files_tmp_filetrans($1_t, $1_tmp_t, file) -- -- # create files in /var/spool/cron -- manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -- filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) -- files_list_spool($1_t) -- -- # crontab signals crond by updating the mtime on the spooldir -- allow $1_t cron_spool_t:dir setattr; -+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -+ files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - - kernel_read_system_state($1_t) - -- # for the checks used by crontab -u -- selinux_dontaudit_search_fs($1_t) -- -- fs_getattr_xattr_fs($1_t) -- -- domain_use_interactive_fds($1_t) -- -- files_read_etc_files($1_t) -- files_read_usr_files($1_t) -- files_dontaudit_search_pids($1_t) -- - auth_domtrans_chk_passwd($1_t) -+ 
auth_use_nsswitch($1_t) - - logging_send_syslog_msg($1_t) -- logging_send_audit_msgs($1_t) -- -- init_dontaudit_write_utmp($1_t) -- init_read_utmp($1_t) -- -- miscfiles_read_localization($1_t) - -- seutil_read_config($1_t) -+ userdom_home_reader($1_t) - -- userdom_manage_user_tmp_dirs($1_t) -- userdom_manage_user_tmp_files($1_t) -- # Access terminals. -- userdom_use_user_terminals($1_t) -- # Read user crontabs -- userdom_read_user_home_content_files($1_t) -- -- tunable_policy(`fcron_crond',` -- # fcron wants an instant update of a crontab change for the administrator -- # also crontab does a security check for crontab -u -- dontaudit $1_t crond_t:process signal; -- ') -- -- optional_policy(` -- nscd_socket_use($1_t) -- ') - ') - - ######################################## -@@ -101,10 +62,12 @@ template(`cron_common_crontab_template',` - ## User domain for the role - ##
    - ## -+## - # - interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; -+ type user_cron_spool_t, crond_t; - ') - - role $1 types { cronjob_t crontab_t }; -@@ -115,9 +78,20 @@ interface(`cron_role',` - # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - -+ allow crond_t $2:process transition; -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -+ allow $2 crond_t:process sigchld; -+ -+ # needs to be authorized SELinux context for cron -+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint }; -+ - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) -- allow $2 crontab_t:process signal; -+ allow $2 crontab_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 crontab_t:process ptrace; -+ ') - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) -@@ -150,29 +124,21 @@ interface(`cron_role',` - ## User domain for the role - ##
    - ## -+## - # - interface(`cron_unconfined_role',` - gen_require(` -- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; -+ type unconfined_cronjob_t; - ') - -- role $1 types { unconfined_cronjob_t crontab_t }; -+ role $1 types unconfined_cronjob_t; - - # cronjob shows up in user ps - ps_process_pattern($2, unconfined_cronjob_t) -- -- # Transition from the user domain to the derived domain. -- domtrans_pattern($2, crontab_exec_t, crontab_t) -- -- # crontab shows up in user ps -- ps_process_pattern($2, crontab_t) -- allow $2 crontab_t:process signal; -- -- # Run helper programs as the user domain -- #corecmd_bin_domtrans(crontab_t, $2) -- #corecmd_shell_domtrans(crontab_t, $2) -- corecmd_exec_bin(crontab_t) -- corecmd_exec_shell(crontab_t) -+ allow $2 unconfined_cronjob_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 unconfined_cronjob_t:process ptrace; -+ ') - - optional_policy(` - gen_require(` -@@ -180,9 +146,8 @@ interface(`cron_unconfined_role',` - ') - - dbus_stub(unconfined_cronjob_t) -- - allow unconfined_cronjob_t $2:dbus send_msg; -- ') -+ ') - ') - - ######################################## -@@ -199,10 +164,12 @@ interface(`cron_unconfined_role',` - ## User domain for the role - ##
    - ## -+## - # - interface(`cron_admin_role',` - gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; -+ type user_cron_spool_t, crond_t; - class passwd crontab; - ') - -@@ -219,7 +186,18 @@ interface(`cron_admin_role',` - - # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) -- allow $2 admin_crontab_t:process signal; -+ allow $2 admin_crontab_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 admin_crontab_t:process ptrace; -+ ') -+ -+ allow $2 crond_t:process sigchld; -+ allow crond_t $2:process transition; -+ -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -+ -+ # needs to be authorized SELinux context for cron -+ allow $2 user_cron_spool_t:file entrypoint; - - # Run helper programs as the user domain - #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -263,6 +241,9 @@ interface(`cron_system_entry',` - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; -+ -+ allow $1 crond_t:fifo_file rw_fifo_file_perms; -+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; - ') - - ######################################## -@@ -303,7 +284,7 @@ interface(`cron_exec',` - - ######################################## - ## --## Execute crond server in the nscd domain. -+## Execute crond server in the crond domain. - ## - ## - ## -@@ -321,6 +302,29 @@ interface(`cron_initrc_domtrans',` - - ######################################## - ## -+## Execute crond server in the crond domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`cron_systemctl',` -+ gen_require(` -+ type crond_unit_file_t; -+ type crond_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 crond_unit_file_t:file read_file_perms; -+ allow $1 crond_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, crond_t) -+') -+ -+######################################## -+## - ## Inherit and use a file descriptor - ## from the cron daemon. 
- ## -@@ -358,6 +362,24 @@ interface(`cron_sigchld',` - - ######################################## - ## -+## Send a generic signal to cron daemon. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_signal',` -+ gen_require(` -+ type crond_t; -+ ') -+ -+ allow $1 crond_t:process signal; -+') -+ -+######################################## -+## - ## Read a cron daemon unnamed pipe. - ## - ## -@@ -376,6 +398,47 @@ interface(`cron_read_pipes',` - - ######################################## - ## -+## Read crond state files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_read_state_crond',` -+ gen_require(` -+ type crond_t; -+ ') -+ -+ kernel_search_proc($1) -+ ps_process_pattern($1, crond_t) -+') -+ -+ -+######################################## -+## -+## Send and receive messages from -+## crond over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_dbus_chat_crond',` -+ gen_require(` -+ type crond_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 crond_t:dbus send_msg; -+ allow crond_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Do not audit attempts to write cron daemon unnamed pipes. - ## - ## -@@ -407,7 +470,43 @@ interface(`cron_rw_pipes',` - type crond_t; - ') - -- allow $1 crond_t:fifo_file { getattr read write }; -+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## Read and write inherited user spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_rw_inherited_user_spool_files',` -+ gen_require(` -+ type user_cron_spool_t; -+ ') -+ -+ allow $1 user_cron_spool_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Read and write inherited spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`cron_rw_inherited_spool_files',` -+ gen_require(` -+ type cron_spool_t; -+ ') -+ -+ allow $1 cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -467,6 +566,25 @@ interface(`cron_search_spool',` - - ######################################## - ## -+## Search the directory containing user cron tables. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_manage_system_spool',` -+ gen_require(` -+ type cron_system_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) -+') -+ -+######################################## -+## - ## Manage pid files used by cron - ## - ## -@@ -480,6 +598,7 @@ interface(`cron_manage_pid_files',` - type crond_var_run_t; - ') - -+ files_search_pids($1) - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) - ') - -@@ -535,7 +654,7 @@ interface(`cron_write_system_job_pipes',` - type system_cronjob_t; - ') - -- allow $1 system_cronjob_t:file write; -+ allow $1 system_cronjob_t:fifo_file write; - ') - - ######################################## -@@ -553,7 +672,7 @@ interface(`cron_rw_system_job_pipes',` - type system_cronjob_t; - ') - -- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; -+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -586,11 +705,14 @@ interface(`cron_rw_system_job_stream_sockets',` - # - interface(`cron_read_system_job_tmp_files',` - gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_tmp_t, cron_var_run_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; -+ -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; - ') - - ######################################## -@@ -626,7 +748,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` - interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type 
system_cronjob_tmp_t; -+ type cron_var_run_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; -+') -+ -+######################################## -+## -+## Read temporary files from the system cron jobs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_read_system_job_lib_files',` -+ gen_require(` -+ type system_cronjob_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+') -+ -+######################################## -+## -+## Manage files from the system cron jobs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cron_manage_system_job_lib_files',` -+ gen_require(` -+ type system_cronjob_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - ') -diff --git a/cron.te b/cron.te -index b357856..28ae123 100644 ---- a/cron.te -+++ b/cron.te -@@ -1,4 +1,4 @@ --policy_module(cron, 2.4.0) -+policy_module(cron, 2.2.1) - - gen_require(` - class passwd rootok; -@@ -10,35 +10,36 @@ gen_require(` - # - - ## --##

    --## Allow system cron jobs to relabel filesystem --## for restoring file contexts. --##

    -+##

    -+## Allow system cron jobs to relabel filesystem -+## for restoring file contexts. -+##

    - ##
    - gen_tunable(cron_can_relabel, false) - - ## --##

    --## Enable extra rules in the cron domain --## to support fcron. --##

    -+##

    -+## Enable extra rules in the cron domain -+## to support fcron. -+##

    - ##
    - gen_tunable(fcron_crond, false) - -+attribute crontab_domain; - attribute cron_spool_type; - - type anacron_exec_t; - application_executable_file(anacron_exec_t) - - type cron_spool_t; --files_type(cron_spool_t) -+files_spool_file(cron_spool_t) - - # var/lib files - type cron_var_lib_t; - files_type(cron_var_lib_t) - - type cron_var_run_t; --files_type(cron_var_run_t) -+files_pid_file(cron_var_run_t) - - # var/log files - type cron_log_t; -@@ -61,11 +62,17 @@ domain_cron_exemption_source(crond_t) - type crond_initrc_exec_t; - init_script_file(crond_initrc_exec_t) - -+type crond_unit_file_t; -+systemd_unit_file(crond_unit_file_t) -+ - type crond_tmp_t; - files_tmp_file(crond_tmp_t) -+files_poly_parent(crond_tmp_t) -+mta_system_content(crond_tmp_t) - - type crond_var_run_t; - files_pid_file(crond_var_run_t) -+mta_system_content(crond_var_run_t) - - type crontab_exec_t; - application_executable_file(crontab_exec_t) -@@ -79,14 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; - typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; - typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; - typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; -+allow admin_crontab_t crond_t:process signal; - - type system_cron_spool_t, cron_spool_type; --files_type(system_cron_spool_t) -+files_spool_file(system_cron_spool_t) - - type system_cronjob_t alias system_crond_t; - init_daemon_domain(system_cronjob_t, anacron_exec_t) - corecmd_shell_entry_type(system_cronjob_t) - role system_r types system_cronjob_t; -+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) - - type system_cronjob_lock_t alias system_crond_lock_t; - files_lock_file(system_cronjob_lock_t) -@@ -94,10 +103,6 @@ files_lock_file(system_cronjob_lock_t) - type system_cronjob_tmp_t alias system_crond_tmp_t; - files_tmp_file(system_cronjob_tmp_t) - --ifdef(`enable_mcs',` -- init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - 
mcs_systemhigh) --') -- - type unconfined_cronjob_t; - domain_type(unconfined_cronjob_t) - domain_cron_exemption_target(unconfined_cronjob_t) -@@ -106,8 +111,20 @@ domain_cron_exemption_target(unconfined_cronjob_t) - type user_cron_spool_t, cron_spool_type; - typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; - typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; --files_type(user_cron_spool_t) -+files_spool_file(user_cron_spool_t) - ubac_constrained(user_cron_spool_t) -+mta_system_content(user_cron_spool_t) -+ -+type system_cronjob_var_lib_t; -+files_type(system_cronjob_var_lib_t) -+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; -+ -+type system_cronjob_var_run_t; -+files_pid_file(system_cronjob_var_run_t) -+ -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) -+') - - ######################################## - # -@@ -115,7 +132,7 @@ ubac_constrained(user_cron_spool_t) - # - - # Allow our crontab domain to unlink a user cron spool file. --allow admin_crontab_t user_cron_spool_t:file { getattr read unlink }; -+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; - - # Manipulate other users crontab. 
- selinux_get_fs_mount(admin_crontab_t) -@@ -125,7 +142,7 @@ selinux_compute_create_context(admin_crontab_t) - selinux_compute_relabel_context(admin_crontab_t) - selinux_compute_user_contexts(admin_crontab_t) - --tunable_policy(`fcron_crond', ` -+tunable_policy(`fcron_crond',` - # fcron wants an instant update of a crontab change for the administrator - # also crontab does a security check for crontab -u - allow admin_crontab_t self:process setfscreate; -@@ -136,9 +153,9 @@ tunable_policy(`fcron_crond', ` - # Cron daemon local policy - # - --allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; -+allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; - dontaudit crond_t self:capability { sys_resource sys_tty_config }; --allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; - allow crond_t self:process { setexec setfscreate }; - allow crond_t self:fd use; - allow crond_t self:fifo_file rw_fifo_file_perms; -@@ -151,6 +168,7 @@ allow crond_t self:sem create_sem_perms; - allow crond_t self:msgq create_msgq_perms; - allow crond_t self:msg { send receive }; - allow crond_t self:key { search write link }; -+dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; - - manage_files_pattern(crond_t, cron_log_t, cron_log_t) - logging_log_filetrans(crond_t, cron_log_t, file) -@@ -187,27 +205,47 @@ fs_list_inotifyfs(crond_t) - - # need auth_chkpwd to check for locked accounts. 
- auth_domtrans_chk_passwd(crond_t) -+auth_manage_var_auth(crond_t) - - corecmd_exec_shell(crond_t) - corecmd_list_bin(crond_t) -+corecmd_exec_bin(crond_t) - corecmd_read_bin_symlinks(crond_t) - - domain_use_interactive_fds(crond_t) -+domain_subj_id_change_exemption(crond_t) -+domain_role_change_exemption(crond_t) - - files_read_usr_files(crond_t) - files_read_etc_runtime_files(crond_t) --files_read_etc_files(crond_t) - files_read_generic_spool(crond_t) - files_list_usr(crond_t) - # Read from /var/spool/cron. - files_search_var_lib(crond_t) - files_search_default(crond_t) - -+fs_manage_cgroup_dirs(crond_t) -+fs_manage_cgroup_files(crond_t) -+ -+# needed by "crontab -e" -+mls_file_read_all_levels(crond_t) -+mls_file_write_all_levels(crond_t) -+ -+# needed because of kernel check of transition -+mls_process_set_level(crond_t) -+ -+# to make cronjob working -+mls_fd_share_all_levels(crond_t) -+mls_trusted_object(crond_t) -+ -+init_read_state(crond_t) - init_rw_utmp(crond_t) - init_spec_domtrans_script(crond_t) - -+auth_manage_var_auth(crond_t) - auth_use_nsswitch(crond_t) - -+logging_send_audit_msgs(crond_t) - logging_send_syslog_msg(crond_t) - logging_set_loginuid(crond_t) - -@@ -215,25 +253,27 @@ seutil_read_config(crond_t) - seutil_read_default_contexts(crond_t) - seutil_sigchld_newrole(crond_t) - --miscfiles_read_localization(crond_t) - - userdom_use_unpriv_users_fds(crond_t) - # Not sure why this is needed - userdom_list_user_home_dirs(crond_t) -+userdom_list_admin_dir(crond_t) -+userdom_manage_all_users_keys(crond_t) - - mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) - - ifdef(`distro_debian',` - # pam_limits is used - allow crond_t self:process setrlimit; - -- optional_policy(` -- # Debian logcheck has the home dir set to its cache -- logwatch_search_cache_dir(crond_t) -- ') - ') - --ifdef(`distro_redhat', ` -+optional_policy(` -+ logwatch_search_cache_dir(crond_t) -+') -+ -+ifdef(`distro_redhat',` - # Run the rpm program in the rpm_t domain. 
Allow creation of RPM log files - # via redirection of standard out. - optional_policy(` -@@ -241,7 +281,7 @@ ifdef(`distro_redhat', ` - ') - ') - --tunable_policy(`allow_polyinstantiation',` -+tunable_policy(`polyinstantiation_enabled',` - files_polyinstantiate_all(crond_t) - ') - -@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', ` - ') - - optional_policy(` -+ apache_search_sys_content(crond_t) -+') -+ -+optional_policy(` -+ djbdns_search_tinydns_keys(crond_t) -+ djbdns_link_tinydns_keys(crond_t) -+') -+ -+optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) - ') - - optional_policy(` -+ # these should probably be unconfined_crond_t -+ dbus_system_bus_client(crond_t) -+ init_dbus_send_script(crond_t) -+ init_dbus_chat(crond_t) -+') -+ -+optional_policy(` - amanda_search_var_lib(crond_t) - ') - -@@ -264,6 +320,8 @@ optional_policy(` - - optional_policy(` - hal_dbus_chat(crond_t) -+ hal_write_log(crond_t) -+ hal_dbus_chat(system_cronjob_t) - ') - - optional_policy(` -@@ -286,15 +344,25 @@ optional_policy(` - ') - - optional_policy(` -+ systemd_use_fds_logind(crond_t) -+ systemd_write_inherited_logind_sessions_pipes(crond_t) -+') -+ -+optional_policy(` - udev_read_db(crond_t) - ') - -+optional_policy(` -+ vnstatd_search_lib(crond_t) -+') -+ - ######################################## - # - # System cron process domain - # - - allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -+ - allow system_cronjob_t self:process { signal_perms getsched setsched }; - allow system_cronjob_t self:fifo_file rw_fifo_file_perms; - allow system_cronjob_t self:passwd rootok; -@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) - - # This is to handle /var/lib/misc directory. 
Used currently - # by prelink var/lib files for cron --allow system_cronjob_t cron_var_lib_t:file manage_file_perms; -+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; - files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - -+allow system_cronjob_t cron_var_run_t:file manage_file_perms; -+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) -+ - allow system_cronjob_t system_cron_spool_t:file read_file_perms; -+ -+mls_file_read_to_clearance(system_cronjob_t) -+ -+# anacron forces the following -+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) -+ - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that -@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use; - allow system_cronjob_t crond_t:fd use; - allow system_cronjob_t crond_t:fifo_file rw_file_perms; - allow system_cronjob_t crond_t:process sigchld; -+allow crond_t system_cronjob_t:key manage_key_perms; - - # Write /var/lock/makewhatis.lock. - allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) - filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) - files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -+# var/lib files for system_crond -+files_search_var_lib(system_cronjob_t) -+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) -+ - # Read from /var/spool/cron. 
- allow system_cronjob_t cron_spool_t:dir list_dir_perms; --allow system_cronjob_t cron_spool_t:file read_file_perms; -+allow system_cronjob_t cron_spool_t:file rw_file_perms; - - kernel_read_kernel_sysctls(system_cronjob_t) -+kernel_read_network_state(system_cronjob_t) - kernel_read_system_state(system_cronjob_t) - kernel_read_software_raid_state(system_cronjob_t) - -@@ -353,7 +436,6 @@ files_dontaudit_search_boot(system_cronjob_t) - - corecmd_exec_all_executables(system_cronjob_t) - --corenet_all_recvfrom_unlabeled(system_cronjob_t) - corenet_all_recvfrom_netlabel(system_cronjob_t) - corenet_tcp_sendrecv_generic_if(system_cronjob_t) - corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) - dev_getattr_all_blk_files(system_cronjob_t) - dev_getattr_all_chr_files(system_cronjob_t) - dev_read_urand(system_cronjob_t) -+dev_read_sysfs(system_cronjob_t) - - fs_getattr_all_fs(system_cronjob_t) - fs_getattr_all_files(system_cronjob_t) -@@ -376,7 +459,6 @@ fs_getattr_all_sockets(system_cronjob_t) - domain_dontaudit_read_all_domains_state(system_cronjob_t) - - files_exec_etc_files(system_cronjob_t) --files_read_etc_files(system_cronjob_t) - files_read_etc_runtime_files(system_cronjob_t) - files_list_all(system_cronjob_t) - files_getattr_all_dirs(system_cronjob_t) -@@ -391,6 +473,7 @@ files_dontaudit_search_pids(system_cronjob_t) - # Access other spool directories like - # /var/spool/anacron and /var/spool/slrnpull. 
- files_manage_generic_spool(system_cronjob_t) -+files_create_boot_flag(system_cronjob_t) - - init_use_script_fds(system_cronjob_t) - init_read_utmp(system_cronjob_t) -@@ -408,23 +491,23 @@ logging_read_generic_logs(system_cronjob_t) - logging_send_audit_msgs(system_cronjob_t) - logging_send_syslog_msg(system_cronjob_t) - --miscfiles_read_localization(system_cronjob_t) --miscfiles_manage_man_pages(system_cronjob_t) -- - seutil_read_config(system_cronjob_t) - --ifdef(`distro_redhat', ` -+ifdef(`distro_redhat',` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files -+ allow crond_t system_cron_spool_t:file manage_file_perms; -+ - # via redirection of standard out. - optional_policy(` - rpm_manage_log(system_cronjob_t) - ') - ') - -+selinux_get_fs_mount(system_cronjob_t) -+ - tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) - ',` -- selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) -@@ -439,6 +522,12 @@ optional_policy(` - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) -+ apache_delete_cache_dirs(system_cronjob_t) -+ apache_delete_cache_files(system_cronjob_t) -+') -+ -+optional_policy(` -+ bind_read_config(system_cronjob_t) - ') - - optional_policy(` -@@ -446,6 +535,14 @@ optional_policy(` - ') - - optional_policy(` -+ dbus_system_bus_client(system_cronjob_t) -+') -+ -+optional_policy(` -+ exim_read_spool_files(system_cronjob_t) -+') -+ -+optional_policy(` - ftp_read_log(system_cronjob_t) - ') - -@@ -456,6 +553,10 @@ optional_policy(` - ') - - optional_policy(` -+ livecd_read_tmp_files(system_cronjob_t) -+') -+ -+optional_policy(` - lpd_list_spool(system_cronjob_t) - ') - -@@ -464,7 +565,9 @@ optional_policy(` - ') - - optional_policy(` -+ mta_read_config(system_cronjob_t) - mta_send_mail(system_cronjob_t) -+ 
mta_system_content(system_cron_spool_t) - ') - - optional_policy(` -@@ -472,6 +575,10 @@ optional_policy(` - ') - - optional_policy(` -+ networkmanager_dbus_chat(system_cronjob_t) -+') -+ -+optional_policy(` - postfix_read_config(system_cronjob_t) - ') - -@@ -480,7 +587,7 @@ optional_policy(` - prelink_manage_lib(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_read_cache(system_cronjob_t) -- prelink_relabelfrom_lib(system_cronjob_t) -+ prelink_relabel_lib(system_cronjob_t) - ') - - optional_policy(` -@@ -495,6 +602,7 @@ optional_policy(` - - optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) -+ spamassassin_manage_home_client(system_cronjob_t) - ') - - optional_policy(` -@@ -502,7 +610,18 @@ optional_policy(` - ') - - optional_policy(` -+ systemd_dbus_chat_logind(system_cronjob_t) -+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) -+') -+ -+optional_policy(` -+ unconfined_domain(crond_t) - unconfined_domain(system_cronjob_t) -+') -+ -+optional_policy(` -+ unconfined_shell_domtrans(crond_t) -+ unconfined_dbus_send(crond_t) - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ++ logging_send_syslog_msg(courier_$1_t) ') -@@ -542,7 +661,6 @@ kernel_read_kernel_sysctls(cronjob_t) - # ps does not need to access /boot when run from cron - files_dontaudit_search_boot(cronjob_t) - --corenet_all_recvfrom_unlabeled(cronjob_t) - corenet_all_recvfrom_netlabel(cronjob_t) - corenet_tcp_sendrecv_generic_if(cronjob_t) - corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -579,7 +697,6 @@ logging_search_logs(cronjob_t) - - seutil_read_config(cronjob_t) - --miscfiles_read_localization(cronjob_t) - - userdom_manage_user_tmp_files(cronjob_t) - userdom_manage_user_tmp_symlinks(cronjob_t) -@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) - #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) - - list_dirs_pattern(crond_t, 
user_cron_spool_t, user_cron_spool_t) -+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) - read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+allow crond_t user_cron_spool_t:file manage_lnk_file_perms; + ######################################## + ## +-## Execute the courier authentication +-## daemon with a domain transition. ++## Execute the courier authentication daemon with ++## a domain transition. + ## + ## + ## +@@ -48,34 +57,32 @@ interface(`courier_domtrans_authdaemon',` + type courier_authdaemon_t, courier_authdaemon_exec_t; + ') --tunable_policy(`fcron_crond', ` -+tunable_policy(`fcron_crond',` - allow crond_t user_cron_spool_t:file manage_file_perms; +- corecmd_search_bin($1) + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) ') -@@ -626,3 +746,74 @@ optional_policy(` - - unconfined_domain(unconfined_cronjob_t) - ') -+ -+############################## -+# -+# crontab common policy -+# -+ -+# dac_override is to create the file in the directory under /tmp -+allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; -+allow crontab_domain self:process { getcap setsched signal_perms }; -+allow crontab_domain self:fifo_file rw_fifo_file_perms; -+ -+allow crontab_domain crond_t:process signal; -+allow crontab_domain crond_var_run_t:file read_file_perms; -+ -+# create files in /var/spool/cron -+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) -+files_list_spool(crontab_domain) -+ -+# crontab signals crond by updating the mtime on the spooldir -+allow crontab_domain cron_spool_t:dir setattr_dir_perms; -+ -+# for the checks used by crontab -u -+selinux_dontaudit_search_fs(crontab_domain) -+ -+fs_getattr_xattr_fs(crontab_domain) -+fs_manage_cgroup_dirs(crontab_domain) 
-+fs_manage_cgroup_files(crontab_domain) -+ -+domain_use_interactive_fds(crontab_domain) -+ -+files_read_etc_files(crontab_domain) -+files_read_usr_files(crontab_domain) -+files_dontaudit_search_pids(crontab_domain) -+ -+fs_dontaudit_rw_anon_inodefs_files(crontab_domain) -+ -+auth_rw_var_auth(crontab_domain) -+ -+logging_send_audit_msgs(crontab_domain) -+logging_set_loginuid(crontab_domain) -+ -+init_dontaudit_write_utmp(crontab_domain) -+init_read_utmp(crontab_domain) -+init_read_state(crontab_domain) -+ -+ -+seutil_read_config(crontab_domain) -+ -+userdom_manage_user_tmp_dirs(crontab_domain) -+userdom_manage_user_tmp_files(crontab_domain) -+# Access terminals. -+userdom_use_inherited_user_terminals(crontab_domain) -+# Read user crontabs -+userdom_read_user_home_content_files(crontab_domain) -+userdom_read_user_home_content_symlinks(crontab_domain) -+ -+tunable_policy(`fcron_crond',` -+ # fcron wants an instant update of a crontab change for the administrator -+ # also crontab does a security check for crontab -u -+ dontaudit crontab_domain crond_t:process signal; -+') -+ -+optional_policy(` -+ ssh_dontaudit_use_ptys(crontab_domain) -+') -+ -+optional_policy(` -+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain) -+ openshift_transition(system_cronjob_t) -+') -diff --git a/ctdbd.fc b/ctdbd.fc -new file mode 100644 -index 0000000..255568d ---- /dev/null -+++ b/ctdbd.fc -@@ -0,0 +1,19 @@ -+ -+/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) -+ -+/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+ -+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) -+ -+/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) -+/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) -+ -+/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) -+ -+/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) -+ -+ -+/var/ctdbd(/.*)? 
gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+ -diff --git a/ctdbd.if b/ctdbd.if -new file mode 100644 -index 0000000..4f7d237 ---- /dev/null -+++ b/ctdbd.if -@@ -0,0 +1,259 @@ -+ -+## policy for ctdbd -+ -+######################################## -+## -+## Transition to ctdbd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ctdbd_domtrans',` -+ gen_require(` -+ type ctdbd_t, ctdbd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t) -+') -+ -+######################################## -+## -+## Execute ctdbd server in the ctdbd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_initrc_domtrans',` -+ gen_require(` -+ type ctdbd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) -+') -+ -+######################################## -+## -+## Read ctdbd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ctdbd_read_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') -+ -+######################################## -+## -+## Append to ctdbd log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ctdbd_append_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') -+ -+######################################## -+## -+## Manage ctdbd log files -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`ctdbd_manage_log',` -+ gen_require(` -+ type ctdbd_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t) -+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t) -+') -+ -+######################################## -+## -+## Search ctdbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_search_lib',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ allow $1 ctdbd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read ctdbd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_read_lib_files',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage ctdbd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_manage_lib_files',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage ctdbd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_manage_lib_dirs',` -+ gen_require(` -+ type ctdbd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) -+') -+ -+######################################## -+## -+## Read ctdbd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ctdbd_read_pid_files',` -+ gen_require(` -+ type ctdbd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 ctdbd_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Connect to ctdbd over a unix stream socket. 
-+## -+## + ####################################### + ## +-## Connect to courier-authdaemon over +-## a unix stream socket. ++## Connect to courier-authdaemon over a unix stream socket. + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# -+interface(`ctdbd_stream_connect',` + ## + # + interface(`courier_stream_connect_authdaemon',` +- gen_require(` +- type courier_authdaemon_t, courier_spool_t; +- ') + gen_require(` -+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ++ type courier_authdaemon_t, courier_spool_t; + ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) -+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ctdbd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`ctdbd_admin',` -+ gen_require(` -+ type ctdbd_t, ctdbd_initrc_exec_t; -+ type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; -+ ') -+ -+ allow $1 ctdbd_t:process signal_perms; -+ ps_process_pattern($1, ctdbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ctdbd_t:process ptrace; -+ ') -+ -+ ctdbd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 ctdbd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_search_logs($1) -+ admin_pattern($1, ctdbd_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, ctdbd_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, ctdbd_var_run_t) -+') -+ -diff --git a/ctdbd.te b/ctdbd.te -new file mode 100644 -index 0000000..33656de ---- /dev/null -+++ b/ctdbd.te -@@ -0,0 +1,114 @@ -+policy_module(ctdbd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type ctdbd_t; -+type ctdbd_exec_t; -+init_daemon_domain(ctdbd_t, ctdbd_exec_t) -+ -+type ctdbd_initrc_exec_t; 
-+init_script_file(ctdbd_initrc_exec_t) -+ -+type ctdbd_log_t; -+logging_log_file(ctdbd_log_t) -+ -+type ctdbd_spool_t; -+files_type(ctdbd_spool_t) -+#files_spool_file(ctdbd_spool_t) -+ -+type ctdbd_tmp_t; -+files_tmp_file(ctdbd_tmp_t) -+ -+type ctdbd_var_lib_t; -+files_type(ctdbd_var_lib_t) -+ -+type ctdbd_var_run_t; -+files_pid_file(ctdbd_var_run_t) -+ -+######################################## -+# -+# ctdbd local policy -+# -+ -+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -+allow ctdbd_t self:process { setpgid signal_perms setsched }; -+ -+allow ctdbd_t self:fifo_file rw_fifo_file_perms; -+allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; -+allow ctdbd_t self:packet_socket create_socket_perms; -+allow ctdbd_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -+manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -+logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } ) -+ -+manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -+manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file}) -+ -+manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -+manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -+manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) -+files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file }) -+ -+exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -+manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -+manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) -+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } ) -+ -+manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -+manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -+files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file }) -+ 
-+kernel_read_network_state(ctdbd_t) -+kernel_rw_net_sysctls(ctdbd_t) -+kernel_read_system_state(ctdbd_t) -+ -+corenet_tcp_bind_generic_node(ctdbd_t) -+corenet_tcp_bind_ctdb_port(ctdbd_t) -+corenet_tcp_connect_ctdb_port(ctdbd_t) -+ -+corecmd_exec_bin(ctdbd_t) -+corecmd_exec_shell(ctdbd_t) -+ -+dev_read_sysfs(ctdbd_t) -+dev_read_urand(ctdbd_t) -+ -+domain_use_interactive_fds(ctdbd_t) -+domain_dontaudit_read_all_domains_state(ctdbd_t) -+ -+files_read_etc_files(ctdbd_t) -+files_search_all_mountpoints(ctdbd_t) -+ -+auth_use_nsswitch(ctdbd_t) -+ -+logging_send_syslog_msg(ctdbd_t) -+ -+miscfiles_read_public_files(ctdbd_t) -+ -+optional_policy(` -+ consoletype_exec(ctdbd_t) -+') -+ -+optional_policy(` -+ hostname_exec(ctdbd_t) -+') -+ -+optional_policy(` -+ iptables_domtrans(ctdbd_t) -+') -+ -+optional_policy(` -+ samba_initrc_domtrans(ctdbd_t) -+ samba_domtrans_net(ctdbd_t) -+ samba_rw_var_files(ctdbd_t) -+ samba_systemctl(ctdbd_t) -+') -+ -+optional_policy(` -+ sysnet_domtrans_ifconfig(ctdbd_t) -+') -diff --git a/cups.fc b/cups.fc -index 848bb92..600efa5 100644 ---- a/cups.fc -+++ b/cups.fc -@@ -19,7 +19,10 @@ - - /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) -+ - /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + files_search_spool($1) +- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) ++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) + ') -@@ -52,18 +55,32 @@ + ######################################## + ## +-## Execute the courier POP3 and IMAP +-## server with a domain transition. ++## Execute the courier POP3 and IMAP server with ++## a domain transition. 
+ ## + ## + ## +@@ -88,13 +95,12 @@ interface(`courier_domtrans_pop',` + type courier_pop_t, courier_pop_exec_t; + ') - /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) +- corecmd_search_bin($1) + domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) + ') - /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + ######################################## + ## +-## Read courier config files. ++## Read courier config files + ## + ## + ## +@@ -127,7 +133,7 @@ interface(`courier_manage_spool_dirs',` + type courier_spool_t; + ') - /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) - /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) +- files_search_var($1) ++ files_search_spool($1) + manage_dirs_pattern($1, courier_spool_t, courier_spool_t) + ') -+/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0) -+ - /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) --/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) - /var/turboprint(/.*)? 
gen_context(system_u:object_r:cupsd_var_run_t,s0) -+ -+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) -+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --git a/cups.if b/cups.if -index 305ddf4..f3cd95f 100644 ---- a/cups.if -+++ b/cups.if -@@ -9,6 +9,11 @@ +@@ -136,7 +142,7 @@ interface(`courier_manage_spool_dirs',` + ## Create, read, write, and delete courier + ## spool files. + ## +-## ++## + ## ## Domain allowed access. ## - ## -+## -+## -+## Domain allowed access. -+## -+## - # - interface(`cups_backend',` - gen_require(` -@@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',` - interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; -+ type hplip_etc_t; +@@ -147,7 +153,7 @@ interface(`courier_manage_spool_files',` + type courier_spool_t; ') - files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) -+ read_files_pattern($1, hplip_etc_t, hplip_etc_t) - read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) +- files_search_var($1) ++ files_search_spool($1) + manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -296,6 +303,29 @@ interface(`cups_stream_connect_ptal',` +@@ -166,13 +172,13 @@ interface(`courier_read_spool',` + type courier_spool_t; + ') + +- files_search_var($1) ++ files_search_spool($1) + read_files_pattern($1, courier_spool_t, courier_spool_t) + ') ######################################## ## -+## Execute cupsd server in the cupsd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`cupsd_systemctl',` -+ gen_require(` -+ type cupsd_t; -+ type cupsd_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 cupsd_unit_file_t:file read_file_perms; -+ allow $1 cupsd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, cupsd_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an cups environment +-## Read and write courier spool pipes. ++## Read and write to courier spool pipes. ## -@@ -314,16 +344,20 @@ interface(`cups_stream_connect_ptal',` - interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -- type cupsd_config_var_run_t, cupsd_lpd_var_run_t; -- type cupsd_var_run_t, ptal_etc_t; -- type ptal_var_run_t, hplip_var_run_t; -- type cupsd_initrc_exec_t; -+ type cupsd_etc_t, cupsd_log_t, hplip_etc_t; -+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t; -+ type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t; -+ type ptal_var_run_t; -+ type cupsd_unit_file_t; + ## + ## +@@ -185,6 +191,5 @@ interface(`courier_rw_spool_pipes',` + type courier_spool_t; ') -- allow $1 cupsd_t:process { ptrace signal_perms }; -+ allow $1 cupsd_t:process signal_perms; - ps_process_pattern($1, cupsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cupsd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; -@@ -341,18 +375,53 @@ interface(`cups_admin',` - - admin_pattern($1, cupsd_lpd_var_run_t) +- files_search_var($1) + allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; + ') +diff --git a/courier.te b/courier.te +index 77bb077..76b93d2 100644 +--- a/courier.te ++++ b/courier.te +@@ -18,7 +18,7 @@ type courier_etc_t; + files_config_file(courier_etc_t) -- admin_pattern($1, cupsd_spool_t) -- files_list_spool($1) -- - admin_pattern($1, 
cupsd_tmp_t) - files_list_tmp($1) + type courier_spool_t; +-files_type(courier_spool_t) ++files_spool_file(courier_spool_t) - admin_pattern($1, cupsd_var_run_t) - files_list_pids($1) + type courier_var_lib_t; + files_type(courier_var_lib_t) +@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) + files_pid_filetrans(courier_domain, courier_var_run_t, dir) -+ admin_pattern($1, hplip_etc_t) -+ - admin_pattern($1, hplip_var_run_t) + kernel_read_kernel_sysctls(courier_domain) +-kernel_read_system_state(courier_domain) - admin_pattern($1, ptal_etc_t) + corecmd_exec_bin(courier_domain) - admin_pattern($1, ptal_var_run_t) -+ -+ cupsd_systemctl($1) -+ admin_pattern($1, cupsd_unit_file_t) -+ allow $1 cupsd_unit_file_t:service all_service_perms; -+') -+ -+######################################## -+## -+## Transition to cups named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cups_filetrans_named_content',` -+ gen_require(` -+ type cupsd_rw_etc_t; -+ type cupsd_etc_t; -+ ') -+ -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N") -+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat") -+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat") -+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") -+ files_usr_filetrans($1, cupsd_rw_etc_t, 
dir, "inf") -+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") - ') -diff --git a/cups.te b/cups.te -index e5a8924..e12c890 100644 ---- a/cups.te -+++ b/cups.te -@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) - type cupsd_t; - type cupsd_exec_t; - init_daemon_domain(cupsd_t, cupsd_exec_t) -+mls_trusted_object(cupsd_t) - - type cupsd_etc_t; - files_config_file(cupsd_etc_t) -@@ -60,6 +61,9 @@ type cupsd_var_run_t; - files_pid_file(cupsd_var_run_t) - mls_trusted_object(cupsd_var_run_t) +@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain) -+type cupsd_unit_file_t; -+systemd_unit_file(cupsd_unit_file_t) -+ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -@@ -75,6 +79,9 @@ files_tmp_file(hplip_tmp_t) - type hplip_var_lib_t; - files_type(hplip_var_lib_t) + domain_use_interactive_fds(courier_domain) -+type hplip_var_log_t; -+logging_log_file(hplip_var_log_t) -+ - type hplip_var_run_t; - files_pid_file(hplip_var_run_t) +-files_read_etc_files(courier_domain) + files_read_etc_runtime_files(courier_domain) +-files_read_usr_files(courier_domain) -@@ -104,6 +111,7 @@ ifdef(`enable_mls',` - # /usr/lib/cups/backend/serial needs sys_admin(?!) 
- allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; - dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -+allow cupsd_t self:capability2 { block_suspend }; - allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; - allow cupsd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -123,6 +131,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - files_search_etc(cupsd_t) + fs_getattr_xattr_fs(courier_domain) + fs_search_auto_mountpoints(courier_domain) - manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -+can_exec(cupsd_t, cupsd_interface_t) +-logging_send_syslog_msg(courier_domain) +- + sysnet_read_config(courier_domain) - manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -137,6 +146,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; - allow cupsd_t cupsd_lock_t:file manage_file_perms; - files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - -+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - allow cupsd_t cupsd_log_t:dir setattr; - logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -146,11 +156,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + userdom_dontaudit_use_unpriv_user_fds(courier_domain) +@@ -112,7 +107,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) --allow cupsd_t cupsd_var_run_t:dir setattr; -+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; -+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - 
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) --files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file }) -+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) + libs_read_lib_files(courier_authdaemon_t) - allow cupsd_t hplip_t:process { signal sigkill }; +-miscfiles_read_localization(courier_authdaemon_t) -@@ -159,14 +170,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - allow cupsd_t hplip_var_run_t:file read_file_perms; + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) - stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) --allow cupsd_t ptal_var_run_t : sock_file setattr; -+allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -135,7 +129,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; - kernel_read_system_state(cupsd_t) - kernel_read_network_state(cupsd_t) - kernel_read_all_sysctls(cupsd_t) - kernel_request_load_module(cupsd_t) + allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; --corenet_all_recvfrom_unlabeled(cupsd_t) - corenet_all_recvfrom_netlabel(cupsd_t) - corenet_tcp_sendrecv_generic_if(cupsd_t) - corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -211,6 +221,7 @@ mls_rangetrans_target(cupsd_t) - mls_socket_write_all_levels(cupsd_t) - mls_fd_use_all_levels(cupsd_t) +-allow courier_pop_t courier_var_lib_t:file { read write }; ++allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; -+term_use_usb_ttys(cupsd_t) - term_use_unallocated_ttys(cupsd_t) - term_search_ptys(cupsd_t) + domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) -@@ -220,11 +231,12 @@ corecmd_exec_bin(cupsd_t) +@@ -172,7 +166,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) + dev_read_rand(courier_tcpd_t) + dev_read_urand(courier_tcpd_t) - domain_use_interactive_fds(cupsd_t) 
+-miscfiles_read_localization(courier_tcpd_t) -+files_getattr_boot_dirs(cupsd_t) - files_list_spool(cupsd_t) --files_read_etc_files(cupsd_t) - files_read_etc_runtime_files(cupsd_t) - # read python modules - files_read_usr_files(cupsd_t) -+files_exec_usr_files(cupsd_t) - # for /var/lib/defoma - files_read_var_lib_files(cupsd_t) - files_list_world_readable(cupsd_t) -@@ -258,7 +270,6 @@ libs_exec_lib_files(cupsd_t) - logging_send_audit_msgs(cupsd_t) - logging_send_syslog_msg(cupsd_t) + ######################################## + # +diff --git a/cpucontrol.te b/cpucontrol.te +index 2f1aad6..155a337 100644 +--- a/cpucontrol.te ++++ b/cpucontrol.te +@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) + init_use_fds(cpucontrol_domain) + init_use_script_ptys(cpucontrol_domain) --miscfiles_read_localization(cupsd_t) - # invoking ghostscript needs to read fonts - miscfiles_read_fonts(cupsd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_t) -@@ -269,12 +280,7 @@ sysnet_exec_ifconfig(cupsd_t) - files_dontaudit_list_home(cupsd_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) +-logging_send_syslog_msg(cpucontrol_domain) - --# Write to /var/spool/cups. 
--lpd_manage_spool(cupsd_t) --lpd_read_config(cupsd_t) --lpd_exec_lpr(cupsd_t) --lpd_relabel_spool(cupsd_t) -+userdom_search_admin_dir(cupsd_t) + userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain) optional_policy(` - apm_domtrans_client(cupsd_t) -@@ -287,6 +293,8 @@ optional_policy(` - optional_policy(` - dbus_system_bus_client(cupsd_t) - -+ init_dbus_chat(cupsd_t) -+ - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` -@@ -297,8 +305,10 @@ optional_policy(` - hal_dbus_chat(cupsd_t) - ') +@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; + read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) + read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) -+ # talk to processes that do not have policy - optional_policy(` - unconfined_dbus_chat(cupsd_t) -+ files_write_generic_pid_pipes(cupsd_t) - ') - ') +-kernel_list_proc(cpucontrol_t) + kernel_read_proc_symlinks(cpucontrol_t) -@@ -311,10 +321,23 @@ optional_policy(` - ') + dev_read_sysfs(cpucontrol_t) + dev_rw_cpu_microcode(cpucontrol_t) - optional_policy(` -+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") -+ kerberos_manage_host_rcache(cupsd_t) -+') ++logging_send_syslog_msg(cpucontrol_t) + -+optional_policy(` - logrotate_domtrans(cupsd_t) - ') - optional_policy(` -+ # Write to /var/spool/cups. 
-+ lpd_manage_spool(cupsd_t) -+ lpd_read_config(cupsd_t) -+ lpd_exec_lpr(cupsd_t) -+ lpd_relabel_spool(cupsd_t) -+') -+ -+optional_policy(` - mta_send_mail(cupsd_t) + rhgb_use_ptys(cpucontrol_t) ') +@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t) -@@ -322,6 +345,8 @@ optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -+ # needed by smbspool -+ samba_stream_connect_nmbd(cupsd_t) - ') + domain_read_all_domains_state(cpuspeed_t) - optional_policy(` -@@ -336,12 +361,16 @@ optional_policy(` - udev_read_db(cupsd_t) - ') +-files_read_etc_files(cpuspeed_t) + files_read_etc_runtime_files(cpuspeed_t) -+optional_policy(` -+ virt_rw_chr_files(cupsd_t) -+') -+ - ######################################## - # - # Cups configuration daemon local policy +-miscfiles_read_localization(cpuspeed_t) ++logging_send_syslog_msg(cpuspeed_t) +diff --git a/cpufreqselector.te b/cpufreqselector.te +index a3bbc21..5bf715c 100644 +--- a/cpufreqselector.te ++++ b/cpufreqselector.te +@@ -14,24 +14,21 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) + # Local policy # --allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; -+allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config }; - dontaudit cupsd_config_t self:capability sys_tty_config; - allow cupsd_config_t self:process { getsched signal_perms }; - allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -371,8 +400,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) - - allow cupsd_config_t cupsd_var_run_t:file read_file_perms; - -+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) - manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) --files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) -+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - - 
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - -@@ -381,7 +411,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - kernel_read_system_state(cupsd_config_t) - kernel_read_all_sysctls(cupsd_config_t) - --corenet_all_recvfrom_unlabeled(cupsd_config_t) - corenet_all_recvfrom_netlabel(cupsd_config_t) - corenet_tcp_sendrecv_generic_if(cupsd_config_t) - corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -407,7 +436,6 @@ domain_use_interactive_fds(cupsd_config_t) - domain_dontaudit_search_all_domains_state(cupsd_config_t) - - files_read_usr_files(cupsd_config_t) --files_read_etc_files(cupsd_config_t) - files_read_etc_runtime_files(cupsd_config_t) - files_read_var_symlinks(cupsd_config_t) - -@@ -418,18 +446,15 @@ auth_use_nsswitch(cupsd_config_t) +-allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; ++allow cpufreqselector_t self:capability sys_nice; + allow cpufreqselector_t self:process getsched; + allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; ++allow cpufreqselector_t self:process getsched; - logging_send_syslog_msg(cupsd_config_t) + kernel_read_system_state(cpufreqselector_t) --miscfiles_read_localization(cupsd_config_t) - miscfiles_read_hwdata(cupsd_config_t) +-files_read_etc_files(cpufreqselector_t) +-files_read_usr_files(cpufreqselector_t) +- + dev_rw_sysfs(cpufreqselector_t) --seutil_dontaudit_search_config(cupsd_config_t) +-miscfiles_read_localization(cpufreqselector_t) - - userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) - userdom_dontaudit_search_user_home_dirs(cupsd_config_t) -+userdom_rw_user_tmp_files(cupsd_config_t) -+userdom_read_user_tmp_symlinks(cupsd_config_t) + userdom_read_all_users_state(cpufreqselector_t) +-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) ++userdom_dontaudit_search_admin_dir(cpufreqselector_t) - cups_stream_connect(cupsd_config_t) + optional_policy(` + dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) ++ init_daemon_domain(cpufreqselector_t, 
cpufreqselector_exec_t) --lpd_read_config(cupsd_config_t) -- - ifdef(`distro_redhat',` optional_policy(` - rpm_read_db(cupsd_config_t) -@@ -453,6 +478,10 @@ optional_policy(` + consolekit_dbus_chat(cpufreqselector_t) +@@ -51,3 +48,7 @@ optional_policy(` + policykit_read_lib(cpufreqselector_t) + policykit_read_reload(cpufreqselector_t) ') - - optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) -+') + +optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +496,10 @@ optional_policy(` - ') - - optional_policy(` -+ lpd_read_config(cupsd_config_t) ++ xserver_dbus_chat_xdm(cpufreqselector_t) +') -+ -+optional_policy(` - policykit_dbus_chat(cupsd_config_t) - userdom_read_all_users_state(cupsd_config_t) - ') -@@ -526,7 +559,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) - kernel_read_system_state(cupsd_lpd_t) - kernel_read_network_state(cupsd_lpd_t) - --corenet_all_recvfrom_unlabeled(cupsd_lpd_t) - corenet_all_recvfrom_netlabel(cupsd_lpd_t) - corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) - corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -@@ -537,19 +569,18 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) - corenet_tcp_bind_generic_node(cupsd_lpd_t) - corenet_udp_bind_generic_node(cupsd_lpd_t) - corenet_tcp_connect_ipp_port(cupsd_lpd_t) -+corenet_tcp_connect_printer_port(cupsd_lpd_t) - - dev_read_urand(cupsd_lpd_t) - dev_read_rand(cupsd_lpd_t) - - fs_getattr_xattr_fs(cupsd_lpd_t) - --files_read_etc_files(cupsd_lpd_t) - - auth_use_nsswitch(cupsd_lpd_t) +diff --git a/cron.fc b/cron.fc +index 6e76215..224142a 100644 +--- a/cron.fc ++++ b/cron.fc +@@ -3,6 +3,9 @@ + /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - logging_send_syslog_msg(cupsd_lpd_t) ++/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) ++/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) ++ + /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) + /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) --miscfiles_read_localization(cupsd_lpd_t) - miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) +@@ -12,9 +15,6 @@ + /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) + /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - cups_stream_connect(cupsd_lpd_t) -@@ -577,7 +608,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) +-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) +- +-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) + /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - kernel_read_system_state(cups_pdf_t) + /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +@@ -27,13 +27,23 @@ --files_read_etc_files(cups_pdf_t) - files_read_usr_files(cups_pdf_t) + /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +-/var/spool/at/atspool(/.*)? 
gen_context(system_u:object_r:user_cron_spool_log_t,s0) - corecmd_exec_shell(cups_pdf_t) -@@ -585,25 +615,23 @@ corecmd_exec_bin(cups_pdf_t) +-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + /var/spool/cron/[^/]* -- <> - auth_use_nsswitch(cups_pdf_t) +-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++ifdef(`distro_gentoo',` ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++/var/spool/cron/lastrun/[^/]* -- <> ++') ++ ++ifdef(`distro_suse', ` ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++/var/spool/cron/lastrun/[^/]* -- <> ++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++') ++ ++/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) + /var/spool/cron/crontabs/.* -- <> + #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) --miscfiles_read_localization(cups_pdf_t) - miscfiles_read_fonts(cups_pdf_t) -+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) +@@ -43,19 +53,23 @@ + /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - userdom_home_filetrans_user_home_dir(cups_pdf_t) -+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) - userdom_manage_user_home_content_dirs(cups_pdf_t) - userdom_manage_user_home_content_files(cups_pdf_t) -+userdom_dontaudit_search_admin_dir(cups_pdf_t) ++/var/lib/glpi/files(/.*)? 
gen_context(system_u:object_r:cron_var_lib_t,s0) ++ + ifdef(`distro_debian',` +-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) ++ ++/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) + /var/spool/cron/atjobs/[^/]* -- <> +-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) + ') --lpd_manage_spool(cups_pdf_t) -- -- --tunable_policy(`use_nfs_home_dirs',` -- fs_search_auto_mountpoints(cups_pdf_t) -- fs_manage_nfs_dirs(cups_pdf_t) -- fs_manage_nfs_files(cups_pdf_t) -+optional_policy(` -+ lpd_manage_spool(cups_pdf_t) + ifdef(`distro_gentoo',` +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(cups_pdf_t) -- fs_manage_cifs_files(cups_pdf_t) -+userdom_home_manager(cups_pdf_t) -+ -+optional_policy(` -+ gnome_read_config(cups_pdf_t) +-ifdef(`distro_suse',` +-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) ++ifdef(`distro_suse', ` ++/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> +-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') +diff --git a/cron.if b/cron.if +index 1303b30..058864e 100644 +--- a/cron.if ++++ b/cron.if +@@ -2,11 +2,12 @@ - ######################################## -@@ -635,9 +663,16 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - files_search_etc(hplip_t) + ####################################### + ## +-## The template to define a crontab domain. ++## The common rules for a crontab domain. 
+ ## +-## ++## + ## +-## Domain prefix to be used. ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). + ## + ## + # +@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',` + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) -+allow hplip_t cupsd_unit_file_t:file read_file_perms; ++ kernel_read_system_state($1_t) + - manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) - -+manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) -+logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file }) + auth_domtrans_chk_passwd($1_t) + auth_use_nsswitch($1_t) + - manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) - files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) - -@@ -647,7 +682,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) - kernel_read_system_state(hplip_t) - kernel_read_kernel_sysctls(hplip_t) - --corenet_all_recvfrom_unlabeled(hplip_t) -+# for python -+corecmd_exec_bin(hplip_t) ++ logging_send_syslog_msg($1_t) + - corenet_all_recvfrom_netlabel(hplip_t) - corenet_tcp_sendrecv_generic_if(hplip_t) - corenet_udp_sendrecv_generic_if(hplip_t) -@@ -661,10 +698,10 @@ corenet_tcp_bind_generic_node(hplip_t) - corenet_udp_bind_generic_node(hplip_t) - corenet_tcp_bind_hplip_port(hplip_t) - corenet_tcp_connect_hplip_port(hplip_t) --corenet_tcp_connect_ipp_port(hplip_t) --corenet_sendrecv_hplip_client_packets(hplip_t) --corenet_receive_hplip_server_packets(hplip_t) -+corenet_tcp_bind_glance_port(hplip_t) -+corenet_tcp_connect_glance_port(hplip_t) - corenet_udp_bind_howl_port(hplip_t) -+corenet_tcp_connect_ipp_port(hplip_t) ++ userdom_home_reader($1_t) ++ + ') - dev_read_sysfs(hplip_t) - dev_rw_printer(hplip_t) -@@ -673,31 +710,34 @@ 
dev_read_rand(hplip_t) - dev_rw_generic_usb_dev(hplip_t) - dev_rw_usbfs(hplip_t) + ######################################## + ## +-## Role access for cron. ++## Role access for cron + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + ## +@@ -60,57 +68,37 @@ interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + type user_cron_spool_t, crond_t; +- bool cron_userdomain_transition; + ') --fs_getattr_all_fs(hplip_t) --fs_search_auto_mountpoints(hplip_t) --fs_rw_anon_inodefs_files(hplip_t) -- --# for python --corecmd_exec_bin(hplip_t) +- ############################## +- # +- # Declarations +- # - - domain_use_interactive_fds(hplip_t) + role $1 types { cronjob_t crontab_t }; - files_read_etc_files(hplip_t) - files_read_etc_runtime_files(hplip_t) - files_read_usr_files(hplip_t) -+files_dontaudit_write_usr_dirs(hplip_t) +- ############################## +- # +- # Local policy +- # ++ # cronjob shows up in user ps ++ ps_process_pattern($2, cronjob_t) --logging_send_syslog_msg(hplip_t) -+fs_getattr_all_fs(hplip_t) -+fs_search_auto_mountpoints(hplip_t) -+fs_rw_anon_inodefs_files(hplip_t) ++ # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, crontab_exec_t, crontab_t) --miscfiles_read_localization(hplip_t) -+term_use_ptmx(hplip_t) -+ -+auth_read_passwd(hplip_t) -+ -+logging_send_syslog_msg(hplip_t) ++ allow crond_t $2:process transition; + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; - sysnet_read_config(hplip_t) +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint }; - userdom_dontaudit_use_unpriv_user_fds(hplip_t) - userdom_dontaudit_search_user_home_dirs(hplip_t) - userdom_dontaudit_search_user_home_content(hplip_t) -+userdom_dbus_send_all_users(hplip_t) +- allow $2 crontab_t:process { ptrace signal_perms }; ++ # crontab shows up in user ps + ps_process_pattern($2, crontab_t) ++ allow $2 crontab_t:process signal_perms; ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 crontab_t:process ptrace; ++ ') --lpd_read_config(hplip_t) --lpd_manage_spool(hplip_t) -+optional_policy(` -+ lpd_read_config(hplip_t) -+ lpd_manage_spool(hplip_t) -+') ++ # Run helper programs as the user domain ++ #corecmd_bin_domtrans(crontab_t, $2) ++ #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) - optional_policy(` - dbus_system_bus_client(hplip_t) -@@ -743,7 +783,6 @@ kernel_read_kernel_sysctls(ptal_t) - kernel_list_proc(ptal_t) - kernel_read_proc_symlinks(ptal_t) +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 
user_cron_spool_t:file entrypoint; +- +- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 cronjob_t:process { ptrace signal_perms }; +- ') +- + optional_policy(` + gen_require(` + class dbus send_msg; +@@ -119,78 +107,38 @@ interface(`cron_role',` + dbus_stub(cronjob_t) --corenet_all_recvfrom_unlabeled(ptal_t) - corenet_all_recvfrom_netlabel(ptal_t) - corenet_tcp_sendrecv_generic_if(ptal_t) - corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -760,13 +799,10 @@ fs_search_auto_mountpoints(ptal_t) + allow cronjob_t $2:dbus send_msg; +- ') ++ ') + ') - domain_use_interactive_fds(ptal_t) + ######################################## + ## +-## Role access for unconfined cron. ++## Role access for unconfined cronjobs + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## ++## + # + interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_exec_t; +- type crond_t, user_cron_spool_t; +- bool cron_userdomain_transition; ++ type unconfined_cronjob_t; + ') --files_read_etc_files(ptal_t) - files_read_etc_runtime_files(ptal_t) +- ############################## +- # +- # Declarations +- # +- +- role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types unconfined_cronjob_t; + +- ############################## +- # +- # Local policy +- # +- +- domtrans_pattern($2, crontab_exec_t, crontab_t) +- +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; +- +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; +- +- allow $2 crontab_t:process { ptrace signal_perms }; +- ps_process_pattern($2, crontab_t) +- +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) +- +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file 
entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, unconfined_cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 user_cron_spool_t:file entrypoint; +- +- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; +-') ++ # cronjob shows up in user ps ++ ps_process_pattern($2, unconfined_cronjob_t) ++ allow $2 unconfined_cronjob_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 unconfined_cronjob_t:process ptrace; ++ ') - logging_send_syslog_msg(ptal_t) + optional_policy(` + gen_require(` +@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',` + ') --miscfiles_read_localization(ptal_t) + dbus_stub(unconfined_cronjob_t) - - sysnet_read_config(ptal_t) - - userdom_dontaudit_use_unpriv_user_fds(ptal_t) -diff --git a/cvs.if b/cvs.if -index c43ff4c..5da88b5 100644 ---- a/cvs.if -+++ b/cvs.if -@@ -1,5 +1,23 @@ - ## Concurrent versions system + allow unconfined_cronjob_t $2:dbus send_msg; + ') + ') -+###################################### -+## -+## Dontaudit Attempts to list the CVS data and metadata. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`cvs_dontaudit_list_data',` -+ gen_require(` -+ type cvs_data_t; -+ ') -+ -+ dontaudit $1 cvs_data_t:dir list_dir_perms; -+') -+ ######################################## ## - ## Read the CVS data and metadata. -@@ -58,14 +76,17 @@ interface(`cvs_exec',` +-## Role access for admin cron. ++## Role access for cron + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. 
++## User domain for the role + ## + ## ++## # - interface(`cvs_admin',` + interface(`cron_admin_role',` gen_require(` -- type cvs_t, cvs_tmp_t; -+ type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t; -- type cvs_initrc_exec_t; +- type cronjob_t, crontab_exec_t, admin_crontab_t; ++ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; ++ type user_cron_spool_t, crond_t; + class passwd crontab; +- type crond_t, user_cron_spool_t; +- bool cron_userdomain_transition; ') -- allow $1 cvs_t:process { ptrace signal_perms }; -+ allow $1 cvs_t:process signal_perms; - ps_process_pattern($1, cvs_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cvs_t:process ptrace; -+ ') -+ - # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/cvs.te b/cvs.te -index 88e7e97..b475317 100644 ---- a/cvs.te -+++ b/cvs.te -@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) - ## Allow cvs daemon to read shadow - ##

    - ## --gen_tunable(allow_cvs_read_shadow, false) -+gen_tunable(cvs_read_shadow, false) +- ############################## +- # +- # Declarations +- # ++ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - type cvs_t; - type cvs_exec_t; -@@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t) - # Local policy - # +- role $1 types { cronjob_t admin_crontab_t }; ++ # cronjob shows up in user ps ++ ps_process_pattern($2, cronjob_t) -+allow cvs_t self:capability { setuid setgid }; - allow cvs_t self:process signal_perms; - allow cvs_t self:fifo_file rw_fifo_file_perms; - allow cvs_t self:tcp_socket connected_stream_socket_perms; - # for identd; cjp: this should probably only be inetd_child rules? - allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow cvs_t self:capability { setuid setgid }; - - manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) - manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(cvs_t) - kernel_read_system_state(cvs_t) - kernel_read_network_state(cvs_t) - --corenet_all_recvfrom_unlabeled(cvs_t) - corenet_all_recvfrom_netlabel(cvs_t) - corenet_tcp_sendrecv_generic_if(cvs_t) - corenet_udp_sendrecv_generic_if(cvs_t) -@@ -76,21 +75,22 @@ auth_use_nsswitch(cvs_t) - corecmd_exec_bin(cvs_t) - corecmd_exec_shell(cvs_t) +- ############################## +- # +- # Local policy +- # ++ # Manipulate other users crontab. ++ allow $2 self:passwd crontab; --files_read_etc_files(cvs_t) - files_read_etc_runtime_files(cvs_t) - # for identd; cjp: this should probably only be inetd_child rules? - files_search_home(cvs_t) ++ # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) -+init_dontaudit_read_utmp(cvs_t) -+ - logging_send_syslog_msg(cvs_t) - logging_send_audit_msgs(cvs_t) +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; ++ # crontab shows up in user ps ++ ps_process_pattern($2, admin_crontab_t) ++ allow $2 admin_crontab_t:process signal_perms; ++ tunable_policy(`deny_ptrace',`',` ++ allow $2 admin_crontab_t:process ptrace; ++ ') --miscfiles_read_localization(cvs_t) -- - mta_send_mail(cvs_t) +- allow $2 user_cron_spool_t:file { getattr read write ioctl }; ++ allow $2 crond_t:process sigchld; ++ allow crond_t $2:process transition; -+userdom_dontaudit_search_user_home_dirs(cvs_t) -+ - # cjp: typeattribute doesnt work in conditionals yet - auth_can_read_shadow_passwords(cvs_t) --tunable_policy(`allow_cvs_read_shadow',` -+tunable_policy(`cvs_read_shadow',` - allow cvs_t self:capability dac_override; - auth_tunable_read_shadow(cvs_t) - ') -@@ -112,4 +112,5 @@ optional_policy(` - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff --git a/cyphesis.te b/cyphesis.te -index 25897c9..814bdae 100644 ---- a/cyphesis.te -+++ b/cyphesis.te -@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) - corecmd_search_bin(cyphesis_t) - corecmd_getattr_bin_files(cyphesis_t) +- allow $2 admin_crontab_t:process { ptrace signal_perms }; +- ps_process_pattern($2, admin_crontab_t) ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; --corenet_all_recvfrom_unlabeled(cyphesis_t) - corenet_tcp_sendrecv_generic_if(cyphesis_t) - corenet_tcp_sendrecv_generic_node(cyphesis_t) - corenet_tcp_sendrecv_all_ports(cyphesis_t) -@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t) +- # Manipulate other users crontab. 
+- allow $2 self:passwd crontab; ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file entrypoint; - logging_send_syslog_msg(cyphesis_t) ++ # Run helper programs as the user domain ++ #corecmd_bin_domtrans(admin_crontab_t, $2) ++ #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) --miscfiles_read_localization(cyphesis_t) +- tunable_policy(`cron_userdomain_transition',` +- allow crond_t $2:process transition; +- allow crond_t $2:fd use; +- allow crond_t $2:key manage_key_perms; - - sysnet_dns_name_resolve(cyphesis_t) +- allow $2 user_cron_spool_t:file entrypoint; +- +- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- +- allow $2 cronjob_t:process { ptrace signal_perms }; +- ps_process_pattern($2, cronjob_t) +- ',` +- dontaudit crond_t $2:process transition; +- dontaudit crond_t $2:fd use; +- dontaudit crond_t $2:key manage_key_perms; +- +- dontaudit $2 user_cron_spool_t:file entrypoint; +- +- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; +- +- dontaudit $2 cronjob_t:process { ptrace signal_perms }; +- ') +- + optional_policy(` + gen_require(` + class dbus send_msg; +@@ -285,13 +213,13 @@ interface(`cron_admin_role',` + dbus_stub(admin_cronjob_t) - # cyphesis wants to talk to avahi via dbus -diff --git a/cyrus.if b/cyrus.if -index e4e86d0..4203ea9 100644 ---- a/cyrus.if -+++ b/cyrus.if -@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) + allow cronjob_t $2:dbus send_msg; +- ') ++ ') ') -+####################################### -+## -+## Allow write cyrus data files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cyrus_write_data',` -+ gen_require(` -+ type cyrus_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) -+') -+ ######################################## ## - ## Connect to Cyrus using a unix domain stream socket. 
-@@ -62,9 +81,13 @@ interface(`cyrus_admin',` - type cyrus_var_run_t, cyrus_initrc_exec_t; +-## Make the specified program domain +-## accessable from the system cron jobs. ++## Make the specified program domain accessable ++## from the system cron jobs. + ## + ## + ## +@@ -307,15 +235,15 @@ interface(`cron_admin_role',` + interface(`cron_system_entry',` + gen_require(` + type crond_t, system_cronjob_t; +- type user_cron_spool_log_t; ') -- allow $1 cyrus_t:process { ptrace signal_perms }; -+ allow $1 cyrus_t:process signal_perms; - ps_process_pattern($1, cyrus_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cyrus_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; -diff --git a/cyrus.te b/cyrus.te -index 097fdcc..fb6e6da 100644 ---- a/cyrus.te -+++ b/cyrus.te -@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) - # Local policy - # - --allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; -+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; - dontaudit cyrus_t self:capability sys_tty_config; - allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow cyrus_t self:process setrlimit; -@@ -62,7 +62,6 @@ kernel_read_kernel_sysctls(cyrus_t) - kernel_read_system_state(cyrus_t) - kernel_read_all_sysctls(cyrus_t) - --corenet_all_recvfrom_unlabeled(cyrus_t) - corenet_all_recvfrom_netlabel(cyrus_t) - corenet_tcp_sendrecv_generic_if(cyrus_t) - corenet_udp_sendrecv_generic_if(cyrus_t) -@@ -73,6 +72,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t) - corenet_tcp_bind_generic_node(cyrus_t) - corenet_tcp_bind_mail_port(cyrus_t) - corenet_tcp_bind_lmtp_port(cyrus_t) -+corenet_tcp_bind_innd_port(cyrus_t) - corenet_tcp_bind_pop_port(cyrus_t) - corenet_tcp_bind_sieve_port(cyrus_t) - corenet_tcp_connect_all_ports(cyrus_t) -@@ 
-93,7 +93,6 @@ corecmd_exec_bin(cyrus_t) - domain_use_interactive_fds(cyrus_t) - - files_list_var_lib(cyrus_t) --files_read_etc_files(cyrus_t) - files_read_etc_runtime_files(cyrus_t) - files_read_usr_files(cyrus_t) - -@@ -103,7 +102,6 @@ libs_exec_lib_files(cyrus_t) - - logging_send_syslog_msg(cyrus_t) - --miscfiles_read_localization(cyrus_t) - miscfiles_read_generic_certs(cyrus_t) - - sysnet_read_config(cyrus_t) -@@ -119,6 +117,10 @@ optional_policy(` - ') +- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) +- + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) - optional_policy(` -+ dirsrv_stream_connect(cyrus_t) -+') + role system_r types $1; + -+optional_policy(` - kerberos_keytab_template(cyrus, cyrus_t) ++ allow $1 crond_t:fifo_file rw_fifo_file_perms; ++ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ') -@@ -135,6 +137,7 @@ optional_policy(` - ') + ######################################## +@@ -333,13 +261,12 @@ interface(`cron_domtrans',` + type system_cronjob_t, crond_exec_t; + ') - optional_policy(` -+ files_dontaudit_write_usr_dirs(cyrus_t) - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) -diff --git a/daemontools.if b/daemontools.if -index ce3e676..0158314 100644 ---- a/daemontools.if -+++ b/daemontools.if -@@ -210,3 +210,4 @@ interface(`daemontools_manage_svc',` - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file { read create }; +- corecmd_search_bin($1) + domtrans_pattern($1, crond_exec_t, system_cronjob_t) ') -+ -diff --git a/daemontools.te b/daemontools.te -index dcc5f1c..c6fa5c0 100644 ---- a/daemontools.te -+++ b/daemontools.te -@@ -38,7 +38,10 @@ files_type(svc_svc_t) - # multilog creates /service/*/log/status - manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) - -+term_write_console(svc_multilog_t) -+ - init_use_fds(svc_multilog_t) -+init_dontaudit_use_script_fds(svc_multilog_t) - # 
writes to /var/log/*/* - logging_manage_generic_logs(svc_multilog_t) -@@ -69,6 +72,8 @@ dev_read_urand(svc_run_t) - corecmd_exec_bin(svc_run_t) - corecmd_exec_shell(svc_run_t) + ######################################## + ## +-## Execute crond in the caller domain. ++## Execute crond_exec_t + ## + ## + ## +@@ -352,7 +279,6 @@ interface(`cron_exec',` + type crond_exec_t; + ') -+term_write_console(svc_run_t) -+ - files_read_etc_files(svc_run_t) - files_read_etc_runtime_files(svc_run_t) - files_search_pids(svc_run_t) -@@ -99,12 +104,19 @@ allow svc_start_t self:unix_stream_socket create_socket_perms; +- corecmd_search_bin($1) + can_exec($1, crond_exec_t) + ') - can_exec(svc_start_t, svc_start_exec_t) +@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',` -+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + ######################################## + ## +-## Use crond file descriptors. ++## Execute crond server in the crond domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cron_systemctl',` ++ gen_require(` ++ type crond_unit_file_t; ++ type crond_t; ++ ') + - kernel_read_kernel_sysctls(svc_start_t) - kernel_read_system_state(svc_start_t) - - corecmd_exec_bin(svc_start_t) - corecmd_exec_shell(svc_start_t) - -+corenet_tcp_bind_generic_node(svc_start_t) -+corenet_tcp_bind_generic_port(svc_start_t) ++ systemd_exec_systemctl($1) ++ allow $1 crond_unit_file_t:file read_file_perms; ++ allow $1 crond_unit_file_t:service manage_service_perms; + -+term_write_console(svc_start_t) ++ ps_process_pattern($1, crond_t) ++') + - files_read_etc_files(svc_start_t) - files_read_etc_runtime_files(svc_start_t) - files_search_var(svc_start_t) -@@ -114,5 +126,3 @@ daemontools_domtrans_run(svc_start_t) - daemontools_manage_svc(svc_start_t) - - logging_send_syslog_msg(svc_start_t) -- --miscfiles_read_localization(svc_start_t) -diff --git a/dante.te b/dante.te -index 9636326..637fc71 100644 ---- a/dante.te -+++ b/dante.te -@@ -10,7 +10,7 @@ type 
dante_exec_t; - init_daemon_domain(dante_t, dante_exec_t) - - type dante_conf_t; --files_type(dante_conf_t) -+files_config_file(dante_conf_t) - - type dante_var_run_t; - files_pid_file(dante_var_run_t) -@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(dante_t) - kernel_list_proc(dante_t) - kernel_read_proc_symlinks(dante_t) - --corenet_all_recvfrom_unlabeled(dante_t) - corenet_all_recvfrom_netlabel(dante_t) - corenet_tcp_sendrecv_generic_if(dante_t) - corenet_udp_sendrecv_generic_if(dante_t) -@@ -46,7 +45,6 @@ corenet_udp_sendrecv_generic_node(dante_t) - corenet_tcp_sendrecv_all_ports(dante_t) - corenet_udp_sendrecv_all_ports(dante_t) - corenet_tcp_bind_generic_node(dante_t) --corenet_tcp_bind_socks_port(dante_t) - - dev_read_sysfs(dante_t) - -@@ -62,8 +60,6 @@ init_write_utmp(dante_t) - - logging_send_syslog_msg(dante_t) ++######################################## ++## ++## Inherit and use a file descriptor ++## from the cron daemon. + ## + ## + ## +@@ -394,7 +344,7 @@ interface(`cron_use_fds',` --miscfiles_read_localization(dante_t) -- - sysnet_read_config(dante_t) + ######################################## + ## +-## Send child terminated signals to crond. ++## Send a SIGCHLD signal to the cron daemon. + ## + ## + ## +@@ -412,7 +362,7 @@ interface(`cron_sigchld',` - userdom_dontaudit_use_unpriv_user_fds(dante_t) -diff --git a/dbadm.te b/dbadm.te -index 1875064..2adc35f 100644 ---- a/dbadm.te -+++ b/dbadm.te -@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) - # database admin local policy + ######################################## + ## +-## Set the attributes of cron log files. ++## Send a generic signal to cron daemon. 
+ ## + ## + ## +@@ -420,17 +370,17 @@ interface(`cron_sigchld',` + ## + ## # +-interface(`cron_setattr_log_files',` ++interface(`cron_signal',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') --allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; -+allow dbadm_t self:capability { dac_override dac_read_search }; - - files_dontaudit_search_all_dirs(dbadm_t) - files_delete_generic_locks(dbadm_t) -@@ -37,6 +37,7 @@ files_list_var(dbadm_t) - selinux_get_enforce_mode(dbadm_t) - - logging_send_syslog_msg(dbadm_t) -+logging_send_audit_msgs(dbadm_t) +- allow $1 cron_log_t:file setattr_file_perms; ++ allow $1 crond_t:process signal; + ') - userdom_dontaudit_search_user_home_dirs(dbadm_t) + ######################################## + ## +-## Create cron log files. ++## Read a cron daemon unnamed pipe. + ## + ## + ## +@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',` + ## + ## + # +-interface(`cron_create_log_files',` ++interface(`cron_read_pipes',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') -@@ -58,3 +59,7 @@ optional_policy(` - optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) +- create_files_pattern($1, cron_log_t, cron_log_t) ++ allow $1 crond_t:fifo_file read_fifo_file_perms; ') -+ -+optional_policy(` -+ sudo_role_template(dbadm, dbadm_r, dbadm_t) -+') -diff --git a/dbskk.te b/dbskk.te -index 1445f97..8ca064c 100644 ---- a/dbskk.te -+++ b/dbskk.te -@@ -47,7 +47,6 @@ kernel_read_kernel_sysctls(dbskkd_t) - kernel_read_system_state(dbskkd_t) - kernel_read_network_state(dbskkd_t) - --corenet_all_recvfrom_unlabeled(dbskkd_t) - corenet_all_recvfrom_netlabel(dbskkd_t) - corenet_tcp_sendrecv_generic_if(dbskkd_t) - corenet_udp_sendrecv_generic_if(dbskkd_t) -@@ -60,10 +59,7 @@ dev_read_urand(dbskkd_t) - fs_getattr_xattr_fs(dbskkd_t) + ######################################## + ## +-## Write to cron log files. ++## Read crond state files. 
+ ## + ## + ## +@@ -456,18 +406,20 @@ interface(`cron_create_log_files',` + ## + ## + # +-interface(`cron_write_log_files',` ++interface(`cron_read_state_crond',` + gen_require(` +- type cron_log_t; ++ type crond_t; + ') --files_read_etc_files(dbskkd_t) +- allow $1 cron_log_t:file write_file_perms; ++ kernel_search_proc($1) ++ ps_process_pattern($1, crond_t) + ') - auth_use_nsswitch(dbskkd_t) ++ + ######################################## + ## +-## Create, read, write and delete +-## cron log files. ++## Send and receive messages from ++## crond over dbus. + ## + ## + ## +@@ -475,48 +427,37 @@ interface(`cron_write_log_files',` + ## + ## + # +-interface(`cron_manage_log_files',` ++interface(`cron_dbus_chat_crond',` + gen_require(` +- type cron_log_t; ++ type crond_t; ++ class dbus send_msg; + ') - logging_send_syslog_msg(dbskkd_t) +- manage_files_pattern($1, cron_log_t, cron_log_t) - --miscfiles_read_localization(dbskkd_t) -diff --git a/dbus.fc b/dbus.fc -index e6345ce..31f269b 100644 ---- a/dbus.fc -+++ b/dbus.fc -@@ -4,6 +4,7 @@ - - ifdef(`distro_redhat',` - /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +- logging_search_logs($1) ++ allow $1 crond_t:dbus send_msg; ++ allow crond_t $1:dbus send_msg; ') - /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) -diff --git a/dbus.if b/dbus.if -index fb4bf82..126d543 100644 ---- a/dbus.if -+++ b/dbus.if -@@ -41,9 +41,9 @@ interface(`dbus_stub',` - template(`dbus_role_template',` + ######################################## + ## +-## Create specified objects in generic +-## log directories with the cron log file type. ++## Do not audit attempts to write cron daemon unnamed pipes. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. 
+ ## + ## + # +-interface(`cron_generic_log_filetrans_log',` ++interface(`cron_dontaudit_write_pipes',` gen_require(` - class dbus { send_msg acquire_svc }; -- -- attribute session_bus_type; -+ attribute dbusd_unconfined, session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; -+ type $1_t; +- type cron_log_t; ++ type crond_t; ') - ############################## -@@ -52,117 +52,47 @@ template(`dbus_role_template',` - # - - type $1_dbusd_t, session_bus_type; -- domain_type($1_dbusd_t) -- domain_entry_file($1_dbusd_t, dbusd_exec_t) -+ application_domain($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - role $2 types $1_dbusd_t; - -+ kernel_read_system_state($1_dbusd_t) -+ -+ selinux_get_fs_mount($1_dbusd_t) -+ -+ userdom_home_manager($1_dbusd_t) -+ - ############################## - # - # Local policy - # - -- allow $1_dbusd_t self:process { getattr sigkill signal }; -- dontaudit $1_dbusd_t self:process ptrace; -- allow $1_dbusd_t self:file { getattr read write }; -- allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; -- allow $1_dbusd_t self:dbus { send_msg acquire_svc }; -- allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; -- allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; -- allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; -- - # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; - - # SE-DBus specific permissions -- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; -+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; +- logging_log_filetrans($1, cron_log_t, $2, $3) ++ dontaudit $1 crond_t:fifo_file write; + ') -- allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -- read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) -- read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) -+ domtrans_pattern($3, 
dbusd_exec_t, $1_dbusd_t) + ######################################## + ## +-## Read cron daemon unnamed pipes. ++## Read and write a cron daemon unnamed pipe. + ## + ## + ## +@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',` + ## + ## + # +-interface(`cron_read_pipes',` ++interface(`cron_rw_pipes',` + gen_require(` + type crond_t; + ') -- manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) -- manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) -- files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) -+ ps_process_pattern($3, $1_dbusd_t) -+ allow $3 $1_dbusd_t:process signal_perms; +- allow $1 crond_t:fifo_file read_fifo_file_perms; ++ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; + ') -- domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) -- allow $3 $1_dbusd_t:process { signull sigkill signal }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $3 $1_dbusd_t:process ptrace; -+ ') + ######################################## + ## +-## Do not audit attempts to write +-## cron daemon unnamed pipes. ++## Read and write inherited user spool files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`cron_dontaudit_write_pipes',` ++interface(`cron_rw_inherited_user_spool_files',` + gen_require(` +- type crond_t; ++ type user_cron_spool_t; + ') - # cjp: this seems very broken -- corecmd_bin_domtrans($1_dbusd_t, $3) -+ corecmd_bin_domtrans($1_dbusd_t, $1_t) -+ corecmd_shell_domtrans($1_dbusd_t, $1_t) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -- allow $3 $1_dbusd_t:process sigchld; -- -- kernel_read_system_state($1_dbusd_t) -- kernel_read_kernel_sysctls($1_dbusd_t) -- -- corecmd_list_bin($1_dbusd_t) -- corecmd_read_bin_symlinks($1_dbusd_t) -- corecmd_read_bin_files($1_dbusd_t) -- corecmd_read_bin_pipes($1_dbusd_t) -- corecmd_read_bin_sockets($1_dbusd_t) - -- corenet_all_recvfrom_unlabeled($1_dbusd_t) -- corenet_all_recvfrom_netlabel($1_dbusd_t) -- corenet_tcp_sendrecv_generic_if($1_dbusd_t) -- corenet_tcp_sendrecv_generic_node($1_dbusd_t) -- corenet_tcp_sendrecv_all_ports($1_dbusd_t) -- corenet_tcp_bind_generic_node($1_dbusd_t) -- corenet_tcp_bind_reserved_port($1_dbusd_t) -- -- dev_read_urand($1_dbusd_t) -- -- domain_use_interactive_fds($1_dbusd_t) -- domain_read_all_domains_state($1_dbusd_t) -- -- files_read_etc_files($1_dbusd_t) -- files_list_home($1_dbusd_t) -- files_read_usr_files($1_dbusd_t) -- files_dontaudit_search_var($1_dbusd_t) -- -- fs_getattr_romfs($1_dbusd_t) -- fs_getattr_xattr_fs($1_dbusd_t) -- fs_list_inotifyfs($1_dbusd_t) -- fs_dontaudit_list_nfs($1_dbusd_t) -- -- selinux_get_fs_mount($1_dbusd_t) -- selinux_validate_context($1_dbusd_t) -- selinux_compute_access_vector($1_dbusd_t) -- selinux_compute_create_context($1_dbusd_t) -- selinux_compute_relabel_context($1_dbusd_t) -- selinux_compute_user_contexts($1_dbusd_t) -- -- auth_read_pam_console_data($1_dbusd_t) - auth_use_nsswitch($1_dbusd_t) +- dontaudit $1 crond_t:fifo_file write; ++ allow $1 user_cron_spool_t:file rw_inherited_file_perms; + ') -- logging_send_audit_msgs($1_dbusd_t) - 
logging_send_syslog_msg($1_dbusd_t) -- -- miscfiles_read_localization($1_dbusd_t) -- -- seutil_read_config($1_dbusd_t) -- seutil_read_default_contexts($1_dbusd_t) -- -- term_use_all_terms($1_dbusd_t) -- -- userdom_read_user_home_content_files($1_dbusd_t) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; -- ') -- -- optional_policy(` -- hal_dbus_chat($1_dbusd_t) -- ') -- -- optional_policy(` -- xserver_use_xdm_fds($1_dbusd_t) -- xserver_rw_xdm_pipes($1_dbusd_t) -- ') + ######################################## + ## +-## Read and write crond unnamed pipes. ++## Read and write inherited spool files. + ## + ## + ## +@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',` + ## + ## + # +-interface(`cron_rw_pipes',` ++interface(`cron_rw_inherited_spool_files',` + gen_require(` +- type crond_t; ++ type cron_spool_t; + ') + +- allow $1 crond_t:fifo_file rw_fifo_file_perms; ++ allow $1 cron_spool_t:file rw_inherited_file_perms; ') - ####################################### -@@ -181,11 +111,12 @@ interface(`dbus_system_bus_client',` - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; -+ attribute dbusd_unconfined; - ') + ######################################## + ## +-## Read and write crond TCP sockets. ++## Read, and write cron daemon TCP sockets. + ## + ## + ## +@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',` - # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; -- allow system_dbusd_t $1:dbus send_msg; -+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; + ######################################## + ## +-## Do not audit attempts to read and +-## write cron daemon TCP sockets. ++## Dontaudit Read, and write cron daemon TCP sockets. 
+ ## + ## + ## +@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($1) -@@ -198,6 +129,34 @@ interface(`dbus_system_bus_client',` + ######################################## + ## +-## Search cron spool directories. ++## Search the directory containing user cron tables. + ## + ## + ## +@@ -627,8 +566,26 @@ interface(`cron_search_spool',` - ####################################### + ######################################## ## -+## Creating connections to specified -+## DBUS sessions. +-## Create, read, write, and delete +-## crond pid files. ++## Search the directory containing user cron tables. +## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## +## +## +## Domain allowed access. +## +## +# -+interface(`dbus_session_client',` ++interface(`cron_manage_system_spool',` + gen_require(` -+ class dbus send_msg; -+ type $1_dbusd_t; ++ type cron_system_spool_t; + ') + -+ allow $2 $1_dbusd_t:fd use; -+ allow $2 { $1_dbusd_t self }:dbus send_msg; -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; ++ files_search_spool($1) ++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) +') + -+####################################### ++######################################## +## - ## Template for creating connections to - ## a user DBUS. 
++## Manage pid files used by cron ## -@@ -219,7 +178,7 @@ interface(`dbus_session_bus_client',` - # For connecting to the bus - allow $1 session_bus_type:unix_stream_socket connectto; + ## + ## +@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',` + type crond_var_run_t; + ') -- dontaudit $1 session_bus_type:fd use; -+ allow session_bus_type $1:process sigkill; ++ files_search_pids($1) + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') ######################################## -@@ -324,6 +283,11 @@ interface(`dbus_connect_session_bus',` - ## Allow a application domain to be started - ## by the session dbus. + ## +-## Execute anacron in the cron +-## system domain. ++## Execute anacron in the cron system domain. + ## + ## + ## +@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',` + type system_cronjob_t, anacron_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) + ') + + ######################################## + ## +-## Use system cron job file descriptors. ++## Inherit and use a file descriptor ++## from system cron jobs. + ## + ## + ## +@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',` + + ######################################## + ## +-## Read system cron job lib files. ++## Write a system cron job unnamed pipe. ## -+## -+## -+## User domain prefix to be used. -+## -+## ## ## - ## Type to be used as a domain. 
-@@ -338,13 +302,13 @@ interface(`dbus_connect_session_bus',` +@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',` + ## + ## # - interface(`dbus_session_domain',` +-interface(`cron_read_system_job_lib_files',` ++interface(`cron_write_system_job_pipes',` gen_require(` -- attribute session_bus_type; -+ type $1_dbusd_t; +- type system_cronjob_var_lib_t; ++ type system_cronjob_t; ') -- domtrans_pattern(session_bus_type, $2, $1) -+ domtrans_pattern($1_dbusd_t, $2, $3) +- files_search_var_lib($1) +- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ allow $1 system_cronjob_t:fifo_file write; + ') -- dbus_session_bus_client($1) -- dbus_connect_session_bus($1) -+ dbus_session_bus_client($3) -+ dbus_connect_session_bus($3) + ######################################## + ## +-## Create, read, write, and delete +-## system cron job lib files. ++## Read and write a system cron job unnamed pipe. + ## + ## + ## +@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',` + ## + ## + # +-interface(`cron_manage_system_job_lib_files',` ++interface(`cron_rw_system_job_pipes',` + gen_require(` +- type system_cronjob_var_lib_t; ++ type system_cronjob_t; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## -@@ -423,27 +387,16 @@ interface(`dbus_system_bus_unconfined',` + ## +-## Write system cron job unnamed pipes. ++## Allow read/write unix stream sockets from the system cron jobs. 
+ ## + ## + ## +@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',` + ## + ## # - interface(`dbus_system_domain',` +-interface(`cron_write_system_job_pipes',` ++interface(`cron_rw_system_job_stream_sockets',` gen_require(` -+ attribute system_bus_type; - type system_dbusd_t; - role system_r; + type system_cronjob_t; ') -+ typeattribute $1 system_bus_type; - domain_type($1) - domain_entry_file($1, $2) +- allow $1 system_cronjob_t:file write; ++ allow $1 system_cronjob_t:unix_stream_socket { read write }; + ') -- role system_r types $1; -- - domtrans_pattern(system_dbusd_t, $2, $1) -- -- dbus_system_bus_client($1) -- dbus_connect_system_bus($1) -- -- ps_process_pattern(system_dbusd_t, $1) -- -- userdom_read_all_users_state($1) -- -- ifdef(`hide_broken_symptoms', ` -- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -- ') + ######################################## + ## +-## Read and write system cron job +-## unnamed pipes. ++## Read temporary files from the system cron jobs. + ## + ## + ## +@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',` + ## + ## + # +-interface(`cron_rw_system_job_pipes',` ++interface(`cron_read_system_job_tmp_files',` + gen_require(` +- type system_cronjob_t; ++ type system_cronjob_tmp_t, cron_var_run_t; + ') + +- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ++ files_search_tmp($1) ++ allow $1 system_cronjob_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Read and write inherited system cron +-## job unix domain stream sockets. ++## Do not audit attempts to append temporary ++## files from the system cron jobs. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`cron_rw_system_job_stream_sockets',` ++interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` +- type system_cronjob_t; ++ type system_cronjob_tmp_t; + ') + +- allow $1 system_cronjob_t:unix_stream_socket { read write }; ++ dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ') ######################################## -@@ -466,26 +419,25 @@ interface(`dbus_use_system_bus_fds',` + ## +-## Read system cron job temporary files. ++## Do not audit attempts to write temporary ++## files from the system cron jobs. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`cron_read_system_job_tmp_files',` ++interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; ++ type cron_var_run_t; + ') + +- files_search_tmp($1) +- allow $1 system_cronjob_tmp_t:file read_file_perms; ++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; + ') ######################################## ## --## Dontaudit Read, and write system dbus TCP sockets. -+## Allow unconfined access to the system DBUS. +-## Do not audit attempts to append temporary +-## system cron job files. ++## Read temporary files from the system cron jobs. ## ## ## 
@@ -16002,835 +13596,1074 @@ index fb4bf82..126d543 100644 ## ## # --interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_unconfined',` +-interface(`cron_dontaudit_append_system_job_tmp_files',` ++interface(`cron_read_system_job_lib_files',` gen_require(` -- type system_dbusd_t; -+ attribute dbusd_unconfined; +- type system_cronjob_tmp_t; ++ type system_cronjob_var_lib_t; ') -- allow $1 system_dbusd_t:tcp_socket { read write }; -- allow $1 system_dbusd_t:fd use; -+ typeattribute $1 dbusd_unconfined; +- dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ++ files_search_var_lib($1) ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') ######################################## ## --## Allow unconfined access to the system DBUS. -+## Delete all dbus pid files +-## Do not audit attempts to write temporary +-## system cron job files. ++## Manage files from the system cron jobs. ## ## ## -@@ -493,10 +445,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`dbus_unconfined',` -+interface(`dbus_delete_pid_files',` +-interface(`cron_dontaudit_write_system_job_tmp_files',` ++interface(`cron_manage_system_job_lib_files',` gen_require(` -- attribute dbusd_unconfined; -+ type system_dbusd_var_run_t; +- type system_cronjob_tmp_t; ++ type system_cronjob_var_lib_t; ') -- typeattribute $1 dbusd_unconfined; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +- dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + -+######################################## ++####################################### +## -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. ++## Create, read, write and delete ++## cron log files. 
+## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dbus_dontaudit_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') ++interface(`cron_manage_log_files',` ++ gen_require(` ++ type cron_log_t; ++ ') + -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++ manage_files_pattern($1, cron_log_t, cron_log_t) ++ ++ logging_search_logs($1) +') + -+######################################## ++####################################### +## -+## Do not audit attempts to send dbus -+## messages to session bus types. ++## Create specified objects in generic ++## log directories with the cron log file type. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## +## +# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; -+ ') ++interface(`cron_generic_log_filetrans_log',` ++ gen_require(` ++ type cron_log_t; ++ ') + -+ dontaudit $1 session_bus_type:dbus send_msg; ++ logging_log_filetrans($1, cron_log_t, $2, $3) ') -diff --git a/dbus.te b/dbus.te -index 625cb32..087cecf 100644 ---- a/dbus.te -+++ b/dbus.te -@@ -10,6 +10,7 @@ gen_require(` - # - - attribute dbusd_unconfined; -+attribute system_bus_type; - attribute session_bus_type; - - type dbusd_etc_t; -@@ -35,6 +36,7 @@ files_type(system_dbusd_var_lib_t) - - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) -+init_sock_file(system_dbusd_var_run_t) - - ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,9 +53,9 @@ ifdef(`enable_mls',` - - # dac_override: /var/run/dbus is owned by messagebus on Debian - # cjp: dac_override should probably go in a distro_debian --allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; -+allow 
system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; -+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -73,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) - - read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +diff --git a/cron.te b/cron.te +index 28e1b86..88a7b95 100644 +--- a/cron.te ++++ b/cron.te +@@ -1,4 +1,4 @@ +-policy_module(cron, 2.5.10) ++policy_module(cron, 2.2.1) -+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) - manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) - manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) --files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file) -+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + gen_require(` + class passwd rootok; +@@ -11,46 +11,37 @@ gen_require(` - kernel_read_system_state(system_dbusd_t) - kernel_read_kernel_sysctls(system_dbusd_t) -@@ -83,11 +86,16 @@ kernel_read_kernel_sysctls(system_dbusd_t) - dev_read_urand(system_dbusd_t) - dev_read_sysfs(system_dbusd_t) + ## + ##

    +-## Determine whether system cron jobs
+-## can relabel filesystem for
+-## restoring file contexts.
++## Allow system cron jobs to relabel filesystem
++## for restoring file contexts.
+ ##

    + ##
    + gen_tunable(cron_can_relabel, false)
-+files_rw_inherited_non_security_files(system_dbusd_t)
-+
- fs_getattr_all_fs(system_dbusd_t)
- fs_list_inotifyfs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
- fs_dontaudit_list_nfs(system_dbusd_t)
+ ##
+ ##

    +-## Determine whether crond can execute jobs
+-## in the user domain as opposed to the
+-## the generic cronjob domain.
+-##

    +-##
    +-gen_tunable(cron_userdomain_transition, false)
+-
+-##
+-##

    +-## Determine whether extra rules
+-## should be enabled to support fcron.
++## Enable extra rules in the cron domain
++## to support fcron.
+ ##

    + ##
    + gen_tunable(fcron_crond, false) -+storage_rw_inherited_fixed_disk_dev(system_dbusd_t) -+storage_rw_inherited_removable_device(system_dbusd_t) -+ - mls_fd_use_all_levels(system_dbusd_t) - mls_rangetrans_target(system_dbusd_t) - mls_file_read_all_levels(system_dbusd_t) -@@ -110,22 +118,25 @@ auth_read_pam_console_data(system_dbusd_t) - corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) -+# needed for system-tools-backends -+corecmd_exec_shell(system_dbusd_t) +-attribute cron_spool_type; + attribute crontab_domain; ++attribute cron_spool_type; - domain_use_interactive_fds(system_dbusd_t) - domain_read_all_domains_state(system_dbusd_t) + type anacron_exec_t; + application_executable_file(anacron_exec_t) --files_read_etc_files(system_dbusd_t) - files_list_home(system_dbusd_t) - files_read_usr_files(system_dbusd_t) + type cron_spool_t; +-files_type(cron_spool_t) +-mta_system_content(cron_spool_t) ++files_spool_file(cron_spool_t) - init_use_fds(system_dbusd_t) - init_use_script_ptys(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) - init_domtrans_script(system_dbusd_t) -+init_rw_stream_sockets(system_dbusd_t) -+init_status(system_dbusd_t) ++# var/lib files + type cron_var_lib_t; + files_type(cron_var_lib_t) - logging_send_audit_msgs(system_dbusd_t) - logging_send_syslog_msg(system_dbusd_t) + type cron_var_run_t; + files_pid_file(cron_var_run_t) --miscfiles_read_localization(system_dbusd_t) - miscfiles_read_generic_certs(system_dbusd_t) ++# var/log files + type cron_log_t; + logging_log_file(cron_log_t) - seutil_read_config(system_dbusd_t) -@@ -135,11 +146,35 @@ seutil_sigchld_newrole(system_dbusd_t) - userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) - userdom_dontaudit_search_user_home_dirs(system_dbusd_t) +@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t) + type crond_initrc_exec_t; + init_script_file(crond_initrc_exec_t) -+userdom_home_reader(system_dbusd_t) ++type 
crond_unit_file_t; ++systemd_unit_file(crond_unit_file_t) + - optional_policy(` - bind_domtrans(system_dbusd_t) - ') + type crond_tmp_t; + files_tmp_file(crond_tmp_t) + files_poly_parent(crond_tmp_t) +@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; + typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; + typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; + typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; ++allow admin_crontab_t crond_t:process signal; - optional_policy(` -+ bluetooth_stream_connect(system_dbusd_t) -+') -+ -+optional_policy(` -+ cpufreqselector_dbus_chat(system_dbusd_t) -+') -+ -+optional_policy(` -+ getty_start_services(system_dbusd_t) -+') -+ -+optional_policy(` -+ gnome_exec_gconf(system_dbusd_t) -+ gnome_read_inherited_home_icc_data_files(system_dbusd_t) -+') -+ -+optional_policy(` -+ networkmanager_initrc_domtrans(system_dbusd_t) -+ networkmanager_systemctl(system_dbusd_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(system_dbusd_t) - policykit_domtrans_auth(system_dbusd_t) - policykit_search_lib(system_dbusd_t) -@@ -150,12 +185,162 @@ optional_policy(` - ') + type system_cron_spool_t, cron_spool_type; +-files_type(system_cron_spool_t) +-mta_system_content(system_cron_spool_t) ++files_spool_file(system_cron_spool_t) - optional_policy(` -+ systemd_use_fds_logind(system_dbusd_t) -+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) -+ systemd_write_inhibit_pipes(system_dbusd_t) -+# These are caused by broken systemd patch -+ systemd_start_power_services(system_dbusd_t) -+ systemd_config_all_services(system_dbusd_t) -+ files_config_all_files(system_dbusd_t) -+') -+ -+optional_policy(` - udev_read_db(system_dbusd_t) - ') + type system_cronjob_t alias system_crond_t; + init_daemon_domain(system_cronjob_t, anacron_exec_t) + corecmd_shell_entry_type(system_cronjob_t) +-domain_entry_file(system_cronjob_t, system_cron_spool_t) ++role 
system_r types system_cronjob_t; ++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) -+optional_policy(` -+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc -+ xserver_read_inherited_xdm_lib_files(system_dbusd_t) -+') -+ -+######################################## -+# -+# system_bus_type rules -+# -+role system_r types system_bus_type; -+ -+fs_search_all(system_bus_type) -+ -+dbus_system_bus_client(system_bus_type) -+dbus_connect_system_bus(system_bus_type) -+ -+init_status(system_bus_type) -+init_stream_connect(system_bus_type) -+init_dgram_send(system_bus_type) -+init_use_fds(system_bus_type) -+init_rw_stream_sockets(system_bus_type) -+ -+ps_process_pattern(system_dbusd_t, system_bus_type) -+ -+userdom_dontaudit_search_admin_dir(system_bus_type) -+userdom_read_all_users_state(system_bus_type) -+ -+optional_policy(` -+ abrt_stream_connect(system_bus_type) -+') -+ -+optional_policy(` -+ rpm_script_dbus_chat(system_bus_type) -+') -+ -+optional_policy(` -+ unconfined_dbus_send(system_bus_type) -+') -+ -+ifdef(`hide_broken_symptoms',` -+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; -+') -+ -+######################################## -+# -+# session_bus_type rules -+# -+allow session_bus_type self:capability2 block_suspend; -+dontaudit session_bus_type self:capability sys_resource; -+allow session_bus_type self:process { getattr sigkill signal }; -+dontaudit session_bus_type self:process setrlimit; -+allow session_bus_type self:file { getattr read write }; -+allow session_bus_type self:fifo_file rw_fifo_file_perms; -+allow session_bus_type self:dbus { send_msg acquire_svc }; -+allow session_bus_type self:unix_stream_socket create_stream_socket_perms; -+allow session_bus_type self:unix_dgram_socket create_socket_perms; -+allow session_bus_type self:tcp_socket create_stream_socket_perms; -+allow session_bus_type self:netlink_selinux_socket create_socket_perms; -+ -+allow session_bus_type dbusd_etc_t:dir 
list_dir_perms; -+read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) -+read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) -+ -+manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -+manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) -+ -+kernel_read_kernel_sysctls(session_bus_type) -+ -+corecmd_list_bin(session_bus_type) -+corecmd_read_bin_symlinks(session_bus_type) -+corecmd_read_bin_files(session_bus_type) -+corecmd_read_bin_pipes(session_bus_type) -+corecmd_read_bin_sockets(session_bus_type) -+ -+corenet_tcp_sendrecv_generic_if(session_bus_type) -+corenet_tcp_sendrecv_generic_node(session_bus_type) -+corenet_tcp_sendrecv_all_ports(session_bus_type) -+corenet_tcp_bind_generic_node(session_bus_type) -+corenet_tcp_bind_reserved_port(session_bus_type) -+ -+dev_read_urand(session_bus_type) -+ -+domain_use_interactive_fds(session_bus_type) -+domain_read_all_domains_state(session_bus_type) -+ -+files_list_home(session_bus_type) -+files_read_usr_files(session_bus_type) -+files_dontaudit_search_var(session_bus_type) -+ -+fs_getattr_romfs(session_bus_type) -+fs_getattr_xattr_fs(session_bus_type) -+fs_list_inotifyfs(session_bus_type) -+fs_dontaudit_list_nfs(session_bus_type) -+ -+selinux_validate_context(session_bus_type) -+selinux_compute_access_vector(session_bus_type) -+selinux_compute_create_context(session_bus_type) -+selinux_compute_relabel_context(session_bus_type) -+selinux_compute_user_contexts(session_bus_type) -+ -+auth_read_pam_console_data(session_bus_type) -+ -+logging_send_audit_msgs(session_bus_type) -+ -+seutil_read_config(session_bus_type) -+seutil_read_default_contexts(session_bus_type) -+ -+term_use_all_inherited_terms(session_bus_type) -+ -+userdom_dontaudit_search_admin_dir(session_bus_type) -+userdom_manage_user_home_content_dirs(session_bus_type) 
-+userdom_manage_user_home_content_files(session_bus_type) -+userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) -+userdom_manage_tmpfs_files(session_bus_type, file) -+userdom_tmpfs_filetrans(session_bus_type, file) -+ -+optional_policy(` -+ gnome_read_gconf_home_files(session_bus_type) -+') -+ -+optional_policy(` -+ hal_dbus_chat(session_bus_type) -+') -+ -+optional_policy(` -+ thumb_domtrans(session_bus_type) -+') -+ -+optional_policy(` -+ xserver_search_xdm_lib(session_bus_type) -+ xserver_use_xdm_fds(session_bus_type) -+ xserver_rw_xdm_pipes(session_bus_type) -+ xserver_use_xdm_fds(session_bus_type) -+ xserver_rw_xdm_pipes(session_bus_type) -+ xserver_append_xdm_home_files(session_bus_type) -+') + type system_cronjob_lock_t alias system_crond_lock_t; + files_lock_file(system_cronjob_lock_t) +@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t) + type system_cronjob_tmp_t alias system_crond_tmp_t; + files_tmp_file(system_cronjob_tmp_t) + +-type system_cronjob_var_lib_t; +-files_type(system_cronjob_var_lib_t) +- +-type system_cronjob_var_run_t; +-files_pid_file(system_cronjob_var_run_t) ++type unconfined_cronjob_t; ++domain_type(unconfined_cronjob_t) ++domain_cron_exemption_target(unconfined_cronjob_t) + ++# Type of user crontabs once moved to cron spool. 
+ type user_cron_spool_t, cron_spool_type; + typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; + typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +-files_type(user_cron_spool_t) ++files_spool_file(user_cron_spool_t) + ubac_constrained(user_cron_spool_t) + mta_system_content(user_cron_spool_t) + +-type user_cron_spool_log_t; +-logging_log_file(user_cron_spool_log_t) +-ubac_constrained(user_cron_spool_log_t) +-mta_system_content(user_cron_spool_log_t) ++type system_cronjob_var_lib_t; ++files_type(system_cronjob_var_lib_t) ++typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + ++type system_cronjob_var_run_t; ++files_pid_file(system_cronjob_var_run_t) + + ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) + ') + +-############################## +-# +-# Common crontab local policy +-# +- +-allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; +-allow crontab_domain self:process { getcap setsched signal_perms }; +-allow crontab_domain self:fifo_file rw_fifo_file_perms; +- +-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) +-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) +- +-allow crontab_domain cron_spool_t:dir setattr_dir_perms; +- +-allow crontab_domain crond_t:process signal; +-allow crontab_domain crond_var_run_t:file read_file_perms; +- +-kernel_read_system_state(crontab_domain) +- +-selinux_dontaudit_search_fs(crontab_domain) +- +-files_list_spool(crontab_domain) +-files_read_etc_files(crontab_domain) +-files_read_usr_files(crontab_domain) +-files_search_pids(crontab_domain) +- +-fs_getattr_xattr_fs(crontab_domain) +-fs_manage_cgroup_dirs(crontab_domain) +-fs_rw_cgroup_files(crontab_domain) +- +-domain_use_interactive_fds(crontab_domain) +- +-fs_dontaudit_rw_anon_inodefs_files(crontab_domain) +- +-auth_rw_var_auth(crontab_domain) 
+- +-logging_send_syslog_msg(crontab_domain) +-logging_send_audit_msgs(crontab_domain) +-logging_set_loginuid(crontab_domain) +- +-init_dontaudit_write_utmp(crontab_domain) +-init_read_utmp(crontab_domain) +-init_read_state(crontab_domain) +- +-miscfiles_read_localization(crontab_domain) +- +-seutil_read_config(crontab_domain) +- +-userdom_manage_user_tmp_dirs(crontab_domain) +-userdom_manage_user_tmp_files(crontab_domain) +-userdom_use_user_terminals(crontab_domain) +-userdom_read_user_home_content_files(crontab_domain) +-userdom_read_user_home_content_symlinks(crontab_domain) +- +-tunable_policy(`fcron_crond',` +- dontaudit crontab_domain crond_t:process signal; +-') +- ######################################## # - # Unconfined access to this module +-# Admin local policy ++# Admin crontab local policy # - allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; -+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; -+allow session_bus_type dbusd_unconfined:dbus send_msg; -diff --git a/dcc.if b/dcc.if -index 784753e..bf65e7d 100644 ---- a/dcc.if -+++ b/dcc.if -@@ -168,6 +168,6 @@ interface(`dcc_stream_connect_dccifd',` - type dcc_var_t, dccifd_var_run_t, dccifd_t; - ') +-allow admin_crontab_t self:capability fsetid; +-allow admin_crontab_t crond_t:process signal; ++# Allow our crontab domain to unlink a user cron spool file. ++allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; -- files_search_var($1) -+ files_search_pids($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ++# Manipulate other users crontab. 
+ selinux_get_fs_mount(admin_crontab_t) + selinux_validate_context(admin_crontab_t) + selinux_compute_access_vector(admin_crontab_t) +@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t) + selinux_compute_user_contexts(admin_crontab_t) + + tunable_policy(`fcron_crond',` ++ # fcron wants an instant update of a crontab change for the administrator ++ # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; ') -diff --git a/dcc.te b/dcc.te -index 5178337..46bbbed 100644 ---- a/dcc.te -+++ b/dcc.te -@@ -36,7 +36,7 @@ type dcc_var_t; - files_type(dcc_var_t) - type dcc_var_run_t; --files_type(dcc_var_run_t) -+files_pid_file(dcc_var_run_t) + ######################################## + # +-# Daemon local policy ++# Cron daemon local policy + # - type dccd_t; - type dccd_exec_t; -@@ -95,22 +95,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms; - read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) - read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; +@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec + allow crond_t self:process { setexec setfscreate }; + allow crond_t self:fd use; + allow crond_t self:fifo_file rw_fifo_file_perms; ++allow crond_t self:unix_dgram_socket create_socket_perms; ++allow crond_t self:unix_stream_socket create_stream_socket_perms; + allow crond_t self:unix_dgram_socket sendto; +-allow crond_t self:unix_stream_socket { accept connectto listen }; ++allow crond_t self:unix_stream_socket connectto; + allow crond_t self:shm create_shm_perms; + allow crond_t self:sem create_sem_perms; + allow crond_t self:msgq create_msgq_perms; +@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive }; + allow crond_t self:key { search write link }; + dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; --corenet_all_recvfrom_unlabeled(cdcc_t) - 
corenet_all_recvfrom_netlabel(cdcc_t) - corenet_udp_sendrecv_generic_if(cdcc_t) - corenet_udp_sendrecv_generic_node(cdcc_t) - corenet_udp_sendrecv_all_ports(cdcc_t) +-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(crond_t, cron_log_t, cron_log_t) + logging_log_filetrans(crond_t, cron_log_t, file) --files_read_etc_files(cdcc_t) - files_read_etc_runtime_files(cdcc_t) + manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) +@@ -237,71 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) + manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) +-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) ++files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + + list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + +-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +- +-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t) ++kernel_read_kernel_sysctls(crond_t) ++kernel_read_fs_sysctls(crond_t) ++kernel_search_key(crond_t) + +-allow crond_t system_cronjob_t:process transition; +-allow crond_t system_cronjob_t:fd use; +-allow crond_t system_cronjob_t:key manage_key_perms; ++dev_read_sysfs(crond_t) ++selinux_get_fs_mount(crond_t) ++selinux_validate_context(crond_t) ++selinux_compute_access_vector(crond_t) ++selinux_compute_create_context(crond_t) ++selinux_compute_relabel_context(crond_t) ++selinux_compute_user_contexts(crond_t) + +-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh }; ++dev_read_urand(crond_t) + +-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) ++fs_getattr_all_fs(crond_t) 
++fs_search_auto_mountpoints(crond_t) ++fs_list_inotifyfs(crond_t) + +-kernel_read_kernel_sysctls(crond_t) +-kernel_read_fs_sysctls(crond_t) +-kernel_search_key(crond_t) ++# need auth_chkpwd to check for locked accounts. ++auth_domtrans_chk_passwd(crond_t) ++auth_manage_var_auth(crond_t) - auth_use_nsswitch(cdcc_t) + corecmd_exec_shell(crond_t) +-corecmd_exec_bin(crond_t) + corecmd_list_bin(crond_t) +- +-dev_read_sysfs(crond_t) +-dev_read_urand(crond_t) ++corecmd_exec_bin(crond_t) ++corecmd_read_bin_symlinks(crond_t) - logging_send_syslog_msg(cdcc_t) + domain_use_interactive_fds(crond_t) + domain_subj_id_change_exemption(crond_t) + domain_role_change_exemption(crond_t) --miscfiles_read_localization(cdcc_t) +-fs_getattr_all_fs(crond_t) +-fs_list_inotifyfs(crond_t) +-fs_manage_cgroup_dirs(crond_t) +-fs_rw_cgroup_files(crond_t) +-fs_search_auto_mountpoints(crond_t) - --userdom_use_user_terminals(cdcc_t) -+userdom_use_inherited_user_terminals(cdcc_t) + files_read_usr_files(crond_t) + files_read_etc_runtime_files(crond_t) + files_read_generic_spool(crond_t) + files_list_usr(crond_t) ++# Read from /var/spool/cron. 
+ files_search_var_lib(crond_t) + files_search_default(crond_t) - ######################################## - # -@@ -134,14 +130,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +-mls_fd_share_all_levels(crond_t) ++fs_manage_cgroup_dirs(crond_t) ++fs_manage_cgroup_files(crond_t) ++ ++# needed by "crontab -e" + mls_file_read_all_levels(crond_t) + mls_file_write_all_levels(crond_t) ++ ++# needed because of kernel check of transition + mls_process_set_level(crond_t) +-mls_trusted_object(crond_t) + +-selinux_get_fs_mount(crond_t) +-selinux_validate_context(crond_t) +-selinux_compute_access_vector(crond_t) +-selinux_compute_create_context(crond_t) +-selinux_compute_relabel_context(crond_t) +-selinux_compute_user_contexts(crond_t) ++# to make cronjob working ++mls_fd_share_all_levels(crond_t) ++mls_trusted_object(crond_t) - kernel_read_system_state(dcc_client_t) + init_read_state(crond_t) + init_rw_utmp(crond_t) + init_spec_domtrans_script(crond_t) --corenet_all_recvfrom_unlabeled(dcc_client_t) - corenet_all_recvfrom_netlabel(dcc_client_t) - corenet_udp_sendrecv_generic_if(dcc_client_t) - corenet_udp_sendrecv_generic_node(dcc_client_t) - corenet_udp_sendrecv_all_ports(dcc_client_t) - corenet_udp_bind_generic_node(dcc_client_t) +-auth_domtrans_chk_passwd(crond_t) + auth_manage_var_auth(crond_t) + auth_use_nsswitch(crond_t) --files_read_etc_files(dcc_client_t) - files_read_etc_runtime_files(dcc_client_t) +@@ -311,41 +251,42 @@ logging_set_loginuid(crond_t) - fs_getattr_all_fs(dcc_client_t) -@@ -150,9 +144,7 @@ auth_use_nsswitch(dcc_client_t) + seutil_read_config(crond_t) + seutil_read_default_contexts(crond_t) ++seutil_sigchld_newrole(crond_t) - logging_send_syslog_msg(dcc_client_t) +-miscfiles_read_localization(crond_t) --miscfiles_read_localization(dcc_client_t) -- --userdom_use_user_terminals(dcc_client_t) -+userdom_use_inherited_user_terminals(dcc_client_t) ++userdom_use_unpriv_users_fds(crond_t) ++# Not sure why this is needed + 
userdom_list_user_home_dirs(crond_t) ++userdom_list_admin_dir(crond_t) ++userdom_manage_all_users_keys(crond_t) - optional_policy(` - amavis_read_spool_files(dcc_client_t) -@@ -182,22 +174,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +-tunable_policy(`cron_userdomain_transition',` +- dontaudit crond_t cronjob_t:process transition; +- dontaudit crond_t cronjob_t:fd use; +- dontaudit crond_t cronjob_t:key manage_key_perms; +-',` +- allow crond_t cronjob_t:process transition; +- allow crond_t cronjob_t:fd use; +- allow crond_t cronjob_t:key manage_key_perms; +-') ++mta_send_mail(crond_t) ++mta_system_content(cron_spool_t) - kernel_read_system_state(dcc_dbclean_t) + ifdef(`distro_debian',` ++ # pam_limits is used + allow crond_t self:process setrlimit; --corenet_all_recvfrom_unlabeled(dcc_dbclean_t) - corenet_all_recvfrom_netlabel(dcc_dbclean_t) - corenet_udp_sendrecv_generic_if(dcc_dbclean_t) - corenet_udp_sendrecv_generic_node(dcc_dbclean_t) - corenet_udp_sendrecv_all_ports(dcc_dbclean_t) +- optional_policy(` +- logwatch_search_cache_dir(crond_t) +- ') ++') ++ ++optional_policy(` ++ logwatch_search_cache_dir(crond_t) + ') --files_read_etc_files(dcc_dbclean_t) - files_read_etc_runtime_files(dcc_dbclean_t) + ifdef(`distro_redhat',` ++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files ++ # via redirection of standard out. 
+ optional_policy(` + rpm_manage_log(crond_t) + ') + ') - auth_use_nsswitch(dcc_dbclean_t) +-tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(crond_t) + ') - logging_send_syslog_msg(dcc_dbclean_t) +-tunable_policy(`fcron_crond',` +- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; ++tunable_policy(`fcron_crond', ` ++ allow crond_t system_cron_spool_t:file manage_file_perms; + ') --miscfiles_read_localization(dcc_dbclean_t) + optional_policy(` +@@ -353,102 +294,135 @@ optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client(crond_t) - --userdom_use_user_terminals(dcc_dbclean_t) -+userdom_use_inherited_user_terminals(dcc_dbclean_t) +- optional_policy(` +- hal_dbus_chat(crond_t) +- ') +- +- optional_policy(` +- unconfined_dbus_send(crond_t) +- ') ++ djbdns_search_tinydns_keys(crond_t) ++ djbdns_link_tinydns_keys(crond_t) + ') - ######################################## - # -@@ -238,7 +226,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) - kernel_read_system_state(dccd_t) - kernel_read_kernel_sysctls(dccd_t) + optional_policy(` +- amanda_search_var_lib(crond_t) ++ locallogin_search_keys(crond_t) ++ locallogin_link_keys(crond_t) + ') --corenet_all_recvfrom_unlabeled(dccd_t) - corenet_all_recvfrom_netlabel(dccd_t) - corenet_udp_sendrecv_generic_if(dccd_t) - corenet_udp_sendrecv_generic_node(dccd_t) -@@ -251,7 +238,6 @@ dev_read_sysfs(dccd_t) + optional_policy(` +- amavis_search_lib(crond_t) ++ # these should probably be unconfined_crond_t ++ dbus_system_bus_client(crond_t) ++ init_dbus_send_script(crond_t) ++ init_dbus_chat(crond_t) + ') - domain_use_interactive_fds(dccd_t) + optional_policy(` +- djbdns_search_tinydns_keys(crond_t) +- djbdns_link_tinydns_keys(crond_t) ++ amanda_search_var_lib(crond_t) + ') --files_read_etc_files(dccd_t) - files_read_etc_runtime_files(dccd_t) + optional_policy(` +- hal_write_log(crond_t) ++ 
amavis_search_lib(crond_t) + ') - fs_getattr_all_fs(dccd_t) -@@ -261,8 +247,6 @@ auth_use_nsswitch(dccd_t) + optional_policy(` +- locallogin_search_keys(crond_t) +- locallogin_link_keys(crond_t) ++ hal_dbus_chat(crond_t) ++ hal_write_log(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') - logging_send_syslog_msg(dccd_t) + optional_policy(` +- mta_send_mail(crond_t) ++ # cjp: why? ++ munin_search_lib(crond_t) + ') --miscfiles_read_localization(dccd_t) -- - userdom_dontaudit_use_unpriv_user_fds(dccd_t) - userdom_dontaudit_search_user_home_dirs(dccd_t) + optional_policy(` +- munin_search_lib(crond_t) ++ rpc_search_nfs_state_data(crond_t) + ') -@@ -306,7 +290,6 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) - kernel_read_system_state(dccifd_t) - kernel_read_kernel_sysctls(dccifd_t) + optional_policy(` +- postgresql_search_db(crond_t) ++ # Commonly used from postinst scripts ++ rpm_read_pipes(crond_t) + ') --corenet_all_recvfrom_unlabeled(dccifd_t) - corenet_all_recvfrom_netlabel(dccifd_t) - corenet_udp_sendrecv_generic_if(dccifd_t) - corenet_udp_sendrecv_generic_node(dccifd_t) -@@ -316,7 +299,6 @@ dev_read_sysfs(dccifd_t) + optional_policy(` +- rpc_search_nfs_state_data(crond_t) ++ # allow crond to find /usr/lib/postgresql/bin/do.maintenance ++ postgresql_search_db(crond_t) + ') - domain_use_interactive_fds(dccifd_t) + optional_policy(` +- rpm_read_pipes(crond_t) ++ systemd_use_fds_logind(crond_t) ++ systemd_write_inherited_logind_sessions_pipes(crond_t) + ') --files_read_etc_files(dccifd_t) - files_read_etc_runtime_files(dccifd_t) + optional_policy(` +- seutil_sigchld_newrole(crond_t) ++ udev_read_db(crond_t) + ') - fs_getattr_all_fs(dccifd_t) -@@ -326,8 +308,6 @@ auth_use_nsswitch(dccifd_t) + optional_policy(` +- udev_read_db(crond_t) ++ vnstatd_search_lib(crond_t) + ') - logging_send_syslog_msg(dccifd_t) + ######################################## + # +-# System local policy ++# System cron process domain + # --miscfiles_read_localization(dccifd_t) -- - 
userdom_dontaudit_use_unpriv_user_fds(dccifd_t) - userdom_dontaudit_search_user_home_dirs(dccifd_t) + allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; ++ + allow system_cronjob_t self:process { signal_perms getsched setsched }; + allow system_cronjob_t self:fifo_file rw_fifo_file_perms; + allow system_cronjob_t self:passwd rootok; -@@ -370,7 +350,6 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) - kernel_read_system_state(dccm_t) - kernel_read_kernel_sysctls(dccm_t) +-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++# This is to handle creation of files in /var/log directory. ++# Used currently by rpm script log files ++allow system_cronjob_t cron_log_t:file manage_file_perms; + logging_log_filetrans(system_cronjob_t, cron_log_t, file) --corenet_all_recvfrom_unlabeled(dccm_t) - corenet_all_recvfrom_netlabel(dccm_t) - corenet_udp_sendrecv_generic_if(dccm_t) - corenet_udp_sendrecv_generic_node(dccm_t) -@@ -380,7 +359,6 @@ dev_read_sysfs(dccm_t) ++# This is to handle /var/lib/misc directory. Used currently ++# by prelink var/lib files for cron + allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; + files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - domain_use_interactive_fds(dccm_t) + allow system_cronjob_t cron_var_run_t:file manage_file_perms; + files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) --files_read_etc_files(dccm_t) - files_read_etc_runtime_files(dccm_t) ++allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++ ++mls_file_read_to_clearance(system_cronjob_t) ++ ++# anacron forces the following + manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) + ++# The entrypoint interface is not used as this is not ++# a regular entrypoint. 
Since crontab files are ++# not directly executed, crond must ensure that ++# the crontab file has a type that is appropriate ++# for the domain of the user cron job. It ++# performs an entrypoint permission check ++# for this purpose. ++allow system_cronjob_t system_cron_spool_t:file entrypoint; ++ ++# Permit a transition from the crond_t domain to this domain. ++# The transition is requested explicitly by the modified crond ++# via setexeccon. There is no way to set up an automatic ++# transition, since crontabs are configuration files, not executables. ++allow crond_t system_cronjob_t:process transition; ++dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; ++allow crond_t system_cronjob_t:fd use; ++allow system_cronjob_t crond_t:fd use; ++allow system_cronjob_t crond_t:fifo_file rw_file_perms; ++allow system_cronjob_t crond_t:process sigchld; ++allow crond_t system_cronjob_t:key manage_key_perms; ++ ++# Write /var/lock/makewhatis.lock. + allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; + files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - fs_getattr_all_fs(dccm_t) -@@ -390,8 +368,6 @@ auth_use_nsswitch(dccm_t) ++# write temporary files + manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) + manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) + filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) + files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - logging_send_syslog_msg(dccm_t) ++# var/lib files for system_crond ++files_search_var_lib(system_cronjob_t) + manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) --miscfiles_read_localization(dccm_t) +-allow system_cronjob_t crond_t:fd use; +-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms; +-allow system_cronjob_t crond_t:process sigchld; - - userdom_dontaudit_use_unpriv_user_fds(dccm_t) - 
userdom_dontaudit_search_user_home_dirs(dccm_t) ++# Read from /var/spool/cron. + allow system_cronjob_t cron_spool_t:dir list_dir_perms; + allow system_cronjob_t cron_spool_t:file rw_file_perms; -diff --git a/ddclient.if b/ddclient.if -index 0a1a61b..64742c6 100644 ---- a/ddclient.if -+++ b/ddclient.if -@@ -64,13 +64,17 @@ interface(`ddclient_run',` - interface(`ddclient_admin',` - gen_require(` - type ddclient_t, ddclient_etc_t, ddclient_log_t; -- type ddclient_var_t, ddclient_var_lib_t; -- type ddclient_var_run_t, ddclient_initrc_exec_t; -+ type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t; -+ type ddclient_var_run_t; - ') +@@ -457,11 +431,11 @@ kernel_read_network_state(system_cronjob_t) + kernel_read_system_state(system_cronjob_t) + kernel_read_software_raid_state(system_cronjob_t) -- allow $1 ddclient_t:process { ptrace signal_perms }; -+ allow $1 ddclient_t:process signal_perms; - ps_process_pattern($1, ddclient_t) ++# ps does not need to access /boot when run from cron + files_dontaudit_search_boot(system_cronjob_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ddclient_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; -diff --git a/ddclient.te b/ddclient.te -index 24ba98a..318a5a1 100644 ---- a/ddclient.te -+++ b/ddclient.te -@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t) - type ddclient_log_t; - logging_log_file(ddclient_log_t) + corecmd_exec_all_executables(system_cronjob_t) -+type ddclient_tmp_t; -+files_tmp_file(ddclient_tmp_t) -+ - type ddclient_var_t; - files_type(ddclient_var_t) +-corenet_all_recvfrom_unlabeled(system_cronjob_t) + corenet_all_recvfrom_netlabel(system_cronjob_t) + corenet_tcp_sendrecv_generic_if(system_cronjob_t) + corenet_udp_sendrecv_generic_if(system_cronjob_t) +@@ -481,6 +455,7 @@ fs_getattr_all_symlinks(system_cronjob_t) + fs_getattr_all_pipes(system_cronjob_t) + 
fs_getattr_all_sockets(system_cronjob_t) -@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t) - # Declarations - # ++# quiet other ps operations + domain_dontaudit_read_all_domains_state(system_cronjob_t) -+ - dontaudit ddclient_t self:capability sys_tty_config; - allow ddclient_t self:process signal_perms; - allow ddclient_t self:fifo_file rw_fifo_file_perms; - allow ddclient_t self:tcp_socket create_socket_perms; - allow ddclient_t self:udp_socket create_socket_perms; -+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; + files_exec_etc_files(system_cronjob_t) +@@ -493,13 +468,18 @@ files_getattr_all_pipes(system_cronjob_t) + files_getattr_all_sockets(system_cronjob_t) + files_read_usr_files(system_cronjob_t) + files_read_var_files(system_cronjob_t) ++# for nscd: + files_dontaudit_search_pids(system_cronjob_t) ++# Access other spool directories like ++# /var/spool/anacron and /var/spool/slrnpull. + files_manage_generic_spool(system_cronjob_t) + files_create_boot_flag(system_cronjob_t) --allow ddclient_t ddclient_etc_t:file read_file_perms; -+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) -+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) +-mls_file_read_to_clearance(system_cronjob_t) +- + init_use_script_fds(system_cronjob_t) ++init_read_utmp(system_cronjob_t) ++init_dontaudit_rw_utmp(system_cronjob_t) ++# prelink tells init to restart it self, we either need to allow or dontaudit ++init_telinit(system_cronjob_t) + init_domtrans_script(system_cronjob_t) + + auth_use_nsswitch(system_cronjob_t) +@@ -511,20 +491,23 @@ logging_read_generic_logs(system_cronjob_t) + logging_send_audit_msgs(system_cronjob_t) + logging_send_syslog_msg(system_cronjob_t) - allow ddclient_t ddclient_log_t:file manage_file_perms; - logging_log_filetrans(ddclient_t, ddclient_log_t, file) +-miscfiles_read_localization(system_cronjob_t) +- + seutil_read_config(system_cronjob_t) -+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t) 
-+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file }) + ifdef(`distro_redhat',` ++ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files ++ allow crond_t system_cron_spool_t:file manage_file_perms; + - manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) - manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) - manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -@@ -62,11 +71,11 @@ kernel_read_software_raid_state(ddclient_t) - kernel_getattr_core_if(ddclient_t) - kernel_getattr_message_if(ddclient_t) - kernel_read_kernel_sysctls(ddclient_t) -+kernel_search_network_sysctl(ddclient_t) - - corecmd_exec_shell(ddclient_t) - corecmd_exec_bin(ddclient_t) - --corenet_all_recvfrom_unlabeled(ddclient_t) - corenet_all_recvfrom_netlabel(ddclient_t) - corenet_tcp_sendrecv_generic_if(ddclient_t) - corenet_udp_sendrecv_generic_if(ddclient_t) -@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) - corenet_udp_sendrecv_generic_node(ddclient_t) - corenet_tcp_sendrecv_all_ports(ddclient_t) - corenet_udp_sendrecv_all_ports(ddclient_t) -+corenet_tcp_bind_generic_node(ddclient_t) -+corenet_udp_bind_generic_node(ddclient_t) - corenet_tcp_connect_all_ports(ddclient_t) - corenet_sendrecv_all_client_packets(ddclient_t) ++ # via redirection of standard out. 
+ optional_policy(` + rpm_manage_log(system_cronjob_t) + ') + ') -@@ -89,9 +100,11 @@ files_read_usr_files(ddclient_t) - fs_getattr_all_fs(ddclient_t) - fs_search_auto_mountpoints(ddclient_t) ++selinux_get_fs_mount(system_cronjob_t) ++ + tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_cronjob_t) + ',` +- selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) +@@ -534,10 +517,17 @@ tunable_policy(`cron_can_relabel',` + ') -+auth_read_passwd(ddclient_t) + optional_policy(` ++ # Needed for certwatch + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) ++ apache_delete_cache_dirs(system_cronjob_t) ++ apache_delete_cache_files(system_cronjob_t) ++') + - logging_send_syslog_msg(ddclient_t) ++optional_policy(` ++ bind_read_config(system_cronjob_t) + ') --miscfiles_read_localization(ddclient_t) -+mta_send_mail(ddclient_t) + optional_policy(` +@@ -546,10 +536,6 @@ optional_policy(` - sysnet_exec_ifconfig(ddclient_t) - sysnet_read_config(ddclient_t) -diff --git a/ddcprobe.te b/ddcprobe.te -index 5e062bc..c85c30d 100644 ---- a/ddcprobe.te -+++ b/ddcprobe.te -@@ -40,12 +40,15 @@ term_use_all_ptys(ddcprobe_t) + optional_policy(` + dbus_system_bus_client(system_cronjob_t) +- +- optional_policy(` +- networkmanager_dbus_chat(system_cronjob_t) +- ') + ') - libs_read_lib_files(ddcprobe_t) + optional_policy(` +@@ -581,6 +567,7 @@ optional_policy(` + optional_policy(` + mta_read_config(system_cronjob_t) + mta_send_mail(system_cronjob_t) ++ mta_system_content(system_cron_spool_t) + ') --miscfiles_read_localization(ddcprobe_t) + optional_policy(` +@@ -588,15 +575,19 @@ optional_policy(` + ') --modutils_read_module_deps(ddcprobe_t) -- --userdom_use_user_terminals(ddcprobe_t) -+userdom_use_inherited_user_terminals(ddcprobe_t) - 
userdom_use_all_users_fds(ddcprobe_t) + optional_policy(` +- postfix_read_config(system_cronjob_t) ++ networkmanager_dbus_chat(system_cronjob_t) + ') --#reh why? this does not seem even necessary to function properly --kudzu_getattr_exec_files(ddcprobe_t) + optional_policy(` ++ postfix_read_config(system_cronjob_t) ++') ++ +optional_policy(` -+ #reh why? this does not seem even necessary to function properly -+ kudzu_getattr_exec_files(ddcprobe_t) + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) +- prelink_relabelfrom_lib(system_cronjob_t) ++ prelink_relabel_lib(system_cronjob_t) + ') + + optional_policy(` +@@ -606,6 +597,7 @@ optional_policy(` + + optional_policy(` + spamassassin_manage_lib_files(system_cronjob_t) ++ spamassassin_manage_home_client(system_cronjob_t) + ') + + optional_policy(` +@@ -613,12 +605,24 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_dbus_chat_logind(system_cronjob_t) ++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) +') + +optional_policy(` -+ modutils_read_module_deps(ddcprobe_t) ++ unconfined_domain(crond_t) ++ unconfined_domain(system_cronjob_t) +') -diff --git a/denyhosts.if b/denyhosts.if -index 567865f..b5e9376 100644 ---- a/denyhosts.if -+++ b/denyhosts.if -@@ -59,6 +59,7 @@ interface(`denyhosts_initrc_domtrans', ` - ## Role allowed access. - ##
    - ## -+## ++ ++optional_policy(` ++ unconfined_shell_domtrans(crond_t) ++ unconfined_dbus_send(crond_t) + userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) + ') + + ######################################## # - interface(`denyhosts_admin', ` - gen_require(` -@@ -66,20 +67,24 @@ interface(`denyhosts_admin', ` - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') +-# Cronjob local policy ++# User cronjobs local policy + # + + allow cronjob_t self:process { signal_perms setsched }; +@@ -626,12 +630,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; + allow cronjob_t self:unix_stream_socket create_stream_socket_perms; + allow cronjob_t self:unix_dgram_socket create_socket_perms; + ++# The entrypoint interface is not used as this is not ++# a regular entrypoint. Since crontab files are ++# not directly executed, crond must ensure that ++# the crontab file has a type that is appropriate ++# for the domain of the user cron job. It ++# performs an entrypoint permission check ++# for this purpose. ++allow cronjob_t user_cron_spool_t:file entrypoint; ++ ++# Permit a transition from the crond_t domain to this domain. ++# The transition is requested explicitly by the modified crond ++# via setexeccon. There is no way to set up an automatic ++# transition, since crontabs are configuration files, not executables. 
++allow crond_t cronjob_t:process transition; ++dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; ++allow crond_t cronjob_t:fd use; ++allow cronjob_t crond_t:fd use; ++allow cronjob_t crond_t:fifo_file rw_file_perms; ++allow cronjob_t crond_t:process sigchld; ++ + kernel_read_system_state(cronjob_t) + kernel_read_kernel_sysctls(cronjob_t) + ++# ps does not need to access /boot when run from cron + files_dontaudit_search_boot(cronjob_t) -- allow $1 denyhosts_t:process { ptrace signal_perms }; -+ allow $1 denyhosts_t:process signal_perms; - ps_process_pattern($1, denyhosts_t) +-corenet_all_recvfrom_unlabeled(cronjob_t) + corenet_all_recvfrom_netlabel(cronjob_t) + corenet_tcp_sendrecv_generic_if(cronjob_t) + corenet_udp_sendrecv_generic_if(cronjob_t) +@@ -639,84 +663,152 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) + corenet_udp_sendrecv_generic_node(cronjob_t) + corenet_tcp_sendrecv_all_ports(cronjob_t) + corenet_udp_sendrecv_all_ports(cronjob_t) +- +-corenet_sendrecv_all_client_packets(cronjob_t) + corenet_tcp_connect_all_ports(cronjob_t) +- +-corecmd_exec_all_executables(cronjob_t) ++corenet_sendrecv_all_client_packets(cronjob_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 denyhosts_t:process ptrace; -+ ') + dev_read_urand(cronjob_t) + + fs_getattr_all_fs(cronjob_t) + ++corecmd_exec_all_executables(cronjob_t) + - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; ++# quiet other ps operations + domain_dontaudit_read_all_domains_state(cronjob_t) + domain_dontaudit_getattr_all_domains(cronjob_t) -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) +-files_exec_etc_files(cronjob_t) +-files_read_etc_runtime_files(cronjob_t) +-files_read_var_files(cronjob_t) + files_read_usr_files(cronjob_t) +-files_search_spool(cronjob_t) ++files_exec_etc_files(cronjob_t) ++# for nscd: + files_dontaudit_search_pids(cronjob_t) 
-- logging_search_logs($1) -+ logging_list_logs($1) - admin_pattern($1, denyhosts_var_log_t) + libs_exec_lib_files(cronjob_t) + libs_exec_ld_so(cronjob_t) -- files_search_locks($1) -+ files_list_locks($1) - admin_pattern($1, denyhosts_var_lock_t) - ') -diff --git a/denyhosts.te b/denyhosts.te -index 8ba9425..2030529 100644 ---- a/denyhosts.te -+++ b/denyhosts.te -@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) - # - # DenyHosts personal policy. - # -+# Bug #588563 -+allow denyhosts_t self:capability sys_tty_config; -+allow denyhosts_t self:fifo_file rw_fifo_file_perms; ++files_read_etc_runtime_files(cronjob_t) ++files_read_var_files(cronjob_t) ++files_search_spool(cronjob_t) ++ + logging_search_logs(cronjob_t) - allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; - allow denyhosts_t self:tcp_socket create_socket_perms; -@@ -43,26 +46,30 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) - setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) - logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) + seutil_read_config(cronjob_t) -+kernel_read_network_state(denyhosts_t) - kernel_read_system_state(denyhosts_t) -+kernel_read_network_state(denyhosts_t) +-miscfiles_read_localization(cronjob_t) -+corecmd_exec_shell(denyhosts_t) - corecmd_exec_bin(denyhosts_t) + userdom_manage_user_tmp_files(cronjob_t) + userdom_manage_user_tmp_symlinks(cronjob_t) + userdom_manage_user_tmp_pipes(cronjob_t) + userdom_manage_user_tmp_sockets(cronjob_t) ++# Run scripts in user home directory and access shared libs. + userdom_exec_user_home_content_files(cronjob_t) ++# Access user files and dirs. 
+ userdom_manage_user_home_content_files(cronjob_t) + userdom_manage_user_home_content_symlinks(cronjob_t) + userdom_manage_user_home_content_pipes(cronjob_t) + userdom_manage_user_home_content_sockets(cronjob_t) ++#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +-tunable_policy(`cron_userdomain_transition',` +- dontaudit cronjob_t crond_t:fd use; +- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms; +- dontaudit cronjob_t crond_t:process sigchld; +- +- dontaudit cronjob_t user_cron_spool_t:file entrypoint; +-',` +- allow cronjob_t crond_t:fd use; +- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms; +- allow cronjob_t crond_t:process sigchld; ++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++allow crond_t user_cron_spool_t:file manage_lnk_file_perms; --corenet_all_recvfrom_unlabeled(denyhosts_t) - corenet_all_recvfrom_netlabel(denyhosts_t) - corenet_tcp_sendrecv_generic_if(denyhosts_t) - corenet_tcp_sendrecv_generic_node(denyhosts_t) - corenet_tcp_bind_generic_node(denyhosts_t) - corenet_tcp_connect_smtp_port(denyhosts_t) -+corenet_tcp_connect_sype_port(denyhosts_t) - corenet_sendrecv_smtp_client_packets(denyhosts_t) +- allow cronjob_t user_cron_spool_t:file entrypoint; ++tunable_policy(`fcron_crond',` ++ allow crond_t user_cron_spool_t:file manage_file_perms; + ') - dev_read_urand(denyhosts_t) ++# need a per-role version of this: ++#optional_policy(` ++# mono_domtrans(cronjob_t) ++#') ++ + optional_policy(` + nis_use_ypbind(cronjob_t) + ') --files_read_etc_files(denyhosts_t) -+files_read_usr_files(denyhosts_t) + ######################################## + # +-# Unconfined local policy ++# Unconfined cronjobs local policy + # + + optional_policy(` +- type unconfined_cronjob_t; +- 
domain_type(unconfined_cronjob_t) +- domain_cron_exemption_target(unconfined_cronjob_t) +- ++ # Permit a transition from the crond_t domain to this domain. ++ # The transition is requested explicitly by the modified crond ++ # via setexeccon. There is no way to set up an automatic ++ # transition, since crontabs are configuration files, not executables. ++ allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; ++ allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) ++') + +- tunable_policy(`cron_userdomain_transition',` +- dontaudit crond_t unconfined_cronjob_t:process transition; +- dontaudit crond_t unconfined_cronjob_t:fd use; +- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms; +- ',` +- allow crond_t unconfined_cronjob_t:process transition; +- allow crond_t unconfined_cronjob_t:fd use; +- allow crond_t unconfined_cronjob_t:key manage_key_perms; +- ') ++############################## ++# ++# crontab common policy ++# ++ ++# dac_override is to create the file in the directory under /tmp ++allow crontab_domain self:capability { fowner setuid setgid chown dac_override }; ++allow crontab_domain self:process { getcap setsched signal_perms }; ++allow crontab_domain self:fifo_file rw_fifo_file_perms; ++ ++allow crontab_domain crond_t:process signal; ++allow crontab_domain crond_var_run_t:file read_file_perms; ++ ++# create files in /var/spool/cron ++manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) ++filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) ++files_list_spool(crontab_domain) ++ ++# crontab signals crond by updating the mtime on the spooldir ++allow crontab_domain cron_spool_t:dir setattr_dir_perms; ++ ++# for the checks used by crontab -u ++selinux_dontaudit_search_fs(crontab_domain) ++ ++fs_getattr_xattr_fs(crontab_domain) ++fs_manage_cgroup_dirs(crontab_domain) 
++fs_manage_cgroup_files(crontab_domain) ++ ++domain_use_interactive_fds(crontab_domain) ++ ++files_read_etc_files(crontab_domain) ++files_read_usr_files(crontab_domain) ++files_dontaudit_search_pids(crontab_domain) ++ ++fs_dontaudit_rw_anon_inodefs_files(crontab_domain) ++ ++auth_rw_var_auth(crontab_domain) ++ ++logging_send_audit_msgs(crontab_domain) ++logging_set_loginuid(crontab_domain) + -+auth_use_nsswitch(denyhosts_t) - - # /var/log/secure - logging_read_generic_logs(denyhosts_t) -- --miscfiles_read_localization(denyhosts_t) -+logging_send_syslog_msg(denyhosts_t) - - sysnet_manage_config(denyhosts_t) - sysnet_etc_filetrans_config(denyhosts_t) -@@ -70,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t) - optional_policy(` - cron_system_entry(denyhosts_t, denyhosts_exec_t) - ') ++init_dontaudit_write_utmp(crontab_domain) ++init_read_utmp(crontab_domain) ++init_read_state(crontab_domain) ++ ++ ++seutil_read_config(crontab_domain) ++ ++userdom_manage_user_tmp_dirs(crontab_domain) ++userdom_manage_user_tmp_files(crontab_domain) ++# Access terminals. 
++userdom_use_inherited_user_terminals(crontab_domain) ++# Read user crontabs ++userdom_read_user_home_content_files(crontab_domain) ++userdom_read_user_home_content_symlinks(crontab_domain) ++ ++tunable_policy(`fcron_crond',` ++ # fcron wants an instant update of a crontab change for the administrator ++ # also crontab does a security check for crontab -u ++ dontaudit crontab_domain crond_t:process signal; ++') + +optional_policy(` -+ gnome_dontaudit_search_config(denyhosts_t) ++ ssh_dontaudit_use_ptys(crontab_domain) +') -diff --git a/devicekit.fc b/devicekit.fc -index 9af85c8..5483806 100644 ---- a/devicekit.fc -+++ b/devicekit.fc -@@ -1,3 +1,8 @@ -+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -+/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + -+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) -+/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - - /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -@@ -6,15 +11,16 @@ - /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) - --ifdef(`distro_debian',` --/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) --') -- - /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) - /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) --/var/lib/udisks(/.*)? 
gen_context(system_u:object_r:devicekit_var_lib_t,s0) -+/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) ++optional_policy(` ++ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain) ++ openshift_transition(system_cronjob_t) + ') +diff --git a/ctdb.if b/ctdb.if +index b25b01d..4f7d237 100644 +--- a/ctdb.if ++++ b/ctdb.if +@@ -1,9 +1,144 @@ +-## Clustered Database based on Samba Trivial Database. + -+/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) -+/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) - - /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) - /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) --/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++## policy for ctdbd + -+/var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0) - /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff --git a/devicekit.if b/devicekit.if -index f706b99..3b4f593 100644 ---- a/devicekit.if -+++ b/devicekit.if -@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',` - - ######################################## - ## -+## Execute a domain transition to run devicekit_disk. ++######################################## ++## ++## Transition to ctdbd. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# -+interface(`devicekit_domtrans_disk',` ++interface(`ctdbd_domtrans',` + gen_require(` -+ type devicekit_disk_t, devicekit_disk_exec_t; ++ type ctdbd_t, ctdbd_exec_t; + ') + -+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t) +') + +######################################## +## - ## Send to devicekit over a unix domain - ## datagram socket. 
- ## -@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',` - - ######################################## - ## -+## Use file descriptors for devicekit_disk. ++## Execute ctdbd server in the ctdbd domain. +## +## +## 
@@ -16838,84 +14671,77 @@ index f706b99..3b4f593 100644 +## +## +# -+interface(`devicekit_use_fds_disk',` ++interface(`ctdbd_initrc_domtrans',` + gen_require(` -+ type devicekit_disk_t; ++ type ctdbd_initrc_exec_t; + ') + -+ allow $1 devicekit_disk_t:fd use; ++ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) +') + +######################################## +## -+## Dontaudit Send and receive messages from -+## devicekit disk over dbus. ++## Read ctdbd's log files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`devicekit_dontaudit_dbus_chat_disk',` ++interface(`ctdbd_read_log',` + gen_require(` -+ type devicekit_disk_t; -+ class dbus send_msg; ++ type ctdbd_log_t; + ') + -+ dontaudit $1 devicekit_disk_t:dbus send_msg; -+ dontaudit devicekit_disk_t $1:dbus send_msg; ++ logging_search_logs($1) ++ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t) +') + +######################################## +## - ## Send signal devicekit power - ## - ## -@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',` - allow devicekit_power_t $1:dbus send_msg; - ') - -+####################################### -+## -+## Append inherited devicekit log files. ++## Append to ctdbd log files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`devicekit_append_inherited_log_files',` ++interface(`ctdbd_append_log',` + gen_require(` -+ type devicekit_var_log_t; ++ type ctdbd_log_t; + ') + -+ allow $1 devicekit_var_log_t:file append_inherited_file_perms; ++ logging_search_logs($1) ++ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t) +') + -+####################################### ++######################################## +## -+## Do not audit attempts to write the devicekit -+## log files. ++## Manage ctdbd log files +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain to not audit. 
++## +## +# -+interface(`devicekit_dontaudit_rw_log',` ++interface(`ctdbd_manage_log',` + gen_require(` -+ type devicekit_var_log_t; ++ type ctdbd_log_t; + ') + -+ dontaudit $1 devicekit_var_log_t:file rw_file_perms; ++ logging_search_logs($1) ++ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t) ++ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t) ++ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t) +') + +######################################## +## -+## Allow the domain to read devicekit_power state files in /proc. ++## Search ctdbd lib directories. +## +## +## 
@@ -16923,850 +14749,877 @@ index f706b99..3b4f593 100644 +## +## +# -+interface(`devicekit_read_state_power',` ++interface(`ctdbd_search_lib',` + gen_require(` -+ type devicekit_power_t; ++ type ctdbd_var_lib_t; + ') + -+ kernel_search_proc($1) -+ ps_process_pattern($1, devicekit_power_t) ++ allow $1 ctdbd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') + - ######################################## - ## - ## Read devicekit PID files. -@@ -139,22 +252,93 @@ interface(`devicekit_read_pid_files',` - - ######################################## - ## --## All of the rules required to administrate --## an devicekit environment -+## Do not audit attempts to read -+## devicekit PID files. ++######################################## ++## ++## Read ctdbd lib files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`devicekit_dontaudit_read_pid_files',` -+ gen_require(` -+ type devicekit_var_run_t; ++interface(`ctdbd_read_lib_files',` ++ gen_require(` ++ type ctdbd_var_lib_t; + ') + -+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; ++ files_search_var_lib($1) ++ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) +') -+ -+ + + ######################################## + ## +-## Create, read, write, and delete +-## ctdbd lib files. ++## Manage ctdbd lib files. + ## + ## + ## +@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',` + ') + + files_search_var_lib($1) +- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ++ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) + ') + +-####################################### +######################################## -+## -+## Manage devicekit PID files. + ## +-## Connect to ctdbd with a unix +-## domain stream socket. ++## Manage ctdbd lib directories. ## ## ## - ## Domain allowed access. 
+@@ -31,19 +165,58 @@ interface(`ctdbd_manage_lib_files',` ## ## --## -+# -+interface(`devicekit_manage_pid_files',` + # +-interface(`ctdbd_stream_connect',` ++interface(`ctdbd_manage_lib_dirs',` + gen_require(` -+ type devicekit_var_run_t; ++ type ctdbd_var_lib_t; + ') + -+ files_search_pids($1) -+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) +') + -+####################################### ++######################################## +## -+## Relabel devicekit LOG files. ++## Read ctdbd PID files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`devicekit_relabel_log_files',` -+ gen_require(` -+ type devicekit_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++interface(`ctdbd_read_pid_files',` + gen_require(` +- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ++ type ctdbd_var_run_t; + ') + + files_search_pids($1) +- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) ++ allow $1 ctdbd_var_run_t:file read_file_perms; +') + -+######################################## ++####################################### +## -+## Manage devicekit LOG files. ++## Connect to ctdbd over a unix stream socket. +## +## - ## --## The role to be allowed to manage the devicekit domain. -+## Domain allowed access. - ## - ## --## ++## ++## Domain allowed access. 
++## ++## +# -+interface(`devicekit_manage_log_files',` -+ gen_require(` -+ type devicekit_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) -+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") -+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") -+') ++interface(`ctdbd_stream_connect',` ++ gen_require(` ++ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ++ ') + -+######################################## -+## ++ files_search_pids($1) ++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) ++ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an ctdb environment. +## All of the rules required to administrate -+## an devicekit environment -+## -+## ++## an ctdbd environment + ## + ## ## --## The type of the user terminal. -+## Domain allowed access. 
- ## +@@ -57,16 +230,19 @@ interface(`ctdbd_stream_connect',` ## ## -@@ -165,21 +349,46 @@ interface(`devicekit_admin',` - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + # +-interface(`ctdb_admin',` ++interface(`ctdbd_admin',` + gen_require(` +- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; ++ type ctdbd_t, ctdbd_initrc_exec_t; + type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; ') -- allow $1 devicekit_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_t:process signal_perms; - ps_process_pattern($1, devicekit_t) +- allow $1 ctdbd_t:process { ptrace signal_perms }; ++ allow $1 ctdbd_t:process signal_perms; + ps_process_pattern($1, ctdbd_t) + tunable_policy(`deny_ptrace',`',` -+ allow $1 devicekit_t:process ptrace; -+ allow $1 devicekit_disk_t:process ptrace; -+ allow $1 devicekit_power_t:process ptrace; ++ allow $1 ctdbd_t:process ptrace; + ') -- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_disk_t:process signal_perms; - ps_process_pattern($1, devicekit_disk_t) - -- allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; -+ allow $1 devicekit_power_t:process signal_perms; - ps_process_pattern($1, devicekit_power_t) +- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) ++ ctdbd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ctdbd_initrc_exec_t system_r; + allow $2 system_r; +@@ -74,12 +250,10 @@ interface(`ctdb_admin',` + logging_search_logs($1) + admin_pattern($1, ctdbd_log_t) - admin_pattern($1, devicekit_tmp_t) - files_search_tmp($1) -+ files_list_tmp($1) - - admin_pattern($1, devicekit_var_lib_t) -- files_search_var_lib($1) -+ files_list_var_lib($1) +- admin_pattern($1, ctdbd_tmp_t) +- + files_search_var_lib($1) + admin_pattern($1, ctdbd_var_lib_t) - admin_pattern($1, devicekit_var_run_t) -- files_search_pids($1) -+ files_list_pids($1) -+') -+ -+######################################## -+## -+## Transition to devicekit named content 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_filetrans_named_content',` -+ gen_require(` -+ type devicekit_var_run_t, devicekit_var_log_t; -+ ') -+ -+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") -+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") -+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") + files_search_pids($1) + admin_pattern($1, ctdbd_var_run_t) ') -diff --git a/devicekit.te b/devicekit.te -index 1819518..2cd919b 100644 ---- a/devicekit.te -+++ b/devicekit.te -@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0) - - type devicekit_t; - type devicekit_exec_t; --dbus_system_domain(devicekit_t, devicekit_exec_t) -+init_daemon_domain(devicekit_t, devicekit_exec_t) - - type devicekit_power_t; - type devicekit_power_exec_t; --dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) -+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) - - type devicekit_disk_t; - type devicekit_disk_exec_t; --dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) -+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) ++ +diff --git a/ctdb.te b/ctdb.te +index 6ce66e7..1d0337a 100644 +--- a/ctdb.te ++++ b/ctdb.te +@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t) - type devicekit_tmp_t; - files_tmp_file(devicekit_tmp_t) -@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) - type devicekit_var_lib_t; - files_type(devicekit_var_lib_t) + domain_dontaudit_read_all_domains_state(ctdbd_t) -+type devicekit_var_log_t; -+logging_log_file(devicekit_var_log_t) -+ - ######################################## - # - # DeviceKit local policy -@@ -42,11 +45,10 @@ kernel_read_system_state(devicekit_t) - dev_read_sysfs(devicekit_t) - dev_read_urand(devicekit_t) +-files_read_etc_files(ctdbd_t) + files_search_all_mountpoints(ctdbd_t) --files_read_etc_files(devicekit_t) + logging_send_syslog_msg(ctdbd_t) --miscfiles_read_localization(devicekit_t) 
+-miscfiles_read_localization(ctdbd_t) + miscfiles_read_public_files(ctdbd_t) optional_policy(` -+ dbus_system_domain(devicekit_t, devicekit_exec_t) - dbus_system_bus_client(devicekit_t) +@@ -109,6 +107,7 @@ optional_policy(` + samba_initrc_domtrans(ctdbd_t) + samba_domtrans_net(ctdbd_t) + samba_rw_var_files(ctdbd_t) ++ samba_systemctl(ctdbd_t) + ') - allow devicekit_t devicekit_disk_t:dbus send_msg; -@@ -62,7 +64,8 @@ optional_policy(` - # DeviceKit disk local policy - # + optional_policy(` +diff --git a/cups.fc b/cups.fc +index 949011e..f3c8888 100644 +--- a/cups.fc ++++ b/cups.fc +@@ -1,77 +1,85 @@ +-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) ++/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) + + /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) + +-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) +- +-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) + +-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) --allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; -+ - allow devicekit_disk_t self:process { getsched signal_perms }; - allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; - allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -75,10 +78,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) - manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) - files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+allow devicekit_disk_t devicekit_var_run_t:dir mounton; - manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) - manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) - files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) -+files_filetrans_named_content(devicekit_disk_t) +-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) +-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) + +-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + +-/usr/local/linuxprinter/ppd(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + + /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) +-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) +-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) ++/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) + +-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) ++/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + +-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) ++/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/var/cache/foomatic(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+kernel_list_unlabeled(devicekit_disk_t) -+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) - kernel_getattr_message_if(devicekit_disk_t) - kernel_read_fs_sysctls(devicekit_disk_t) - kernel_read_network_state(devicekit_disk_t) -@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) - dev_manage_generic_files(devicekit_disk_t) - dev_getattr_all_chr_files(devicekit_disk_t) - dev_getattr_mtrr_dev(devicekit_disk_t) -+dev_rw_generic_blk_files(devicekit_disk_t) + /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) ++ ++/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) ++/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - domain_getattr_all_pipes(devicekit_disk_t) - domain_getattr_all_sockets(devicekit_disk_t) -@@ -105,14 +113,16 @@ domain_read_all_domains_state(devicekit_disk_t) - - files_dontaudit_read_all_symlinks(devicekit_disk_t) - files_getattr_all_sockets(devicekit_disk_t) --files_getattr_all_mountpoints(devicekit_disk_t) -+files_getattr_all_dirs(devicekit_disk_t) - files_getattr_all_files(devicekit_disk_t) -+files_getattr_all_pipes(devicekit_disk_t) -+files_manage_boot_dirs(devicekit_disk_t) - files_manage_isid_type_dirs(devicekit_disk_t) - files_manage_mnt_dirs(devicekit_disk_t) --files_read_etc_files(devicekit_disk_t) - files_read_etc_runtime_files(devicekit_disk_t) - files_read_usr_files(devicekit_disk_t) - -+fs_getattr_all_fs(devicekit_disk_t) - fs_list_inotifyfs(devicekit_disk_t) - fs_manage_fusefs_dirs(devicekit_disk_t) - fs_mount_all_fs(devicekit_disk_t) -@@ -127,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) - storage_raw_read_removable_device(devicekit_disk_t) - 
storage_raw_write_removable_device(devicekit_disk_t) +-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) ++/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) --term_use_all_terms(devicekit_disk_t) -+term_use_all_inherited_terms(devicekit_disk_t) +-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) +-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/hp(/.*)? gen_context(system_u:object_r:hplip_var_log_t,s0) - auth_use_nsswitch(devicekit_disk_t) +-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) + /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) ++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++ ++/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/Printer/(.*/)?inf(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++ ++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +diff --git a/cups.if b/cups.if +index 06da9a0..1a6b35f 100644 +--- a/cups.if ++++ b/cups.if +@@ -15,6 +15,11 @@ + ## Type of the program to be used as an entry point to this domain. + ## + ## ++## ++## ++## Domain allowed access. ++## ++## + # + interface(`cups_backend',` + gen_require(` +@@ -200,10 +205,13 @@ interface(`cups_dbus_chat_config',` + interface(`cups_read_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; ++ type hplip_etc_t; + ') --miscfiles_read_localization(devicekit_disk_t) -+logging_send_syslog_msg(devicekit_disk_t) + files_search_etc($1) +- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t }) ++ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) ++ read_files_pattern($1, hplip_etc_t, hplip_etc_t) ++ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) + ') - userdom_read_all_users_state(devicekit_disk_t) - userdom_search_user_home_dirs(devicekit_disk_t) -+userdom_manage_user_tmp_dirs(devicekit_disk_t) + ######################################## +@@ -306,6 +314,29 @@ interface(`cups_stream_connect_ptal',` - optional_policy(` -+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) - dbus_system_bus_client(devicekit_disk_t) + ######################################## + ## ++## Execute cupsd server in the cupsd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`cupsd_systemctl',` ++ gen_require(` ++ type cupsd_t; ++ type cupsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 cupsd_unit_file_t:file read_file_perms; ++ allow $1 cupsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cupsd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cups environment. + ## +@@ -330,13 +361,18 @@ interface(`cups_admin',` + type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; + type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; + type hplip_t, ptal_t; ++ type cupsd_unit_file_t; + ') - allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -156,6 +168,7 @@ optional_policy(` +- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; +- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; ++ allow $1 { cups_pdf_t hplip_t ptal_t }:process { signal_perms }; + ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) + ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) - optional_policy(` - mount_domtrans(devicekit_disk_t) -+ mount_read_pid_files(devicekit_disk_t) - ') ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cupsd_initrc_exec_t system_r; +@@ -353,8 +389,42 @@ interface(`cups_admin',` - optional_policy(` -@@ -170,6 +183,10 @@ optional_policy(` + files_list_tmp($1) + admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) +- +- files_list_pids($1) + admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) + admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) ++ ++ cupsd_systemctl($1) ++ admin_pattern($1, cupsd_unit_file_t) ++ allow $1 cupsd_unit_file_t:service all_service_perms; ++') ++ 
++######################################## ++## ++## Transition to cups named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cups_filetrans_named_content',` ++ gen_require(` ++ type cupsd_rw_etc_t; ++ type cupsd_etc_t; ++ ') ++ ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N") ++ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat") ++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat") ++ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') +diff --git a/cups.te b/cups.te +index 9f34c2e..2e06558 100644 +--- a/cups.te ++++ b/cups.te +@@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t) + init_daemon_run_dir(cupsd_var_run_t, "cups") + mls_trusted_object(cupsd_var_run_t) - optional_policy(` -+ systemd_read_logind_sessions_files(devicekit_disk_t) -+') ++type cupsd_unit_file_t; ++systemd_unit_file(cupsd_unit_file_t) + -+optional_policy(` - udev_domtrans(devicekit_disk_t) - udev_read_db(devicekit_disk_t) - ') -@@ -178,55 +195,84 @@ optional_policy(` - virt_manage_images(devicekit_disk_t) - ') + type hplip_t; + type hplip_exec_t; + init_daemon_domain(hplip_t, hplip_exec_t) +@@ -76,6 +79,9 @@ files_tmp_file(hplip_tmp_t) + type hplip_var_lib_t; + 
files_type(hplip_var_lib_t) -+optional_policy(` -+ unconfined_domain(devicekit_t) -+ unconfined_domain(devicekit_power_t) -+ unconfined_domain(devicekit_disk_t) -+') ++type hplip_var_log_t; ++logging_log_file(hplip_var_log_t) + - ######################################## - # - # DeviceKit-Power local policy - # + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) --allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; --allow devicekit_power_t self:process getsched; -+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; -+allow devicekit_power_t self:capability2 compromise_kernel; -+allow devicekit_power_t self:process { getsched signal_perms }; - allow devicekit_power_t self:fifo_file rw_fifo_file_perms; - allow devicekit_power_t self:unix_dgram_socket create_socket_perms; - allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -120,6 +126,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) -+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) -+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) -+ -+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) -+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) -+ - manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) - manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) - files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) + manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) ++can_exec(cupsd_t, cupsd_interface_t) -+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) -+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) 
-+ -+manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -+manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -+files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir) -+ -+kernel_read_fs_sysctls(devicekit_power_t) - kernel_read_network_state(devicekit_power_t) - kernel_read_system_state(devicekit_power_t) - kernel_rw_hotplug_sysctls(devicekit_power_t) - kernel_rw_kernel_sysctl(devicekit_power_t) -+kernel_rw_vm_sysctls(devicekit_power_t) - kernel_search_debugfs(devicekit_power_t) - kernel_write_proc_files(devicekit_power_t) -+kernel_setsched(devicekit_power_t) - - corecmd_exec_bin(devicekit_power_t) - corecmd_exec_shell(devicekit_power_t) - --consoletype_exec(devicekit_power_t) -- - domain_read_all_domains_state(devicekit_power_t) - - dev_read_input(devicekit_power_t) -+dev_read_urand(devicekit_power_t) - dev_rw_generic_usb_dev(devicekit_power_t) - dev_rw_generic_chr_files(devicekit_power_t) - dev_rw_netcontrol(devicekit_power_t) - dev_rw_sysfs(devicekit_power_t) -+dev_read_rand(devicekit_power_t) -+dev_getattr_all_chr_files(devicekit_power_t) - - files_read_kernel_img(devicekit_power_t) --files_read_etc_files(devicekit_power_t) -+files_read_etc_runtime_files(devicekit_power_t) - files_read_usr_files(devicekit_power_t) -+files_dontaudit_list_mnt(devicekit_power_t) + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +@@ -144,6 +151,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) - fs_list_inotifyfs(devicekit_power_t) -+fs_getattr_all_fs(devicekit_power_t) ++allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; + manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, 
cupsd_var_run_t, cupsd_var_run_t) +@@ -166,7 +174,6 @@ kernel_read_network_state(cupsd_t) + kernel_read_all_sysctls(cupsd_t) + kernel_request_load_module(cupsd_t) --term_use_all_terms(devicekit_power_t) -+term_use_all_inherited_terms(devicekit_power_t) +-corenet_all_recvfrom_unlabeled(cupsd_t) + corenet_all_recvfrom_netlabel(cupsd_t) + corenet_tcp_sendrecv_generic_if(cupsd_t) + corenet_udp_sendrecv_generic_if(cupsd_t) +@@ -206,7 +213,6 @@ domain_use_interactive_fds(cupsd_t) + files_getattr_boot_dirs(cupsd_t) + files_list_spool(cupsd_t) + files_read_etc_runtime_files(cupsd_t) +-files_read_usr_files(cupsd_t) + files_exec_usr_files(cupsd_t) + # for /var/lib/defoma + files_read_var_lib_files(cupsd_t) +@@ -247,13 +253,11 @@ auth_dontaudit_read_pam_pid(cupsd_t) + auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) - auth_use_nsswitch(devicekit_power_t) +-libs_read_lib_files(cupsd_t) + libs_exec_lib_files(cupsd_t) --miscfiles_read_localization(devicekit_power_t) + logging_send_audit_msgs(cupsd_t) + logging_send_syslog_msg(cupsd_t) + +-miscfiles_read_localization(cupsd_t) + miscfiles_read_fonts(cupsd_t) + miscfiles_setattr_fonts_cache_dirs(cupsd_t) + +@@ -275,6 +279,8 @@ optional_policy(` + optional_policy(` + dbus_system_bus_client(cupsd_t) + ++ init_dbus_chat(cupsd_t) + -+seutil_exec_setfiles(devicekit_power_t) + userdom_dbus_send_all_users(cupsd_t) - sysnet_read_config(devicekit_power_t) - sysnet_domtrans_ifconfig(devicekit_power_t) -+sysnet_domtrans_dhcpc(devicekit_power_t) + optional_policy(` +@@ -285,8 +291,10 @@ optional_policy(` + hal_dbus_chat(cupsd_t) + ') - userdom_read_all_users_state(devicekit_power_t) ++ # talk to processes that do not have policy + optional_policy(` + unconfined_dbus_chat(cupsd_t) ++ files_write_generic_pid_pipes(cupsd_t) + ') + ') -@@ -235,10 +281,16 @@ optional_policy(` +@@ -299,8 +307,8 @@ optional_policy(` ') optional_policy(` -+ consoletype_exec(devicekit_power_t) -+') -+ -+optional_policy(` - cron_initrc_domtrans(devicekit_power_t) 
-+ cron_systemctl(devicekit_power_t) ++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") + kerberos_manage_host_rcache(cupsd_t) +- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0") ') optional_policy(` -+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) - dbus_system_bus_client(devicekit_power_t) - - allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -261,14 +313,21 @@ optional_policy(` +@@ -337,7 +345,7 @@ optional_policy(` ') optional_policy(` -+ gnome_manage_home_config(devicekit_power_t) -+') -+ -+optional_policy(` - hal_domtrans_mac(devicekit_power_t) -- hal_manage_log(devicekit_power_t) - hal_manage_pid_dirs(devicekit_power_t) - hal_manage_pid_files(devicekit_power_t) - hal_dbus_chat(devicekit_power_t) +- virt_rw_all_image_chr_files(cupsd_t) ++ virt_rw_chr_files(cupsd_t) ') - optional_policy(` -+ networkmanager_domtrans(devicekit_power_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(devicekit_power_t) - policykit_domtrans_auth(devicekit_power_t) - policykit_read_lib(devicekit_power_t) -@@ -276,9 +335,31 @@ optional_policy(` + ######################################## +@@ -386,7 +394,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) + kernel_read_system_state(cupsd_config_t) + kernel_read_all_sysctls(cupsd_config_t) + +-corenet_all_recvfrom_unlabeled(cupsd_config_t) + corenet_all_recvfrom_netlabel(cupsd_config_t) + corenet_tcp_sendrecv_generic_if(cupsd_config_t) + corenet_tcp_sendrecv_generic_node(cupsd_config_t) +@@ -420,11 +427,8 @@ auth_use_nsswitch(cupsd_config_t) + + logging_send_syslog_msg(cupsd_config_t) + +-miscfiles_read_localization(cupsd_config_t) + miscfiles_read_hwdata(cupsd_config_t) + +-seutil_dontaudit_search_config(cupsd_config_t) +- + userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) + userdom_dontaudit_search_user_home_dirs(cupsd_config_t) + userdom_read_all_users_state(cupsd_config_t) +@@ -452,6 +456,10 @@ optional_policy(` ') optional_policy(` -+ modutils_domtrans_insmod(devicekit_power_t) 
-+') -+ -+optional_policy(` -+ mount_domtrans(devicekit_power_t) -+') -+ -+optional_policy(` -+ readahead_domtrans(devicekit_power_t) ++ gnome_dontaudit_search_config(cupsd_config_t) +') + +optional_policy(` - udev_read_db(devicekit_power_t) + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) +@@ -470,6 +478,11 @@ optional_policy(` ') optional_policy(` -+ usbmuxd_stream_connect(devicekit_power_t) ++ policykit_dbus_chat(cupsd_config_t) ++ userdom_read_all_users_state(cupsd_config_t) +') + +optional_policy(` - vbetool_domtrans(devicekit_power_t) + rpm_read_db(cupsd_config_t) ') -+ -+optional_policy(` -+ corenet_tcp_connect_xserver_port(devicekit_power_t) -+ xserver_stream_connect(devicekit_power_t) -+') -+ -diff --git a/dhcp.fc b/dhcp.fc -index 767e0c7..9553bcf 100644 ---- a/dhcp.fc -+++ b/dhcp.fc -@@ -1,8 +1,10 @@ --/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) -+ -+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) - /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) +@@ -513,13 +526,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) + kernel_read_system_state(cupsd_lpd_t) + kernel_read_network_state(cupsd_lpd_t) - /var/lib/dhcpd(/.*)? 
gen_context(system_u:object_r:dhcpd_state_t,s0) - /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) +-corenet_all_recvfrom_unlabeled(cupsd_lpd_t) + corenet_all_recvfrom_netlabel(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) + corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) --/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) -+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) -diff --git a/dhcp.if b/dhcp.if -index 5e2cea8..2ab8a14 100644 ---- a/dhcp.if -+++ b/dhcp.if -@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` - ') + corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) + corenet_tcp_connect_ipp_port(cupsd_lpd_t) ++corenet_tcp_connect_printer_port(cupsd_lpd_t) + corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - sysnet_search_dhcp_state($1) -- allow $1 dhcpd_state_t:file setattr; -+ allow $1 dhcpd_state_t:file setattr_file_perms; - ') + dev_read_urand(cupsd_lpd_t) +@@ -533,7 +546,6 @@ auth_use_nsswitch(cupsd_lpd_t) - ######################################## -@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',` + logging_send_syslog_msg(cupsd_lpd_t) - ######################################## - ## -+## Execute dhcpd server in the dhcpd domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`dhcpd_systemctl',` -+ gen_require(` -+ type dhcpd_unit_file_t; -+ type dhcpd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) -+ allow $1 dhcpd_unit_file_t:file read_file_perms; -+ allow $1 dhcpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, dhcpd_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an dhcp environment - ## -@@ -77,12 +101,16 @@ interface(`dhcpd_initrc_domtrans',` - # - interface(`dhcpd_admin',` - gen_require(` -- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; -+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; -+ type dhcpd_unit_file_t; - ') +-miscfiles_read_localization(cupsd_lpd_t) + miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) -- allow $1 dhcpd_t:process { ptrace signal_perms }; -+ allow $1 dhcpd_t:process signal_perms; - ps_process_pattern($1, dhcpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dhcpd_t:process ptrace; -+ ') + optional_policy(` +@@ -569,7 +581,6 @@ corecmd_exec_shell(cups_pdf_t) - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -96,4 +124,8 @@ interface(`dhcpd_admin',` + auth_use_nsswitch(cups_pdf_t) - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) +-miscfiles_read_localization(cups_pdf_t) + miscfiles_read_fonts(cups_pdf_t) + miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) + +@@ -582,9 +593,10 @@ tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(cups_pdf_t) + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(cups_pdf_t) +- fs_manage_cifs_files(cups_pdf_t) ++userdom_home_manager(cups_pdf_t) + -+ dhcpd_systemctl($1) -+ admin_pattern($1, dhcpd_unit_file_t) -+ allow $1 dhcpd_unit_file_t:service all_service_perms; ++optional_policy(` ++ gnome_read_config(cups_pdf_t) ') -diff --git a/dhcp.te b/dhcp.te -index ed07b26..bed6b0d 100644 ---- a/dhcp.te -+++ b/dhcp.te -@@ 
-19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) - type dhcpd_initrc_exec_t; - init_script_file(dhcpd_initrc_exec_t) -+type dhcpd_unit_file_t; -+systemd_unit_file(dhcpd_unit_file_t) + optional_policy(` +@@ -613,9 +625,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; + allow hplip_t hplip_etc_t:file read_file_perms; + allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; + ++allow hplip_t cupsd_unit_file_t:file read_file_perms; + - type dhcpd_state_t; - files_type(dhcpd_state_t) + manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) + manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) -@@ -33,9 +36,9 @@ files_pid_file(dhcpd_var_run_t) - # Local policy - # ++manage_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) ++manage_fifo_files_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) ++manage_dirs_pattern(hplip_t, hplip_var_log_t,hplip_var_log_t) ++logging_log_filetrans(hplip_t,hplip_var_log_t,{ dir fifo_file file }) ++ + manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) + files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) --allow dhcpd_t self:capability { net_raw sys_resource }; -+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; - dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; --allow dhcpd_t self:process signal_perms; -+allow dhcpd_t self:process { getcap setcap signal_perms }; - allow dhcpd_t self:fifo_file rw_fifo_file_perms; - allow dhcpd_t self:unix_dgram_socket create_socket_perms; - allow dhcpd_t self:unix_stream_socket create_socket_perms; -@@ -61,7 +64,6 @@ kernel_read_system_state(dhcpd_t) - kernel_read_kernel_sysctls(dhcpd_t) - kernel_read_network_state(dhcpd_t) +@@ -627,7 +646,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + kernel_read_system_state(hplip_t) + kernel_read_kernel_sysctls(hplip_t) --corenet_all_recvfrom_unlabeled(dhcpd_t) - corenet_all_recvfrom_netlabel(dhcpd_t) - 
corenet_tcp_sendrecv_generic_if(dhcpd_t) - corenet_udp_sendrecv_generic_if(dhcpd_t) -@@ -80,7 +82,7 @@ corenet_tcp_connect_all_ports(dhcpd_t) - corenet_sendrecv_dhcpd_server_packets(dhcpd_t) - corenet_sendrecv_pxe_server_packets(dhcpd_t) - corenet_sendrecv_all_client_packets(dhcpd_t) --# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan) -+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t) - corenet_udp_bind_all_unreserved_ports(dhcpd_t) +-corenet_all_recvfrom_unlabeled(hplip_t) ++# for python ++corecmd_exec_bin(hplip_t) ++ + corenet_all_recvfrom_netlabel(hplip_t) + corenet_tcp_sendrecv_generic_if(hplip_t) + corenet_udp_sendrecv_generic_if(hplip_t) +@@ -644,12 +665,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t) + corenet_receive_hplip_server_packets(hplip_t) + corenet_tcp_bind_hplip_port(hplip_t) + corenet_tcp_connect_hplip_port(hplip_t) ++corenet_tcp_bind_glance_port(hplip_t) ++corenet_tcp_connect_glance_port(hplip_t) - dev_read_sysfs(dhcpd_t) -@@ -94,7 +96,6 @@ corecmd_exec_bin(dhcpd_t) + corenet_sendrecv_ipp_client_packets(hplip_t) + corenet_tcp_connect_ipp_port(hplip_t) - domain_use_interactive_fds(dhcpd_t) + corenet_sendrecv_howl_server_packets(hplip_t) + corenet_udp_bind_howl_port(hplip_t) ++corenet_tcp_connect_ipp_port(hplip_t) --files_read_etc_files(dhcpd_t) - files_read_usr_files(dhcpd_t) - files_read_etc_runtime_files(dhcpd_t) - files_search_var_lib(dhcpd_t) -@@ -103,19 +104,26 @@ auth_use_nsswitch(dhcpd_t) + corecmd_exec_bin(hplip_t) - logging_send_syslog_msg(dhcpd_t) +@@ -662,23 +686,25 @@ dev_rw_usbfs(hplip_t) --miscfiles_read_localization(dhcpd_t) -- - sysnet_read_dhcp_config(dhcpd_t) + domain_use_interactive_fds(hplip_t) - userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) - userdom_dontaudit_search_user_home_dirs(dhcpd_t) +-files_read_etc_files(hplip_t) + files_read_etc_runtime_files(hplip_t) +-files_read_usr_files(hplip_t) ++files_dontaudit_write_usr_dirs(hplip_t) -+tunable_policy(`dhcpd_use_ldap',` -+ 
sysnet_use_ldap(dhcpd_t) -+') -+ - ifdef(`distro_gentoo',` - allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; - ') + fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) + fs_rw_anon_inodefs_files(hplip_t) --tunable_policy(`dhcpd_use_ldap',` -- sysnet_use_ldap(dhcpd_t) -+optional_policy(` -+ # used for dynamic DNS -+ bind_read_dnssec_keys(dhcpd_t) -+') -+ -+optional_policy(` -+ cobbler_dontaudit_rw_log(dhcpd_t) - ') +-logging_send_syslog_msg(hplip_t) ++term_use_ptmx(hplip_t) - optional_policy(` -diff --git a/dictd.if b/dictd.if -index a0d23ce..83a7ca5 100644 ---- a/dictd.if -+++ b/dictd.if -@@ -38,8 +38,11 @@ interface(`dictd_admin',` - type dictd_var_run_t, dictd_initrc_exec_t; - ') +-miscfiles_read_localization(hplip_t) ++auth_read_passwd(hplip_t) ++ ++logging_send_syslog_msg(hplip_t) -- allow $1 dictd_t:process { ptrace signal_perms }; -+ allow $1 dictd_t:process signal_perms; - ps_process_pattern($1, dictd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dictd_t:process ptrace; -+ ') + sysnet_dns_name_resolve(hplip_t) - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) -diff --git a/dictd.te b/dictd.te -index d2d9359..b14ece6 100644 ---- a/dictd.te -+++ b/dictd.te -@@ -45,7 +45,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) - kernel_read_system_state(dictd_t) - kernel_read_kernel_sysctls(dictd_t) + userdom_dontaudit_use_unpriv_user_fds(hplip_t) + userdom_dontaudit_search_user_home_dirs(hplip_t) + userdom_dontaudit_search_user_home_content(hplip_t) ++userdom_dbus_send_all_users(hplip_t) --corenet_all_recvfrom_unlabeled(dictd_t) - corenet_all_recvfrom_netlabel(dictd_t) - corenet_tcp_sendrecv_generic_if(dictd_t) - corenet_raw_sendrecv_generic_if(dictd_t) -@@ -66,30 +65,19 @@ fs_search_auto_mountpoints(dictd_t) + optional_policy(` + dbus_system_bus_client(hplip_t) +@@ -731,7 +757,6 @@ kernel_read_kernel_sysctls(ptal_t) + kernel_list_proc(ptal_t) + 
kernel_read_proc_symlinks(ptal_t) - domain_use_interactive_fds(dictd_t) +-corenet_all_recvfrom_unlabeled(ptal_t) + corenet_all_recvfrom_netlabel(ptal_t) + corenet_tcp_sendrecv_generic_if(ptal_t) + corenet_tcp_sendrecv_generic_node(ptal_t) +@@ -747,7 +772,6 @@ dev_rw_printer(ptal_t) --files_read_etc_files(dictd_t) - files_read_etc_runtime_files(dictd_t) - files_read_usr_files(dictd_t) - files_search_var_lib(dictd_t) - # for checking for nscd - files_dontaudit_search_pids(dictd_t) + domain_use_interactive_fds(ptal_t) --logging_send_syslog_msg(dictd_t) -- --miscfiles_read_localization(dictd_t) -+auth_use_nsswitch(dictd_t) +-files_read_etc_files(ptal_t) + files_read_etc_runtime_files(ptal_t) --sysnet_read_config(dictd_t) -+logging_send_syslog_msg(dictd_t) + fs_getattr_all_fs(ptal_t) +@@ -755,8 +779,6 @@ fs_search_auto_mountpoints(ptal_t) - userdom_dontaudit_use_unpriv_user_fds(dictd_t) + logging_send_syslog_msg(ptal_t) - optional_policy(` -- nis_use_ypbind(dictd_t) --') -- --optional_policy(` -- nscd_socket_use(dictd_t) --') +-miscfiles_read_localization(ptal_t) - --optional_policy(` - seutil_sigchld_newrole(dictd_t) - ') + sysnet_read_config(ptal_t) -diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc -new file mode 100644 -index 0000000..fdf5675 ---- /dev/null -+++ b/dirsrv-admin.fc -@@ -0,0 +1,15 @@ -+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) -+ -+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) -+ -+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) -+ -+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+ -+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) -+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) -+ -+/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) -diff --git a/dirsrv-admin.if b/dirsrv-admin.if -new file mode 100644 -index 0000000..332a1c9 ---- /dev/null -+++ b/dirsrv-admin.if -@@ -0,0 +1,134 @@ -+## Administration Server for Directory Server, dirsrv-admin. -+ -+######################################## -+## -+## Exec dirsrv-admin programs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_run_exec',` -+ gen_require(` -+ type dirsrvadmin_exec_t; -+ ') -+ -+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms; -+ can_exec($1, dirsrvadmin_exec_t) -+') -+ -+######################################## -+## -+## Exec cgi programs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_run_httpd_script_exec',` -+ gen_require(` -+ type httpd_dirsrvadmin_script_exec_t; -+ ') -+ -+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; -+ can_exec($1, httpd_dirsrvadmin_script_exec_t) -+') -+ -+######################################## + userdom_dontaudit_use_unpriv_user_fds(ptal_t) +diff --git a/cvs.if b/cvs.if +index 9fa7ffb..fd3262c 100644 +--- a/cvs.if ++++ b/cvs.if +@@ -1,5 +1,23 @@ + ## Concurrent versions system. + ++###################################### +## -+## Manage dirsrv-adminserver configuration files. ++## Dontaudit Attempts to list the CVS data and metadata. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. 
++## +## +# -+interface(`dirsrvadmin_read_config',` -+ gen_require(` -+ type dirsrvadmin_config_t; -+ ') ++interface(`cvs_dontaudit_list_data',` ++ gen_require(` ++ type cvs_data_t; ++ ') + -+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t) ++ dontaudit $1 cvs_data_t:dir list_dir_perms; +') + -+######################################## -+## -+## Manage dirsrv-adminserver configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_manage_config',` -+ gen_require(` -+ type dirsrvadmin_config_t; + ######################################## + ## + ## Read CVS data and metadata content. +@@ -62,9 +80,14 @@ interface(`cvs_admin',` + type cvs_data_t, cvs_var_run_t; + ') + +- allow $1 cvs_t:process { ptrace signal_perms }; ++ allow $1 cvs_t:process signal_perms; + ps_process_pattern($1, cvs_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cvs_t:process ptrace; + ') + -+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms; -+ allow $1 dirsrvadmin_config_t:file manage_file_perms; -+') -+ -+####################################### -+## -+## Read dirsrv-adminserver tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_read_tmp',` -+ gen_require(` -+ type dirsrvadmin_tmp_t; -+ ') -+ -+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+') -+ -+######################################## -+## -+## Manage dirsrv-adminserver tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrvadmin_manage_tmp',` -+ gen_require(` -+ type dirsrvadmin_tmp_t; -+ ') ++ # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; +diff --git a/cvs.te b/cvs.te +index 53fc3af..25b3285 100644 +--- a/cvs.te ++++ b/cvs.te +@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1) + ## password files. + ##

    + ## +-gen_tunable(allow_cvs_read_shadow, false) ++gen_tunable(cvs_read_shadow, false) + + type cvs_t; + type cvs_exec_t; +@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t) + corecmd_exec_bin(cvs_t) + corecmd_exec_shell(cvs_t) + ++corenet_all_recvfrom_netlabel(cvs_t) ++corenet_tcp_sendrecv_generic_if(cvs_t) ++corenet_udp_sendrecv_generic_if(cvs_t) ++corenet_tcp_sendrecv_generic_node(cvs_t) ++corenet_udp_sendrecv_generic_node(cvs_t) ++corenet_tcp_sendrecv_all_ports(cvs_t) ++corenet_udp_sendrecv_all_ports(cvs_t) + -+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+') + dev_read_urand(cvs_t) + + files_read_etc_runtime_files(cvs_t) +@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t) + + init_read_utmp(cvs_t) + ++init_dontaudit_read_utmp(cvs_t) + + logging_send_syslog_msg(cvs_t) + logging_send_audit_msgs(cvs_t) + +-miscfiles_read_localization(cvs_t) +- + mta_send_mail(cvs_t) + + userdom_dontaudit_search_user_home_dirs(cvs_t) + + # cjp: typeattribute doesnt work in conditionals yet + auth_can_read_shadow_passwords(cvs_t) +-tunable_policy(`allow_cvs_read_shadow',` ++tunable_policy(`cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) + ') +@@ -103,4 +111,5 @@ optional_policy(` + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) + ') +diff --git a/cyphesis.te b/cyphesis.te +index 916427f..9d65864 100644 +--- a/cyphesis.te ++++ b/cyphesis.te +@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) + corecmd_search_bin(cyphesis_t) + corecmd_getattr_bin_files(cyphesis_t) + +-corenet_all_recvfrom_unlabeled(cyphesis_t) + corenet_tcp_sendrecv_generic_if(cyphesis_t) + corenet_tcp_sendrecv_generic_node(cyphesis_t) + 
corenet_tcp_bind_generic_node(cyphesis_t) +@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t) + + logging_send_syslog_msg(cyphesis_t) + +-miscfiles_read_localization(cyphesis_t) +- + sysnet_dns_name_resolve(cyphesis_t) + + optional_policy(` +diff --git a/cyrus.if b/cyrus.if +index 6508280..a2860e3 100644 +--- a/cyrus.if ++++ b/cyrus.if +@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` + manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) + ') + +####################################### +## -+## Execute admin cgi programs in caller domain. ++## Allow write cyrus data files. +## +## +## 
@@ -17774,300 +15627,762 @@ index 0000000..332a1c9 +## +## +# -+interface(`dirsrvadmin_domtrans_unconfined_script_t',` ++interface(`cyrus_write_data',` + gen_require(` -+ type dirsrvadmin_unconfined_script_t; -+ type dirsrvadmin_unconfined_script_exec_t; ++ type cyrus_var_lib_t; + ') + -+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) -+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms; -+ ++ files_search_var_lib($1) ++ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) +') -diff --git a/dirsrv-admin.te b/dirsrv-admin.te -new file mode 100644 -index 0000000..a3d076f ---- /dev/null -+++ b/dirsrv-admin.te -@@ -0,0 +1,144 @@ -+policy_module(dirsrv-admin,1.0.0) -+ -+######################################## -+# -+# Declarations for the daemon -+# -+ -+type dirsrvadmin_t; -+type dirsrvadmin_exec_t; -+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t) -+role system_r types dirsrvadmin_t; -+ -+type dirsrvadmin_config_t; -+files_type(dirsrvadmin_config_t) -+ -+type dirsrvadmin_lock_t; -+files_lock_file(dirsrvadmin_lock_t) -+ -+type dirsrvadmin_tmp_t; -+files_tmp_file(dirsrvadmin_tmp_t) -+ -+type dirsrvadmin_unconfined_script_t; -+type dirsrvadmin_unconfined_script_exec_t; -+domain_type(dirsrvadmin_unconfined_script_t) -+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t) -+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t) -+role system_r types dirsrvadmin_unconfined_script_t; -+ -+######################################## -+# -+# Local policy for the daemon -+# -+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; -+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; -+allow dirsrvadmin_t self:process setrlimit; -+ -+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+files_tmp_filetrans(dirsrvadmin_t, 
dirsrvadmin_tmp_t, { file dir }) -+ -+kernel_read_system_state(dirsrvadmin_t) -+ -+corecmd_exec_bin(dirsrvadmin_t) -+corecmd_read_bin_symlinks(dirsrvadmin_t) -+corecmd_search_bin(dirsrvadmin_t) -+corecmd_shell_entry_type(dirsrvadmin_t) -+ -+files_exec_etc_files(dirsrvadmin_t) -+ -+libs_exec_ld_so(dirsrvadmin_t) -+ -+logging_search_logs(dirsrvadmin_t) + + ######################################## + ## + ## Connect to Cyrus using a unix +@@ -63,9 +82,13 @@ interface(`cyrus_admin',` + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + +- allow $1 cyrus_t:process { ptrace signal_perms }; ++ allow $1 cyrus_t:process signal_perms; + ps_process_pattern($1, cyrus_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cyrus_t:process ptrace; ++ ') + -+# Needed for stop and restart scripts -+dirsrv_read_var_run(dirsrvadmin_t) + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; +diff --git a/cyrus.te b/cyrus.te +index 395f97c..f35fbae 100644 +--- a/cyrus.te ++++ b/cyrus.te +@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) + # Local policy + # + +-allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; ++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; + dontaudit cyrus_t self:capability sys_tty_config; + allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow cyrus_t self:process setrlimit; +@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t) + kernel_read_system_state(cyrus_t) + kernel_read_all_sysctls(cyrus_t) + +-corenet_all_recvfrom_unlabeled(cyrus_t) + corenet_all_recvfrom_netlabel(cyrus_t) + corenet_tcp_sendrecv_generic_if(cyrus_t) + corenet_tcp_sendrecv_generic_node(cyrus_t) +@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t) + corenet_sendrecv_lmtp_server_packets(cyrus_t) + corenet_tcp_bind_lmtp_port(cyrus_t) + 
++corenet_sendrecv_innd_server_packets(cyrus_t) ++corenet_tcp_bind_innd_port(cyrus_t) + -+optional_policy(` -+ apache_domtrans(dirsrvadmin_t) -+ apache_signal(dirsrvadmin_t) + corenet_sendrecv_pop_server_packets(cyrus_t) + corenet_tcp_bind_pop_port(cyrus_t) + +@@ -90,7 +92,6 @@ domain_use_interactive_fds(cyrus_t) + + files_list_var_lib(cyrus_t) + files_read_etc_runtime_files(cyrus_t) +-files_read_usr_files(cyrus_t) + files_dontaudit_write_usr_dirs(cyrus_t) + + fs_getattr_all_fs(cyrus_t) +@@ -102,7 +103,6 @@ libs_exec_lib_files(cyrus_t) + + logging_send_syslog_msg(cyrus_t) + +-miscfiles_read_localization(cyrus_t) + miscfiles_read_generic_certs(cyrus_t) + + userdom_use_unpriv_users_fds(cyrus_t) +@@ -116,6 +116,10 @@ optional_policy(` + ') + + optional_policy(` ++ dirsrv_stream_connect(cyrus_t) +') + -+######################################## -+# -+# Local policy for the CGIs -+# -+# -+# -+# Create a domain for the CGI scripts -+ +optional_policy(` -+ apache_content_template(dirsrvadmin) -+ -+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; -+ -+ -+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) -+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) -+ -+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) -+ -+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) -+ 
corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) -+ -+ files_search_var_lib(httpd_dirsrvadmin_script_t) -+ -+ sysnet_read_config(httpd_dirsrvadmin_script_t) -+ -+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) + kerberos_keytab_template(cyrus, cyrus_t) + ') + +@@ -128,6 +132,7 @@ optional_policy(` + ') + + optional_policy(` ++ files_dontaudit_write_usr_dirs(cyrus_t) + snmp_read_snmp_var_lib_files(cyrus_t) + snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) + snmp_stream_connect(cyrus_t) +diff --git a/daemontools.if b/daemontools.if +index 3b3d9a0..6c8106a 100644 +--- a/daemontools.if ++++ b/daemontools.if +@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',` + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; + ') + -+ optional_policy(` -+ # The CGI scripts must be able to manage dirsrv-admin -+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) -+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_domtrans(httpd_dirsrvadmin_script_t) -+ dirsrv_signal(httpd_dirsrvadmin_script_t) -+ dirsrv_signull(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_log(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) -+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) -+ dirsrv_manage_config(httpd_dirsrvadmin_script_t) -+ dirsrv_read_share(httpd_dirsrvadmin_script_t) -+ ') -+') +diff --git a/daemontools.te b/daemontools.te +index 0165962..8be5248 100644 +--- a/daemontools.te ++++ b/daemontools.te +@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; + allow svc_multilog_t svc_start_t:fd use; + allow svc_multilog_t svc_start_t:fifo_file 
rw_fifo_file_perms; + ++term_write_console(svc_multilog_t) + -+####################################### -+# -+# Local policy for the admin CGIs -+# -+# + init_use_fds(svc_multilog_t) ++init_dontaudit_use_script_fds(svc_multilog_t) + + logging_manage_generic_logs(svc_multilog_t) + +@@ -77,6 +80,8 @@ dev_read_urand(svc_run_t) + corecmd_exec_bin(svc_run_t) + corecmd_exec_shell(svc_run_t) + ++term_write_console(svc_run_t) + + files_read_etc_files(svc_run_t) + files_read_etc_runtime_files(svc_run_t) + files_search_pids(svc_run_t) +@@ -109,6 +114,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; + + can_exec(svc_start_t, svc_start_exec_t) + ++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) + + kernel_read_kernel_sysctls(svc_start_t) +@@ -117,11 +123,14 @@ kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) + corecmd_exec_shell(svc_start_t) + ++corenet_tcp_bind_generic_node(svc_start_t) ++corenet_tcp_bind_generic_port(svc_start_t) + -+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir }) ++term_write_console(svc_start_t) + -+# needed because of filetrans rules -+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t) -+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t) -+dirsrv_domtrans(dirsrvadmin_unconfined_script_t) -+dirsrv_signal(dirsrvadmin_unconfined_script_t) -+dirsrv_signull(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_log(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t) -+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t) -+dirsrv_manage_config(dirsrvadmin_unconfined_script_t) -+dirsrv_read_share(dirsrvadmin_unconfined_script_t) + 
files_read_etc_files(svc_start_t) + files_read_etc_runtime_files(svc_start_t) + files_search_var(svc_start_t) + files_search_pids(svc_start_t) + + logging_send_syslog_msg(svc_start_t) +- +-miscfiles_read_localization(svc_start_t) +diff --git a/dbadm.te b/dbadm.te +index a67870a..76435d4 100644 +--- a/dbadm.te ++++ b/dbadm.te +@@ -30,7 +30,7 @@ userdom_base_user_template(dbadm) + # Local policy + # + +-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; ++allow dbadm_t self:capability { dac_override dac_read_search }; + + files_dontaudit_search_all_dirs(dbadm_t) + files_delete_generic_locks(dbadm_t) +@@ -39,6 +39,7 @@ files_list_var(dbadm_t) + selinux_get_enforce_mode(dbadm_t) + + logging_send_syslog_msg(dbadm_t) ++logging_send_audit_msgs(dbadm_t) + + userdom_dontaudit_search_user_home_dirs(dbadm_t) + +@@ -60,3 +61,7 @@ optional_policy(` + optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) + ') + +optional_policy(` -+ unconfined_domain(dirsrvadmin_unconfined_script_t) ++ sudo_role_template(dbadm, dbadm_r, dbadm_t) +') -+ -diff --git a/dirsrv.fc b/dirsrv.fc -new file mode 100644 -index 0000000..0ea1ebb ---- /dev/null -+++ b/dirsrv.fc -@@ -0,0 +1,23 @@ -+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) -+ -+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) -+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) -+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) -+ -+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) -+ -+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) -+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) -+ -+# BZ: -+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -+ -+/var/lib/dirsrv(/.*)? 
gen_context(system_u:object_r:dirsrv_var_lib_t,s0) -+ -+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) -+ -+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) -+ -+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) -diff --git a/dirsrv.if b/dirsrv.if -new file mode 100644 -index 0000000..b214253 ---- /dev/null -+++ b/dirsrv.if -@@ -0,0 +1,208 @@ -+## policy for dirsrv -+ -+######################################## -+## -+## Execute a domain transition to run dirsrv. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dirsrv_domtrans',` -+ gen_require(` -+ type dirsrv_t, dirsrv_exec_t; -+ ') -+ -+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) +diff --git a/dbskk.te b/dbskk.te +index 188e2e6..719583e 100644 +--- a/dbskk.te ++++ b/dbskk.te +@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) + kernel_read_system_state(dbskkd_t) + kernel_read_network_state(dbskkd_t) + +-corenet_all_recvfrom_unlabeled(dbskkd_t) + corenet_all_recvfrom_netlabel(dbskkd_t) + corenet_tcp_sendrecv_generic_if(dbskkd_t) + corenet_udp_sendrecv_generic_if(dbskkd_t) +@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t) + + fs_getattr_xattr_fs(dbskkd_t) + +-files_read_etc_files(dbskkd_t) + + auth_use_nsswitch(dbskkd_t) + + logging_send_syslog_msg(dbskkd_t) +- +-miscfiles_read_localization(dbskkd_t) +diff --git a/dbus.fc b/dbus.fc +index dda905b..31f269b 100644 +--- a/dbus.fc ++++ b/dbus.fc +@@ -1,20 +1,26 @@ +-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) ++/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) + +-/etc/dbus-.*(/.*)? 
gen_context(system_u:object_r:dbusd_etc_t,s0) ++/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_redhat',` ++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') -+ -+ -+######################################## -+## -+## Allow caller to signal dirsrv. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_signal',` -+ gen_require(` -+ type dirsrv_t; -+ ') -+ -+ allow $1 dirsrv_t:process signal; + +-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_debian',` ++/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') -+ -+ -+######################################## -+## -+## Send a null signal to dirsrv. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_signull',` -+ gen_require(` -+ type dirsrv_t; -+ ') -+ -+ allow $1 dirsrv_t:process signull; + +-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++ifdef(`distro_gentoo',` ++/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++') + +-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) + +-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) +- +-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ++/var/run/dbus(/.*)? 
gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + ++ifdef(`distro_redhat',` + /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') +diff --git a/dbus.if b/dbus.if +index afcf3a2..126d543 100644 +--- a/dbus.if ++++ b/dbus.if +@@ -1,4 +1,4 @@ +-## Desktop messaging bus. ++## Desktop messaging bus + + ######################################## + ## +@@ -19,7 +19,7 @@ interface(`dbus_stub',` + + ######################################## + ## +-## Role access for dbus. ++## Role access for dbus + ## + ## + ## +@@ -41,59 +41,64 @@ interface(`dbus_stub',` + template(`dbus_role_template',` + gen_require(` + class dbus { send_msg acquire_svc }; +- attribute session_bus_type; +- type system_dbusd_t, dbusd_exec_t; +- type session_dbusd_tmp_t, session_dbusd_home_t; ++ attribute dbusd_unconfined, session_bus_type; ++ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ++ type $1_t; + ') + + ############################## + # +- # Declarations ++ # Delcarations + # + + type $1_dbusd_t, session_bus_type; +- domain_type($1_dbusd_t) +- domain_entry_file($1_dbusd_t, dbusd_exec_t) ++ application_domain($1_dbusd_t, dbusd_exec_t) + ubac_constrained($1_dbusd_t) +- + role $2 types $1_dbusd_t; + ++ kernel_read_system_state($1_dbusd_t) + -+####################################### -+## -+## Allow a domain to manage dirsrv logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_manage_log',` -+ gen_require(` -+ type dirsrv_var_log_t; -+ ') ++ selinux_get_fs_mount($1_dbusd_t) + -+ allow $1 dirsrv_var_log_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_log_t:file manage_file_perms; -+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; -+') ++ userdom_home_manager($1_dbusd_t) + -+####################################### -+## -+## Allow a domain to manage dirsrv /var/lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrv_manage_var_lib',` -+ gen_require(` -+ type dirsrv_var_lib_t; -+ ') -+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_lib_t:file manage_file_perms; + ############################## + # + # Local policy + # + ++ # For connecting to the bus + allow $3 $1_dbusd_t:unix_stream_socket connectto; +- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; +- allow $3 $1_dbusd_t:fd use; +- +- allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + +- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") ++ # SE-DBus specific permissions ++ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; ++ allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) + + ps_process_pattern($3, $1_dbusd_t) +- allow $3 $1_dbusd_t:process { ptrace signal_perms }; ++ allow $3 $1_dbusd_t:process signal_perms; + +- allow $1_dbusd_t $3:process sigkill; ++ tunable_policy(`deny_ptrace',`',` ++ allow $3 $1_dbusd_t:process ptrace; ++ ') + +- corecmd_bin_domtrans($1_dbusd_t, $3) +- corecmd_shell_domtrans($1_dbusd_t, $3) ++ # cjp: this seems very broken ++ corecmd_bin_domtrans($1_dbusd_t, $1_t) ++ corecmd_shell_domtrans($1_dbusd_t, $1_t) ++ allow $1_dbusd_t $3:process sigkill; ++ allow $3 $1_dbusd_t:fd use; ++ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; + + auth_use_nsswitch($1_dbusd_t) + +- ifdef(`hide_broken_symptoms',` +- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; +- ') ++ logging_send_syslog_msg($1_dbusd_t) + ') + + ####################################### + ## + ## Template for creating connections to +-## the system bus. ++## the system DBUS. 
+ ## + ## + ## +@@ -103,65 +108,29 @@ template(`dbus_role_template',` + # + interface(`dbus_system_bus_client',` + gen_require(` +- attribute dbusd_system_bus_client; +- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; ++ type system_dbusd_t, system_dbusd_t; ++ type system_dbusd_var_run_t, system_dbusd_var_lib_t; + class dbus send_msg; ++ attribute dbusd_unconfined; + ') + +- typeattribute $1 dbusd_system_bus_client; +- ++ # SE-DBus specific permissions + allow $1 { system_dbusd_t self }:dbus send_msg; +- allow system_dbusd_t $1:dbus send_msg; ++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; + +- files_search_var_lib($1) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ files_search_var_lib($1) + ++ # For connecting to the bus + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) +- + dbus_read_config($1) + ') + + ####################################### + ## +-## Acquire service on DBUS +-## session bus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_connect_session_bus',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') +- dbus_connect_all_session_bus($1) +-') +- +-####################################### +-## +-## Acquire service on all DBUS +-## session busses. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_connect_all_session_bus',` +- gen_require(` +- attribute session_bus_type; +- class dbus acquire_svc; +- ') +- +- allow $1 session_bus_type:dbus acquire_svc; +-') +- +-####################################### +-## +-## Acquire service on specified +-## DBUS session bus. ++## Creating connections to specified ++## DBUS sessions. 
+ ## + ## + ## +@@ -175,19 +144,21 @@ interface(`dbus_connect_all_session_bus',` + ## + ## + # +-interface(`dbus_connect_spec_session_bus',` ++interface(`dbus_session_client',` + gen_require(` ++ class dbus send_msg; + type $1_dbusd_t; +- class dbus acquire_svc; + ') + +- allow $2 $1_dbusd_t:dbus acquire_svc; ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; + ') + + ####################################### + ## +-## Creating connections to DBUS +-## session bus. ++## Template for creating connections to ++## a user DBUS. + ## + ## + ## +@@ -196,72 +167,23 @@ interface(`dbus_connect_spec_session_bus',` + ## + # + interface(`dbus_session_bus_client',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') +- dbus_all_session_bus_client($1) +-') +- +-####################################### +-## +-## Creating connections to all +-## DBUS session busses. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_all_session_bus_client',` + gen_require(` +- attribute session_bus_type, dbusd_session_bus_client; ++ attribute session_bus_type; + class dbus send_msg; + ') + +- typeattribute $1 dbusd_session_bus_client; +- ++ # SE-DBus specific permissions + allow $1 { session_bus_type self }:dbus send_msg; +- allow session_bus_type $1:dbus send_msg; +- +- allow $1 session_bus_type:unix_stream_socket connectto; +- allow $1 session_bus_type:fd use; +-') +- +-####################################### +-## +-## Creating connections to specified +-## DBUS session bus. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`dbus_spec_session_bus_client',` +- gen_require(` +- attribute dbusd_session_bus_client; +- type $1_dbusd_t; +- class dbus send_msg; +- ') + +- typeattribute $2 dbusd_session_bus_client; +- +- allow $2 { $1_dbusd_t self }:dbus send_msg; +- allow $1_dbusd_t $2:dbus send_msg; ++ # For connecting to the bus ++ allow $1 session_bus_type:unix_stream_socket connectto; + +- allow $2 $1_dbusd_t:unix_stream_socket connectto; +- allow $2 $1_dbusd_t:fd use; ++ allow session_bus_type $1:process sigkill; + ') + +-####################################### ++######################################## + ## +-## Send messages to DBUS session bus. ++## Send a message the session DBUS. + ## + ## + ## +@@ -270,59 +192,17 @@ interface(`dbus_spec_session_bus_client',` + ## + # + interface(`dbus_send_session_bus',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') +- dbus_send_all_session_bus($1) +-') +- +-####################################### +-## +-## Send messages to all DBUS +-## session busses. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_send_all_session_bus',` + gen_require(` + attribute session_bus_type; + class dbus send_msg; + ') + +- allow $1 dbus_session_bus_type:dbus send_msg; +-') +- +-####################################### +-## +-## Send messages to specified +-## DBUS session busses. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`dbus_send_spec_session_bus',` +- gen_require(` +- type $1_dbusd_t; +- class dbus send_msg; +- ') +- +- allow $2 $1_dbusd_t:dbus send_msg; ++ allow $1 session_bus_type:dbus send_msg; + ') + + ######################################## + ## +-## Read dbus configuration content. ++## Read dbus configuration. 
+ ## + ## + ## +@@ -380,69 +260,32 @@ interface(`dbus_manage_lib_files',` + + ######################################## + ## +-## Allow a application domain to be +-## started by the specified session bus. +-## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## +-## +-## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. +-## +-## +-# +-interface(`dbus_session_domain',` +- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') +- dbus_all_session_domain($1, $2) +-') +- +-######################################## +-## +-## Allow a application domain to be +-## started by the specified session bus. ++## Connect to the system DBUS ++## for service (acquire_svc). + ## + ## + ## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. ++## Domain allowed access. + ## + ## + # +-interface(`dbus_all_session_domain',` ++interface(`dbus_connect_session_bus',` + gen_require(` +- type session_bus_type; ++ attribute session_bus_type; ++ class dbus acquire_svc; + ') + +- domtrans_pattern(session_bus_type, $2, $1) +- +- dbus_all_session_bus_client($1) +- dbus_connect_all_session_bus($1) ++ allow $1 session_bus_type:dbus acquire_svc; + ') + + ######################################## + ## +-## Allow a application domain to be +-## started by the specified session bus. ++## Allow a application domain to be started ++## by the session dbus. + ## +-## ++## + ## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). ++## User domain prefix to be used. 
+ ## + ## + ## +@@ -457,20 +300,21 @@ interface(`dbus_all_session_domain',` + ## + ## + # +-interface(`dbus_spec_session_domain',` ++interface(`dbus_session_domain',` + gen_require(` + type $1_dbusd_t; + ') + + domtrans_pattern($1_dbusd_t, $2, $3) + +- dbus_spec_session_bus_client($1, $2) +- dbus_connect_spec_session_bus($1, $2) ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) + ') + + ######################################## + ## +-## Acquire service on the DBUS system bus. ++## Connect to the system DBUS ++## for service (acquire_svc). + ## + ## + ## +@@ -489,7 +333,7 @@ interface(`dbus_connect_system_bus',` + + ######################################## + ## +-## Send messages to the DBUS system bus. ++## Send a message on the system DBUS. + ## + ## + ## +@@ -508,7 +352,7 @@ interface(`dbus_send_system_bus',` + + ######################################## + ## +-## Unconfined access to DBUS system bus. ++## Allow unconfined access to the system DBUS. + ## + ## + ## +@@ -527,8 +371,8 @@ interface(`dbus_system_bus_unconfined',` + + ######################################## + ## +-## Create a domain for processes which +-## can be started by the DBUS system bus. ++## Create a domain for processes ++## which can be started by the system dbus + ## + ## + ## +@@ -543,33 +387,57 @@ interface(`dbus_system_bus_unconfined',` + # + interface(`dbus_system_domain',` + gen_require(` ++ attribute system_bus_type; + type system_dbusd_t; + role system_r; + ') ++ typeattribute $1 system_bus_type; + + domain_type($1) + domain_entry_file($1, $2) + +- role system_r types $1; +- + domtrans_pattern(system_dbusd_t, $2, $1) +') -+ + +- dbus_system_bus_client($1) +- dbus_connect_system_bus($1) +- +- ps_process_pattern(system_dbusd_t, $1) +######################################## +## -+## Connect to dirsrv over a unix stream socket. ++## Use and inherit system DBUS file descriptors. +## +## +## 
@@ -18075,439 +16390,817 @@ index 0000000..b214253 +## +## +# -+interface(`dirsrv_stream_connect',` -+ gen_require(` -+ type dirsrv_t, dirsrv_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) -+') -+ -+####################################### -+## -+## Allow a domain to manage dirsrv /var/run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_manage_var_run',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ allow $1 dirsrv_var_run_t:dir manage_dir_perms; -+ allow $1 dirsrv_var_run_t:file manage_file_perms; -+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms; -+') -+ -+###################################### -+## -+## Allow a domain to create dirsrv pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_pid_filetrans',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ # Allow creating a dir in /var/run with this type -+ files_pid_filetrans($1, dirsrv_var_run_t, dir) -+') -+ -+####################################### -+## -+## Allow a domain to read dirsrv /var/run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dirsrv_read_var_run',` -+ gen_require(` -+ type dirsrv_var_run_t; -+ ') -+ allow $1 dirsrv_var_run_t:dir list_dir_perms; -+ allow $1 dirsrv_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Manage dirsrv configuration files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dirsrv_manage_config',` ++interface(`dbus_use_system_bus_fds',` + gen_require(` -+ type dirsrv_config_t; ++ type system_dbusd_t; + ') -+ -+ allow $1 dirsrv_config_t:dir manage_dir_perms; -+ allow $1 dirsrv_config_t:file manage_file_perms; + +- userdom_read_all_users_state($1) ++ allow $1 system_dbusd_t:fd use; +') -+ + +- ifdef(`hide_broken_symptoms', ` +- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; +######################################## +## -+## Read dirsrv share files. ++## Allow unconfined access to the system DBUS. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dirsrv_read_share',` ++interface(`dbus_unconfined',` + gen_require(` -+ type dirsrv_share_t; -+ ') -+ -+ allow $1 dirsrv_share_t:dir list_dir_perms; -+ allow $1 dirsrv_share_t:file read_file_perms; -+ allow $1 dirsrv_share_t:lnk_file read; -+') -diff --git a/dirsrv.te b/dirsrv.te -new file mode 100644 -index 0000000..7f0b4f6 ---- /dev/null -+++ b/dirsrv.te -@@ -0,0 +1,193 @@ -+policy_module(dirsrv,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+# main daemon -+type dirsrv_t; -+type dirsrv_exec_t; -+domain_type(dirsrv_t) -+init_daemon_domain(dirsrv_t, dirsrv_exec_t) -+ -+type dirsrv_snmp_t; -+type dirsrv_snmp_exec_t; -+domain_type(dirsrv_snmp_t) -+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) -+ -+type dirsrv_var_lib_t; -+files_type(dirsrv_var_lib_t) -+ -+type dirsrv_var_log_t; -+logging_log_file(dirsrv_var_log_t) -+ -+type dirsrv_snmp_var_log_t; -+logging_log_file(dirsrv_snmp_var_log_t) -+ -+type dirsrv_var_run_t; -+files_pid_file(dirsrv_var_run_t) -+ -+type dirsrv_snmp_var_run_t; -+files_pid_file(dirsrv_snmp_var_run_t) -+ -+type dirsrv_var_lock_t; -+files_lock_file(dirsrv_var_lock_t) -+ -+type dirsrv_config_t; -+files_type(dirsrv_config_t) -+ -+type dirsrv_tmp_t; -+files_tmp_file(dirsrv_tmp_t) -+ -+type dirsrv_tmpfs_t; -+files_tmpfs_file(dirsrv_tmpfs_t) 
++ attribute dbusd_unconfined; + ') + -+type dirsrv_share_t; -+files_type(dirsrv_share_t); ++ typeattribute $1 dbusd_unconfined; + ') + + ######################################## + ## +-## Use and inherit DBUS system bus +-## file descriptors. ++## Delete all dbus pid files + ## + ## + ## +@@ -577,18 +445,20 @@ interface(`dbus_system_domain',` + ## + ## + # +-interface(`dbus_use_system_bus_fds',` ++interface(`dbus_delete_pid_files',` + gen_require(` +- type system_dbusd_t; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:fd use; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write DBUS system bus TCP sockets. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. + ## + ## + ## +@@ -596,28 +466,30 @@ interface(`dbus_use_system_bus_fds',` + ## + ## + # +-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` + gen_require(` +- type system_dbusd_t; ++ attribute session_bus_type; + ') + +- dontaudit $1 system_dbusd_t:tcp_socket { read write }; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; + ') + + ######################################## + ## +-## Unconfined access to DBUS. ++## Do not audit attempts to send dbus ++## messages to session bus types. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_chat_session_bus',` + gen_require(` +- attribute dbusd_unconfined; ++ attribute session_bus_type; ++ class dbus send_msg; + ') + +- typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:dbus send_msg; + ') +diff --git a/dbus.te b/dbus.te +index 2c2e7e1..4dee5a0 100644 +--- a/dbus.te ++++ b/dbus.te +@@ -1,20 +1,18 @@ +-policy_module(dbus, 1.18.8) ++policy_module(dbus, 1.17.0) + + gen_require(` + class dbus all_dbus_perms; + ') + +-######################################## ++############################## + # +-# Declarations ++# Delcarations + # + + attribute dbusd_unconfined; ++attribute system_bus_type; + attribute session_bus_type; + +-attribute dbusd_system_bus_client; +-attribute dbusd_session_bus_client; +- + type dbusd_etc_t; + files_config_file(dbusd_etc_t) + +@@ -22,9 +20,6 @@ type dbusd_exec_t; + corecmd_executable_file(dbusd_exec_t) + typealias dbusd_exec_t alias system_dbusd_exec_t; + +-type session_dbusd_home_t; +-userdom_user_home_content(session_dbusd_home_t) +- + type session_dbusd_tmp_t; + typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; + typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; +@@ -41,7 +36,7 @@ files_type(system_dbusd_var_lib_t) + + type system_dbusd_var_run_t; + files_pid_file(system_dbusd_var_run_t) +-init_daemon_run_dir(system_dbusd_var_run_t, "dbus") ++init_sock_file(system_dbusd_var_run_t) + + ifdef(`enable_mcs',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) +@@ -51,59 +46,56 @@ ifdef(`enable_mls',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) + ') + +-######################################## ++############################## + # +-# Local policy ++# System bus local policy + # + ++# dac_override: /var/run/dbus is owned by messagebus on Debian ++# cjp: dac_override should probably go in a distro_debian + 
allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability sys_tty_config; + allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; + allow system_dbusd_t self:dbus { send_msg acquire_svc }; +-allow system_dbusd_t self:unix_stream_socket { accept connectto listen }; ++allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; ++allow system_dbusd_t self:unix_dgram_socket create_socket_perms; ++# Receive notifications of policy reloads and enforcing status changes. + allow system_dbusd_t self:netlink_selinux_socket { create bind read }; + ++can_exec(system_dbusd_t, dbusd_exec_t) + -+######################################## -+# -+# dirsrv local policy -+# -+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; -+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; -+allow dirsrv_t self:fifo_file manage_fifo_file_perms; -+allow dirsrv_t self:sem create_sem_perms; -+allow dirsrv_t self:tcp_socket create_stream_socket_perms; + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) + manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) +-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) ++files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) + + read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + + manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + 
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) +- +-can_exec(system_dbusd_t, dbusd_exec_t) ++files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + + kernel_read_system_state(system_dbusd_t) + kernel_read_kernel_sysctls(system_dbusd_t) + +-corecmd_list_bin(system_dbusd_t) +-corecmd_read_bin_pipes(system_dbusd_t) +-corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_shell(system_dbusd_t) +- + dev_read_urand(system_dbusd_t) + dev_read_sysfs(system_dbusd_t) + +-domain_use_interactive_fds(system_dbusd_t) +-domain_read_all_domains_state(system_dbusd_t) +- +-files_list_home(system_dbusd_t) +-files_read_usr_files(system_dbusd_t) ++files_rw_inherited_non_security_files(system_dbusd_t) + + fs_getattr_all_fs(system_dbusd_t) + fs_list_inotifyfs(system_dbusd_t) + fs_search_auto_mountpoints(system_dbusd_t) +-fs_search_cgroup_dirs(system_dbusd_t) + fs_dontaudit_list_nfs(system_dbusd_t) + ++storage_rw_inherited_fixed_disk_dev(system_dbusd_t) ++storage_rw_inherited_removable_device(system_dbusd_t) + -+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) -+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) + mls_fd_use_all_levels(system_dbusd_t) + mls_rangetrans_target(system_dbusd_t) + mls_file_read_all_levels(system_dbusd_t) +@@ -123,66 +115,156 @@ term_dontaudit_use_console(system_dbusd_t) + auth_use_nsswitch(system_dbusd_t) + auth_read_pam_console_data(system_dbusd_t) + ++corecmd_list_bin(system_dbusd_t) ++corecmd_read_bin_pipes(system_dbusd_t) ++corecmd_read_bin_sockets(system_dbusd_t) ++# needed for system-tools-backends ++corecmd_exec_shell(system_dbusd_t) + -+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) -+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file 
dir sock_file }) ++domain_use_interactive_fds(system_dbusd_t) ++domain_read_all_domains_state(system_dbusd_t) + -+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) -+allow dirsrv_t dirsrv_var_log_t:dir { setattr }; -+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) ++files_list_home(system_dbusd_t) ++files_read_usr_files(system_dbusd_t) + -+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) + init_use_fds(system_dbusd_t) + init_use_script_ptys(system_dbusd_t) +-init_all_labeled_script_domtrans(system_dbusd_t) ++init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) ++init_rw_stream_sockets(system_dbusd_t) ++init_status(system_dbusd_t) + + logging_send_audit_msgs(system_dbusd_t) + logging_send_syslog_msg(system_dbusd_t) + +-miscfiles_read_localization(system_dbusd_t) + miscfiles_read_generic_certs(system_dbusd_t) + + seutil_read_config(system_dbusd_t) + seutil_read_default_contexts(system_dbusd_t) ++seutil_sigchld_newrole(system_dbusd_t) + + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) + userdom_dontaudit_search_user_home_dirs(system_dbusd_t) + ++userdom_home_reader(system_dbusd_t) + -+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) -+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file) -+files_setattr_lock_dirs(dirsrv_t) ++optional_policy(` ++ bind_domtrans(system_dbusd_t) ++') + -+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) 
-+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) + optional_policy(` + bluetooth_stream_connect(system_dbusd_t) + ') + + optional_policy(` +- policykit_read_lib(system_dbusd_t) ++ cpufreqselector_dbus_chat(system_dbusd_t) ++') + -+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) -+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) -+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) -+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; ++optional_policy(` ++ getty_start_services(system_dbusd_t) ++') + -+kernel_read_system_state(dirsrv_t) -+kernel_read_kernel_sysctls(dirsrv_t) ++optional_policy(` ++ gnome_exec_gconf(system_dbusd_t) ++ gnome_read_inherited_home_icc_data_files(system_dbusd_t) ++') + -+corecmd_search_bin(dirsrv_t) ++optional_policy(` ++ networkmanager_initrc_domtrans(system_dbusd_t) ++ networkmanager_systemctl(system_dbusd_t) ++') + -+corenet_all_recvfrom_netlabel(dirsrv_t) -+corenet_tcp_sendrecv_generic_if(dirsrv_t) -+corenet_tcp_sendrecv_generic_node(dirsrv_t) -+corenet_tcp_sendrecv_all_ports(dirsrv_t) -+corenet_tcp_bind_generic_node(dirsrv_t) -+corenet_tcp_bind_ldap_port(dirsrv_t) -+corenet_tcp_bind_dogtag_port(dirsrv_t) -+corenet_tcp_bind_all_rpc_ports(dirsrv_t) -+corenet_udp_bind_all_rpc_ports(dirsrv_t) -+corenet_tcp_connect_all_ports(dirsrv_t) -+corenet_sendrecv_ldap_server_packets(dirsrv_t) -+corenet_sendrecv_all_client_packets(dirsrv_t) ++optional_policy(` ++ policykit_dbus_chat(system_dbusd_t) ++ policykit_domtrans_auth(system_dbusd_t) ++ policykit_search_lib(system_dbusd_t) ++') + -+dev_read_sysfs(dirsrv_t) -+dev_read_urand(dirsrv_t) ++optional_policy(` ++ sysnet_domtrans_dhcpc(system_dbusd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) ++ systemd_use_fds_logind(system_dbusd_t) ++ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) ++ systemd_write_inhibit_pipes(system_dbusd_t) ++# These are caused by broken systemd patch ++ 
systemd_start_power_services(system_dbusd_t) ++ systemd_config_all_services(system_dbusd_t) ++ files_config_all_files(system_dbusd_t) + ') + + optional_policy(` + udev_read_db(system_dbusd_t) + ') + ++optional_policy(` ++ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc ++ xserver_read_inherited_xdm_lib_files(system_dbusd_t) ++') + -+files_read_etc_files(dirsrv_t) -+files_read_usr_symlinks(dirsrv_t) + ######################################## + # +-# Common session bus local policy ++# system_bus_type rules + # ++role system_r types system_bus_type; + -+fs_getattr_all_fs(dirsrv_t) ++fs_search_all(system_bus_type) + -+auth_use_pam(dirsrv_t) ++dbus_system_bus_client(system_bus_type) ++dbus_connect_system_bus(system_bus_type) + -+logging_send_syslog_msg(dirsrv_t) ++init_status(system_bus_type) ++init_stream_connect(system_bus_type) ++init_dgram_send(system_bus_type) ++init_use_fds(system_bus_type) ++init_rw_stream_sockets(system_bus_type) + -+sysnet_dns_name_resolve(dirsrv_t) ++ps_process_pattern(system_dbusd_t, system_bus_type) + -+optional_policy(` -+ apache_dontaudit_leaks(dirsrv_t) -+') ++userdom_dontaudit_search_admin_dir(system_bus_type) ++userdom_read_all_users_state(system_bus_type) + +optional_policy(` -+ dirsrvadmin_read_tmp(dirsrv_t) ++ abrt_stream_connect(system_bus_type) +') + -+ +optional_policy(` -+ kerberos_use(dirsrv_t) -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0") -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487") -+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55") ++ rpm_script_dbus_chat(system_bus_type) +') + -+# FIPS mode +optional_policy(` -+ prelink_exec(dirsrv_t) ++ unconfined_dbus_send(system_bus_type) +') -+ -+optional_policy(` -+ rpcbind_stream_connect(dirsrv_t) + ++ifdef(`hide_broken_symptoms',` ++ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') + +######################################## +# -+# dirsrv-snmp local policy ++# session_bus_type rules +# 
-+allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; -+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; -+ -+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++allow session_bus_type self:capability2 block_suspend; + dontaudit session_bus_type self:capability sys_resource; + allow session_bus_type self:process { getattr sigkill signal }; +-dontaudit session_bus_type self:process { ptrace setrlimit }; ++dontaudit session_bus_type self:process setrlimit; + allow session_bus_type self:file { getattr read write }; + allow session_bus_type self:fifo_file rw_fifo_file_perms; + allow session_bus_type self:dbus { send_msg acquire_svc }; +-allow session_bus_type self:unix_stream_socket { accept listen }; +-allow session_bus_type self:tcp_socket { accept listen }; ++allow session_bus_type self:unix_stream_socket create_stream_socket_perms; ++allow session_bus_type self:unix_dgram_socket create_socket_perms; ++allow session_bus_type self:tcp_socket create_stream_socket_perms; + allow session_bus_type self:netlink_selinux_socket create_socket_perms; + + allow session_bus_type dbusd_etc_t:dir list_dir_perms; + read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) + +-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) +-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) +-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus") +- + manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) + manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) +-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) ++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) + +-kernel_read_system_state(session_bus_type) + kernel_read_kernel_sysctls(session_bus_type) + + corecmd_list_bin(session_bus_type) 
+@@ -191,20 +273,16 @@ corecmd_read_bin_files(session_bus_type) + corecmd_read_bin_pipes(session_bus_type) + corecmd_read_bin_sockets(session_bus_type) + +-corenet_all_recvfrom_unlabeled(session_bus_type) +-corenet_all_recvfrom_netlabel(session_bus_type) + corenet_tcp_sendrecv_generic_if(session_bus_type) + corenet_tcp_sendrecv_generic_node(session_bus_type) + corenet_tcp_sendrecv_all_ports(session_bus_type) + corenet_tcp_bind_generic_node(session_bus_type) +- +-corenet_sendrecv_all_server_packets(session_bus_type) + corenet_tcp_bind_reserved_port(session_bus_type) + + dev_read_urand(session_bus_type) + +-domain_read_all_domains_state(session_bus_type) + domain_use_interactive_fds(session_bus_type) ++domain_read_all_domains_state(session_bus_type) + + files_list_home(session_bus_type) + files_read_usr_files(session_bus_type) +@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type) + fs_list_inotifyfs(session_bus_type) + fs_dontaudit_list_nfs(session_bus_type) + +-selinux_get_fs_mount(session_bus_type) + selinux_validate_context(session_bus_type) + selinux_compute_access_vector(session_bus_type) + selinux_compute_create_context(session_bus_type) +@@ -225,18 +302,39 @@ selinux_compute_user_contexts(session_bus_type) + auth_read_pam_console_data(session_bus_type) + + logging_send_audit_msgs(session_bus_type) +-logging_send_syslog_msg(session_bus_type) +- +-miscfiles_read_localization(session_bus_type) + + seutil_read_config(session_bus_type) + seutil_read_default_contexts(session_bus_type) + +-term_use_all_terms(session_bus_type) ++term_use_all_inherited_terms(session_bus_type) + -+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++userdom_dontaudit_search_admin_dir(session_bus_type) ++userdom_manage_user_home_content_dirs(session_bus_type) ++userdom_manage_user_home_content_files(session_bus_type) ++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) ++userdom_manage_tmpfs_files(session_bus_type, file) 
++userdom_tmpfs_filetrans(session_bus_type, file) + + optional_policy(` ++ gnome_read_config(session_bus_type) ++ gnome_read_gconf_home_files(session_bus_type) ++') + -+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) ++optional_policy(` ++ hal_dbus_chat(session_bus_type) ++') + -+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) -+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) -+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++optional_policy(` ++ thumb_domtrans(session_bus_type) ++') + -+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); -+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) ++optional_policy(` ++ xserver_search_xdm_lib(session_bus_type) ++ xserver_use_xdm_fds(session_bus_type) ++ xserver_rw_xdm_pipes(session_bus_type) + xserver_use_xdm_fds(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) ++ xserver_append_xdm_home_files(session_bus_type) + ') + + ######################################## +@@ -244,5 +342,6 @@ optional_policy(` + # Unconfined access to this module + # + +-allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; +-allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; ++allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; ++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; ++allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.if b/dcc.if +index a5c21e0..4639421 100644 +--- a/dcc.if ++++ b/dcc.if +@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',` + type dcc_var_t, dccifd_var_run_t, dccifd_t; + ') + +- files_search_var($1) ++ files_search_pids($1) + stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) + ') +diff --git a/dcc.te b/dcc.te +index 15d908f..27463a3 100644 +--- a/dcc.te ++++ b/dcc.te +@@ -45,7 +45,7 @@ type dcc_var_t; + 
files_type(dcc_var_t) + + type dcc_var_run_t; +-files_type(dcc_var_run_t) ++files_pid_file(dcc_var_run_t) + + type dccd_t; + type dccd_exec_t; +@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms; + read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + ++corenet_all_recvfrom_netlabel(cdcc_t) ++corenet_udp_sendrecv_generic_if(cdcc_t) ++corenet_udp_sendrecv_generic_node(cdcc_t) ++corenet_udp_sendrecv_all_ports(cdcc_t) + -+corenet_tcp_connect_agentx_port(dirsrv_snmp_t) + files_read_etc_runtime_files(cdcc_t) + + auth_use_nsswitch(cdcc_t) + + logging_send_syslog_msg(cdcc_t) + +-miscfiles_read_localization(cdcc_t) +- +-userdom_use_user_terminals(cdcc_t) ++userdom_use_inherited_user_terminals(cdcc_t) + + ######################################## + # +@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_client_t) + ++corenet_all_recvfrom_netlabel(dcc_client_t) ++corenet_udp_sendrecv_generic_if(dcc_client_t) ++corenet_udp_sendrecv_generic_node(dcc_client_t) ++corenet_udp_sendrecv_all_ports(dcc_client_t) ++corenet_udp_bind_generic_node(dcc_client_t) + -+dev_read_rand(dirsrv_snmp_t) -+dev_read_urand(dirsrv_snmp_t) + files_read_etc_runtime_files(dcc_client_t) + + fs_getattr_all_fs(dcc_client_t) +@@ -131,9 +140,7 @@ auth_use_nsswitch(dcc_client_t) + + logging_send_syslog_msg(dcc_client_t) + +-miscfiles_read_localization(dcc_client_t) +- +-userdom_use_user_terminals(dcc_client_t) ++userdom_use_inherited_user_terminals(dcc_client_t) + + optional_policy(` + amavis_read_spool_files(dcc_client_t) +@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_dbclean_t) + ++corenet_all_recvfrom_netlabel(dcc_dbclean_t) ++corenet_udp_sendrecv_generic_if(dcc_dbclean_t) ++corenet_udp_sendrecv_generic_node(dcc_dbclean_t) ++corenet_udp_sendrecv_all_ports(dcc_dbclean_t) + -+domain_use_interactive_fds(dirsrv_snmp_t) + 
files_read_etc_runtime_files(dcc_dbclean_t) + + auth_use_nsswitch(dcc_dbclean_t) + + logging_send_syslog_msg(dcc_dbclean_t) + +-miscfiles_read_localization(dcc_dbclean_t) +- +-userdom_use_user_terminals(dcc_dbclean_t) ++userdom_use_inherited_user_terminals(dcc_dbclean_t) + + ######################################## + # +@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) + kernel_read_system_state(dccd_t) + kernel_read_kernel_sysctls(dccd_t) + +-corenet_all_recvfrom_unlabeled(dccd_t) + corenet_all_recvfrom_netlabel(dccd_t) + corenet_udp_sendrecv_generic_if(dccd_t) + corenet_udp_sendrecv_generic_node(dccd_t) +@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t) + + logging_send_syslog_msg(dccd_t) + +-miscfiles_read_localization(dccd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccd_t) + userdom_dontaudit_search_user_home_dirs(dccd_t) + +@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) + kernel_read_system_state(dccifd_t) + kernel_read_kernel_sysctls(dccifd_t) + ++corenet_all_recvfrom_netlabel(dccifd_t) ++corenet_udp_sendrecv_generic_if(dccifd_t) ++corenet_udp_sendrecv_generic_node(dccifd_t) ++corenet_udp_sendrecv_all_ports(dccifd_t) + -+#files_manage_var_files(dirsrv_snmp_t) -+files_read_etc_files(dirsrv_snmp_t) -+files_read_usr_files(dirsrv_snmp_t) + dev_read_sysfs(dccifd_t) + + domain_use_interactive_fds(dccifd_t) +@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t) + + logging_send_syslog_msg(dccifd_t) + +-miscfiles_read_localization(dccifd_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccifd_t) + userdom_dontaudit_search_user_home_dirs(dccifd_t) + +@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) + kernel_read_system_state(dccm_t) + kernel_read_kernel_sysctls(dccm_t) + ++corenet_all_recvfrom_netlabel(dccm_t) ++corenet_udp_sendrecv_generic_if(dccm_t) ++corenet_udp_sendrecv_generic_node(dccm_t) ++corenet_udp_sendrecv_all_ports(dccm_t) + -+fs_getattr_tmpfs(dirsrv_snmp_t) 
-+fs_search_tmpfs(dirsrv_snmp_t) + dev_read_sysfs(dccm_t) + + domain_use_interactive_fds(dccm_t) +@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t) + + logging_send_syslog_msg(dccm_t) + +-miscfiles_read_localization(dccm_t) +- + userdom_dontaudit_use_unpriv_user_fds(dccm_t) + userdom_dontaudit_search_user_home_dirs(dccm_t) + +diff --git a/ddclient.if b/ddclient.if +index 5606b40..cd18cf2 100644 +--- a/ddclient.if ++++ b/ddclient.if +@@ -70,9 +70,13 @@ interface(`ddclient_admin',` + type ddclient_var_run_t, ddclient_initrc_exec_t; + ') + +- allow $1 ddclient_t:process { ptrace signal_perms }; ++ allow $1 ddclient_t:process signal_perms; + ps_process_pattern($1, ddclient_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ddclient_t:process ptrace; ++ ') + + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; +diff --git a/ddclient.te b/ddclient.te +index 0b4b8b9..6f53812 100644 +--- a/ddclient.te ++++ b/ddclient.te +@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) + # Declarations + # + + -+sysnet_read_config(dirsrv_snmp_t) -+sysnet_dns_name_resolve(dirsrv_snmp_t) + dontaudit ddclient_t self:capability sys_tty_config; + allow ddclient_t self:process signal_perms; + allow ddclient_t self:fifo_file rw_fifo_file_perms; ++allow ddclient_t self:tcp_socket create_socket_perms; ++allow ddclient_t self:udp_socket create_socket_perms; ++allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; + + read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) + setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) +@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t) + corecmd_exec_shell(ddclient_t) + corecmd_exec_bin(ddclient_t) + +-corenet_all_recvfrom_unlabeled(ddclient_t) + corenet_all_recvfrom_netlabel(ddclient_t) + corenet_tcp_sendrecv_generic_if(ddclient_t) + corenet_udp_sendrecv_generic_if(ddclient_t) +@@ -83,6 +86,9 @@ 
corenet_tcp_sendrecv_generic_node(ddclient_t) + corenet_udp_sendrecv_generic_node(ddclient_t) + corenet_tcp_sendrecv_all_ports(ddclient_t) + corenet_udp_sendrecv_all_ports(ddclient_t) ++corenet_tcp_bind_generic_node(ddclient_t) ++corenet_udp_bind_generic_node(ddclient_t) ++corenet_tcp_connect_all_ports(ddclient_t) + + corenet_sendrecv_all_client_packets(ddclient_t) + corenet_tcp_connect_all_ports(ddclient_t) +@@ -99,9 +105,11 @@ files_read_usr_files(ddclient_t) + fs_getattr_all_fs(ddclient_t) + fs_search_auto_mountpoints(ddclient_t) + ++auth_read_passwd(ddclient_t) + -+optional_policy(` -+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_manage_var_lib_dirs(dirsrv_snmp_t) -+ snmp_manage_var_lib_files(dirsrv_snmp_t) -+ snmp_stream_connect(dirsrv_snmp_t) -+') -diff --git a/distcc.te b/distcc.te -index 54d93e8..16d2e18 100644 ---- a/distcc.te -+++ b/distcc.te -@@ -44,7 +44,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) - kernel_read_system_state(distccd_t) - kernel_read_kernel_sysctls(distccd_t) + logging_send_syslog_msg(ddclient_t) --corenet_all_recvfrom_unlabeled(distccd_t) - corenet_all_recvfrom_netlabel(distccd_t) - corenet_tcp_sendrecv_generic_if(distccd_t) - corenet_udp_sendrecv_generic_if(distccd_t) -@@ -73,8 +72,6 @@ libs_exec_lib_files(distccd_t) +-miscfiles_read_localization(ddclient_t) ++mta_send_mail(ddclient_t) + + sysnet_exec_ifconfig(ddclient_t) + sysnet_dns_name_resolve(ddclient_t) +diff --git a/denyhosts.if b/denyhosts.if +index a7326da..c87b5b7 100644 +--- a/denyhosts.if ++++ b/denyhosts.if +@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',` + ## Role allowed access. 
+ ## + ## ++## + # + interface(`denyhosts_admin',` + gen_require(` +@@ -60,20 +61,24 @@ interface(`denyhosts_admin',` + type denyhosts_var_log_t, denyhosts_initrc_exec_t; + ') - logging_send_syslog_msg(distccd_t) +- allow $1 denyhosts_t:process { ptrace signal_perms }; ++ allow $1 denyhosts_t:process signal_perms; + ps_process_pattern($1, denyhosts_t) --miscfiles_read_localization(distccd_t) -- - sysnet_read_config(distccd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 denyhosts_t:process ptrace; ++ ') ++ + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; - userdom_dontaudit_use_unpriv_user_fds(distccd_t) -diff --git a/djbdns.if b/djbdns.if -index ade3079..41a21f1 100644 ---- a/djbdns.if -+++ b/djbdns.if -@@ -34,7 +34,6 @@ template(`djbdns_daemontools_domain_template',` - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, denyhosts_var_lib_t) -- corenet_all_recvfrom_unlabeled(djbdns_$1_t) - corenet_all_recvfrom_netlabel(djbdns_$1_t) - corenet_tcp_sendrecv_generic_if(djbdns_$1_t) - corenet_udp_sendrecv_generic_if(djbdns_$1_t) -diff --git a/djbdns.te b/djbdns.te -index 03b5286..62fbae1 100644 ---- a/djbdns.te -+++ b/djbdns.te -@@ -39,6 +39,9 @@ allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, denyhosts_var_log_t) - files_search_var(djbdns_axfrdns_t) +- files_search_locks($1) ++ files_list_locks($1) + admin_pattern($1, denyhosts_var_lock_t) + ') +diff --git a/denyhosts.te b/denyhosts.te +index bcb9770..bc1d203 100644 +--- a/denyhosts.te ++++ b/denyhosts.te +@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) + # + # Local policy + # ++# Bug #588563 ++allow denyhosts_t self:capability sys_tty_config; ++allow denyhosts_t self:fifo_file 
rw_fifo_file_perms; -+daemontools_ipc_domain(djbdns_axfrdns_t) -+daemontools_read_svc(djbdns_axfrdns_t) -+ - ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) + allow denyhosts_t self:capability sys_tty_config; + allow denyhosts_t self:fifo_file rw_fifo_file_perms; +@@ -44,11 +47,12 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) - ######################################## -diff --git a/dkim.fc b/dkim.fc -index bf4321a..1820764 100644 ---- a/dkim.fc -+++ b/dkim.fc -@@ -9,6 +9,7 @@ - /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) -+ - /var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + kernel_read_network_state(denyhosts_t) + kernel_read_system_state(denyhosts_t) ++kernel_read_network_state(denyhosts_t) - /var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) -diff --git a/dmidecode.te b/dmidecode.te -index d6356b5..5db989e 100644 ---- a/dmidecode.te -+++ b/dmidecode.te -@@ -27,4 +27,4 @@ files_list_usr(dmidecode_t) ++corecmd_exec_shell(denyhosts_t) + corecmd_exec_bin(denyhosts_t) + corecmd_exec_shell(denyhosts_t) - locallogin_use_fds(dmidecode_t) +-corenet_all_recvfrom_unlabeled(denyhosts_t) + corenet_all_recvfrom_netlabel(denyhosts_t) + corenet_tcp_sendrecv_generic_if(denyhosts_t) + corenet_tcp_sendrecv_generic_node(denyhosts_t) +@@ -59,11 +63,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t) --userdom_use_user_terminals(dmidecode_t) -+userdom_use_inherited_user_terminals(dmidecode_t) -diff --git a/dnsmasq.fc b/dnsmasq.fc -index b886676..fb3b2d6 100644 ---- a/dnsmasq.fc -+++ b/dnsmasq.fc -@@ -1,12 +1,14 @@ - /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) - /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + 
dev_read_urand(denyhosts_t) -+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) ++auth_use_nsswitch(denyhosts_t) + - /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - - /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) - /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - --/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) -+/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) + logging_read_generic_logs(denyhosts_t) + logging_send_syslog_msg(denyhosts_t) --/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -+/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) - /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff --git a/dnsmasq.if b/dnsmasq.if -index 9bd812b..53f895e 100644 ---- a/dnsmasq.if -+++ b/dnsmasq.if -@@ -10,7 +10,6 @@ - ## - ## - # --# - interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; -@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',` - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) +-miscfiles_read_localization(denyhosts_t) +- + sysnet_dns_name_resolve(denyhosts_t) + sysnet_manage_config(denyhosts_t) + sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +75,7 @@ sysnet_etc_filetrans_config(denyhosts_t) + optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) ') - -+####################################### -+## -+## Execute dnsmasq server in the caller domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`dnsmasq_exec',` -+ gen_require(` -+ type dnsmasq_exec_t; -+ ') + -+ can_exec($1, dnsmasq_exec_t) ++optional_policy(` ++ gnome_dontaudit_search_config(denyhosts_t) +') -+ +diff --git a/devicekit.if b/devicekit.if +index d294865..3b4f593 100644 +--- a/devicekit.if ++++ b/devicekit.if +@@ -1,4 +1,4 @@ +-## Devicekit modular hardware abstraction layer. ++## Devicekit modular hardware abstraction layer + ######################################## ## - ## Execute the dnsmasq init script in the init script domain. -@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',` +@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',` + type devicekit_t, devicekit_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, devicekit_exec_t, devicekit_t) + ') ######################################## ## -+## Execute dnsmasq server in the dnsmasq domain. ++## Execute a domain transition to run devicekit_disk. +## +## +## 
@@ -18515,80 +17208,39 @@ index 9bd812b..53f895e 100644 +## +## +# -+interface(`dnsmasq_systemctl',` ++interface(`devicekit_domtrans_disk',` + gen_require(` -+ type dnsmasq_unit_file_t; -+ type dnsmasq_t; ++ type devicekit_disk_t, devicekit_disk_exec_t; + ') + -+ systemd_exec_systemctl($1) -+ allow $1 dnsmasq_unit_file_t:file read_file_perms; -+ allow $1 dnsmasq_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, dnsmasq_t) ++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) +') + +######################################## +## - ## Send dnsmasq a signal + ## Send to devicekit over a unix domain + ## datagram socket. ## - ## -@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',` - ## - ## +@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',` # --# - interface(`dnsmasq_delete_pid_files',` + interface(`devicekit_dgram_send',` gen_require(` - type dnsmasq_var_run_t; +- type devicekit_t, devicekit_var_run_t; ++ type devicekit_t; ') -+ files_search_pids($1) - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) +- files_search_pids($1) +- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t) ++ allow $1 devicekit_t:unix_dgram_socket sendto; ') ######################################## - ## --## Read dnsmasq pid files -+## Manage dnsmasq pid files - ## - ## - ## -@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',` - ## - ## - # -+interface(`dnsmasq_manage_pid_files',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -+') -+ -+######################################## -+## -+## Read dnsmasq pid files -+## -+## -+## -+## Domain allowed access. 
-+## -+## - # - interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - -+ files_search_pids($1) - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) - ') +@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## -+## Create dnsmasq pid dirs +-## Send generic signals to devicekit power. ++## Use file descriptors for devicekit_disk. +## +## +## 
@@ -18596,380 +17248,160 @@ index 9bd812b..53f895e 100644 +## +## +# -+interface(`dnsmasq_create_pid_dirs',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ create_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -+') -+ -+######################################## -+## -+## Transition to dnsmasq named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the directory for the object to be created. -+## -+## -+# -+interface(`dnsmasq_filetrans_named_content_fromdir',` ++interface(`devicekit_use_fds_disk',` + gen_require(` -+ type dnsmasq_var_run_t; ++ type devicekit_disk_t; + ') + -+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") -+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") ++ allow $1 devicekit_disk_t:fd use; +') + +######################################## +## -+## Transition to dnsmasq named content ++## Dontaudit Send and receive messages from ++## devicekit disk over dbus. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`dnsmasq_filetrans_named_content',` ++interface(`devicekit_dontaudit_dbus_chat_disk',` + gen_require(` -+ type dnsmasq_var_run_t; ++ type devicekit_disk_t; ++ class dbus send_msg; + ') + -+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network") -+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid") -+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network") ++ dontaudit $1 devicekit_disk_t:dbus send_msg; ++ dontaudit devicekit_disk_t $1:dbus send_msg; +') + +######################################## +## - ## All of the rules required to administrate - ## an dnsmasq environment ++## Send signal devicekit power ## -@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t; -+ type dnsmasq_unit_file_t; - ') - -- allow $1 dnsmasq_t:process { ptrace signal_perms }; -+ allow $1 dnsmasq_t:process signal_perms; - ps_process_pattern($1, dnsmasq_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dnsmasq_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) -@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',` - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) -+ -+ dnsmasq_systemctl($1) -+ admin_pattern($1, dnsmasq_unit_file_t) -+ allow $1 dnsmasq_unit_file_t:service all_service_perms; + ## + ## +@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',` + allow devicekit_power_t $1:dbus send_msg; ') -diff --git a/dnsmasq.te b/dnsmasq.te -index fdaeeba..a29af29 100644 ---- a/dnsmasq.te -+++ b/dnsmasq.te -@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) - type dnsmasq_var_run_t; - files_pid_file(dnsmasq_var_run_t) -+type dnsmasq_unit_file_t; -+systemd_unit_file(dnsmasq_unit_file_t) -+ - ######################################## +-######################################## ++####################################### + ## +-## Create, read, write, and delete +-## devicekit 
log files. ++## Append inherited devicekit log files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## # - # Local policy -@@ -48,13 +51,15 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) - manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) - logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) - -+manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) - manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) --files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) -+files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - - kernel_read_kernel_sysctls(dnsmasq_t) - kernel_read_system_state(dnsmasq_t) -+kernel_read_network_state(dnsmasq_t) -+kernel_request_load_module(dnsmasq_t) - --corenet_all_recvfrom_unlabeled(dnsmasq_t) - corenet_all_recvfrom_netlabel(dnsmasq_t) - corenet_tcp_sendrecv_generic_if(dnsmasq_t) - corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -76,7 +81,6 @@ dev_read_urand(dnsmasq_t) - - domain_use_interactive_fds(dnsmasq_t) - --files_read_etc_files(dnsmasq_t) - files_read_etc_runtime_files(dnsmasq_t) - - fs_getattr_all_fs(dnsmasq_t) -@@ -86,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t) - - logging_send_syslog_msg(dnsmasq_t) - --miscfiles_read_localization(dnsmasq_t) -- - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - -@@ -96,7 +98,21 @@ optional_policy(` - ') - - optional_policy(` -+ cron_manage_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` - dbus_system_bus_client(dnsmasq_t) -+ dbus_connect_system_bus(dnsmasq_t) -+') -+ -+optional_policy(` -+ networkmanager_read_conf(dnsmasq_t) -+ networkmanager_read_pid_files(dnsmasq_t) -+') -+ -+optional_policy(` -+ ppp_read_pid_files(dnsmasq_t) - ') - - optional_policy(` -@@ -113,5 +129,7 @@ optional_policy(` +-interface(`devicekit_manage_log_files',` ++interface(`devicekit_append_inherited_log_files',` + gen_require(` + type devicekit_var_log_t; 
+ ') - optional_policy(` - virt_manage_lib_files(dnsmasq_t) -+ virt_read_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) -+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - ') -diff --git a/dnssec.fc b/dnssec.fc -new file mode 100644 -index 0000000..9e231a8 ---- /dev/null -+++ b/dnssec.fc -@@ -0,0 +1,3 @@ -+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) -+ -+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) -diff --git a/dnssec.if b/dnssec.if -new file mode 100644 -index 0000000..a952041 ---- /dev/null -+++ b/dnssec.if -@@ -0,0 +1,64 @@ -+ -+## policy for dnssec_trigger -+ -+######################################## -+## -+## Transition to dnssec_trigger. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dnssec_trigger_domtrans',` -+ gen_require(` -+ type dnssec_trigger_t, dnssec_trigger_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t) -+') -+######################################## -+## -+## Read dnssec_trigger PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dnssec_trigger_read_pid_files',` -+ gen_require(` -+ type dnssec_trigger_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 dnssec_trigger_var_run_t:file read_file_perms; +- logging_search_logs($1) +- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ allow $1 devicekit_var_log_t:file append_inherited_file_perms; +') + -+ -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an dnssec_trigger environment ++## Do not audit attempts to write the devicekit ++## log files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. 
++## +## +# -+interface(`dnssec_trigger_admin',` ++interface(`devicekit_dontaudit_rw_log',` + gen_require(` -+ type dnssec_trigger_t; -+ type dnssec_trigger_var_run_t; ++ type devicekit_var_log_t; + ') + -+ allow $1 dnssec_trigger_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dnssec_trigger_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, dnssec_trigger_var_run_t) -+') -diff --git a/dnssec.te b/dnssec.te -new file mode 100644 -index 0000000..25daf6c ---- /dev/null -+++ b/dnssec.te -@@ -0,0 +1,59 @@ -+policy_module(dnssec, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type dnssec_trigger_t; -+type dnssec_trigger_exec_t; -+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) -+ -+type dnssec_trigger_var_run_t; -+files_pid_file(dnssec_trigger_var_run_t) -+ -+######################################## -+# -+# dnssec_trigger local policy -+# -+allow dnssec_trigger_t self:capability linux_immutable; -+allow dnssec_trigger_t self:process signal; -+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; -+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; -+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms; -+allow dnssec_trigger_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) -+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) -+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) -+ -+kernel_read_system_state(dnssec_trigger_t) -+ -+corecmd_exec_bin(dnssec_trigger_t) -+corecmd_exec_shell(dnssec_trigger_t) -+ -+corenet_tcp_bind_generic_node(dnssec_trigger_t) -+corenet_tcp_bind_dnssec_port(dnssec_trigger_t) -+corenet_tcp_connect_rndc_port(dnssec_trigger_t) -+corenet_tcp_connect_http_port(dnssec_trigger_t) -+ -+dev_read_urand(dnssec_trigger_t) -+ -+domain_use_interactive_fds(dnssec_trigger_t) -+ 
-+files_read_etc_runtime_files(dnssec_trigger_t) -+files_read_etc_files(dnssec_trigger_t) -+ -+logging_send_syslog_msg(dnssec_trigger_t) -+ -+auth_read_passwd(dnssec_trigger_t) -+ -+sysnet_dns_name_resolve(dnssec_trigger_t) -+sysnet_manage_config(dnssec_trigger_t) -+ -+optional_policy(` -+ bind_read_config(dnssec_trigger_t) -+ bind_read_dnssec_keys(dnssec_trigger_t) -+') -+ -+ -diff --git a/dovecot.fc b/dovecot.fc -index 3a3ecb2..4448055 100644 ---- a/dovecot.fc -+++ b/dovecot.fc -@@ -2,7 +2,7 @@ - # - # /etc - # --/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0) -+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) - /etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) - /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - -@@ -24,12 +24,13 @@ ifdef(`distro_debian',` - - ifdef(`distro_debian', ` - /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') - - ifdef(`distro_redhat', ` - /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) - /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) --/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++ dontaudit $1 devicekit_var_log_t:file rw_file_perms; ') -@@ -37,6 +38,7 @@ ifdef(`distro_redhat', ` - # /var + ######################################## + ## +-## Relabel devicekit log files. ++## Allow the domain to read devicekit_power state files in /proc. + ## + ## + ## +@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',` + ## + ## # - /var/run/dovecot(-login)?(/.*)? 
gen_context(system_u:object_r:dovecot_var_run_t,s0) -+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) +-interface(`devicekit_relabel_log_files',` ++interface(`devicekit_read_state_power',` + gen_require(` +- type devicekit_var_log_t; ++ type devicekit_power_t; + ') - /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) +- logging_search_logs($1) +- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, devicekit_power_t) + ') -diff --git a/dovecot.if b/dovecot.if -index e1d7dc5..66d42bb 100644 ---- a/dovecot.if -+++ b/dovecot.if -@@ -1,5 +1,46 @@ - ## Dovecot POP and IMAP mail server + ######################################## +@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',` -+###################################### -+## -+## Creates types and rules for a basic -+## dovecot daemon domain. -+## -+## -+## -+## Prefix for the domain. -+## + ######################################## + ## +-## Create, read, write, and delete ++## Do not audit attempts to read + ## devicekit PID files. + ## + ## + ## ++## Domain to not audit. ++## +## +# -+template(`dovecot_basic_types_template',` -+ gen_require(` -+ attribute dovecot_domain; ++interface(`devicekit_dontaudit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; + ') + -+ type $1_t, dovecot_domain; -+ type $1_exec_t; ++ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; ++') + -+ kernel_read_system_state($1_t) ++ ++######################################## ++## ++## Manage devicekit PID files. ++## ++## ++## + ## Domain allowed access. 
+ ## + ## +@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',` + ') + + files_search_pids($1) ++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") +') + +####################################### +## -+## Connect to dovecot unix domain stream socket. ++## Relabel devicekit LOG files. +## +## +## 
@@ -18977,697 +17409,531 @@ index e1d7dc5..66d42bb 100644 +## +## +# -+interface(`dovecot_stream_connect',` ++interface(`devicekit_relabel_log_files',` + gen_require(` -+ type dovecot_t, dovecot_var_run_t; ++ type devicekit_var_log_t; + ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) -+') -+ - ######################################## - ## - ## Connect to dovecot auth unix domain stream socket. -@@ -16,6 +57,7 @@ interface(`dovecot_stream_connect_auth',` - type dovecot_auth_t, dovecot_var_run_t; - ') - -+ files_search_pids($1) - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) - ') - -@@ -52,6 +94,7 @@ interface(`dovecot_manage_spool',` - type dovecot_spool_t; - ') - -+ files_search_spool($1) - manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) - ') -@@ -74,6 +117,25 @@ interface(`dovecot_dontaudit_unlink_lib_files',` - dontaudit $1 dovecot_var_lib_t:file unlink; ++ logging_search_logs($1) ++ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ') -+###################################### -+## -+## Allow attempts to write inherited -+## dovecot tmp files. -+## -+## -+## -+## Domain to not audit. -+## -+## + ######################################## + ## +-## All of the rules required to +-## administrate an devicekit environment. ++## Manage devicekit LOG files. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## +# -+interface(`dovecot_write_inherited_tmp_files',` ++interface(`devicekit_manage_log_files',` + gen_require(` -+ type dovecot_tmp_t; ++ type devicekit_var_log_t; + ') + -+ allow $1 dovecot_tmp_t:file write; ++ logging_search_logs($1) ++ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") +') + - ######################################## - ## - ## All of the rules required to administrate -@@ -93,16 +155,17 @@ interface(`dovecot_dontaudit_unlink_lib_files',` - # - interface(`dovecot_admin',` ++######################################## ++## ++## All of the rules required to administrate ++## an devicekit environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + ## +@@ -219,21 +347,48 @@ interface(`devicekit_admin',` gen_require(` -- type dovecot_t, dovecot_etc_t, dovecot_log_t; -- type dovecot_spool_t, dovecot_var_lib_t; -- type dovecot_var_run_t; -- -- type dovecot_cert_t, dovecot_passwd_t; -- type dovecot_initrc_exec_t; -+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; -+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; -+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; -+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; + type devicekit_t, devicekit_disk_t, devicekit_power_t; + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; +- type devicekit_var_log_t; ') -- allow $1 dovecot_t:process { ptrace signal_perms }; -+ allow $1 dovecot_t:process signal_perms; - ps_process_pattern($1, dovecot_t) +- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) ++ allow $1 devicekit_t:process signal_perms; ++ ps_process_pattern($1, devicekit_t) + tunable_policy(`deny_ptrace',`',` -+ allow $1 
dovecot_t:process ptrace; ++ allow $1 devicekit_t:process ptrace; ++ allow $1 devicekit_disk_t:process ptrace; ++ allow $1 devicekit_power_t:process ptrace; + ') ++ ++ allow $1 devicekit_disk_t:process signal_perms; ++ ps_process_pattern($1, devicekit_disk_t) ++ ++ allow $1 devicekit_power_t:process signal_perms; ++ ps_process_pattern($1, devicekit_power_t) - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) -@@ -112,8 +175,11 @@ interface(`dovecot_admin',` - files_list_etc($1) - admin_pattern($1, dovecot_etc_t) - -- logging_list_logs($1) -- admin_pattern($1, dovecot_log_t) +- files_search_tmp($1) + admin_pattern($1, devicekit_tmp_t) + files_list_tmp($1) -+ admin_pattern($1, dovecot_auth_tmp_t) -+ admin_pattern($1, dovecot_tmp_t) -+ -+ admin_pattern($1, dovecot_keytab_t) - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) -@@ -121,6 +187,9 @@ interface(`dovecot_admin',` - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) +- files_search_var_lib($1) + admin_pattern($1, devicekit_var_lib_t) ++ files_list_var_lib($1) -+ logging_search_logs($1) -+ admin_pattern($1, dovecot_var_log_t) +- logging_search_logs($1) +- admin_pattern($1, devicekit_var_log_t) +- +- files_search_pids($1) + admin_pattern($1, devicekit_var_run_t) ++ files_list_pids($1) ++') + - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - -diff --git a/dovecot.te b/dovecot.te -index 2df7766..d4e008b 100644 ---- a/dovecot.te -+++ b/dovecot.te -@@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0) - # - # Declarations - # --type dovecot_t; --type dovecot_exec_t; -+attribute dovecot_domain; ++######################################## ++## ++## Transition to devicekit named content ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`devicekit_filetrans_named_content',` ++ gen_require(` ++ type devicekit_var_run_t, devicekit_var_log_t; ++ ') + -+dovecot_basic_types_template(dovecot) - init_daemon_domain(dovecot_t, dovecot_exec_t) ++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log") ++ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") + ') +diff --git a/devicekit.te b/devicekit.te +index ff933af..feb84e0 100644 +--- a/devicekit.te ++++ b/devicekit.te +@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) --type dovecot_auth_t; --type dovecot_auth_exec_t; -+dovecot_basic_types_template(dovecot_auth) - domain_type(dovecot_auth_t) - domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) - role system_r types dovecot_auth_t; -@@ -18,14 +18,16 @@ type dovecot_auth_tmp_t; - files_tmp_file(dovecot_auth_tmp_t) + type devicekit_t; + type devicekit_exec_t; +-dbus_system_domain(devicekit_t, devicekit_exec_t) ++init_daemon_domain(devicekit_t, devicekit_exec_t) - type dovecot_cert_t; --files_type(dovecot_cert_t) -+miscfiles_cert_type(dovecot_cert_t) + type devicekit_power_t; + type devicekit_power_exec_t; +-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) ++init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) --type dovecot_deliver_t; --type dovecot_deliver_exec_t; -+dovecot_basic_types_template(dovecot_deliver) - domain_type(dovecot_deliver_t) - domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) - role system_r types dovecot_deliver_t; + type devicekit_disk_t; + type devicekit_disk_exec_t; +-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) ++init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) -+type dovecot_deliver_tmp_t; -+files_tmp_file(dovecot_deliver_tmp_t) -+ - type dovecot_etc_t; - files_config_file(dovecot_etc_t) + type devicekit_tmp_t; + files_tmp_file(devicekit_tmp_t) +@@ -45,11 +45,10 @@ 
kernel_read_system_state(devicekit_t) + dev_read_sysfs(devicekit_t) + dev_read_urand(devicekit_t) -@@ -36,7 +38,7 @@ type dovecot_passwd_t; - files_type(dovecot_passwd_t) +-files_read_etc_files(devicekit_t) - type dovecot_spool_t; --files_type(dovecot_spool_t) -+files_spool_file(dovecot_spool_t) +-miscfiles_read_localization(devicekit_t) - type dovecot_tmp_t; - files_tmp_file(dovecot_tmp_t) -@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t) - type dovecot_var_run_t; - files_pid_file(dovecot_var_run_t) + optional_policy(` ++ dbus_system_domain(devicekit_t, devicekit_exec_t) + dbus_system_bus_client(devicekit_t) -+####################################### -+# -+# dovecot domain local policy -+# -+ -+allow dovecot_domain self:capability2 block_suspend; -+ -+allow dovecot_domain self:unix_dgram_socket create_socket_perms; -+allow dovecot_domain self:fifo_file rw_fifo_file_perms; -+ -+kernel_read_all_sysctls(dovecot_domain) -+ -+corecmd_exec_bin(dovecot_domain) -+corecmd_exec_shell(dovecot_domain) -+ -+dev_read_sysfs(dovecot_domain) -+dev_read_rand(dovecot_domain) -+dev_read_urand(dovecot_domain) -+ -+# Dovecot now has quota support and it uses getmntent() to find the mountpoints. 
-+files_read_etc_runtime_files(dovecot_domain) -+ - ######################################## - # - # dovecot local policy + allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; +@@ -64,7 +63,8 @@ optional_policy(` + # Disk local policy # --allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; -+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; - dontaudit dovecot_t self:capability sys_tty_config; --allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; --allow dovecot_t self:fifo_file rw_fifo_file_perms; -+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; - allow dovecot_t self:tcp_socket create_stream_socket_perms; --allow dovecot_t self:unix_dgram_socket create_socket_perms; - allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; - - domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; - read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) - --allow dovecot_t dovecot_etc_t:file read_file_perms; -+allow dovecot_t dovecot_etc_t:dir list_dir_perms; -+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) - files_search_etc(dovecot_t) - - can_exec(dovecot_t, dovecot_exec_t) -@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - -+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) - manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, 
dovecot_var_run_t) - manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) --files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -- --kernel_read_kernel_sysctls(dovecot_t) --kernel_read_system_state(dovecot_t) -+manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) +-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; ++ + allow devicekit_disk_t self:process { getsched signal_perms }; + allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -81,7 +81,10 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; + manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) + files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) ++files_filetrans_named_content(devicekit_disk_t) --corenet_all_recvfrom_unlabeled(dovecot_t) - corenet_all_recvfrom_netlabel(dovecot_t) - corenet_tcp_sendrecv_generic_if(dovecot_t) - corenet_tcp_sendrecv_generic_node(dovecot_t) -@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) - corenet_tcp_bind_generic_node(dovecot_t) - corenet_tcp_bind_mail_port(dovecot_t) - corenet_tcp_bind_pop_port(dovecot_t) -+corenet_tcp_bind_lmtp_port(dovecot_t) - corenet_tcp_bind_sieve_port(dovecot_t) - corenet_tcp_connect_all_ports(dovecot_t) - corenet_tcp_connect_postgresql_port(dovecot_t) - corenet_sendrecv_pop_server_packets(dovecot_t) - corenet_sendrecv_all_client_packets(dovecot_t) ++kernel_list_unlabeled(devicekit_disk_t) ++kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) + 
kernel_getattr_message_if(devicekit_disk_t) + kernel_list_unlabeled(devicekit_disk_t) + kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) +@@ -98,6 +101,7 @@ corecmd_getattr_all_executables(devicekit_disk_t) --dev_read_sysfs(dovecot_t) --dev_read_urand(dovecot_t) -- - fs_getattr_all_fs(dovecot_t) - fs_getattr_all_dirs(dovecot_t) - fs_search_auto_mountpoints(dovecot_t) - fs_list_inotifyfs(dovecot_t) + dev_getattr_all_chr_files(devicekit_disk_t) + dev_getattr_mtrr_dev(devicekit_disk_t) ++dev_rw_generic_blk_files(devicekit_disk_t) + dev_getattr_usbfs_dirs(devicekit_disk_t) + dev_manage_generic_files(devicekit_disk_t) + dev_read_urand(devicekit_disk_t) +@@ -134,16 +138,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) + storage_raw_read_removable_device(devicekit_disk_t) + storage_raw_write_removable_device(devicekit_disk_t) --corecmd_exec_bin(dovecot_t) -- - domain_use_interactive_fds(dovecot_t) +-term_use_all_terms(devicekit_disk_t) ++term_use_all_inherited_terms(devicekit_disk_t) --files_read_etc_files(dovecot_t) - files_search_spool(dovecot_t) - files_search_tmp(dovecot_t) - files_dontaudit_list_default(dovecot_t) --# Dovecot now has quota support and it uses getmntent() to find the mountpoints. 
--files_read_etc_runtime_files(dovecot_t) -+files_dontaudit_search_all_dirs(dovecot_t) - files_search_all_mountpoints(dovecot_t) -+files_read_var_lib_files(dovecot_t) + auth_use_nsswitch(devicekit_disk_t) - init_getattr_utmp(dovecot_t) +-miscfiles_read_localization(devicekit_disk_t) ++logging_send_syslog_msg(devicekit_disk_t) - auth_use_nsswitch(dovecot_t) + userdom_read_all_users_state(devicekit_disk_t) + userdom_search_user_home_dirs(devicekit_disk_t) ++userdom_manage_user_tmp_dirs(devicekit_disk_t) --logging_send_syslog_msg(dovecot_t) -- - miscfiles_read_generic_certs(dovecot_t) --miscfiles_read_localization(dovecot_t) + optional_policy(` ++ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + dbus_system_bus_client(devicekit_disk_t) -+logging_send_syslog_msg(dovecot_t) -+ -+userdom_home_manager(dovecot_t) - userdom_dontaudit_use_unpriv_user_fds(dovecot_t) - userdom_manage_user_home_content_dirs(dovecot_t) - userdom_manage_user_home_content_files(dovecot_t) -@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t) - userdom_manage_user_home_content_sockets(dovecot_t) - userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) - --mta_manage_spool(dovecot_t) -+optional_policy(` -+ mta_manage_home_rw(dovecot_t) -+ mta_manage_spool(dovecot_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(dovecot_t, dovecot_t) -+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") -+') + allow devicekit_disk_t devicekit_t:dbus send_msg; +@@ -167,6 +173,7 @@ optional_policy(` optional_policy(` -- kerberos_keytab_template(dovecot, dovecot_t) -+ gnome_manage_data(dovecot_t) -+') -+ -+optional_policy(` -+ postfix_manage_private_sockets(dovecot_t) -+ postfix_search_spool(dovecot_t) + mount_domtrans(devicekit_disk_t) ++ mount_read_pid_files(devicekit_disk_t) ') optional_policy(` -@@ -164,6 +194,11 @@ optional_policy(` +@@ -180,6 +187,10 @@ optional_policy(` ') optional_policy(` -+ # Handle sieve scripts -+ 
sendmail_domtrans(dovecot_t) ++ systemd_read_logind_sessions_files(devicekit_disk_t) +') + +optional_policy(` - seutil_sigchld_newrole(dovecot_t) + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) + ') +@@ -188,17 +199,27 @@ optional_policy(` + virt_manage_images(devicekit_disk_t) ') -@@ -180,16 +215,17 @@ optional_policy(` - # dovecot auth local policy ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') ++ + ######################################## + # + # Power local policy # --allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; --allow dovecot_auth_t self:process { signal_perms getcap setcap }; --allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; --allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; -+allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; - allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - - allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - - read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) +-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; ++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; ++allow devicekit_power_t self:capability2 compromise_kernel; + allow devicekit_power_t self:process { getsched signal_perms }; + allow devicekit_power_t self:fifo_file rw_fifo_file_perms; + allow devicekit_power_t self:unix_dgram_socket create_socket_perms; + allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; -+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) 
++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) ++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) + - manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) - manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) - files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; - manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) - dovecot_stream_connect_auth(dovecot_auth_t) - --kernel_read_all_sysctls(dovecot_auth_t) --kernel_read_system_state(dovecot_auth_t) -- - logging_send_audit_msgs(dovecot_auth_t) --logging_send_syslog_msg(dovecot_auth_t) -- --dev_read_urand(dovecot_auth_t) + manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) + manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) + files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) +@@ -247,12 +268,13 @@ files_dontaudit_list_mnt(devicekit_power_t) - auth_domtrans_chk_passwd(dovecot_auth_t) - auth_use_nsswitch(dovecot_auth_t) + fs_getattr_all_fs(devicekit_power_t) + fs_list_inotifyfs(devicekit_power_t) ++fs_getattr_all_fs(devicekit_power_t) --files_read_etc_files(dovecot_auth_t) --files_read_etc_runtime_files(dovecot_auth_t) -+logging_send_syslog_msg(dovecot_auth_t) -+ - files_search_pids(dovecot_auth_t) - files_read_usr_files(dovecot_auth_t) - files_read_usr_symlinks(dovecot_auth_t) - files_read_var_lib_files(dovecot_auth_t) - files_search_tmp(dovecot_auth_t) --files_read_var_lib_files(dovecot_t) +-term_use_all_terms(devicekit_power_t) ++term_use_all_inherited_terms(devicekit_power_t) --init_rw_utmp(dovecot_auth_t) -+fs_getattr_xattr_fs(dovecot_auth_t) + auth_use_nsswitch(devicekit_power_t) --miscfiles_read_localization(dovecot_auth_t) -+init_rw_utmp(dovecot_auth_t) +-miscfiles_read_localization(devicekit_power_t) 
++seutil_exec_setfiles(devicekit_power_t) --seutil_dontaudit_search_config(dovecot_auth_t) -+sysnet_use_ldap(dovecot_auth_t) + sysnet_domtrans_ifconfig(devicekit_power_t) + sysnet_domtrans_dhcpc(devicekit_power_t) +@@ -269,9 +291,11 @@ optional_policy(` optional_policy(` - kerberos_use(dovecot_auth_t) -@@ -236,6 +265,8 @@ optional_policy(` + cron_initrc_domtrans(devicekit_power_t) ++ cron_systemctl(devicekit_power_t) + ') + optional_policy(` - mysql_search_db(dovecot_auth_t) - mysql_stream_connect(dovecot_auth_t) -+ mysql_read_config(dovecot_auth_t) -+ mysql_tcp_connect(dovecot_auth_t) ++ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + dbus_system_bus_client(devicekit_power_t) + + allow devicekit_power_t devicekit_t:dbus send_msg; +@@ -302,8 +326,11 @@ optional_policy(` ') optional_policy(` -@@ -243,6 +274,8 @@ optional_policy(` ++ gnome_manage_home_config(devicekit_power_t) ++') ++ ++optional_policy(` + hal_domtrans_mac(devicekit_power_t) +- hal_manage_log(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + ') +@@ -321,6 +348,7 @@ optional_policy(` ') optional_policy(` -+ postfix_manage_private_sockets(dovecot_auth_t) -+ postfix_rw_master_pipes(dovecot_deliver_t) - postfix_search_spool(dovecot_auth_t) ++ policykit_dbus_chat(devicekit_power_t) + policykit_domtrans_auth(devicekit_power_t) + policykit_read_lib(devicekit_power_t) + policykit_read_reload(devicekit_power_t) +@@ -341,3 +369,9 @@ optional_policy(` + optional_policy(` + vbetool_domtrans(devicekit_power_t) ') ++ ++optional_policy(` ++ corenet_tcp_connect_xserver_port(devicekit_power_t) ++ xserver_stream_connect(devicekit_power_t) ++') ++ +diff --git a/dhcp.fc b/dhcp.fc +index 7956248..5fee161 100644 +--- a/dhcp.fc ++++ b/dhcp.fc +@@ -1,4 +1,5 @@ + /etc/rc\.d/init\.d/dhcpd(6)? 
-- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) ++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) -@@ -250,25 +283,32 @@ optional_policy(` - # - # dovecot deliver local policy - # --allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - allow dovecot_deliver_t dovecot_t:process signull; +diff --git a/dhcp.if b/dhcp.if +index c697edb..31d45bf 100644 +--- a/dhcp.if ++++ b/dhcp.if +@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` + ') --allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; --allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; -+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) -+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) + sysnet_search_dhcp_state($1) +- allow $1 dhcpd_state_t:file setattr; ++ allow $1 dhcpd_state_t:file setattr_file_perms; + ') --kernel_read_all_sysctls(dovecot_deliver_t) --kernel_read_system_state(dovecot_deliver_t) -+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + ######################################## +@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',` --files_read_etc_files(dovecot_deliver_t) --files_read_etc_runtime_files(dovecot_deliver_t) -+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + ######################################## + ## ++## Execute dhcpd server in the dhcpd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`dhcpd_systemctl',` ++ gen_require(` ++ type dhcpd_unit_file_t; ++ type dhcpd_t; ++ ') + -+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) -+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) ++ systemd_exec_systemctl($1) ++ systemd_search_unit_dirs($1) ++ allow $1 dhcpd_unit_file_t:file read_file_perms; ++ allow $1 dhcpd_unit_file_t:service manage_service_perms; + -+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) -+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) -+dovecot_stream_connect(dovecot_deliver_t) ++ ps_process_pattern($1, dhcpd_t) ++') + -+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) ++######################################## ++## + ## All of the rules required to + ## administrate an dhcpd environment. 
+ ## +@@ -79,11 +103,16 @@ interface(`dhcpd_admin',` + gen_require(` + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; ++ type dhcpd_unit_file_t; + ') - auth_use_nsswitch(dovecot_deliver_t) +- allow $1 dhcpd_t:process { ptrace signal_perms }; ++ allow $1 dhcpd_t:process signal_perms; + ps_process_pattern($1, dhcpd_t) -+logging_append_all_logs(dovecot_deliver_t) - logging_send_syslog_msg(dovecot_deliver_t) --logging_search_logs(dovecot_auth_t) -- --miscfiles_read_localization(dovecot_deliver_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dhcpd_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dhcpd_initrc_exec_t system_r; +@@ -97,4 +126,8 @@ interface(`dhcpd_admin',` - dovecot_stream_connect_auth(dovecot_deliver_t) + files_list_pids($1) + admin_pattern($1, dhcpd_var_run_t) ++ ++ dhcpd_systemctl($1) ++ admin_pattern($1, dhcpd_unit_file_t) ++ allow $1 dhcpd_unit_file_t:service all_service_perms; + ') +diff --git a/dhcp.te b/dhcp.te +index c93c3db..1125f7d 100644 +--- a/dhcp.te ++++ b/dhcp.te +@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) + type dhcpd_initrc_exec_t; + init_script_file(dhcpd_initrc_exec_t) -@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) - userdom_manage_user_home_content_sockets(dovecot_deliver_t) - userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) ++type dhcpd_unit_file_t; ++systemd_unit_file(dhcpd_unit_file_t) ++ + type dhcpd_state_t; + files_type(dhcpd_state_t) --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(dovecot_deliver_t) -- fs_manage_nfs_files(dovecot_deliver_t) -- fs_manage_nfs_symlinks(dovecot_deliver_t) -- fs_manage_nfs_dirs(dovecot_t) -- fs_manage_nfs_files(dovecot_t) -- fs_manage_nfs_symlinks(dovecot_t) -+userdom_home_manager(dovecot_deliver_t) +@@ -58,7 +61,6 @@ 
kernel_read_system_state(dhcpd_t) + kernel_read_kernel_sysctls(dhcpd_t) + kernel_read_network_state(dhcpd_t) + +-corenet_all_recvfrom_unlabeled(dhcpd_t) + corenet_all_recvfrom_netlabel(dhcpd_t) + corenet_tcp_sendrecv_generic_if(dhcpd_t) + corenet_udp_sendrecv_generic_if(dhcpd_t) +@@ -102,8 +104,6 @@ auth_use_nsswitch(dhcpd_t) + + logging_send_syslog_msg(dhcpd_t) + +-miscfiles_read_localization(dhcpd_t) +- + sysnet_read_dhcp_config(dhcpd_t) + + userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) +@@ -113,6 +113,19 @@ tunable_policy(`dhcpd_use_ldap',` + sysnet_use_ldap(dhcpd_t) + ') + ++ifdef(`distro_gentoo',` ++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; ++') + +optional_policy(` -+ gnome_manage_data(dovecot_deliver_t) ++ # used for dynamic DNS ++ bind_read_dnssec_keys(dhcpd_t) +') + +optional_policy(` -+ mta_mailserver_delivery(dovecot_deliver_t) -+ mta_read_queue(dovecot_deliver_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(dovecot_deliver_t) -- fs_manage_cifs_files(dovecot_deliver_t) -- fs_manage_cifs_symlinks(dovecot_deliver_t) -- fs_manage_cifs_dirs(dovecot_t) -- fs_manage_cifs_files(dovecot_t) -- fs_manage_cifs_symlinks(dovecot_t) -+optional_policy(` -+ postfix_use_fds_master(dovecot_deliver_t) - ') - ++ cobbler_dontaudit_rw_log(dhcpd_t) ++') ++ optional_policy(` -- mta_manage_spool(dovecot_deliver_t) -+ # Handle sieve scripts -+ sendmail_domtrans(dovecot_deliver_t) + bind_read_dnssec_keys(dhcpd_t) ') -diff --git a/dpkg.if b/dpkg.if -index 4d32b42..78736d8 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',` - # - interface(`dpkg_run',` - gen_require(` -- attribute_role dpkg_roles; -+ #attribute_role dpkg_roles; -+ type dpkg_t, dpkg_script_t; +diff --git a/dictd.if b/dictd.if +index 3cc3494..cb0a1f4 100644 +--- a/dictd.if ++++ b/dictd.if +@@ -38,8 +38,11 @@ interface(`dictd_admin',` + type dictd_var_run_t, dictd_initrc_exec_t; ') -+ #dpkg_domtrans($1) -+ 
#roleattribute $2 dpkg_roles; -+ - dpkg_domtrans($1) -- roleattribute $2 dpkg_roles; -+ role $2 types dpkg_t; -+ role $2 types dpkg_script_t; -+ seutil_run_loadpolicy(dpkg_script_t, $2) -+ - ') +- allow $1 dictd_t:process { ptrace signal_perms }; ++ allow $1 dictd_t:process signal_perms; + ps_process_pattern($1, dictd_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dictd_t:process ptrace; ++ ') - ######################################## -diff --git a/dpkg.te b/dpkg.te -index 52725c4..934ce11 100644 ---- a/dpkg.te -+++ b/dpkg.te -@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0) - # Declarations - # + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) +diff --git a/dictd.te b/dictd.te +index fd4a602..43b800a 100644 +--- a/dictd.te ++++ b/dictd.te +@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) + kernel_read_system_state(dictd_t) + kernel_read_kernel_sysctls(dictd_t) --attribute_role dpkg_roles; --roleattribute system_r dpkg_roles; -+#attribute_role dpkg_roles; -+#roleattribute system_r dpkg_roles; - - type dpkg_t; - type dpkg_exec_t; -@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) - domain_role_change_exemption(dpkg_t) - domain_system_change_exemption(dpkg_t) - domain_interactive_fd(dpkg_t) --role dpkg_roles types dpkg_t; -+#role dpkg_roles types dpkg_t; -+role system_r types dpkg_t; - - # lockfile - type dpkg_lock_t; -@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) - domain_obj_id_change_exemption(dpkg_script_t) - domain_system_change_exemption(dpkg_script_t) - domain_interactive_fd(dpkg_script_t) --role dpkg_roles types dpkg_script_t; -+#role dpkg_roles types dpkg_script_t; -+role system_r types dpkg_script_t; - - type dpkg_script_tmp_t; - files_tmp_file(dpkg_script_tmp_t) -@@ -92,7 +94,6 @@ kernel_read_kernel_sysctls(dpkg_t) - corecmd_exec_all_executables(dpkg_t) - - # TODO: do we really need all networking? 
--corenet_all_recvfrom_unlabeled(dpkg_t) - corenet_all_recvfrom_netlabel(dpkg_t) - corenet_tcp_sendrecv_generic_if(dpkg_t) - corenet_raw_sendrecv_generic_if(dpkg_t) -@@ -152,9 +153,12 @@ files_exec_etc_files(dpkg_t) - init_domtrans_script(dpkg_t) - init_use_script_ptys(dpkg_t) - -+#libs_exec_ld_so(dpkg_t) -+#libs_exec_lib_files(dpkg_t) -+#libs_run_ldconfig(dpkg_t, dpkg_roles) - libs_exec_ld_so(dpkg_t) - libs_exec_lib_files(dpkg_t) --libs_run_ldconfig(dpkg_t, dpkg_roles) -+libs_domtrans_ldconfig(dpkg_t) - - logging_send_syslog_msg(dpkg_t) - -@@ -195,20 +199,30 @@ domain_signal_all_domains(dpkg_t) - domain_signull_all_domains(dpkg_t) - files_read_etc_runtime_files(dpkg_t) - files_exec_usr_files(dpkg_t) --miscfiles_read_localization(dpkg_t) --modutils_run_depmod(dpkg_t, dpkg_roles) --modutils_run_insmod(dpkg_t, dpkg_roles) --seutil_run_loadpolicy(dpkg_t, dpkg_roles) --seutil_run_setfiles(dpkg_t, dpkg_roles) -+#modutils_run_depmod(dpkg_t, dpkg_roles) -+#modutils_run_insmod(dpkg_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_t, dpkg_roles) - userdom_use_all_users_fds(dpkg_t) - optional_policy(` - mta_send_mail(dpkg_t) - ') -+ -+ - optional_policy(` -- usermanage_run_groupadd(dpkg_t, dpkg_roles) -- usermanage_run_useradd(dpkg_t, dpkg_roles) -+ modutils_domtrans_depmod(dpkg_t) -+ modutils_domtrans_insmod(dpkg_t) -+ seutil_domtrans_loadpolicy(dpkg_t) -+ seutil_domtrans_setfiles(dpkg_t) -+ usermanage_domtrans_groupadd(dpkg_t) -+ usermanage_domtrans_useradd(dpkg_t) - ') +-corenet_all_recvfrom_unlabeled(dictd_t) + corenet_all_recvfrom_netlabel(dictd_t) + corenet_tcp_sendrecv_generic_if(dictd_t) + corenet_tcp_sendrecv_generic_node(dictd_t) +@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t) + domain_use_interactive_fds(dictd_t) -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_t, dpkg_roles) -+#') -+ - ######################################## - # - # dpkg-script Local policy -@@ -296,21 +310,20 
@@ init_use_script_fds(dpkg_script_t) + files_read_etc_runtime_files(dictd_t) +-files_read_usr_files(dictd_t) + files_search_var_lib(dictd_t) - libs_exec_ld_so(dpkg_script_t) - libs_exec_lib_files(dpkg_script_t) --libs_run_ldconfig(dpkg_script_t, dpkg_roles) -+libs_domtrans_ldconfig(dpkg_script_t) -+#libs_run_ldconfig(dpkg_script_t, dpkg_roles) + fs_getattr_xattr_fs(dictd_t) +@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t) - logging_send_syslog_msg(dpkg_script_t) + logging_send_syslog_msg(dictd_t) --miscfiles_read_localization(dpkg_script_t) +-miscfiles_read_localization(dictd_t) - --modutils_run_depmod(dpkg_script_t, dpkg_roles) --modutils_run_insmod(dpkg_script_t, dpkg_roles) -+#modutils_run_depmod(dpkg_script_t, dpkg_roles) -+#modutils_run_insmod(dpkg_script_t, dpkg_roles) - --seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) --seutil_run_setfiles(dpkg_script_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_script_t, dpkg_roles) - - userdom_use_all_users_fds(dpkg_script_t) - --tunable_policy(`allow_execmem',` -+tunable_policy(`selinuxuser_execmem',` - allow dpkg_script_t self:process execmem; - ') - -@@ -319,9 +332,9 @@ optional_policy(` - apt_use_fds(dpkg_script_t) - ') - --optional_policy(` -- bootloader_run(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# bootloader_run(dpkg_script_t, dpkg_roles) -+#') + userdom_dontaudit_use_unpriv_user_fds(dictd_t) optional_policy(` - mta_send_mail(dpkg_script_t) -@@ -335,7 +348,7 @@ optional_policy(` - unconfined_domain(dpkg_script_t) - ') - --optional_policy(` -- usermanage_run_groupadd(dpkg_script_t, dpkg_roles) -- usermanage_run_useradd(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_script_t, dpkg_roles) -+#') -diff --git a/drbd.fc b/drbd.fc +diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc new file mode 100644 -index 0000000..60c19b9 +index 0000000..fdf5675 
--- /dev/null -+++ b/drbd.fc -@@ -0,0 +1,12 @@ -+ -+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) -+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) ++++ b/dirsrv-admin.fc +@@ -0,0 +1,15 @@ ++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) + -+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) ++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) + -+/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) -+/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) ++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) + -+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) ++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) + ++/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) ++/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) + -diff --git a/drbd.if b/drbd.if ++/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0) +diff --git a/dirsrv-admin.if b/dirsrv-admin.if new file mode 100644 -index 0000000..659d051 +index 0000000..332a1c9 
--- /dev/null -+++ b/drbd.if -@@ -0,0 +1,127 @@ -+ -+## policy for drbd ++++ b/dirsrv-admin.if +@@ -0,0 +1,134 @@ ++## Administration Server for Directory Server, dirsrv-admin. + +######################################## +## -+## Execute a domain transition to run drbd. ++## Exec dirsrv-admin programs. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# -+interface(`drbd_domtrans',` ++interface(`dirsrvadmin_run_exec',` + gen_require(` -+ type drbd_t, drbd_exec_t; ++ type dirsrvadmin_exec_t; + ') + -+ domtrans_pattern($1, drbd_exec_t, drbd_t) ++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms; ++ can_exec($1, dirsrvadmin_exec_t) +') + +######################################## +## -+## Search drbd lib directories. ++## Exec cgi programs. +## +## +## @@ -19675,18 +17941,18 @@ index 0000000..659d051 +## +## +# -+interface(`drbd_search_lib',` ++interface(`dirsrvadmin_run_httpd_script_exec',` + gen_require(` -+ type drbd_var_lib_t; ++ type httpd_dirsrvadmin_script_exec_t; + ') + -+ allow $1 drbd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_dirsrvadmin_script_exec_t) +') + +######################################## +## -+## Read drbd lib files. ++## Manage dirsrv-adminserver configuration files. +## +## +## @@ -19694,19 +17960,17 @@ index 0000000..659d051 +## +## +# -+interface(`drbd_read_lib_files',` ++interface(`dirsrvadmin_read_config',` + gen_require(` -+ type drbd_var_lib_t; ++ type dirsrvadmin_config_t; + ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t) +') + +######################################## +## -+## Create, read, write, and delete -+## drbd lib files. ++## Manage dirsrv-adminserver configuration files. +## +## +## 
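Review bot: The summary above `dirsrvadmin_read_config` says `## Manage dirsrv-adminserver configuration files.` while the body is only `read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)`, so it duplicates the summary of `dirsrvadmin_manage_config` that follows and overstates what a caller is granted; change it to `## Read dirsrv-adminserver configuration files.`. The interface `dirsrvadmin_run_httpd_script_exec` in this hunk (and `dirsrvadmin_run_exec` just before it) only calls `can_exec`, yet by refpolicy convention a `_run_` interface denotes a domain transition plus a role grant; names such as `dirsrvadmin_exec_httpd_script` and `dirsrvadmin_exec` would say what these actually grant, execution in the caller's own domain. The doc block of `dirsrvadmin_run_httpd_script_exec` starts before this hunk, and the body of `dirsrvadmin_manage_config` continues after it.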
@@ -19714,255 +17978,356 @@ index 0000000..659d051 +## +## +# -+interface(`drbd_manage_lib_files',` ++interface(`dirsrvadmin_manage_config',` + gen_require(` -+ type drbd_var_lib_t; ++ type dirsrvadmin_config_t; + ') + -+ files_search_var_lib($1) -+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms; ++ allow $1 dirsrvadmin_config_t:file manage_file_perms; +') + -+######################################## ++####################################### +## -+## Manage drbd lib dirs files. ++## Read dirsrv-adminserver tmp files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`drbd_manage_lib_dirs',` -+ gen_require(` -+ type drbd_var_lib_t; -+ ') ++interface(`dirsrvadmin_read_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') + -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t) ++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +') + -+ +######################################## +## -+## All of the rules required to administrate -+## an drbd environment ++## Manage dirsrv-adminserver tmp files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`drbd_admin',` -+ gen_require(` -+ type drbd_t; -+ type drbd_var_lib_t; -+ ') ++interface(`dirsrvadmin_manage_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') + -+ allow $1 drbd_t:process signal_perms; -+ ps_process_pattern($1, drbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 drbd_t:process ptrace; -+ ') ++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++') + -+ files_search_var_lib($1) -+ admin_pattern($1, drbd_var_lib_t) ++####################################### ++## ++## Execute admin cgi programs in caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrvadmin_domtrans_unconfined_script_t',` ++ gen_require(` ++ type dirsrvadmin_unconfined_script_t; ++ type dirsrvadmin_unconfined_script_exec_t; ++ ') + -+') ++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t) ++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms; + -diff --git a/drbd.te b/drbd.te ++') +diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..2f3efe7 +index 0000000..a3d076f 
--- /dev/null -+++ b/drbd.te -@@ -0,0 +1,51 @@ -+policy_module(drbd, 1.0.0) ++++ b/dirsrv-admin.te +@@ -0,0 +1,144 @@ ++policy_module(dirsrv-admin,1.0.0) + +######################################## +# -+# Declarations ++# Declarations for the daemon +# + -+type drbd_t; -+type drbd_exec_t; -+init_daemon_domain(drbd_t, drbd_exec_t) ++type dirsrvadmin_t; ++type dirsrvadmin_exec_t; ++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t) ++role system_r types dirsrvadmin_t; ++ ++type dirsrvadmin_config_t; ++files_type(dirsrvadmin_config_t) ++ ++type dirsrvadmin_lock_t; ++files_lock_file(dirsrvadmin_lock_t) + -+type drbd_var_lib_t; -+files_type(drbd_var_lib_t) ++type dirsrvadmin_tmp_t; ++files_tmp_file(dirsrvadmin_tmp_t) + -+type drbd_lock_t; -+files_lock_file(drbd_lock_t) ++type dirsrvadmin_unconfined_script_t; ++type dirsrvadmin_unconfined_script_exec_t; ++domain_type(dirsrvadmin_unconfined_script_t) ++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t) ++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t) ++role system_r types dirsrvadmin_unconfined_script_t; + +######################################## +# -+# drbd local policy ++# Local policy for the daemon +# ++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; ++allow dirsrvadmin_t self:process setrlimit; + -+allow drbd_t self:capability { kill net_admin }; -+dontaudit drbd_t self:capability sys_tty_config; -+allow drbd_t self:fifo_file rw_fifo_file_perms; -+allow drbd_t self:unix_stream_socket create_stream_socket_perms; -+allow drbd_t self:netlink_socket create_socket_perms; -+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; ++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir }) ++ 
++kernel_read_system_state(dirsrvadmin_t) ++ ++corecmd_exec_bin(dirsrvadmin_t) ++corecmd_read_bin_symlinks(dirsrvadmin_t) ++corecmd_search_bin(dirsrvadmin_t) ++corecmd_shell_entry_type(dirsrvadmin_t) + -+manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -+manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -+manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -+files_var_lib_filetrans(drbd_t, drbd_var_lib_t, { dir file } ) ++files_exec_etc_files(dirsrvadmin_t) + -+manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) -+files_lock_filetrans(drbd_t, drbd_lock_t, file) ++libs_exec_ld_so(dirsrvadmin_t) + -+can_exec(drbd_t, drbd_exec_t) ++logging_search_logs(dirsrvadmin_t) + -+kernel_read_system_state(drbd_t) + -+dev_read_sysfs(drbd_t) -+dev_read_rand(drbd_t) -+dev_read_urand(drbd_t) ++# Needed for stop and restart scripts ++dirsrv_read_var_run(dirsrvadmin_t) + -+files_read_etc_files(drbd_t) ++optional_policy(` ++ apache_domtrans(dirsrvadmin_t) ++ apache_signal(dirsrvadmin_t) ++') + -+storage_raw_read_fixed_disk(drbd_t) ++######################################## ++# ++# Local policy for the CGIs ++# ++# ++# ++# Create a domain for the CGI scripts + ++optional_policy(` ++ apache_content_template(dirsrvadmin) + -+sysnet_dns_name_resolve(drbd_t) -diff --git a/dspam.fc b/dspam.fc -new file mode 100644 -index 0000000..4dc92b3 ---- /dev/null -+++ b/dspam.fc -@@ -0,0 +1,18 @@ ++ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; ++ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; ++ allow httpd_dirsrvadmin_script_t self:sem 
create_sem_perms; + -+/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0) + -+/usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0) ++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) ++ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) + -+/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) ++ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) + -+/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) ++ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) ++ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) + -+/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) ++ files_search_var_lib(httpd_dirsrvadmin_script_t) + -+# web ++ sysnet_read_config(httpd_dirsrvadmin_script_t) + -+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) -+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) -+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) ++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) + -+/var/lib/dspam/data(/.*)? 
gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0) -diff --git a/dspam.if b/dspam.if ++ optional_policy(` ++ # The CGI scripts must be able to manage dirsrv-admin ++ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) ++ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_domtrans(httpd_dirsrvadmin_script_t) ++ dirsrv_signal(httpd_dirsrvadmin_script_t) ++ dirsrv_signull(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_log(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) ++ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) ++ dirsrv_manage_config(httpd_dirsrvadmin_script_t) ++ dirsrv_read_share(httpd_dirsrvadmin_script_t) ++ ') ++') ++ ++####################################### ++# ++# Local policy for the admin CGIs ++# ++# ++ ++ ++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++# needed because of filetrans rules ++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t) ++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_domtrans(dirsrvadmin_unconfined_script_t) ++dirsrv_signal(dirsrvadmin_unconfined_script_t) ++dirsrv_signull(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_log(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t) ++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t) ++dirsrv_manage_config(dirsrvadmin_unconfined_script_t) ++dirsrv_read_share(dirsrvadmin_unconfined_script_t) ++ ++optional_policy(` ++ unconfined_domain(dirsrvadmin_unconfined_script_t) ++') ++ +diff --git a/dirsrv.fc b/dirsrv.fc new file mode 100644 -index 0000000..a446210 +index 0000000..0ea1ebb 
--- /dev/null -+++ b/dspam.if -@@ -0,0 +1,267 @@ ++++ b/dirsrv.fc +@@ -0,0 +1,23 @@ ++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + -+## policy for dspam ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) ++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) ++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) + ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) ++ ++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) ++ ++# BZ: ++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++ ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++ ++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++ ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++ ++/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) +diff --git a/dirsrv.if b/dirsrv.if +new file mode 100644 +index 0000000..b214253 +--- /dev/null ++++ b/dirsrv.if +@@ -0,0 +1,208 @@ ++## policy for dirsrv + +######################################## +## -+## Execute a domain transition to run dspam. ++## Execute a domain transition to run dirsrv. +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## +# -+interface(`dspam_domtrans',` ++interface(`dirsrv_domtrans',` + gen_require(` -+ type dspam_t, dspam_exec_t; ++ type dirsrv_t, dirsrv_exec_t; + ') + -+ domtrans_pattern($1, dspam_exec_t, dspam_t) ++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) +') + + +######################################## +## -+## Execute dspam server in the dspam domain. ++## Allow caller to signal dirsrv. 
+## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dspam_initrc_domtrans',` ++interface(`dirsrv_signal',` + gen_require(` -+ type dspam_initrc_exec_t; ++ type dirsrv_t; + ') + -+ init_labeled_script_domtrans($1, dspam_initrc_exec_t) ++ allow $1 dirsrv_t:process signal; +') + ++ +######################################## +## -+## Allow the specified domain to read dspam's log files. ++## Send a null signal to dirsrv. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## +# -+interface(`dspam_read_log',` ++interface(`dirsrv_signull',` + gen_require(` -+ type dspam_log_t; ++ type dirsrv_t; + ') + -+ logging_search_logs($1) -+ read_files_pattern($1, dspam_log_t, dspam_log_t) ++ allow $1 dirsrv_t:process signull; +') + -+######################################## ++####################################### +## -+## Allow the specified domain to append -+## dspam log files. ++## Allow a domain to manage dirsrv logs. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dspam_append_log',` ++interface(`dirsrv_manage_log',` + gen_require(` -+ type dspam_log_t; ++ type dirsrv_var_log_t; + ') + -+ logging_search_logs($1) -+ append_files_pattern($1, dspam_log_t, dspam_log_t) ++ allow $1 dirsrv_var_log_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_log_t:file manage_file_perms; ++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; +') + -+######################################## ++####################################### +## -+## Allow domain to manage dspam log files ++## Allow a domain to manage dirsrv /var/lib files. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`dspam_manage_log',` -+ gen_require(` -+ type dspam_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t) -+ manage_files_pattern($1, dspam_log_t, dspam_log_t) -+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t) ++interface(`dirsrv_manage_var_lib',` ++ gen_require(` ++ type dirsrv_var_lib_t; ++ ') ++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_lib_t:file manage_file_perms; +') + +######################################## +## -+## Search dspam lib directories. ++## Connect to dirsrv over a unix stream socket. +## +## +## 
@@ -19970,1843 +18335,2077 @@ index 0000000..a446210 +## +## +# -+interface(`dspam_search_lib',` ++interface(`dirsrv_stream_connect',` + gen_require(` -+ type dspam_var_lib_t; ++ type dirsrv_t, dirsrv_var_run_t; + ') + -+ allow $1 dspam_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ files_search_pids($1) ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) +') + -+######################################## ++####################################### +## -+## Read dspam lib files. ++## Allow a domain to manage dirsrv /var/run files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dspam_read_lib_files',` ++interface(`dirsrv_manage_var_run',` + gen_require(` -+ type dspam_var_lib_t; ++ type dirsrv_var_run_t; + ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++ allow $1 dirsrv_var_run_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_run_t:file manage_file_perms; ++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms; +') + -+######################################## ++###################################### +## -+## Create, read, write, and delete -+## dspam lib files. ++## Allow a domain to create dirsrv pid directories. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dspam_manage_lib_files',` -+ gen_require(` -+ type dspam_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++interface(`dirsrv_pid_filetrans',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ # Allow creating a dir in /var/run with this type ++ files_pid_filetrans($1, dirsrv_var_run_t, dir) +') + -+######################################## ++####################################### +## -+## Manage dspam lib dirs files. ++## Allow a domain to read dirsrv /var/run files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
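Review bot: The summary on `dirsrvadmin_domtrans_unconfined_script_t` in dirsrv-admin.if reads `## Execute admin cgi programs in caller domain.`, but its body is `domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)`, and dirsrv-admin.te places that target under `unconfined_domain` inside an `optional_policy`, so a caller gets a transition into an effectively unconfined domain rather than execution in its own. Change the summary to `## Execute admin cgi programs with a domain transition to dirsrvadmin_unconfined_script_t.`, and consider dropping the `_t` suffix from the interface name, which by refpolicy convention marks types rather than interfaces. In dirsrv-admin.te, `allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };` together with `corenet_tcp_connect_generic_port` and the nested `dirsrv_manage_*` block gives a web-reachable CGI domain a wide grant with no note on why, unlike the `# Needed for stop and restart scripts` comment used for the daemon above; a one-line why-comment naming which CGI operation needs `dac_override`, `setuid`/`setgid` and `kill` (or a TODO to trim them after an audit) would let a later maintainer tighten it safely. The `# BZ:` line in dirsrv.fc above `/var/run/slapd.* -s` cites no bug number; either fill it in or drop the comment.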
++## +## +# -+interface(`dspam_manage_lib_dirs',` -+ gen_require(` -+ type dspam_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++interface(`dirsrv_read_var_run',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ allow $1 dirsrv_var_run_t:dir list_dir_perms; ++ allow $1 dirsrv_var_run_t:file read_file_perms; +') + -+ +######################################## +## -+## Read dspam PID files. ++## Manage dirsrv configuration files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dspam_read_pid_files',` ++interface(`dirsrv_manage_config',` + gen_require(` -+ type dspam_var_run_t; ++ type dirsrv_config_t; + ') + -+ files_search_pids($1) -+ allow $1 dspam_var_run_t:file read_file_perms; ++ allow $1 dirsrv_config_t:dir manage_dir_perms; ++ allow $1 dirsrv_config_t:file manage_file_perms; +') + -+####################################### ++######################################## +## -+## Connect to DSPAM using a unix domain stream socket. ++## Read dirsrv share files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`dspam_stream_connect',` -+ gen_require(` -+ type dspam_t, dspam_var_run_t, dspam_tmp_t; -+ ') ++interface(`dirsrv_read_share',` ++ gen_require(` ++ type dirsrv_share_t; ++ ') + -+ files_search_pids($1) -+ files_search_tmp($1) -+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) -+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t) ++ allow $1 dirsrv_share_t:dir list_dir_perms; ++ allow $1 dirsrv_share_t:file read_file_perms; ++ allow $1 dirsrv_share_t:lnk_file read; +') +diff --git a/dirsrv.te b/dirsrv.te +new file mode 100644 +index 0000000..7f0b4f6 +--- /dev/null ++++ b/dirsrv.te +@@ -0,0 +1,193 @@ ++policy_module(dirsrv,1.0.0) + +######################################## -+## -+## All of the rules required to administrate -+## an dspam environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## +# -+interface(`dspam_admin',` -+ gen_require(` -+ type dspam_t; -+ type dspam_initrc_exec_t; -+ type dspam_log_t; -+ type dspam_var_lib_t; -+ type dspam_var_run_t; -+ ') ++# Declarations ++# + -+ allow $1 dspam_t:process signal_perms; -+ ps_process_pattern($1, dspam_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dspam_t:process ptrace; -+ ') ++# main daemon ++type dirsrv_t; ++type dirsrv_exec_t; ++domain_type(dirsrv_t) ++init_daemon_domain(dirsrv_t, dirsrv_exec_t) + -+ dspam_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 dspam_initrc_exec_t system_r; -+ allow $2 system_r; ++type dirsrv_snmp_t; ++type dirsrv_snmp_exec_t; ++domain_type(dirsrv_snmp_t) ++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) + -+ logging_search_logs($1) -+ admin_pattern($1, dspam_log_t) ++type dirsrv_var_lib_t; ++files_type(dirsrv_var_lib_t) + -+ files_search_var_lib($1) -+ admin_pattern($1, dspam_var_lib_t) ++type dirsrv_var_log_t; ++logging_log_file(dirsrv_var_log_t) + -+ files_search_pids($1) -+ admin_pattern($1, dspam_var_run_t) ++type 
dirsrv_snmp_var_log_t; ++logging_log_file(dirsrv_snmp_var_log_t) + -+') -diff --git a/dspam.te b/dspam.te -new file mode 100644 -index 0000000..e6f0960 ---- /dev/null -+++ b/dspam.te -@@ -0,0 +1,113 @@ ++type dirsrv_var_run_t; ++files_pid_file(dirsrv_var_run_t) ++ ++type dirsrv_snmp_var_run_t; ++files_pid_file(dirsrv_snmp_var_run_t) ++ ++type dirsrv_var_lock_t; ++files_lock_file(dirsrv_var_lock_t) ++ ++type dirsrv_config_t; ++files_type(dirsrv_config_t) ++ ++type dirsrv_tmp_t; ++files_tmp_file(dirsrv_tmp_t) ++ ++type dirsrv_tmpfs_t; ++files_tmpfs_file(dirsrv_tmpfs_t) + -+policy_module(dspam, 1.0.0) ++type dirsrv_share_t; ++files_type(dirsrv_share_t); + +######################################## +# -+# Declarations ++# dirsrv local policy +# ++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; ++allow dirsrv_t self:fifo_file manage_fifo_file_perms; ++allow dirsrv_t self:sem create_sem_perms; ++allow dirsrv_t self:tcp_socket create_stream_socket_perms; + -+type dspam_t; -+type dspam_exec_t; -+init_daemon_domain(dspam_t, dspam_exec_t) ++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) + -+type dspam_initrc_exec_t; -+init_script_file(dspam_initrc_exec_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) + -+type dspam_log_t; -+logging_log_file(dspam_log_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++allow dirsrv_t dirsrv_var_log_t:dir { setattr }; 
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) + -+type dspam_var_lib_t; -+files_type(dspam_var_lib_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) + -+type dspam_var_run_t; -+files_pid_file(dspam_var_run_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file) ++files_setattr_lock_dirs(dirsrv_t) + -+# FIXME -+# /tmp/dspam.sock -+type dspam_tmp_t; -+files_tmp_file(dspam_tmp_t) ++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) + -+######################################## -+# -+# dspam local policy -+# ++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) ++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + -+allow dspam_t self:capability net_admin; ++kernel_read_system_state(dirsrv_t) ++kernel_read_kernel_sysctls(dirsrv_t) + -+allow dspam_t self:process { signal }; ++corecmd_search_bin(dirsrv_t) + -+allow dspam_t self:fifo_file rw_fifo_file_perms; -+allow dspam_t self:unix_stream_socket create_stream_socket_perms; ++corenet_all_recvfrom_netlabel(dirsrv_t) ++corenet_tcp_sendrecv_generic_if(dirsrv_t) ++corenet_tcp_sendrecv_generic_node(dirsrv_t) ++corenet_tcp_sendrecv_all_ports(dirsrv_t) ++corenet_tcp_bind_generic_node(dirsrv_t) ++corenet_tcp_bind_ldap_port(dirsrv_t) ++corenet_tcp_bind_dogtag_port(dirsrv_t) ++corenet_tcp_bind_all_rpc_ports(dirsrv_t) 
++corenet_udp_bind_all_rpc_ports(dirsrv_t) ++corenet_tcp_connect_all_ports(dirsrv_t) ++corenet_sendrecv_ldap_server_packets(dirsrv_t) ++corenet_sendrecv_all_client_packets(dirsrv_t) + -+manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t) -+manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t) ++dev_read_sysfs(dirsrv_t) ++dev_read_urand(dirsrv_t) + -+files_search_var_lib(dspam_t) -+manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) -+manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) ++files_read_etc_files(dirsrv_t) ++files_read_usr_symlinks(dirsrv_t) + -+manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -+manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -+manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) -+files_pid_filetrans(dspam_t, dspam_var_run_t, dir, "dspam") ++fs_getattr_all_fs(dirsrv_t) + -+manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t) -+files_tmp_filetrans(dspam_t, dspam_tmp_t, sock_file) ++auth_use_pam(dirsrv_t) + -+corenet_tcp_connect_spamd_port(dspam_t) -+corenet_tcp_bind_spamd_port(dspam_t) ++logging_send_syslog_msg(dirsrv_t) + -+auth_use_nsswitch(dspam_t) ++sysnet_dns_name_resolve(dirsrv_t) + -+files_search_spool(dspam_t) ++optional_policy(` ++ apache_dontaudit_leaks(dirsrv_t) ++') + -+# for RHEL5 -+libs_use_ld_so(dspam_t) -+libs_use_shared_libs(dspam_t) -+libs_read_lib_files(dspam_t) ++optional_policy(` ++ dirsrvadmin_read_tmp(dirsrv_t) ++') + -+logging_send_syslog_msg(dspam_t) + +optional_policy(` -+ mysql_tcp_connect(dspam_t) -+ mysql_search_db(dspam_t) -+ mysql_stream_connect(dspam_t) ++ kerberos_use(dirsrv_t) ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55") +') + ++# FIPS mode +optional_policy(` -+ postgresql_tcp_connect(dspam_t) -+ postgresql_stream_connect(dspam_t) ++ prelink_exec(dirsrv_t) +') + 
-+####################################### ++optional_policy(` ++ rpcbind_stream_connect(dirsrv_t) ++') ++ ++######################################## +# -+# dspam web local policy. ++# dirsrv-snmp local policy +# ++allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; ++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; + -+optional_policy(` -+ apache_content_template(dspam) ++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) + -+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) ++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) + -+ files_search_var_lib(httpd_dspam_script_t) -+ list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) -+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) + -+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) ++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) ++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) ++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) + -+ term_dontaudit_search_ptys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) -+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) ++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); ++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) + -+ init_read_utmp(httpd_dspam_script_t) ++corenet_tcp_connect_agentx_port(dirsrv_snmp_t) + -+ logging_send_syslog_msg(httpd_dspam_script_t) ++dev_read_rand(dirsrv_snmp_t) ++dev_read_urand(dirsrv_snmp_t) + -+ mta_send_mail(httpd_dspam_script_t) ++domain_use_interactive_fds(dirsrv_snmp_t) + -+ optional_policy(` -+ mysql_tcp_connect(httpd_dspam_script_t) -+ 
mysql_stream_connect(httpd_dspam_script_t) -+ ') ++#files_manage_var_files(dirsrv_snmp_t) ++files_read_etc_files(dirsrv_snmp_t) ++files_read_usr_files(dirsrv_snmp_t) ++ ++fs_getattr_tmpfs(dirsrv_snmp_t) ++fs_search_tmpfs(dirsrv_snmp_t) ++ ++ ++sysnet_read_config(dirsrv_snmp_t) ++sysnet_dns_name_resolve(dirsrv_snmp_t) ++ ++optional_policy(` ++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_manage_var_lib_dirs(dirsrv_snmp_t) ++ snmp_manage_var_lib_files(dirsrv_snmp_t) ++ snmp_stream_connect(dirsrv_snmp_t) +') -diff --git a/entropyd.te b/entropyd.te -index b6ac808..6235eb0 100644 ---- a/entropyd.te -+++ b/entropyd.te -@@ -33,7 +33,7 @@ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) - files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) +diff --git a/distcc.te b/distcc.te +index b441a4d..83fb340 100644 +--- a/distcc.te ++++ b/distcc.te +@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) + kernel_read_system_state(distccd_t) + kernel_read_kernel_sysctls(distccd_t) - kernel_rw_kernel_sysctl(entropyd_t) --kernel_list_proc(entropyd_t) -+kernel_read_system_state(entropyd_t) - kernel_read_proc_symlinks(entropyd_t) +-corenet_all_recvfrom_unlabeled(distccd_t) + corenet_all_recvfrom_netlabel(distccd_t) + corenet_tcp_sendrecv_generic_if(distccd_t) + corenet_tcp_sendrecv_generic_node(distccd_t) +@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t) - dev_read_sysfs(entropyd_t) -@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t) - dev_read_rand(entropyd_t) - dev_write_rand(entropyd_t) + logging_send_syslog_msg(distccd_t) --files_read_etc_files(entropyd_t) - files_read_usr_files(entropyd_t) +-miscfiles_read_localization(distccd_t) +- + userdom_dontaudit_use_unpriv_user_fds(distccd_t) + userdom_dontaudit_search_user_home_dirs(distccd_t) - fs_getattr_all_fs(entropyd_t) -@@ -52,7 +51,7 @@ domain_use_interactive_fds(entropyd_t) +diff --git a/djbdns.if b/djbdns.if +index 
671d3c0..6d36c95 100644 +--- a/djbdns.if ++++ b/djbdns.if +@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',` - logging_send_syslog_msg(entropyd_t) + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; ++ ++ corenet_all_recvfrom_netlabel(djbdns_$1_t) ++ corenet_tcp_sendrecv_generic_if(djbdns_$1_t) ++ corenet_udp_sendrecv_generic_if(djbdns_$1_t) ++ corenet_tcp_sendrecv_generic_node(djbdns_$1_t) ++ corenet_udp_sendrecv_generic_node(djbdns_$1_t) ++ corenet_tcp_sendrecv_all_ports(djbdns_$1_t) ++ corenet_udp_sendrecv_all_ports(djbdns_$1_t) ++ corenet_tcp_bind_generic_node(djbdns_$1_t) ++ corenet_udp_bind_generic_node(djbdns_$1_t) ++ corenet_tcp_bind_dns_port(djbdns_$1_t) ++ corenet_udp_bind_dns_port(djbdns_$1_t) ++ corenet_udp_bind_generic_port(djbdns_$1_t) ++ corenet_sendrecv_dns_server_packets(djbdns_$1_t) ++ corenet_sendrecv_generic_server_packets(djbdns_$1_t) ++ ++ files_search_var(djbdns_$1_t) + ') --miscfiles_read_localization(entropyd_t) -+auth_use_nsswitch(entropyd_t) + ##################################### +diff --git a/djbdns.te b/djbdns.te +index 463d290..2f66c34 100644 +--- a/djbdns.te ++++ b/djbdns.te +@@ -48,11 +48,16 @@ corenet_udp_bind_generic_port(djbdns_domain) - userdom_dontaudit_use_unpriv_user_fds(entropyd_t) - userdom_dontaudit_search_user_home_dirs(entropyd_t) -diff --git a/evolution.te b/evolution.te -index 73cb712..2c6f3bc 100644 ---- a/evolution.te -+++ b/evolution.te -@@ -146,7 +146,6 @@ corecmd_exec_shell(evolution_t) - # Run various programs - corecmd_exec_bin(evolution_t) + files_search_var(djbdns_domain) --corenet_all_recvfrom_unlabeled(evolution_t) - corenet_all_recvfrom_netlabel(evolution_t) - corenet_tcp_sendrecv_generic_if(evolution_t) - corenet_udp_sendrecv_generic_if(evolution_t) -@@ -181,19 +180,17 @@ dev_read_urand(evolution_t) ++daemontools_ipc_domain(djbdns_axfrdns_t) ++daemontools_read_svc(djbdns_axfrdns_t) ++ ++ + 
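Review bot: The block of `corenet_*` calls and `files_search_var(djbdns_$1_t)` added to `djbdns_daemontools_domain_template` is applied to every instantiated `djbdns_$1_t`, yet the djbdns.te context lines `corenet_udp_bind_generic_port(djbdns_domain)` and `files_search_var(djbdns_domain)` show the same rules already hang off the djbdns_domain attribute; if each `djbdns_$1_t` carries that attribute (its declaration is outside this view) the template copy is redundant and should live in one place only. `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_generic_port` are wide grants for a DNS server, so if only some of the instantiated domains need them they belong per-domain in djbdns.te rather than in the shared template. The template body begins outside this hunk.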
######################################## + # + # axfrdns local policy + # - domain_dontaudit_read_all_domains_state(evolution_t) ++ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) + allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms; + allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms; --files_read_etc_files(evolution_t) - files_read_usr_files(evolution_t) - files_read_usr_symlinks(evolution_t) - files_read_var_files(evolution_t) +diff --git a/dkim.fc b/dkim.fc +index 5818418..674367b 100644 +--- a/dkim.fc ++++ b/dkim.fc +@@ -9,7 +9,6 @@ - fs_search_auto_mountpoints(evolution_t) + /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) --logging_send_syslog_msg(evolution_t) -+auth_use_nsswitch(evolution_t) +-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) --miscfiles_read_localization(evolution_t) -+logging_send_syslog_msg(evolution_t) +diff --git a/dmidecode.te b/dmidecode.te +index c947c2c..441d3f4 100644 +--- a/dmidecode.te ++++ b/dmidecode.te +@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t) - sysnet_read_config(evolution_t) --sysnet_dns_name_resolve(evolution_t) + locallogin_use_fds(dmidecode_t) - udev_read_state(evolution_t) +-userdom_use_user_terminals(dmidecode_t) ++userdom_use_inherited_user_terminals(dmidecode_t) +diff --git a/dnsmasq.fc b/dnsmasq.fc +index 23ab808..4a801b5 100644 +--- a/dnsmasq.fc ++++ b/dnsmasq.fc +@@ -2,6 +2,8 @@ -@@ -201,7 +198,7 @@ userdom_rw_user_tmp_files(evolution_t) - userdom_manage_user_tmp_dirs(evolution_t) - userdom_manage_user_tmp_sockets(evolution_t) - userdom_manage_user_tmp_files(evolution_t) --userdom_use_user_terminals(evolution_t) -+userdom_use_inherited_user_terminals(evolution_t) - # FIXME: suppress access to 
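Review bot: `daemontools_ipc_domain(djbdns_axfrdns_t)` and `daemontools_read_svc(djbdns_axfrdns_t)` are inserted above the `# axfrdns local policy` banner that introduces that domain, followed by two blank lines, so they read as part of the preceding generic section; move them below the banner next to the added `ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)` and keep a single blank line. All three calls into the daemontools and ucspitcp modules are unconditional; unless djbdns already lists those modules as hard dependencies, wrap them in `optional_policy(` ... ')` as the other cross-module calls in this patch are.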
.local/.icons/.themes until properly implemented - # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) - # until properly implemented -@@ -357,12 +354,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - dev_read_urand(evolution_alarm_t) ++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) ++ + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) --files_read_etc_files(evolution_alarm_t) - files_read_usr_files(evolution_alarm_t) + /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) +diff --git a/dnsmasq.if b/dnsmasq.if +index 19aa0b8..b303b37 100644 +--- a/dnsmasq.if ++++ b/dnsmasq.if +@@ -10,7 +10,6 @@ + ## + ## + # +-# + interface(`dnsmasq_domtrans',` + gen_require(` + type dnsmasq_exec_t, dnsmasq_t; +@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',` + domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) + ') - fs_search_auto_mountpoints(evolution_alarm_t) ++####################################### ++## ++## Execute dnsmasq server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dnsmasq_exec',` ++ gen_require(` ++ type dnsmasq_exec_t; ++ ') ++ ++ can_exec($1, dnsmasq_exec_t) ++') ++ + ######################################## + ## + ## Execute the dnsmasq init script in +@@ -42,6 +59,29 @@ interface(`dnsmasq_initrc_domtrans',` --miscfiles_read_localization(evolution_alarm_t) -+auth_use_nsswitch(evolution_alarm_t) + ######################################## + ## ++## Execute dnsmasq server in the dnsmasq domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`dnsmasq_systemctl',` ++ gen_require(` ++ type dnsmasq_unit_file_t; ++ type dnsmasq_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 dnsmasq_unit_file_t:file read_file_perms; ++ allow $1 dnsmasq_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, dnsmasq_t) ++') + ++######################################## ++## + ## Send generic signals to dnsmasq. + ## + ## +@@ -145,12 +185,12 @@ interface(`dnsmasq_write_config',` + ## + ## + # +-# + interface(`dnsmasq_delete_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + ++ files_search_pids($1) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') - # Access evolution home - userdom_search_user_home_dirs(evolution_alarm_t) -@@ -439,13 +436,13 @@ corecmd_exec_bin(evolution_exchange_t) +@@ -176,7 +216,7 @@ interface(`dnsmasq_manage_pid_files',` - dev_read_urand(evolution_exchange_t) + ######################################## + ## +-## Read dnsmasq pid files. ++## Read dnsmasq pid files + ## + ## + ## +@@ -184,12 +224,12 @@ interface(`dnsmasq_manage_pid_files',` + ## + ## + # +-# + interface(`dnsmasq_read_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') --files_read_etc_files(evolution_exchange_t) - files_read_usr_files(evolution_exchange_t) ++ files_search_pids($1) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + ') - # Access evolution home - fs_search_auto_mountpoints(evolution_exchange_t) +@@ -214,37 +254,46 @@ interface(`dnsmasq_create_pid_dirs',` --miscfiles_read_localization(evolution_exchange_t) -+auth_use_nsswitch(evolution_exchange_t) -+ + ######################################## + ## +-## Create specified objects in specified +-## directories with a type transition to +-## the dnsmasq pid file type. ++## Transition to dnsmasq named content + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## Directory to transition on. 
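Review bot: The summary on the new `dnsmasq_systemctl` interface, `## Execute dnsmasq server in the dnsmasq domain.`, describes dnsmasq_domtrans rather than an interface that calls `systemd_exec_systemctl($1)` and grants `manage_service_perms` on dnsmasq_unit_file_t; change it to `## Execute systemctl to manage the dnsmasq unit file and service.`. Because the interface also hands the caller `ps_process_pattern($1, dnsmasq_t)`, a one-line comment saying it is intended for administrative callers would help readers of dnsmasq_admin, which invokes it later in this file. The `dnsmasq_exec` interface added in the preceding hunk has an accurate summary and can serve as the model.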
+-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## The type of the directory for the object to be created. + ## + ## + # +-interface(`dnsmasq_spec_filetrans_pid',` ++interface(`dnsmasq_filetrans_named_content_fromdir',` + gen_require(` + type dnsmasq_var_run_t; + ') - userdom_write_user_tmp_sockets(evolution_exchange_t) - # Access evolution home -@@ -506,7 +503,6 @@ kernel_read_system_state(evolution_server_t) - corecmd_exec_shell(evolution_server_t) +- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4) ++ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") ++ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") ++') ++ ++####################################### ++## ++## Transition to dnsmasq named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_filetrans_named_content',` ++ gen_require(` ++ type dnsmasq_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network") ++ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid") ++ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network") + ') - # Obtain weather data via http (read server name from xml file in /usr) --corenet_all_recvfrom_unlabeled(evolution_server_t) - corenet_all_recvfrom_netlabel(evolution_server_t) - corenet_tcp_sendrecv_generic_if(evolution_server_t) - corenet_tcp_sendrecv_generic_node(evolution_server_t) -@@ -519,19 +515,18 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t) + ######################################## +@@ -267,12 +316,17 @@ interface(`dnsmasq_spec_filetrans_pid',` + interface(`dnsmasq_admin',` + gen_require(` + type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; +- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ++ type dnsmasq_initrc_exec_t; ++ type dnsmasq_unit_file_t; + ') - dev_read_urand(evolution_server_t) +- allow $1 dnsmasq_t:process { ptrace signal_perms }; ++ allow $1 
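Review bot: `dnsmasq_filetrans_named_content` creates `"network"` as a `dir` through `files_pid_filetrans` but as a `file` through `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")`, and the sibling `dnsmasq_filetrans_named_content_fromdir` also uses `dir`; one of the classes is wrong, most likely the virt one, so `virt_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")`. That virt call sits unconditionally inside a dnsmasq interface, so expanding it fails on a build without the virt module unless dnsmasq already requires it. The hunk also renames `dnsmasq_spec_filetrans_pid` to `dnsmasq_filetrans_named_content_fromdir` and drops its class and name parameters ($3, $4), so any caller of the old interface outside this patch will no longer build; a note in the commit message or a compatibility wrapper would be appropriate.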
dnsmasq_t:process signal_perms; + ps_process_pattern($1, dnsmasq_t) --files_read_etc_files(evolution_server_t) - # Obtain weather data via http (read server name from xml file in /usr) - files_read_usr_files(evolution_server_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dnsmasq_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dnsmasq_initrc_exec_t system_r; +@@ -286,4 +340,8 @@ interface(`dnsmasq_admin',` - fs_search_auto_mountpoints(evolution_server_t) + files_list_pids($1) + admin_pattern($1, dnsmasq_var_run_t) ++ ++ dnsmasq_systemctl($1) ++ admin_pattern($1, dnsmasq_unit_file_t) ++ allow $1 dnsmasq_unit_file_t:service all_service_perms; + ') +diff --git a/dnsmasq.te b/dnsmasq.te +index ba14bcf..f33d9f5 100644 +--- a/dnsmasq.te ++++ b/dnsmasq.te +@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) + type dnsmasq_var_run_t; + files_pid_file(dnsmasq_var_run_t) --miscfiles_read_localization(evolution_server_t) -+auth_use_nsswitch(evolution_server_t) ++type dnsmasq_unit_file_t; ++systemd_unit_file(dnsmasq_unit_file_t) + - # Look in /etc/pki - miscfiles_read_generic_certs(evolution_server_t) + ######################################## + # + # Local policy +@@ -56,7 +59,6 @@ kernel_read_network_state(dnsmasq_t) + kernel_read_system_state(dnsmasq_t) + kernel_request_load_module(dnsmasq_t) + +-corenet_all_recvfrom_unlabeled(dnsmasq_t) + corenet_all_recvfrom_netlabel(dnsmasq_t) + corenet_tcp_sendrecv_generic_if(dnsmasq_t) + corenet_udp_sendrecv_generic_if(dnsmasq_t) +@@ -88,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t) + + logging_send_syslog_msg(dnsmasq_t) + +-miscfiles_read_localization(dnsmasq_t) +- + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - # Talk to ldap (address book) - sysnet_read_config(evolution_server_t) --sysnet_dns_name_resolve(evolution_server_t) - sysnet_use_ldap(evolution_server_t) +@@ -98,11 +98,24 @@ 
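Review bot: `dnsmasq_admin`'s `gen_require` no longer lists `dnsmasq_var_log_t`, but the middle of the interface lies between this hunk and the `@@ -286,4 +340,8 @@` hunk that follows; if it still contains `admin_pattern($1, dnsmasq_var_log_t)` (the type remains declared in dnsmasq.te, see `logging_log_file(dnsmasq_var_log_t)` in the next file), callers from other modules will fail to build because the type is referenced without being required. Either remove that rule deliberately in the same hunk or keep `type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;`. The interface body starts before and ends after this hunk.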
optional_policy(` + ') - # Access evolution home -@@ -573,7 +568,6 @@ allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_per - allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; - fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + optional_policy(` ++ cron_manage_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(dnsmasq_t) + dbus_system_bus_client(dnsmasq_t) + ') --corenet_all_recvfrom_unlabeled(evolution_webcal_t) - corenet_all_recvfrom_netlabel(evolution_webcal_t) - corenet_tcp_sendrecv_generic_if(evolution_webcal_t) - corenet_raw_sendrecv_generic_if(evolution_webcal_t) -@@ -586,9 +580,9 @@ corenet_tcp_connect_http_port(evolution_webcal_t) - corenet_sendrecv_http_client_packets(evolution_webcal_t) - corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) + optional_policy(` ++ networkmanager_read_conf(dnsmasq_t) ++ networkmanager_read_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` ++ ppp_read_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + networkmanager_read_pid_files(dnsmasq_t) + ') --# Networking capability - connect to website and handle ics link -+auth_use_nsswitch(evolution_webcal_t) -+ - sysnet_read_config(evolution_webcal_t) --sysnet_dns_name_resolve(evolution_webcal_t) +@@ -124,6 +137,7 @@ optional_policy(` - # Search home directory (?) 
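Review bot: The new `optional_policy` block with `networkmanager_read_conf(dnsmasq_t)` and `networkmanager_read_pid_files(dnsmasq_t)` leaves the pre-existing block containing `networkmanager_read_pid_files(dnsmasq_t)` in place two blocks later, so that call is now duplicated; add `networkmanager_read_conf` to the existing block instead of introducing a second one. `cron_manage_pid_files(dnsmasq_t)` lets a DNS/DHCP daemon create and delete another service's runtime files, which is wider than the pid-directory access the rest of this hunk grants; if the motivation is a mislabelled file under /var/run, a named file transition (this patch already adds `dnsmasq_filetrans_named_content` in dnsmasq.if) would be the narrower fix, and either way a one-line comment on the rule stating the reason would help.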
- userdom_search_user_home_dirs(evolution_webcal_t) -diff --git a/exim.fc b/exim.fc -index 298f066..02c2561 100644 ---- a/exim.fc -+++ b/exim.fc -@@ -1,4 +1,9 @@ + optional_policy(` + virt_manage_lib_files(dnsmasq_t) ++ virt_read_lib_files(dnsmasq_t) + virt_read_pid_files(dnsmasq_t) + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + ') +diff --git a/dnssec.fc b/dnssec.fc +new file mode 100644 +index 0000000..9e231a8 +--- /dev/null ++++ b/dnssec.fc +@@ -0,0 +1,3 @@ ++/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) + -+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) ++/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) +diff --git a/dnssec.if b/dnssec.if +new file mode 100644 +index 0000000..a952041 +--- /dev/null ++++ b/dnssec.if +@@ -0,0 +1,64 @@ + - /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) -+/usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) ++## policy for dnssec_trigger + - /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) - /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) - /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) -diff --git a/exim.if b/exim.if -index 6bef7f8..ba138e8 100644 ---- a/exim.if -+++ b/exim.if -@@ -20,6 +20,49 @@ interface(`exim_domtrans',` - - ######################################## - ## -+## Execute the mailman program in the mailman domain. ++######################################## ++## ++## Transition to dnssec_trigger. +## +## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## The role to allow the mailman domain. -+## ++## ++## Domain allowed to transition. 
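Review bot: dnssec.fc labels `/usr/sbin/dnssec-triggerd` as dnssec_trigger_exec_t while the same patch still carries a dnssectrigger.te module whose domain dnssec_triggerd_t is edited a few hunks later, so the tree appears to gain two modules for one daemon. If dnssectrigger.fc (not in this view) labels the same path, the two file contexts conflict and the domain the daemon runs in depends on which module wins; if the new dnssec module is meant to replace the old one, the old .fc/.if/.te should be removed in this patch. The `/var/run/dnssec.*` pattern is also broad; if the daemon's runtime files share a longer common prefix, anchoring on it would avoid catching unrelated entries.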
++## +## -+## +# -+interface(`exim_run',` -+ gen_require(` -+ type exim_t; -+ ') ++interface(`dnssec_trigger_domtrans',` ++ gen_require(` ++ type dnssec_trigger_t, dnssec_trigger_exec_t; ++ ') + -+ exim_domtrans($1) -+ role $2 types exim_t; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t) +') -+ +######################################## +## -+## Execute exim in the exim domain. ++## Read dnssec_trigger PID files. +## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`exim_initrc_domtrans',` ++interface(`dnssec_trigger_read_pid_files',` + gen_require(` -+ type exim_initrc_exec_t; ++ type dnssec_trigger_var_run_t; + ') + -+ init_labeled_script_domtrans($1, exim_initrc_exec_t) ++ files_search_pids($1) ++ allow $1 dnssec_trigger_var_run_t:file read_file_perms; +') + -+######################################## -+## - ## Do not audit attempts to read, - ## exim tmp files - ## -@@ -194,3 +237,49 @@ interface(`exim_manage_spool_files',` - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) - ') + +######################################## +## +## All of the rules required to administrate -+## an exim environment. ++## an dnssec_trigger environment +## +## +## +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. 
-+## -+## +# -+interface(`exim_admin',` ++interface(`dnssec_trigger_admin',` + gen_require(` -+ type exim_t, exim_initrc_exec_t, exim_log_t; -+ type exim_tmp_t, exim_spool_t, exim_var_run_t; ++ type dnssec_trigger_t; ++ type dnssec_trigger_var_run_t; + ') + -+ allow $1 exim_t:process signal_perms; -+ ps_process_pattern($1, exim_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 exim_t:process ptrace; -+ ') ++ allow $1 dnssec_trigger_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, dnssec_trigger_t) + -+ exim_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 exim_initrc_exec_t system_r; -+ allow $2 system_r; ++ files_search_pids($1) ++ admin_pattern($1, dnssec_trigger_var_run_t) ++') +diff --git a/dnssec.te b/dnssec.te +new file mode 100644 +index 0000000..25daf6c +--- /dev/null ++++ b/dnssec.te +@@ -0,0 +1,59 @@ ++policy_module(dnssec, 1.0.0) + -+ logging_list_logs($1) -+ admin_pattern($1, exim_log_t) ++######################################## ++# ++# Declarations ++# + -+ files_list_tmp($1) -+ admin_pattern($1, exim_tmp_t) ++type dnssec_trigger_t; ++type dnssec_trigger_exec_t; ++init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) + -+ files_list_spool($1) -+ admin_pattern($1, exim_spool_t) ++type dnssec_trigger_var_run_t; ++files_pid_file(dnssec_trigger_var_run_t) + -+ files_list_pids($1) -+ admin_pattern($1, exim_var_run_t) ++######################################## ++# ++# dnssec_trigger local policy ++# ++allow dnssec_trigger_t self:capability linux_immutable; ++allow dnssec_trigger_t self:process signal; ++allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms; ++allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms; ++allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms; ++allow dnssec_trigger_t self:udp_socket create_socket_perms; ++ ++manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++manage_files_pattern(dnssec_trigger_t, 
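Review bot: `dnssec_trigger_admin` grants `allow $1 dnssec_trigger_t:process { ptrace signal_perms };` unconditionally, whereas the other admin interfaces this patch touches (dnsmasq_admin, dovecot_admin, exim_admin, fail2ban_admin) grant `signal_perms` alone and put ptrace under the `deny_ptrace` tunable. For consistency write `allow $1 dnssec_trigger_t:process signal_perms;` and gate the ptrace rule inside `tunable_policy(` with `deny_ptrace` exactly as dnsmasq_admin does in the hunk above. The summary line `## an dnssec_trigger environment` should read `## a dnssec_trigger environment.`.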
dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) ++files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) ++ ++kernel_read_system_state(dnssec_trigger_t) ++ ++corecmd_exec_bin(dnssec_trigger_t) ++corecmd_exec_shell(dnssec_trigger_t) ++ ++corenet_tcp_bind_generic_node(dnssec_trigger_t) ++corenet_tcp_bind_dnssec_port(dnssec_trigger_t) ++corenet_tcp_connect_rndc_port(dnssec_trigger_t) ++corenet_tcp_connect_http_port(dnssec_trigger_t) ++ ++dev_read_urand(dnssec_trigger_t) ++ ++domain_use_interactive_fds(dnssec_trigger_t) ++ ++files_read_etc_runtime_files(dnssec_trigger_t) ++files_read_etc_files(dnssec_trigger_t) ++ ++logging_send_syslog_msg(dnssec_trigger_t) ++ ++auth_read_passwd(dnssec_trigger_t) ++ ++sysnet_dns_name_resolve(dnssec_trigger_t) ++sysnet_manage_config(dnssec_trigger_t) ++ ++optional_policy(` ++ bind_read_config(dnssec_trigger_t) ++ bind_read_dnssec_keys(dnssec_trigger_t) +') -diff --git a/exim.te b/exim.te -index f28f64b..91758d5 100644 ---- a/exim.te -+++ b/exim.te -@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) - application_executable_file(exim_exec_t) - mta_agent_executable(exim_exec_t) - -+type exim_initrc_exec_t; -+init_script_file(exim_initrc_exec_t) + - type exim_log_t; - logging_log_file(exim_log_t) - - type exim_spool_t; --files_type(exim_spool_t) -+files_spool_file(exim_spool_t) - - type exim_tmp_t; - files_tmp_file(exim_tmp_t) -@@ -79,11 +82,10 @@ files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(exim_t) - kernel_read_network_state(exim_t) --kernel_dontaudit_read_system_state(exim_t) -+kernel_read_system_state(exim_t) ++ +diff --git a/dnssectrigger.te b/dnssectrigger.te +index ef36d73..fddd51f 100644 +--- a/dnssectrigger.te ++++ b/dnssectrigger.te +@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) - corecmd_search_bin(exim_t) + logging_send_syslog_msg(dnssec_triggerd_t) --corenet_all_recvfrom_unlabeled(exim_t) - corenet_all_recvfrom_netlabel(exim_t) - 
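Review bot: `allow dnssec_trigger_t self:capability linux_immutable;` is the one unusual grant in this new domain and carries no comment; together with `sysnet_manage_config(dnssec_trigger_t)` it presumably exists so the daemon can set and clear the immutable attribute on the resolver configuration it rewrites — confirm and record it, e.g. `# linux_immutable: toggles the immutable attribute on the resolver config it manages`. If the existing dnssectrigger.te module has the same rule, the same comment belongs there, and the two modules should not both stay in the tree (see the dnssec.fc note).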
corenet_tcp_sendrecv_generic_if(exim_t) - corenet_udp_sendrecv_generic_if(exim_t) -@@ -108,7 +110,7 @@ domain_use_interactive_fds(exim_t) +-miscfiles_read_localization(dnssec_triggerd_t) +- + sysnet_dns_name_resolve(dnssec_triggerd_t) + sysnet_manage_config(dnssec_triggerd_t) + sysnet_etc_filetrans_config(dnssec_triggerd_t) +diff --git a/dovecot.fc b/dovecot.fc +index c880070..4448055 100644 +--- a/dovecot.fc ++++ b/dovecot.fc +@@ -1,36 +1,48 @@ +-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) +-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - files_search_usr(exim_t) - files_search_var(exim_t) --files_read_etc_files(exim_t) -+files_read_usr_files(exim_t) - files_read_etc_runtime_files(exim_t) - files_getattr_all_mountpoints(exim_t) +-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) +-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) +- +-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) ++# ++# /etc ++# ++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) ++/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) ++/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) -@@ -119,7 +121,6 @@ auth_use_nsswitch(exim_t) ++/etc/pki/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_cert_t,s0) + /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - logging_send_syslog_msg(exim_t) +-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) ++# Debian uses /etc/dovecot/ ++ifdef(`distro_debian',` ++/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) ++') --miscfiles_read_localization(exim_t) - miscfiles_read_generic_certs(exim_t) +-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) ++# ++# /usr ++# ++/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - userdom_dontaudit_search_user_home_dirs(exim_t) -@@ -162,6 +163,10 @@ optional_policy(` - ') +-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) ++/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) ++/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - optional_policy(` -+ dovecot_stream_connect(exim_t) +-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++ifdef(`distro_debian', ` + /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +') -+ -+optional_policy(` - kerberos_keytab_template(exim, exim_t) - ') - -@@ -171,6 +176,10 @@ optional_policy(` - ') - optional_policy(` -+ nagios_search_spool(exim_t) +-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++ifdef(`distro_redhat', ` ++/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) + /usr/libexec/dovecot/deliver -- 
gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +') -+ -+optional_policy(` - tunable_policy(`exim_can_connect_db',` - mysql_stream_connect(exim_t) - ') -@@ -184,6 +193,7 @@ optional_policy(` - optional_policy(` - procmail_domtrans(exim_t) -+ procmail_read_home_files(exim_t) - ') +-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++# ++# /var ++# ++/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - optional_policy(` -diff --git a/fail2ban.fc b/fail2ban.fc -index 0de2b83..6de0fca 100644 ---- a/fail2ban.fc -+++ b/fail2ban.fc -@@ -4,5 +4,5 @@ - /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) --/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) -+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) - /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) -diff --git a/fail2ban.if b/fail2ban.if -index f590a1f..b1b13b0 100644 ---- a/fail2ban.if -+++ b/fail2ban.if -@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',` +-/var/log/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_var_log_t,s0) +-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) ++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - ######################################## - ## --## Read and write to an fail2ban unix stream socket. -+## Read and write inherited temporary files. +-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) ++/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +diff --git a/dovecot.if b/dovecot.if +index dbcac59..66d42bb 100644 +--- a/dovecot.if ++++ b/dovecot.if +@@ -1,29 +1,49 @@ +-## POP and IMAP mail server. ++## Dovecot POP and IMAP mail server ++ ++###################################### ++## ++## Creates types and rules for a basic ++## dovecot daemon domain. +## -+## -+## -+## Domain allowed access. -+## ++## ++## ++## Prefix for the domain. ++## +## +# -+interface(`fail2ban_rw_inherited_tmp_files',` ++template(`dovecot_basic_types_template',` + gen_require(` -+ type fail2ban_tmp_t; ++ attribute dovecot_domain; + ') + -+ files_search_tmp($1) -+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; -+') ++ type $1_t, dovecot_domain; ++ type $1_exec_t; + -+######################################## -+## -+## Read and write to an fail2ba unix stream socket. ++ kernel_read_system_state($1_t) ++') + + ####################################### + ## +-## Connect to dovecot using a unix +-## domain stream socket. ++## Connect to dovecot unix domain stream socket. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
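Review bot: `/etc/dovecot/passwd.*` was labelled dovecot_passwd_t unconditionally and is now emitted only inside the `ifdef(`distro_debian',` block, so on every other distribution those files fall through to `/etc/dovecot(/.*)?` and get dovecot_etc_t. Credential files then share a type with ordinary configuration and become readable by every domain granted dovecot config access; if the narrower type was only wrong on non-Debian layouts, say so in the comment above the ifdef, otherwise keep the unconditional line. The second `ifdef(`distro_debian', `` and the `ifdef(`distro_redhat', `` blocks also use a different spacing after the comma from the first; pick one form.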
++## + ## + # + interface(`dovecot_stream_connect',` +- gen_require(` +- type dovecot_t, dovecot_var_run_t; +- ') ++ gen_require(` ++ type dovecot_t, dovecot_var_run_t; ++ ') + +- files_search_pids($1) +- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) + ') + + ######################################## + ## +-## Connect to dovecot using a unix +-## domain stream socket. ++## Connect to dovecot auth unix domain stream socket. + ## + ## + ## +@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',` + + ######################################## + ## +-## Execute dovecot_deliver in the +-## dovecot_deliver domain. ++## Execute dovecot_deliver in the dovecot_deliver domain. ## ## ## -@@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',` +@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',` + type dovecot_deliver_t, dovecot_deliver_exec_t; ') - files_search_var_lib($1) -- allow $1 fail2ban_var_lib_t:file read_file_perms; -+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) +- corecmd_search_bin($1) + domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ') ######################################## -@@ -138,6 +157,26 @@ interface(`fail2ban_read_pid_files',` + ## +-## Create, read, write, and delete +-## dovecot spool files. ++## Create, read, write, and delete the dovecot spool files. 
+ ## + ## + ## +@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',` + ') + + files_search_spool($1) +- allow $1 dovecot_spool_t:dir manage_dir_perms; +- allow $1 dovecot_spool_t:file manage_file_perms; +- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; ++ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ++ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + ') ######################################## ## -+## dontaudit read and write an leaked file descriptors -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fail2ban_dontaudit_leaks',` -+ gen_require(` -+ type fail2ban_t; -+ ') -+ -+ dontaudit $1 fail2ban_t:tcp_socket { read write }; -+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; -+ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an fail2ban environment +-## Do not audit attempts to delete +-## dovecot lib files. ++## Do not audit attempts to delete dovecot lib files. + ## + ## + ## +@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',` + type dovecot_var_lib_t; + ') + +- dontaudit $1 dovecot_var_lib_t:file delete_file_perms; ++ dontaudit $1 dovecot_var_lib_t:file unlink; + ') + + ###################################### + ## +-## Write inherited dovecot tmp files. ++## Allow attempts to write inherited ++## dovecot tmp files. ## -@@ -155,12 +194,16 @@ interface(`fail2ban_read_pid_files',` + ## + ## +@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an dovecot environment. ++## All of the rules required to administrate ++## an dovecot environment + ## + ## + ## +@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the dovecot domain. 
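Review bot: Replacing `allow $1 dovecot_spool_t:dir manage_dir_perms;` with `manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)` narrows `dovecot_manage_spool`: the pattern gives the caller only rw_dir_perms on the directory, so creating or removing subdirectories in the spool (Maildir cur/new/tmp layouts) is no longer allowed despite the interface's name. Unless that narrowing is intended, add `manage_dirs_pattern($1, dovecot_spool_t, dovecot_spool_t)` ahead of the two added lines. The interface is complete within this hunk.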
+ ## + ## + ## # - interface(`fail2ban_admin',` + interface(`dovecot_admin',` gen_require(` -- type fail2ban_t, fail2ban_log_t; -- type fail2ban_var_run_t, fail2ban_initrc_exec_t; -+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; -+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; -+ type fail2ban_client_t; +- type dovecot_t, dovecot_etc_t, dovecot_var_log_t; +- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; +- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t; +- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; ++ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; ++ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; ++ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; ++ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') -- allow $1 fail2ban_t:process { ptrace signal_perms }; -- ps_process_pattern($1, fail2ban_t) -+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; -+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) +- allow $1 dovecot_t:process { ptrace signal_perms }; ++ allow $1 dovecot_t:process signal_perms; + ps_process_pattern($1, dovecot_t) + tunable_policy(`deny_ptrace',`',` -+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; ++ allow $1 dovecot_t:process ptrace; + ') - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) -@@ -172,4 +215,10 @@ interface(`fail2ban_admin',` +@@ -156,20 +175,25 @@ interface(`dovecot_admin',` + files_list_etc($1) + admin_pattern($1, dovecot_etc_t) - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, fail2ban_var_lib_t) -+ +- logging_list_logs($1) +- admin_pattern($1, dovecot_var_log_t) + files_list_tmp($1) -+ admin_pattern($1, fail2ban_tmp_t) - ') -diff --git a/fail2ban.te b/fail2ban.te -index 2a69e5e..5dccf2c 100644 ---- a/fail2ban.te -+++ 
b/fail2ban.te -@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) - type fail2ban_var_run_t; - files_pid_file(fail2ban_var_run_t) ++ admin_pattern($1, dovecot_auth_tmp_t) ++ admin_pattern($1, dovecot_tmp_t) ++ ++ admin_pattern($1, dovecot_keytab_t) + + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + +- files_search_tmp($1) +- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) +- + files_list_var_lib($1) + admin_pattern($1, dovecot_var_lib_t) -+type fail2ban_tmp_t; -+files_tmp_file(fail2ban_tmp_t) ++ logging_search_logs($1) ++ admin_pattern($1, dovecot_var_log_t) + -+type fail2ban_client_t; -+type fail2ban_client_exec_t; -+init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t) + files_list_pids($1) + admin_pattern($1, dovecot_var_run_t) + +- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) ++ admin_pattern($1, dovecot_cert_t) + ++ admin_pattern($1, dovecot_passwd_t) + ') +diff --git a/dovecot.te b/dovecot.te +index a7bfaf0..6344853 100644 +--- a/dovecot.te ++++ b/dovecot.te +@@ -1,4 +1,4 @@ +-policy_module(dovecot, 1.15.6) ++policy_module(dovecot, 1.14.0) + ######################################## # --# fail2ban local policy -+# fail2ban server local policy +@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6) + + attribute dovecot_domain; + +-type dovecot_t, dovecot_domain; +-type dovecot_exec_t; ++dovecot_basic_types_template(dovecot) + init_daemon_domain(dovecot_t, dovecot_exec_t) + +-type dovecot_auth_t, dovecot_domain; +-type dovecot_auth_exec_t; ++dovecot_basic_types_template(dovecot_auth) + domain_type(dovecot_auth_t) + domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) + role system_r types dovecot_auth_t; +@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t) + type dovecot_cert_t; + miscfiles_cert_type(dovecot_cert_t) + +-type dovecot_deliver_t, dovecot_domain; +-type dovecot_deliver_exec_t; ++dovecot_basic_types_template(dovecot_deliver) + domain_type(dovecot_deliver_t) + 
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) + role system_r types dovecot_deliver_t; +@@ -42,11 +39,12 @@ type dovecot_passwd_t; + files_type(dovecot_passwd_t) + + type dovecot_spool_t; +-files_type(dovecot_spool_t) ++files_spool_file(dovecot_spool_t) + + type dovecot_tmp_t; + files_tmp_file(dovecot_tmp_t) + ++# /var/lib/dovecot holds SSL parameters file + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) + +@@ -56,20 +54,17 @@ logging_log_file(dovecot_var_log_t) + type dovecot_var_run_t; + files_pid_file(dovecot_var_run_t) + +-######################################## ++####################################### + # +-# Common local policy ++# dovecot domain local policy # --allow fail2ban_t self:capability { sys_tty_config }; -+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; - allow fail2ban_t self:process signal; - allow fail2ban_t self:fifo_file rw_fifo_file_perms; - allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; - allow fail2ban_t self:tcp_socket create_stream_socket_perms; + allow dovecot_domain self:capability2 block_suspend; +-allow dovecot_domain self:fifo_file rw_fifo_file_perms; - # log files --allow fail2ban_t fail2ban_log_t:dir setattr; -+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms; - manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) - logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) +-allow dovecot_domain dovecot_etc_t:dir list_dir_perms; +-allow dovecot_domain dovecot_etc_t:file read_file_perms; +-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms; ++allow dovecot_domain self:unix_dgram_socket create_socket_perms; ++allow dovecot_domain self:fifo_file rw_fifo_file_perms; -@@ -50,12 +57,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) - manage_files_pattern(fail2ban_t, fail2ban_var_run_t, 
fail2ban_var_run_t) - files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) + kernel_read_all_sysctls(dovecot_domain) +-kernel_read_system_state(dovecot_domain) -+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) -+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) + corecmd_exec_bin(dovecot_domain) + corecmd_exec_shell(dovecot_domain) +@@ -78,37 +73,46 @@ dev_read_sysfs(dovecot_domain) + dev_read_rand(dovecot_domain) + dev_read_urand(dovecot_domain) + ++# Dovecot now has quota support and it uses getmntent() to find the mountpoints. + files_read_etc_runtime_files(dovecot_domain) + +-logging_send_syslog_msg(dovecot_domain) +- +-miscfiles_read_localization(dovecot_domain) +- + ######################################## + # +-# Local policy ++# dovecot local policy + # + +-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; ++allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot }; + dontaudit dovecot_t self:capability sys_tty_config; + allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; +-allow dovecot_t self:tcp_socket { accept listen }; +-allow dovecot_t self:unix_stream_socket { accept connectto listen }; ++allow dovecot_t self:tcp_socket create_stream_socket_perms; ++allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; + - kernel_read_system_state(fail2ban_t) ++domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) ++ ++allow dovecot_t dovecot_auth_t:process signal; - corecmd_exec_bin(fail2ban_t) - corecmd_exec_shell(fail2ban_t) + allow dovecot_t dovecot_cert_t:dir list_dir_perms; +-allow dovecot_t dovecot_cert_t:file read_file_perms; +-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; 
++read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) ++read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) ++ ++allow dovecot_t dovecot_etc_t:dir list_dir_perms; ++read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) ++files_search_etc(dovecot_t) ++ ++can_exec(dovecot_t, dovecot_exec_t) --corenet_all_recvfrom_unlabeled(fail2ban_t) - corenet_all_recvfrom_netlabel(fail2ban_t) - corenet_tcp_sendrecv_generic_if(fail2ban_t) - corenet_tcp_sendrecv_generic_node(fail2ban_t) -@@ -66,8 +77,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) - dev_read_urand(fail2ban_t) + manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) + manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) + files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) + ++# Allow dovecot to create and read SSL parameters file + manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) ++files_search_var_lib(dovecot_t) ++files_read_var_symlinks(dovecot_t) + + manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) + logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) + + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -122,43 +126,33 @@ manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) + +-can_exec(dovecot_t, dovecot_exec_t) +- +-allow dovecot_t dovecot_auth_t:process signal; +- +-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) +- 
+-corenet_all_recvfrom_unlabeled(dovecot_t) + corenet_all_recvfrom_netlabel(dovecot_t) + corenet_tcp_sendrecv_generic_if(dovecot_t) + corenet_tcp_sendrecv_generic_node(dovecot_t) + corenet_tcp_sendrecv_all_ports(dovecot_t) + corenet_tcp_bind_generic_node(dovecot_t) +- +-corenet_sendrecv_mail_server_packets(dovecot_t) + corenet_tcp_bind_mail_port(dovecot_t) +-corenet_sendrecv_pop_server_packets(dovecot_t) + corenet_tcp_bind_pop_port(dovecot_t) +-corenet_sendrecv_sieve_server_packets(dovecot_t) ++corenet_tcp_bind_lmtp_port(dovecot_t) + corenet_tcp_bind_sieve_port(dovecot_t) +- +-corenet_sendrecv_all_client_packets(dovecot_t) + corenet_tcp_connect_all_ports(dovecot_t) + corenet_tcp_connect_postgresql_port(dovecot_t) ++corenet_sendrecv_pop_server_packets(dovecot_t) ++corenet_sendrecv_all_client_packets(dovecot_t) ++ ++fs_getattr_all_fs(dovecot_t) ++fs_getattr_all_dirs(dovecot_t) ++fs_search_auto_mountpoints(dovecot_t) ++fs_list_inotifyfs(dovecot_t) + + domain_use_interactive_fds(dovecot_t) + +-files_read_var_lib_files(dovecot_t) +-files_read_var_symlinks(dovecot_t) + files_search_spool(dovecot_t) ++files_search_tmp(dovecot_t) + files_dontaudit_list_default(dovecot_t) + files_dontaudit_search_all_dirs(dovecot_t) + files_search_all_mountpoints(dovecot_t) +- +-fs_getattr_all_fs(dovecot_t) +-fs_getattr_all_dirs(dovecot_t) +-fs_search_auto_mountpoints(dovecot_t) +-fs_list_inotifyfs(dovecot_t) ++files_read_var_lib_files(dovecot_t) + + init_getattr_utmp(dovecot_t) - domain_use_interactive_fds(fail2ban_t) -+domain_dontaudit_read_all_domains_state(fail2ban_t) +@@ -166,36 +160,29 @@ auth_use_nsswitch(dovecot_t) + + miscfiles_read_generic_certs(dovecot_t) + +-userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +-userdom_use_user_terminals(dovecot_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(dovecot_t) +- fs_manage_nfs_files(dovecot_t) +- fs_manage_nfs_symlinks(dovecot_t) +-') ++logging_send_syslog_msg(dovecot_t) + +-tunable_policy(`use_samba_home_dirs',` +- 
fs_manage_cifs_dirs(dovecot_t) +- fs_manage_cifs_files(dovecot_t) +- fs_manage_cifs_symlinks(dovecot_t) +-') ++userdom_home_manager(dovecot_t) ++userdom_dontaudit_use_unpriv_user_fds(dovecot_t) ++userdom_manage_user_home_content_dirs(dovecot_t) ++userdom_manage_user_home_content_files(dovecot_t) ++userdom_manage_user_home_content_symlinks(dovecot_t) ++userdom_manage_user_home_content_pipes(dovecot_t) ++userdom_manage_user_home_content_sockets(dovecot_t) ++userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) --files_read_etc_files(fail2ban_t) - files_read_etc_runtime_files(fail2ban_t) - files_read_usr_files(fail2ban_t) - files_list_var(fail2ban_t) -@@ -81,10 +92,11 @@ auth_use_nsswitch(fail2ban_t) - logging_read_all_logs(fail2ban_t) - logging_send_syslog_msg(fail2ban_t) + optional_policy(` +- kerberos_keytab_template(dovecot, dovecot_t) +- kerberos_manage_host_rcache(dovecot_t) +- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") ++ mta_manage_home_rw(dovecot_t) ++ mta_manage_spool(dovecot_t) + ') --miscfiles_read_localization(fail2ban_t) -- - mta_send_mail(fail2ban_t) + optional_policy(` +- mta_manage_spool(dovecot_t) +- mta_manage_mail_home_rw_content(dovecot_t) +- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") +- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") ++ kerberos_keytab_template(dovecot_t, dovecot_t) ++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") + ') -+sysnet_manage_config(fail2ban_t) -+sysnet_filetrans_named_content(fail2ban_t) -+ optional_policy(` - apache_read_log(fail2ban_t) +- postgresql_stream_connect(dovecot_t) ++ gnome_manage_data(dovecot_t) ') -@@ -94,5 +106,43 @@ optional_policy(` + + optional_policy(` +@@ -204,6 +191,11 @@ optional_policy(` ') optional_policy(` -+ gnome_dontaudit_search_config(fail2ban_t) ++ postgresql_stream_connect(dovecot_t) +') + +optional_policy(` - iptables_domtrans(fail2ban_t) ++ # Handle sieve scripts + 
sendmail_domtrans(dovecot_t) ') -+ -+optional_policy(` -+ libs_exec_ldconfig(fail2ban_t) -+') -+ -+optional_policy(` -+ shorewall_domtrans(fail2ban_t) -+') -+ -+######################################## -+# -+# fail2ban client local policy -+# -+ -+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) -+ -+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) -+ -+kernel_read_system_state(fail2ban_client_t) -+ -+# python -+corecmd_exec_bin(fail2ban_client_t) -+ -+# nsswitch.conf, passwd -+files_read_usr_files(fail2ban_client_t) -+files_search_pids(fail2ban_client_t) -+ -+auth_read_passwd(fail2ban_client_t) -+ -+ -+optional_policy(` -+ gnome_dontaudit_search_config(fail2ban_client_t) -+') -+ -diff --git a/fcoemon.fc b/fcoemon.fc -new file mode 100644 -index 0000000..83279fb ---- /dev/null -+++ b/fcoemon.fc -@@ -0,0 +1,5 @@ -+ -+/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0) -+ -+/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0) -+/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0) -diff --git a/fcoemon.if b/fcoemon.if -new file mode 100644 -index 0000000..33508c1 ---- /dev/null -+++ b/fcoemon.if -@@ -0,0 +1,88 @@ -+ -+## policy for fcoemon -+ -+######################################## -+## -+## Transition to fcoemon. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`fcoemon_domtrans',` -+ gen_require(` -+ type fcoemon_t, fcoemon_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, fcoemon_exec_t, fcoemon_t) -+') -+ -+ -+######################################## -+## -+## Read fcoemon PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fcoemon_read_pid_files',` -+ gen_require(` -+ type fcoemon_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 fcoemon_var_run_t:file read_file_perms; -+') -+ -+####################################### -+## -+## Send to a fcoemon unix dgram socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fcoemon_dgram_send',` -+ gen_require(` -+ type fcoemon_t; -+ ') -+ -+ allow $1 fcoemon_t:unix_dgram_socket sendto; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an fcoemon environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fcoemon_admin',` -+ gen_require(` -+ type fcoemon_t; -+ type fcoemon_var_run_t; -+ ') -+ -+ allow $1 fcoemon_t:process signal_perms; -+ ps_process_pattern($1, fcoemon_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fcoemon_t:process ptrace; -+ ') -+ -+ files_search_pids($1) -+ admin_pattern($1, fcoemon_var_run_t) -+ -+') -+ -diff --git a/fcoemon.te b/fcoemon.te -new file mode 100644 -index 0000000..724ca0d ---- /dev/null -+++ b/fcoemon.te -@@ -0,0 +1,44 @@ -+policy_module(fcoemon, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type fcoemon_t; -+type fcoemon_exec_t; -+init_daemon_domain(fcoemon_t, fcoemon_exec_t) -+ -+type fcoemon_var_run_t; -+files_pid_file(fcoemon_var_run_t) -+ -+######################################## -+# -+# fcoemon local policy -+# -+ -+# dac_override -+# /var/rnn/fcm/fcm_clif socket is owned by root -+allow fcoemon_t self:capability { net_admin dac_override }; -+allow fcoemon_t self:capability { kill }; -+ -+allow fcoemon_t self:fifo_file rw_fifo_file_perms; -+allow fcoemon_t self:unix_stream_socket create_stream_socket_perms; -+allow fcoemon_t self:netlink_socket create_socket_perms; -+allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; -+ -+manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) 
-+manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) -+manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) -+files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file sock_file }) -+ -+files_read_etc_files(fcoemon_t) -+ -+dev_read_sysfs(fcoemon_t) -+ -+logging_send_syslog_msg(fcoemon_t) -+ -+optional_policy(` -+ lldpad_dgram_send(fcoemon_t) -+') -+ -diff --git a/fetchmail.fc b/fetchmail.fc -index 39928d5..6c24c84 100644 ---- a/fetchmail.fc -+++ b/fetchmail.fc -@@ -1,3 +1,9 @@ -+# -+# /HOME -+# -+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) -+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) -+ +@@ -221,46 +213,58 @@ optional_policy(` + + ######################################## # - # /etc -@@ -14,6 +20,7 @@ - # - # /var +-# Auth local policy ++# dovecot auth local policy # -+/var/log/fetchmail.* gen_context(system_u:object_r:fetchmail_log_t,s0) - /var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) - /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) - /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) -diff --git a/fetchmail.if b/fetchmail.if -index 6537214..406d62b 100644 ---- a/fetchmail.if -+++ b/fetchmail.if -@@ -15,14 +15,20 @@ - interface(`fetchmail_admin',` - gen_require(` - type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; -- type fetchmail_var_run_t; -+ type fetchmail_var_run_t, fetchmail_log_t; - ') -+ allow $1 fetchmail_t:process signal_perms; - ps_process_pattern($1, fetchmail_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fetchmail_t:process ptrace; -+ ') + allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; + allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; +-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen }; ++allow dovecot_auth_t 
self:unix_stream_socket create_stream_socket_perms; ++ ++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) + read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) -+ admin_pattern($1, fetchmail_log_t) ++read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) + - admin_pattern($1, fetchmail_uidl_cache_t) + manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) + manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) + files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - files_list_pids($1) -diff --git a/fetchmail.te b/fetchmail.te -index ac6626e..656f329 100644 ---- a/fetchmail.te -+++ b/fetchmail.te -@@ -10,6 +10,12 @@ type fetchmail_exec_t; - init_daemon_domain(fetchmail_t, fetchmail_exec_t) - application_executable_file(fetchmail_exec_t) + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; + manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_stream_connect_auth(dovecot_auth_t) -+type fetchmail_home_t; -+userdom_user_home_content(fetchmail_home_t) +-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++logging_send_audit_msgs(dovecot_auth_t) + -+type fetchmail_log_t; -+logging_log_file(fetchmail_log_t) ++auth_domtrans_chk_passwd(dovecot_auth_t) ++auth_use_nsswitch(dovecot_auth_t) + - type fetchmail_var_run_t; - files_pid_file(fetchmail_var_run_t) - -@@ -37,10 +43,19 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms; - allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; - mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) ++logging_send_syslog_msg(dovecot_auth_t) -+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) 
-+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) -+ - manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) + files_search_pids(dovecot_auth_t) + files_read_usr_files(dovecot_auth_t) ++files_read_usr_symlinks(dovecot_auth_t) + files_read_var_lib_files(dovecot_auth_t) ++files_search_tmp(dovecot_auth_t) -+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) -+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) -+userdom_search_user_home_dirs(fetchmail_t) -+userdom_search_admin_dir(fetchmail_t) -+ - kernel_read_kernel_sysctls(fetchmail_t) - kernel_list_proc(fetchmail_t) - kernel_getattr_proc_files(fetchmail_t) -@@ -51,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) - corecmd_exec_bin(fetchmail_t) - corecmd_exec_shell(fetchmail_t) +-auth_domtrans_chk_passwd(dovecot_auth_t) +-auth_use_nsswitch(dovecot_auth_t) ++fs_getattr_xattr_fs(dovecot_auth_t) --corenet_all_recvfrom_unlabeled(fetchmail_t) - corenet_all_recvfrom_netlabel(fetchmail_t) - corenet_tcp_sendrecv_generic_if(fetchmail_t) - corenet_udp_sendrecv_generic_if(fetchmail_t) -@@ -77,9 +91,10 @@ fs_search_auto_mountpoints(fetchmail_t) + init_rw_utmp(dovecot_auth_t) - domain_use_interactive_fds(fetchmail_t) +-logging_send_audit_msgs(dovecot_auth_t) +- +-seutil_dontaudit_search_config(dovecot_auth_t) +- + sysnet_use_ldap(dovecot_auth_t) -+auth_read_passwd(fetchmail_t) + optional_policy(` ++ kerberos_use(dovecot_auth_t) + - logging_send_syslog_msg(fetchmail_t) - --miscfiles_read_localization(fetchmail_t) - miscfiles_read_generic_certs(fetchmail_t) ++ # for gssapi (kerberos) + userdom_list_user_tmp(dovecot_auth_t) + userdom_read_user_tmp_files(dovecot_auth_t) + userdom_read_user_tmp_symlinks(dovecot_auth_t) + ') - sysnet_read_config(fetchmail_t) -@@ -88,6 +103,10 @@ 
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) - userdom_dontaudit_search_user_home_dirs(fetchmail_t) + optional_policy(` ++ mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) + mysql_read_config(dovecot_auth_t) + mysql_tcp_connect(dovecot_auth_t) +@@ -272,14 +276,21 @@ optional_policy(` optional_policy(` -+ kerberos_use(fetchmail_t) -+') -+ -+optional_policy(` - procmail_domtrans(fetchmail_t) + postfix_manage_private_sockets(dovecot_auth_t) ++ postfix_rw_inherited_master_pipes(dovecot_deliver_t) + postfix_search_spool(dovecot_auth_t) ') -diff --git a/finger.te b/finger.te -index 9b7036a..864b94a 100644 ---- a/finger.te -+++ b/finger.te -@@ -46,7 +46,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) - kernel_read_kernel_sysctls(fingerd_t) - kernel_read_system_state(fingerd_t) + ######################################## + # +-# Deliver local policy ++# dovecot deliver local policy + # --corenet_all_recvfrom_unlabeled(fingerd_t) - corenet_all_recvfrom_netlabel(fingerd_t) - corenet_tcp_sendrecv_generic_if(fingerd_t) - corenet_udp_sendrecv_generic_if(fingerd_t) -@@ -66,6 +65,7 @@ term_getattr_all_ttys(fingerd_t) - term_getattr_all_ptys(fingerd_t) ++allow dovecot_deliver_t dovecot_t:process signull; ++ ++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; ++read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++ + allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - auth_read_lastlog(fingerd_t) -+auth_use_nsswitch(fingerd_t) + append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) +@@ -289,31 +300,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t + files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) - corecmd_exec_bin(fingerd_t) - corecmd_exec_shell(fingerd_t) -@@ -73,7 +73,6 @@ corecmd_exec_shell(fingerd_t) - domain_use_interactive_fds(fingerd_t) + 
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms; +-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms; +- +-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t }) ++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_stream_connect(dovecot_deliver_t) - files_search_home(fingerd_t) --files_read_etc_files(fingerd_t) - files_read_etc_runtime_files(fingerd_t) + can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) - init_read_utmp(fingerd_t) -@@ -85,7 +84,6 @@ mta_getattr_spool(fingerd_t) +-allow dovecot_deliver_t dovecot_t:process signull; ++auth_use_nsswitch(dovecot_deliver_t) - sysnet_read_config(fingerd_t) +-fs_getattr_all_fs(dovecot_deliver_t) ++logging_append_all_logs(dovecot_deliver_t) ++logging_send_syslog_msg(dovecot_deliver_t) --miscfiles_read_localization(fingerd_t) +-auth_use_nsswitch(dovecot_deliver_t) ++dovecot_stream_connect_auth(dovecot_deliver_t) - # stop it accessing sub-directories, prevents checking a Maildir for new mail, - # have to change this when we create a type for Maildir -diff --git a/firewalld.fc b/firewalld.fc -new file mode 100644 -index 0000000..f440549 ---- /dev/null -+++ b/firewalld.fc -@@ -0,0 +1,13 @@ -+ -+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) -+ -+/etc/firewalld(/.*)? 
gen_context(system_u:object_r:firewalld_etc_rw_t,s0) -+ -+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0) -+ -+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0) -+ -+/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0) +-logging_search_logs(dovecot_deliver_t) ++files_search_tmp(dovecot_deliver_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(dovecot_deliver_t) +- fs_manage_nfs_files(dovecot_deliver_t) +- fs_manage_nfs_symlinks(dovecot_deliver_t) +-') ++fs_getattr_all_fs(dovecot_deliver_t) + -+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0) -+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0) -diff --git a/firewalld.if b/firewalld.if -new file mode 100644 -index 0000000..c4c7510 ---- /dev/null -+++ b/firewalld.if -@@ -0,0 +1,130 @@ -+## policy for firewalld ++userdom_manage_user_home_content_dirs(dovecot_deliver_t) ++userdom_manage_user_home_content_files(dovecot_deliver_t) ++userdom_manage_user_home_content_symlinks(dovecot_deliver_t) ++userdom_manage_user_home_content_pipes(dovecot_deliver_t) ++userdom_manage_user_home_content_sockets(dovecot_deliver_t) ++userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(dovecot_deliver_t) +- fs_manage_cifs_files(dovecot_deliver_t) +- fs_manage_cifs_symlinks(dovecot_deliver_t) ++userdom_home_manager(dovecot_deliver_t) + -+######################################## -+## -+## Execute a domain transition to run firewalld. 
++optional_policy(` ++ gnome_manage_data(dovecot_deliver_t) + ') + + optional_policy(` +@@ -326,5 +340,6 @@ optional_policy(` + ') + + optional_policy(` ++ # Handle sieve scripts + sendmail_domtrans(dovecot_deliver_t) + ') +diff --git a/drbd.if b/drbd.if +index 9a21639..a09fb52 100644 +--- a/drbd.if ++++ b/drbd.if +@@ -2,12 +2,11 @@ + + ######################################## + ## +-## Execute a domain transition to +-## run drbd. ++## Execute a domain transition to run drbd. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +@@ -16,26 +15,97 @@ interface(`drbd_domtrans',` + type drbd_t, drbd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, drbd_exec_t, drbd_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an drbd environment. ++## Search drbd lib directories. +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# -+interface(`firewalld_domtrans',` ++interface(`drbd_search_lib',` + gen_require(` -+ type firewalld_t, firewalld_exec_t; ++ type drbd_var_lib_t; + ') + -+ domtrans_pattern($1, firewalld_exec_t, firewalld_t) ++ allow $1 drbd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') + -+ +######################################## +## -+## Execute firewalld server in the firewalld domain. ++## Read drbd lib files. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`firewalld_initrc_domtrans',` ++interface(`drbd_read_lib_files',` + gen_require(` -+ type firewalld_initrc_exec_t; ++ type drbd_var_lib_t; + ') + -+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) +') + +######################################## +## -+## Execute firewalld server in the firewalld domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## ++## Create, read, write, and delete ++## drbd lib files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# -+interface(`firewalld_systemctl',` ++interface(`drbd_manage_lib_files',` + gen_require(` -+ type firewalld_t; -+ type firewalld_unit_file_t; ++ type drbd_var_lib_t; + ') + -+ systemd_exec_systemctl($1) -+ allow $1 firewalld_unit_file_t:file read_file_perms; -+ allow $1 firewalld_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, firewalld_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t) +') + +######################################## +## -+## Send and receive messages from -+## firewalld over dbus. ++## Manage drbd lib dirs files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. +## +## +# -+interface(`firewalld_dbus_chat',` ++interface(`drbd_manage_lib_dirs',` + gen_require(` -+ type firewalld_t; -+ class dbus send_msg; ++ type drbd_var_lib_t; + ') + -+ allow $1 firewalld_t:dbus send_msg; -+ allow firewalld_t $1:dbus send_msg; ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t) +') + ++ +######################################## +## +## All of the rules required to administrate -+## an firewalld environment ++## an drbd environment +## +## +## +## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`firewalld_admin',` -+ gen_require(` -+ type firewalld_t, firewalld_initrc_exec_t; -+ type firewall_etc_rw_t, firewalld_var_run_t; -+ type firewalld_var_log_t; -+ ') -+ -+ allow $1 firewalld_t:process signal_perms; -+ ps_process_pattern($1, firewalld_t) + ## + ## +-## + # + interface(`drbd_admin',` + gen_require(` +@@ -43,9 +113,13 @@ interface(`drbd_admin',` + type drbd_var_lib_t; + ') + +- allow $1 drbd_t:process { ptrace signal_perms }; ++ allow $1 drbd_t:process signal_perms; + ps_process_pattern($1, drbd_t) + + tunable_policy(`deny_ptrace',`',` -+ allow $1 firewalld_t:process ptrace; ++ allow $1 drbd_t:process ptrace; + ') + -+ firewalld_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 firewalld_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_pids($1) -+ admin_pattern($1, firewalld_var_run_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, firewalld_var_log_t) -+ -+ admin_pattern($1, firewall_etc_rw_t) -+ -+ admin_pattern($1, firewalld_unit_file_t) -+ firewalld_systemctl($1) -+ allow $1 firewalld_unit_file_t:service all_service_perms; -+') -diff --git a/firewalld.te b/firewalld.te -new file mode 100644 -index 0000000..90c8ee3 ---- /dev/null -+++ b/firewalld.te -@@ -0,0 +1,95 @@ -+ -+policy_module(firewalld,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type firewalld_t; -+type firewalld_exec_t; -+init_daemon_domain(firewalld_t, firewalld_exec_t) + init_labeled_script_domtrans($1, drbd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 drbd_initrc_exec_t system_r; +@@ -57,3 +131,4 @@ interface(`drbd_admin',` + files_search_var_lib($1) + admin_pattern($1, drbd_var_lib_t) + ') + -+type firewalld_initrc_exec_t; -+init_script_file(firewalld_initrc_exec_t) +diff --git a/drbd.te b/drbd.te +index 8e5ee54..6e11edb 100644 +--- a/drbd.te ++++ b/drbd.te +@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; + allow drbd_t 
self:fifo_file rw_fifo_file_perms; + allow drbd_t self:unix_stream_socket create_stream_socket_perms; + allow drbd_t self:netlink_socket create_socket_perms; +-allow drbd_t self:netlink_route_socket nlmsg_write; ++allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; + + manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) + manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) +@@ -46,10 +46,6 @@ dev_read_rand(drbd_t) + dev_read_sysfs(drbd_t) + dev_read_urand(drbd_t) + +-files_read_etc_files(drbd_t) +- + storage_raw_read_fixed_disk(drbd_t) + +-miscfiles_read_localization(drbd_t) +- + sysnet_dns_name_resolve(drbd_t) +diff --git a/dspam.fc b/dspam.fc +index 5eddac5..c08c8f6 100644 +--- a/dspam.fc ++++ b/dspam.fc +@@ -5,8 +5,13 @@ + /usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) + + /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) +-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) + + /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) + + /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) + -+type firewalld_etc_rw_t; -+files_config_file(firewalld_etc_rw_t) ++# web ++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) ++/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) + -+type firewalld_var_log_t; -+logging_log_file(firewalld_var_log_t) ++/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0) +diff --git a/dspam.if b/dspam.if +index 18f2452..a446210 100644 +--- a/dspam.if ++++ b/dspam.if +@@ -1,13 +1,15 @@ +-## Content-based spam filter designed for multi-user enterprise systems. 
+ -+type firewalld_var_run_t; -+files_pid_file(firewalld_var_run_t) ++## policy for dspam + -+type firewalld_unit_file_t; -+systemd_unit_file(firewalld_unit_file_t) + + ######################################## + ## + ## Execute a domain transition to run dspam. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`dspam_domtrans',` +@@ -15,35 +17,211 @@ interface(`dspam_domtrans',` + type dspam_t, dspam_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, dspam_exec_t, dspam_t) + ') + +-####################################### + +######################################## + ## +-## Connect to dspam using a unix +-## domain stream socket. ++## Execute dspam server in the dspam domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## +# -+# firewalld local policy -+# -+dontaudit firewalld_t self:capability sys_tty_config; -+allow firewalld_t self:fifo_file rw_fifo_file_perms; -+allow firewalld_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) -+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) -+ -+append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) -+create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) -+read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) -+setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) -+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) -+ -+# should be fixed to cooperate with systemd to create /var/run/firewalld directory -+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) -+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) -+can_exec(firewalld_t, firewalld_var_run_t) -+ -+kernel_read_network_state(firewalld_t) -+kernel_read_system_state(firewalld_t) -+ -+corecmd_exec_bin(firewalld_t) -+corecmd_exec_shell(firewalld_t) -+ 
-+dev_read_urand(firewalld_t) -+ -+domain_use_interactive_fds(firewalld_t) -+ -+files_read_etc_files(firewalld_t) -+files_read_usr_files(firewalld_t) -+ -+fs_getattr_xattr_fs(firewalld_t) -+ -+auth_use_nsswitch(firewalld_t) -+ -+logging_send_syslog_msg(firewalld_t) -+ -+sysnet_dns_name_resolve(firewalld_t) -+ -+sysnet_read_config(firewalld_t) -+ -+optional_policy(` -+ dbus_system_domain(firewalld_t, firewalld_exec_t) -+ -+ optional_policy(` -+ devicekit_dbus_chat_power(firewalld_t) -+ ') -+ -+ optional_policy(` -+ policykit_dbus_chat(firewalld_t) -+ ') ++interface(`dspam_initrc_domtrans',` ++ gen_require(` ++ type dspam_initrc_exec_t; ++ ') + -+ optional_policy(` -+ networkmanager_dbus_chat(firewalld_t) -+ ') ++ init_labeled_script_domtrans($1, dspam_initrc_exec_t) +') + -+optional_policy(` -+ iptables_domtrans(firewalld_t) -+') ++######################################## ++## ++## Allow the specified domain to read dspam's log files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`dspam_stream_connect',` ++interface(`dspam_read_log',` ++ gen_require(` ++ type dspam_log_t; ++ ') + -+optional_policy(` -+ modutils_domtrans_insmod(firewalld_t) ++ logging_search_logs($1) ++ read_files_pattern($1, dspam_log_t, dspam_log_t) +') -diff --git a/firewallgui.fc b/firewallgui.fc -new file mode 100644 -index 0000000..ce498b3 ---- /dev/null -+++ b/firewallgui.fc -@@ -0,0 +1,3 @@ -+ -+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --git a/firewallgui.if b/firewallgui.if -new file mode 100644 -index 0000000..2bd5790 ---- /dev/null -+++ b/firewallgui.if -@@ -0,0 +1,41 @@ ++######################################## ++## ++## Allow the specified domain to append ++## dspam log files. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`dspam_append_log',` ++ gen_require(` ++ type dspam_log_t; ++ ') + -+## policy for firewallgui ++ logging_search_logs($1) ++ append_files_pattern($1, dspam_log_t, dspam_log_t) ++') + +######################################## +## -+## Send and receive messages from -+## firewallgui over dbus. ++## Allow domain to manage dspam log files +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`firewallgui_dbus_chat',` ++interface(`dspam_manage_log',` + gen_require(` -+ type firewallgui_t; -+ class dbus send_msg; ++ type dspam_log_t; + ') + -+ allow $1 firewallgui_t:dbus send_msg; -+ allow firewallgui_t $1:dbus send_msg; ++ logging_search_logs($1) ++ manage_dirs_pattern($1, dspam_log_t, dspam_log_t) ++ manage_files_pattern($1, dspam_log_t, dspam_log_t) ++ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t) +') + +######################################## +## -+## Read and write firewallgui unnamed pipes. ++## Search dspam lib directories. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`firewallgui_dontaudit_rw_pipes',` ++interface(`dspam_search_lib',` + gen_require(` -+ type firewallgui_t; ++ type dspam_var_lib_t; + ') + -+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 dspam_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') -diff --git a/firewallgui.te b/firewallgui.te -new file mode 100644 -index 0000000..6bd855e ---- /dev/null -+++ b/firewallgui.te -@@ -0,0 +1,73 @@ -+policy_module(firewallgui,1.0.0) + +######################################## ++## ++## Read dspam lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## +# -+# Declarations -+# -+ -+type firewallgui_t; -+type firewallgui_exec_t; -+dbus_system_domain(firewallgui_t, firewallgui_exec_t) -+init_daemon_domain(firewallgui_t, firewallgui_exec_t) ++interface(`dspam_read_lib_files',` ++ gen_require(` ++ type dspam_var_lib_t; ++ ') + -+type firewallgui_tmp_t; -+files_tmp_file(firewallgui_tmp_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) ++') + +######################################## ++## ++## Create, read, write, and delete ++## dspam lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## +# -+# firewallgui local policy -+# -+ -+allow firewallgui_t self:capability { net_admin sys_rawio } ; -+allow firewallgui_t self:fifo_file rw_fifo_file_perms; -+ -+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) -+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) -+ -+kernel_read_system_state(firewallgui_t) -+kernel_read_network_state(firewallgui_t) -+kernel_rw_net_sysctls(firewallgui_t) -+kernel_rw_kernel_sysctl(firewallgui_t) -+kernel_rw_vm_sysctls(firewallgui_t) -+ -+corecmd_exec_shell(firewallgui_t) -+corecmd_exec_bin(firewallgui_t) -+ -+dev_read_urand(firewallgui_t) -+dev_read_sysfs(firewallgui_t) -+ -+files_manage_system_conf_files(firewallgui_t) -+files_etc_filetrans_system_conf(firewallgui_t) -+files_read_usr_files(firewallgui_t) -+files_search_kernel_modules(firewallgui_t) -+files_list_kernel_modules(firewallgui_t) -+ -+auth_use_nsswitch(firewallgui_t) -+ -+ -+seutil_read_config(firewallgui_t) -+ -+userdom_dontaudit_search_user_home_dirs(firewallgui_t) ++interface(`dspam_manage_lib_files',` ++ gen_require(` ++ type dspam_var_lib_t; ++ ') + -+optional_policy(` -+ consoletype_exec(firewallgui_t) ++ files_search_var_lib($1) ++ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t) +') + -+optional_policy(` -+ gnome_read_gconf_home_files(firewallgui_t) 
-+') ++######################################## ++## ++## Manage dspam lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dspam_manage_lib_dirs',` + gen_require(` +- type dspam_t, dspam_var_run_t, dspam_tmp_t; ++ type dspam_var_lib_t; ++ ') + -+optional_policy(` -+ iptables_domtrans(firewallgui_t) -+ iptables_initrc_domtrans(firewallgui_t) -+ iptables_systemctl(firewallgui_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t) +') + -+optional_policy(` -+ modutils_getattr_module_deps(firewallgui_t) -+') + -+optional_policy(` -+ policykit_dbus_chat(firewallgui_t) -+') -diff --git a/firstboot.if b/firstboot.if -index 8fa451c..f3a67c9 100644 ---- a/firstboot.if -+++ b/firstboot.if -@@ -85,6 +85,25 @@ interface(`firstboot_dontaudit_use_fds',` - - ######################################## - ## -+## dontaudit read and write an leaked file descriptors ++######################################## ++## ++## Read dspam PID files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`firstboot_dontaudit_leaks',` ++interface(`dspam_read_pid_files',` + gen_require(` -+ type firstboot_t; -+ ') -+ -+ dontaudit $1 firstboot_t:socket_class_set { read write }; -+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms; ++ type dspam_var_run_t; + ') + + files_search_pids($1) ++ allow $1 dspam_var_run_t:file read_file_perms; +') + -+######################################## ++####################################### +## - ## Write to a firstboot unnamed pipe. ++## Connect to DSPAM using a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dspam_stream_connect',` ++ gen_require(` ++ type dspam_t, dspam_var_run_t, dspam_tmp_t; ++ ') ++ ++ files_search_pids($1) + files_search_tmp($1) +- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t) ++ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) ++ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an dspam environment. ++## All of the rules required to administrate ++## an dspam environment ## ## -@@ -98,6 +117,7 @@ interface(`firstboot_write_pipes',` - type firstboot_t; + ## +@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',` + # + interface(`dspam_admin',` + gen_require(` +- type dspam_t, dspam_initrc_exec_t, dspam_log_t; +- type dspam_var_lib_t, dspam_var_run_t; ++ type dspam_t; ++ type dspam_initrc_exec_t; ++ type dspam_log_t; ++ type dspam_var_lib_t; ++ type dspam_var_run_t; ') -+ allow $1 firstboot_t:fd use; - allow $1 firstboot_t:fifo_file write; - ') - -diff --git a/firstboot.te b/firstboot.te -index c4d8998..0647c46 100644 ---- a/firstboot.te -+++ b/firstboot.te -@@ -1,7 +1,7 @@ - policy_module(firstboot, 1.12.0) - - gen_require(` -- class passwd rootok; -+ class passwd { passwd chfn chsh rootok crontab }; - ') - - ######################################## -@@ -29,14 +29,16 @@ allow firstboot_t self:process setfscreate; - allow firstboot_t self:fifo_file rw_fifo_file_perms; - allow firstboot_t self:tcp_socket create_stream_socket_perms; - allow firstboot_t self:unix_stream_socket { connect create }; --allow firstboot_t self:passwd rootok; -+allow firstboot_t self:passwd { rootok passwd chfn chsh }; +- allow $1 dspam_t:process { ptrace signal_perms }; ++ allow $1 dspam_t:process signal_perms; + ps_process_pattern($1, dspam_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 dspam_t:process ptrace; ++ ') - allow firstboot_t 
firstboot_etc_t:file read_file_perms; +- init_labeled_script_domtrans($1, dspam_initrc_exec_t) ++ dspam_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 dspam_initrc_exec_t system_r; + allow $2 system_r; +@@ -79,4 +263,5 @@ interface(`dspam_admin',` -+files_manage_generic_tmp_dirs(firstboot_t) -+files_manage_generic_tmp_files(firstboot_t) + files_search_pids($1) + admin_pattern($1, dspam_var_run_t) + - kernel_read_system_state(firstboot_t) - kernel_read_kernel_sysctls(firstboot_t) - --corenet_all_recvfrom_unlabeled(firstboot_t) - corenet_all_recvfrom_netlabel(firstboot_t) - corenet_tcp_sendrecv_generic_if(firstboot_t) - corenet_tcp_sendrecv_generic_node(firstboot_t) -@@ -62,6 +64,8 @@ files_read_usr_files(firstboot_t) - files_manage_var_dirs(firstboot_t) - files_manage_var_files(firstboot_t) - files_manage_var_symlinks(firstboot_t) -+files_create_boot_flag(firstboot_t) -+files_delete_boot_flag(firstboot_t) - - init_domtrans_script(firstboot_t) - init_rw_utmp(firstboot_t) -@@ -73,14 +77,10 @@ locallogin_use_fds(firstboot_t) - - logging_send_syslog_msg(firstboot_t) - --miscfiles_read_localization(firstboot_t) -+sysnet_dns_name_resolve(firstboot_t) - --modutils_domtrans_insmod(firstboot_t) --modutils_domtrans_depmod(firstboot_t) --modutils_read_module_config(firstboot_t) --modutils_read_module_deps(firstboot_t) -+userdom_use_inherited_user_terminals(firstboot_t) - --userdom_use_user_terminals(firstboot_t) - # Add/remove user home directories - userdom_manage_user_home_content_dirs(firstboot_t) - userdom_manage_user_home_content_files(firstboot_t) -@@ -91,10 +91,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t) - userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) + ') +diff --git a/dspam.te b/dspam.te +index 266cb8f..dbbe097 100644 +--- a/dspam.te ++++ b/dspam.te +@@ -64,14 +64,33 @@ auth_use_nsswitch(dspam_t) - optional_policy(` -- consoletype_domtrans(firstboot_t) --') -- 
--optional_policy(` - dbus_system_bus_client(firstboot_t) + logging_send_syslog_msg(dspam_t) - optional_policy(` -@@ -103,7 +99,10 @@ optional_policy(` - ') +-miscfiles_read_localization(dspam_t) optional_policy(` -- nis_use_ypbind(firstboot_t) -+ modutils_domtrans_insmod(firstboot_t) -+ modutils_domtrans_depmod(firstboot_t) -+ modutils_read_module_config(firstboot_t) -+ modutils_read_module_deps(firstboot_t) - ') + apache_content_template(dspam) - optional_policy(` -@@ -113,18 +112,11 @@ optional_policy(` - optional_policy(` - unconfined_domtrans(firstboot_t) - # The big hammer -- unconfined_domain(firstboot_t) --') -- --optional_policy(` -- usermanage_domtrans_chfn(firstboot_t) -- usermanage_domtrans_groupadd(firstboot_t) -- usermanage_domtrans_passwd(firstboot_t) -- usermanage_domtrans_useradd(firstboot_t) -- usermanage_domtrans_admin_passwd(firstboot_t) -+ unconfined_domain_noaudit(firstboot_t) ++ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) ++ ++ files_search_var_lib(httpd_dspam_script_t) + list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) +- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) +- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) ++ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) ++ ++ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) ++ ++ term_dontaudit_search_ptys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) ++ ++ init_read_utmp(httpd_dspam_script_t) ++ ++ logging_send_syslog_msg(httpd_dspam_script_t) ++ ++ mta_send_mail(httpd_dspam_script_t) ++ ++ optional_policy(` ++ mysql_tcp_connect(httpd_dspam_script_t) ++ mysql_stream_connect(httpd_dspam_script_t) ++ ') ') optional_policy(` -+ 
gnome_admin_home_gconf_filetrans(firstboot_t, dir) - gnome_manage_config(firstboot_t) - ') +diff --git a/entropyd.te b/entropyd.te +index a0da189..d8bc9d5 100644 +--- a/entropyd.te ++++ b/entropyd.te +@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) + dev_read_rand(entropyd_t) + dev_write_rand(entropyd_t) -@@ -132,4 +124,5 @@ optional_policy(` - xserver_domtrans(firstboot_t) - xserver_rw_shm(firstboot_t) - xserver_unconfined(firstboot_t) -+ xserver_stream_connect(firstboot_t) - ') -diff --git a/fprintd.if b/fprintd.if -index ebad8c4..640293e 100644 ---- a/fprintd.if -+++ b/fprintd.if -@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',` - allow $1 fprintd_t:dbus send_msg; - allow fprintd_t $1:dbus send_msg; - ') +-files_read_etc_files(entropyd_t) +-files_read_usr_files(entropyd_t) - -diff --git a/fprintd.te b/fprintd.te -index 7df52c7..46499bd 100644 ---- a/fprintd.te -+++ b/fprintd.te -@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0) - - type fprintd_t; - type fprintd_exec_t; --dbus_system_domain(fprintd_t, fprintd_exec_t) -+init_daemon_domain(fprintd_t, fprintd_exec_t) - - type fprintd_var_lib_t; - files_type(fprintd_var_lib_t) -@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t) - # Local policy - # - --allow fprintd_t self:capability sys_ptrace; -+allow fprintd_t self:capability sys_nice; -+ - allow fprintd_t self:fifo_file rw_fifo_file_perms; --allow fprintd_t self:process { getsched signal }; -+allow fprintd_t self:process { getsched setsched signal sigkill }; - - manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) - manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -33,14 +34,12 @@ dev_list_usbfs(fprintd_t) - dev_rw_generic_usb_dev(fprintd_t) - dev_read_sysfs(fprintd_t) - --files_read_etc_files(fprintd_t) - files_read_usr_files(fprintd_t) - - fs_getattr_all_fs(fprintd_t) + fs_getattr_all_fs(entropyd_t) + fs_search_auto_mountpoints(entropyd_t) - auth_use_nsswitch(fprintd_t) +@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t) 
--miscfiles_read_localization(fprintd_t) + logging_send_syslog_msg(entropyd_t) - userdom_use_user_ptys(fprintd_t) - userdom_read_all_users_state(fprintd_t) -@@ -50,8 +49,17 @@ optional_policy(` - ') +-miscfiles_read_localization(entropyd_t) ++auth_use_nsswitch(entropyd_t) - optional_policy(` -+ dbus_system_domain(fprintd_t, fprintd_exec_t) -+') -+ -+optional_policy(` - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) - policykit_dbus_chat(fprintd_t) - policykit_domtrans_auth(fprintd_t) -+ policykit_dbus_chat_auth(fprintd_t) -+') -+ -+optional_policy(` -+ xserver_read_state_xdm(fprintd_t) - ') -diff --git a/ftp.fc b/ftp.fc -index 69dcd2a..4d97da7 100644 ---- a/ftp.fc -+++ b/ftp.fc -@@ -6,6 +6,9 @@ - /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) + userdom_dontaudit_use_unpriv_user_fds(entropyd_t) + userdom_dontaudit_search_user_home_dirs(entropyd_t) +diff --git a/exim.if b/exim.if +index 6041113..ef3b449 100644 +--- a/exim.if ++++ b/exim.if +@@ -21,35 +21,51 @@ interface(`exim_domtrans',` -+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+ - # - # /usr + ######################################## + ## +-## Execute exim in the exim domain, +-## and allow the specified role +-## the exim domain. ++## Execute the mailman program in the mailman domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + ## +-## +-## Role allowed access. +-## ++## ++## The role to allow the mailman domain. 
++## + ## + ## # -@@ -29,3 +32,4 @@ - /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) - /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) - /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) -+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) -diff --git a/ftp.if b/ftp.if -index 9d3201b..6e75e3d 100644 ---- a/ftp.if -+++ b/ftp.if -@@ -1,5 +1,66 @@ - ## File transfer protocol service - -+###################################### -+## -+## Execute a domain transition to run ftpd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ftp_domtrans',` -+ gen_require(` -+ type ftpd_t, ftpd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1,ftpd_exec_t, ftpd_t) -+ -+') -+ -+####################################### -+## -+## Execute ftpd server in the ftpd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`ftp_initrc_domtrans',` -+ gen_require(` -+ type ftpd_initrc_exec_t; -+ ') + interface(`exim_run',` ++ gen_require(` ++ type exim_t; ++ ') + -+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t) ++ exim_domtrans($1) ++ role $2 types exim_t; +') + +######################################## +## -+## Execute ftpd server in the ftpd domain. ++## Execute exim in the exim domain. +## +## +## 
@@ -21814,905 +20413,931 @@ index 9d3201b..6e75e3d 100644 +## +## +# -+interface(`ftp_systemctl',` -+ gen_require(` -+ type ftpd_unit_file_t; -+ type ftpd_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 ftpd_unit_file_t:file read_file_perms; -+ allow $1 ftpd_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, ftpd_t) -+') -+ - ####################################### - ## - ## Allow domain dyntransition to sftpd_anon domain. -@@ -174,10 +235,14 @@ interface(`ftp_admin',` - type ftpd_etc_t, ftpd_lock_t; - type ftpd_var_run_t, xferlog_t; - type ftpd_initrc_exec_t; -+ type ftpd_unit_file_t; ++interface(`exim_initrc_domtrans',` + gen_require(` +- attribute_role exim_roles; ++ type exim_initrc_exec_t; ') -- allow $1 ftpd_t:process { ptrace signal_perms }; -+ allow $1 ftpd_t:process signal_perms; - ps_process_pattern($1, ftpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ftpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -203,4 +268,8 @@ interface(`ftp_admin',` - - logging_list_logs($1) - admin_pattern($1, xferlog_t) -+ -+ ftp_systemctl($1) -+ admin_pattern($1, ftpd_unit_file_t) -+ allow $1 ftpd_unit_file_t:service all_service_perms; +- exim_domtrans($1) +- roleattribute $2 exim_roles; ++ init_labeled_script_domtrans($1, exim_initrc_exec_t) ') -diff --git a/ftp.te b/ftp.te -index 80026bb..30968b3 100644 ---- a/ftp.te -+++ b/ftp.te -@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0) - ## public_content_rw_t. - ##

    - ## --gen_tunable(allow_ftpd_anon_write, false) -+gen_tunable(ftpd_anon_write, false) - - ## - ##

    -@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false) - ## read/write all files on the system, governed by DAC. - ##

    - ##
    --gen_tunable(allow_ftpd_full_access, false) -+gen_tunable(ftpd_full_access, false) - ## - ##

    -@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false) - ## used for public file transfer services. - ##

    - ##
    --gen_tunable(allow_ftpd_use_cifs, false) -+gen_tunable(ftpd_use_cifs, false) + ######################################## + ## +-## Do not audit attempts to read exim +-## temporary tmp files. ++## Do not audit attempts to read, ++## exim tmp files + ## + ## + ## +@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',` - ## - ##

    -@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false) - ## used for public file transfer services. - ##

    - ##
    --gen_tunable(allow_ftpd_use_nfs, false) -+gen_tunable(ftpd_use_nfs, false) -+ -+## -+##

    -+## Allow ftp servers to connect to mysql database ports -+##

    -+##
    -+gen_tunable(ftpd_connect_db, false) -+ -+## -+##

    -+## Allow ftp servers to use bind to all unreserved ports for passive mode -+##

    -+##
    -+gen_tunable(ftpd_use_passive_mode, false) -+ -+## -+##

    -+## Allow ftp servers to connect to all ports > 1023 -+##

    -+##
    -+gen_tunable(ftpd_connect_all_unreserved, false) + ######################################## + ## +-## Read exim temporary files. ++## Allow domain to read, exim tmp files + ## + ## + ## +@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',` - ## - ##

    -@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false) - ## - gen_tunable(sftpd_full_access, false) + ######################################## + ##

    +-## Read exim pid files. ++## Read exim PID files. + ## + ## + ## +@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',` -+## -+##

    -+## Allow internal-sftp to read and write files -+## in the user ssh home directories. -+##

    -+##
    -+gen_tunable(sftpd_write_ssh_home, false) -+ - type anon_sftpd_t; - typealias anon_sftpd_t alias sftpd_anon_t; - domain_type(anon_sftpd_t) -@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t) - type ftpd_initrc_exec_t; - init_script_file(ftpd_initrc_exec_t) + ######################################## + ## +-## Read exim log files. ++## Allow the specified domain to read exim's log files. + ## + ## + ## +@@ -125,7 +141,8 @@ interface(`exim_read_log',` -+type ftpd_unit_file_t; -+systemd_unit_file(ftpd_unit_file_t) -+ - type ftpd_lock_t; - files_lock_file(ftpd_lock_t) + ######################################## + ## +-## Append exim log files. ++## Allow the specified domain to append ++## exim log files. + ## + ## + ## +@@ -144,8 +161,7 @@ interface(`exim_append_log',` -@@ -115,6 +147,10 @@ ifdef(`enable_mcs',` - init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) - ') + ######################################## + ## +-## Create, read, write, and delete +-## exim log files. ++## Allow the specified domain to manage exim's log files. + ## + ## + ## +@@ -166,7 +182,7 @@ interface(`exim_manage_log',` + ######################################## + ## + ## Create, read, write, and delete +-## exim spool directories. ++## exim spool dirs. + ## + ## + ## +@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',` -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) -+') -+ ######################################## + ## +-## All of the rules required to +-## administrate an exim environment. ++## All of the rules required to administrate ++## an exim environment. + ## + ## + ## +@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',` + ## Role allowed access. 
+ ## + ## +-## # - # anon-sftp local policy -@@ -133,7 +169,7 @@ tunable_policy(`sftpd_anon_write',` - # ftpd local policy - # + interface(`exim_admin',` + gen_require(` +- type exim_t, exim_spool_t, exim_log_t; +- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; ++ type exim_t, exim_initrc_exec_t, exim_log_t; ++ type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') --allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; -+allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_chroot sys_admin sys_nice sys_resource }; - dontaudit ftpd_t self:capability sys_tty_config; - allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; - allow ftpd_t self:fifo_file rw_fifo_file_perms; -@@ -151,7 +187,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) +- allow $1 exim_t:process { ptrace signal_perms }; ++ allow $1 exim_t:process signal_perms; + ps_process_pattern($1, exim_t) - manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) - manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) --files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) +- init_labeled_script_domtrans($1, exim_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 exim_t:process ptrace; ++ ') ++ ++ exim_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; +diff --git a/exim.te b/exim.te +index 19325ce..c41cedc 100644 +--- a/exim.te ++++ b/exim.te +@@ -49,7 +49,7 @@ type exim_log_t; + logging_log_file(exim_log_t) - manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) - manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -163,13 +198,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file - manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) - manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) - manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) 
--files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} ) -+files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) - - # proftpd requires the client side to bind a socket so that - # it can stat the socket to perform access control decisions, - # since getsockopt with SO_PEERCRED is not available on all - # proftpd-supported OSs --allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; -+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; - - # Create and modify /var/log/xferlog. - manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -177,14 +212,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) + type exim_spool_t; +-files_type(exim_spool_t) ++files_spool_file(exim_spool_t) - kernel_read_kernel_sysctls(ftpd_t) - kernel_read_system_state(ftpd_t) --kernel_search_network_state(ftpd_t) -+kernel_read_network_state(ftpd_t) + type exim_tmp_t; + files_tmp_file(exim_tmp_t) +@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t) - dev_read_sysfs(ftpd_t) - dev_read_urand(ftpd_t) + kernel_read_kernel_sysctls(exim_t) + kernel_read_network_state(exim_t) +-kernel_dontaudit_read_system_state(exim_t) ++kernel_read_system_state(exim_t) - corecmd_exec_bin(ftpd_t) + corecmd_search_bin(exim_t) --corenet_all_recvfrom_unlabeled(ftpd_t) - corenet_all_recvfrom_netlabel(ftpd_t) - corenet_tcp_sendrecv_generic_if(ftpd_t) - corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -196,9 +230,8 @@ corenet_tcp_bind_generic_node(ftpd_t) - corenet_tcp_bind_ftp_port(ftpd_t) - corenet_tcp_bind_ftp_data_port(ftpd_t) - corenet_tcp_bind_generic_port(ftpd_t) --corenet_tcp_bind_all_unreserved_ports(ftpd_t) --corenet_dontaudit_tcp_bind_all_ports(ftpd_t) --corenet_tcp_connect_all_ports(ftpd_t) -+corenet_tcp_bind_all_ephemeral_ports(ftpd_t) -+corenet_tcp_connect_all_ephemeral_ports(ftpd_t) - corenet_sendrecv_ftp_server_packets(ftpd_t) +-corenet_all_recvfrom_unlabeled(exim_t) + corenet_all_recvfrom_netlabel(exim_t) + corenet_tcp_sendrecv_generic_if(exim_t) + corenet_udp_sendrecv_generic_if(exim_t) +@@ 
-138,7 +137,6 @@ auth_use_nsswitch(exim_t) - domain_use_interactive_fds(ftpd_t) -@@ -212,13 +245,11 @@ fs_search_auto_mountpoints(ftpd_t) - fs_getattr_all_fs(ftpd_t) - fs_search_fusefs(ftpd_t) - --auth_use_nsswitch(ftpd_t) --auth_domtrans_chk_passwd(ftpd_t) --# Append to /var/log/wtmp. --auth_append_login_records(ftpd_t) -+auth_use_pam(ftpd_t) - #kerberized ftp requires the following - auth_write_login_records(ftpd_t) - auth_rw_faillog(ftpd_t) -+auth_manage_var_auth(ftpd_t) - - init_rw_utmp(ftpd_t) - -@@ -226,42 +257,47 @@ logging_send_audit_msgs(ftpd_t) - logging_send_syslog_msg(ftpd_t) - logging_set_loginuid(ftpd_t) + logging_send_syslog_msg(exim_t) --miscfiles_read_localization(ftpd_t) - miscfiles_read_public_files(ftpd_t) +-miscfiles_read_localization(exim_t) + miscfiles_read_generic_certs(exim_t) --seutil_dontaudit_search_config(ftpd_t) -- - sysnet_read_config(ftpd_t) - sysnet_use_ldap(ftpd_t) + userdom_dontaudit_search_user_home_dirs(exim_t) +@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',` + corenet_sendrecv_mssql_client_packets(exim_t) + corenet_tcp_connect_mssql_port(exim_t) + corenet_tcp_sendrecv_mssql_port(exim_t) +- corenet_sendrecv_oracledb_client_packets(exim_t) +- corenet_tcp_connect_oracledb_port(exim_t) +- corenet_tcp_sendrecv_oracledb_port(exim_t) ++ corenet_sendrecv_oracle_client_packets(exim_t) ++ corenet_tcp_connect_oracle_port(exim_t) ++ corenet_tcp_sendrecv_oracle_port(exim_t) + ') - userdom_dontaudit_use_unpriv_user_fds(ftpd_t) - userdom_dontaudit_search_user_home_dirs(ftpd_t) + tunable_policy(`exim_read_user_files',` +@@ -218,6 +216,7 @@ optional_policy(` --tunable_policy(`allow_ftpd_anon_write',` -+tunable_policy(`ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) + optional_policy(` + procmail_domtrans(exim_t) ++ procmail_read_home_files(exim_t) ') --tunable_policy(`allow_ftpd_use_cifs',` -+tunable_policy(`ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) + optional_policy(` +diff --git 
a/fail2ban.if b/fail2ban.if +index 50d0084..6565422 100644 +--- a/fail2ban.if ++++ b/fail2ban.if +@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',` + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) ') --tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` -+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) +-######################################## ++####################################### + ## +-## Execute the fail2ban client in +-## the fail2ban client domain. ++## Execute the fail2ban client in ++## the fail2ban client domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + # + interface(`fail2ban_domtrans_client',` +- gen_require(` +- type fail2ban_client_t, fail2ban_client_exec_t; +- ') ++ gen_require(` ++ type fail2ban_client_t, fail2ban_client_exec_t; ++ ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) ') --tunable_policy(`allow_ftpd_use_nfs',` -+tunable_policy(`ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) +-######################################## ++####################################### + ## +-## Execute fail2ban client in the +-## fail2ban client domain, and allow +-## the specified role the fail2ban +-## client domain. ++## Execute fail2ban client in the ++## fail2ban client domain, and allow ++## the specified role the fail2ban ++## client domain. + ## + ## +-## +-## Domain allowed to transition. +-## ++## ++## Domain allowed to transition. ++## + ## + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. 
++## + ## + # + interface(`fail2ban_run_client',` +- gen_require(` +- attribute_role fail2ban_client_roles; +- ') ++ gen_require(` ++ attribute_role fail2ban_client_roles; ++ ') + +- fail2ban_domtrans_client($1) +- roleattribute $2 fail2ban_client_roles; ++ fail2ban_domtrans_client($1) ++ roleattribute $2 fail2ban_client_roles; ') --tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` -+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) + ##################################### + ## +-## Connect to fail2ban over a +-## unix domain stream socket. ++## Connect to fail2ban over a unix domain ++## stream socket. + ## + ## + ## +@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',` + ') + + files_search_tmp($1) +- allow $1 fail2ban_tmp_t:file { read write }; +-') +- +-######################################## +-## +-## Do not audit attempts to use +-## fail2ban file descriptors. +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`fail2ban_dontaudit_use_fds',` +- gen_require(` +- type fail2ban_t; +- ') +- +- dontaudit $1 fail2ban_t:fd use; +-') +- +-######################################## +-## +-## Do not audit attempts to read and +-## write fail2ban unix stream sockets +-## +-## +-## +-## Domain to not audit. 
+-## +-## +-# +-interface(`fail2ban_dontaudit_rw_stream_sockets',` +- gen_require(` +- type fail2ban_t; +- ') +- +- dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; ') --tunable_policy(`allow_ftpd_full_access',` -+tunable_policy(`ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; -- files_manage_non_auth_files(ftpd_t) -+ files_manage_non_security_files(ftpd_t) -+') -+ -+tunable_policy(`ftpd_use_passive_mode',` -+ corenet_tcp_bind_all_unreserved_ports(ftpd_t) -+') -+ -+tunable_policy(`ftpd_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(ftpd_t) + ######################################## + ## +-## Read and write fail2ban unix +-## stream sockets. ++## Read and write to an fail2ba unix stream socket. + ## + ## + ## +@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',` + ') + + files_search_var_lib($1) +- allow $1 fail2ban_var_lib_t:file read_file_perms; ++ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) ') - tunable_policy(`ftp_home_dir',` -@@ -270,10 +306,13 @@ tunable_policy(`ftp_home_dir',` - # allow access to /home - files_list_home(ftpd_t) - userdom_read_user_home_content_files(ftpd_t) -- userdom_manage_user_home_content_dirs(ftpd_t) -- userdom_manage_user_home_content_files(ftpd_t) -- userdom_manage_user_home_content_symlinks(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) -+ userdom_manage_user_home_content(ftpd_t) -+ userdom_manage_user_tmp_files(ftpd_t) -+ userdom_tmp_filetrans_user_tmp(ftpd_t, file) -+',` -+ # Needed for permissive mode, to make sure everything gets labeled correctly -+ userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) -+ files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) + ######################################## + ## +-## Read fail2ban log files. ++## Allow the specified domain to read fail2ban's log files. 
+ ## + ## + ## +@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',` + ') + + logging_search_logs($1) ++ allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file read_file_perms; ') - tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,10 +348,35 @@ optional_policy(` + ######################################## + ## +-## Append fail2ban log files. ++## Allow the specified domain to append ++## fail2ban log files. + ## + ## + ## +@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',` + ') + + logging_search_logs($1) ++ allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file append_file_perms; ') - optional_policy(` -+ fail2ban_read_lib_files(ftpd_t) -+') -+ -+optional_policy(` - selinux_validate_context(ftpd_t) + ######################################## + ## +-## Read fail2ban pid files. ++## Read fail2ban PID files. + ## + ## + ## +@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',` - kerberos_keytab_template(ftpd, ftpd_t) -- kerberos_manage_host_rcache(ftpd_t) -+ # this part of auth_use_pam -+ #kerberos_manage_host_rcache(ftpd_t) -+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") -+') -+ -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ mysql_stream_connect(ftpd_t) + ######################################## + ## +-## All of the rules required to +-## administrate an fail2ban environment. ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`fail2ban_dontaudit_leaks',` ++ gen_require(` ++ type fail2ban_t; + ') -+') + -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ postgresql_stream_connect(ftpd_t) -+ ') ++ dontaudit $1 fail2ban_t:tcp_socket { read write }; ++ dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; ++ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ mysql_tcp_connect(ftpd_t) -+ postgresql_tcp_connect(ftpd_t) ++######################################## ++## ++## All of the rules required to administrate ++## an fail2ban environment + ## + ## + ## +@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the fail2ban domain. + ## + ## + ## + # + interface(`fail2ban_admin',` + gen_require(` +- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; +- type fail2ban_var_run_t, fail2ban_initrc_exec_t; +- type fail2ban_var_lib_t, fail2ban_client_t; ++ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; ++ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; ++ type fail2ban_client_t; + ') + +- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; ++ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') - ') ++ + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; +@@ -277,10 +265,10 @@ interface(`fail2ban_admin',` + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) - optional_policy(` -@@ -347,16 +411,17 @@ optional_policy(` +- files_search_var_lib($1) ++ files_list_var_lib($1) + admin_pattern($1, fail2ban_var_lib_t) - # Allow ftpdctl to talk to ftpd over a socket connection - 
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) -+files_search_pids(ftpdctl_t) +- files_search_tmp($1) ++ files_list_tmp($1) + admin_pattern($1, fail2ban_tmp_t) - # ftpdctl creates a socket so that the daemon can perform - # access control decisions (see comments in ftpd_t rules above) --allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr }; -+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + fail2ban_run_client($1, $2) +diff --git a/fail2ban.te b/fail2ban.te +index 0872e50..e985043 100644 +--- a/fail2ban.te ++++ b/fail2ban.te +@@ -60,12 +60,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) - # Allow ftpdctl to read config files - files_read_etc_files(ftpdctl_t) ++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) ++ + kernel_read_system_state(fail2ban_t) --userdom_use_user_terminals(ftpdctl_t) -+userdom_use_inherited_user_terminals(ftpdctl_t) + corecmd_exec_bin(fail2ban_t) + corecmd_exec_shell(fail2ban_t) - ######################################## - # -@@ -365,18 +430,34 @@ userdom_use_user_terminals(ftpdctl_t) +-corenet_all_recvfrom_unlabeled(fail2ban_t) + corenet_all_recvfrom_netlabel(fail2ban_t) + corenet_tcp_sendrecv_generic_if(fail2ban_t) + corenet_tcp_sendrecv_generic_node(fail2ban_t) +@@ -80,7 +84,6 @@ domain_use_interactive_fds(fail2ban_t) + domain_dontaudit_read_all_domains_state(fail2ban_t) - files_read_etc_files(sftpd_t) + files_read_etc_runtime_files(fail2ban_t) +-files_read_usr_files(fail2ban_t) + files_list_var(fail2ban_t) + files_dontaudit_list_tmp(fail2ban_t) +@@ -92,13 
+95,14 @@ auth_use_nsswitch(fail2ban_t) + logging_read_all_logs(fail2ban_t) + logging_send_syslog_msg(fail2ban_t) + +-miscfiles_read_localization(fail2ban_t) +- + sysnet_manage_config(fail2ban_t) + sysnet_etc_filetrans_config(fail2ban_t) + + mta_send_mail(fail2ban_t) + ++sysnet_manage_config(fail2ban_t) ++sysnet_filetrans_named_content(fail2ban_t) + - # allow read access to /home by default - userdom_read_user_home_content_files(sftpd_t) - userdom_read_user_home_content_symlinks(sftpd_t) -+userdom_dontaudit_list_admin_dir(sftpd_t) -+ -+tunable_policy(`sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ files_manage_non_security_files(sftpd_t) + optional_policy(` + apache_read_log(fail2ban_t) + ') +@@ -108,6 +112,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(fail2ban_t) +') + +optional_policy(` -+ tunable_policy(`sftpd_write_ssh_home',` -+ ssh_manage_home_files(sftpd_t) -+ ') -+') - - tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - - # allow access to /home - files_list_home(sftpd_t) -- userdom_manage_user_home_content_files(sftpd_t) -- userdom_manage_user_home_content_dirs(sftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) -+ userdom_read_user_home_content_files(sftpd_t) -+ userdom_manage_user_home_content(sftpd_t) -+',` -+ # Needed for permissive mode, to make sure everything gets labeled correctly -+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) + iptables_domtrans(fail2ban_t) ') - tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +475,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` - tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) -- files_manage_non_auth_files(sftpd_t) -+ 
files_manage_non_security_files(sftpd_t) - ') +@@ -137,14 +145,10 @@ corecmd_exec_bin(fail2ban_client_t) --tunable_policy(`use_samba_home_dirs',` -- # allow read access to /home by default -- fs_list_cifs(sftpd_t) -- fs_read_cifs_files(sftpd_t) -- fs_read_cifs_symlinks(sftpd_t) --') -- --tunable_policy(`use_nfs_home_dirs',` -- # allow read access to /home by default -- fs_list_nfs(sftpd_t) -- fs_read_nfs_files(sftpd_t) -- fs_read_nfs_symlinks(ftpd_t) --') -+userdom_home_reader(sftpd_t) -diff --git a/games.te b/games.te -index b73d33c..ffacbd2 100644 ---- a/games.te -+++ b/games.te -@@ -75,8 +75,6 @@ init_use_script_ptys(games_srv_t) + domain_use_interactive_fds(fail2ban_client_t) - logging_send_syslog_msg(games_srv_t) +-files_read_etc_files(fail2ban_client_t) +-files_read_usr_files(fail2ban_client_t) + files_search_pids(fail2ban_client_t) --miscfiles_read_localization(games_srv_t) -- - userdom_dontaudit_use_unpriv_user_fds(games_srv_t) + logging_getattr_all_logs(fail2ban_client_t) + logging_search_all_logs(fail2ban_client_t) - userdom_dontaudit_search_user_home_dirs(games_srv_t) -@@ -120,7 +118,6 @@ kernel_read_system_state(games_t) +-miscfiles_read_localization(fail2ban_client_t) +- + userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) + userdom_use_user_terminals(fail2ban_client_t) +diff --git a/fetchmail.fc b/fetchmail.fc +index 2486e2a..ea07c4f 100644 +--- a/fetchmail.fc ++++ b/fetchmail.fc +@@ -1,4 +1,5 @@ + HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) ++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) - corecmd_exec_bin(games_t) + /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) --corenet_all_recvfrom_unlabeled(games_t) - corenet_all_recvfrom_netlabel(games_t) - corenet_tcp_sendrecv_generic_if(games_t) - corenet_udp_sendrecv_generic_if(games_t) -@@ -151,9 +148,6 @@ init_dontaudit_rw_utmp(games_t) +diff --git a/fetchmail.if b/fetchmail.if +index c3f7916..cab3954 100644 +--- 
a/fetchmail.if ++++ b/fetchmail.if +@@ -23,14 +23,16 @@ interface(`fetchmail_admin',` + type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; + ') - logging_dontaudit_search_logs(games_t) ++ ps_process_pattern($1, fetchmail_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 fetchmail_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fetchmail_initrc_exec_t system_r; + allow $2 system_r; --miscfiles_read_man_pages(games_t) --miscfiles_read_localization(games_t) +- allow $1 fetchmail_t:process { ptrace signal_perms }; +- ps_process_pattern($1, fetchmail_t) - - sysnet_read_config(games_t) - - userdom_manage_user_tmp_dirs(games_t) -@@ -163,7 +157,7 @@ userdom_manage_user_tmp_sockets(games_t) - # Suppress .icons denial until properly implemented - userdom_dontaudit_read_user_home_content_files(games_t) - --tunable_policy(`allow_execmem',` -+tunable_policy(`deny_execmem',`', ` - allow games_t self:process execmem; - ') + files_list_etc($1) + admin_pattern($1, fetchmail_etc_t) -diff --git a/gatekeeper.te b/gatekeeper.te -index 99a94de..8b84eda 100644 ---- a/gatekeeper.te -+++ b/gatekeeper.te -@@ -33,7 +33,7 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms; - allow gatekeeper_t self:tcp_socket create_stream_socket_perms; - allow gatekeeper_t self:udp_socket create_socket_perms; +diff --git a/fetchmail.te b/fetchmail.te +index f0388cb..73521ff 100644 +--- a/fetchmail.te ++++ b/fetchmail.te +@@ -50,10 +50,19 @@ logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) + allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; + mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) --allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read }; -+allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms; - allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; - files_search_etc(gatekeeper_t) 
++manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) ++manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) ++logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file }) ++ + manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) -@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) ++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++userdom_search_user_home_dirs(fetchmail_t) ++userdom_search_admin_dir(fetchmail_t) ++ + kernel_read_kernel_sysctls(fetchmail_t) + kernel_list_proc(fetchmail_t) + kernel_getattr_proc_files(fetchmail_t) +@@ -63,7 +72,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) + corecmd_exec_bin(fetchmail_t) + corecmd_exec_shell(fetchmail_t) - corecmd_list_bin(gatekeeper_t) +-corenet_all_recvfrom_unlabeled(fetchmail_t) + corenet_all_recvfrom_netlabel(fetchmail_t) + corenet_tcp_sendrecv_generic_if(fetchmail_t) + corenet_tcp_sendrecv_generic_node(fetchmail_t) +@@ -84,17 +92,20 @@ fs_search_auto_mountpoints(fetchmail_t) --corenet_all_recvfrom_unlabeled(gatekeeper_t) - corenet_all_recvfrom_netlabel(gatekeeper_t) - corenet_tcp_sendrecv_generic_if(gatekeeper_t) - corenet_udp_sendrecv_generic_if(gatekeeper_t) -@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(gatekeeper_t) + domain_use_interactive_fds(fetchmail_t) - logging_send_syslog_msg(gatekeeper_t) +-auth_use_nsswitch(fetchmail_t) ++auth_read_passwd(fetchmail_t) --miscfiles_read_localization(gatekeeper_t) -- - sysnet_read_config(gatekeeper_t) + logging_send_syslog_msg(fetchmail_t) - userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) -diff --git a/gift.te b/gift.te -index 4975343..1c20b64 100644 ---- a/gift.te -+++ b/gift.te -@@ -52,7 +52,6 @@ domtrans_pattern(gift_t, giftd_exec_t, giftd_t) - 
kernel_read_system_state(gift_t) - - # Connect to gift daemon --corenet_all_recvfrom_unlabeled(gift_t) - corenet_all_recvfrom_netlabel(gift_t) - corenet_tcp_sendrecv_generic_if(gift_t) - corenet_tcp_sendrecv_generic_node(gift_t) -@@ -67,17 +66,7 @@ sysnet_read_config(gift_t) - # giftui looks in .icons, .themes. - userdom_dontaudit_read_user_home_content_files(gift_t) +-miscfiles_read_localization(fetchmail_t) + miscfiles_read_generic_certs(fetchmail_t) --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(gift_t) -- fs_manage_nfs_files(gift_t) -- fs_manage_nfs_symlinks(gift_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(gift_t) -- fs_manage_cifs_files(gift_t) -- fs_manage_cifs_symlinks(gift_t) --') -+userdom_home_manager(gift_t) + userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) + userdom_search_user_home_dirs(fetchmail_t) optional_policy(` - nscd_socket_use(gift_t) -@@ -106,7 +95,6 @@ kernel_read_system_state(giftd_t) - kernel_read_kernel_sysctls(giftd_t) ++ kerberos_use(fetchmail_t) ++') ++ ++optional_policy(` + procmail_domtrans(fetchmail_t) + ') - # Serve content on various p2p networks. Ports can be random. 
--corenet_all_recvfrom_unlabeled(giftd_t) - corenet_all_recvfrom_netlabel(giftd_t) - corenet_tcp_sendrecv_generic_if(giftd_t) - corenet_udp_sendrecv_generic_if(giftd_t) -@@ -125,20 +113,8 @@ files_read_usr_files(giftd_t) - # Read /etc/mtab - files_read_etc_runtime_files(giftd_t) +diff --git a/finger.te b/finger.te +index af4b6d7..92245bf 100644 +--- a/finger.te ++++ b/finger.te +@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) + kernel_read_kernel_sysctls(fingerd_t) + kernel_read_system_state(fingerd_t) + +-corenet_all_recvfrom_unlabeled(fingerd_t) + corenet_all_recvfrom_netlabel(fingerd_t) + corenet_tcp_sendrecv_generic_if(fingerd_t) + corenet_tcp_sendrecv_generic_node(fingerd_t) +@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t) + domain_use_interactive_fds(fingerd_t) --miscfiles_read_localization(giftd_t) + files_read_etc_runtime_files(fingerd_t) ++files_search_home(fingerd_t) - sysnet_read_config(giftd_t) + fs_getattr_all_fs(fingerd_t) + fs_search_auto_mountpoints(fingerd_t) +@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t) + term_getattr_all_ptys(fingerd_t) --userdom_use_user_terminals(giftd_t) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(giftd_t) -- fs_manage_nfs_files(giftd_t) -- fs_manage_nfs_symlinks(giftd_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(giftd_t) -- fs_manage_cifs_files(giftd_t) -- fs_manage_cifs_symlinks(giftd_t) --') -+userdom_use_inherited_user_terminals(giftd_t) -+userdom_home_manager(gitd_t) -diff --git a/git.fc b/git.fc -index 13e72a7..a4dc0b9 100644 ---- a/git.fc -+++ b/git.fc -@@ -1,11 +1,15 @@ - HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) + auth_read_lastlog(fingerd_t) ++auth_use_nsswitch(fingerd_t) -+/srv/git(/.*)? 
gen_context(system_u:object_r:git_sys_content_t,s0) -+ - /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + init_read_utmp(fingerd_t) + init_dontaudit_write_utmp(fingerd_t) +@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t) - /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) + mta_getattr_spool(fingerd_t) - /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) +-miscfiles_read_localization(fingerd_t) ++sysnet_read_config(fingerd_t) - /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) - /var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) - /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -diff --git a/git.if b/git.if -index b0242d9..407e79d 100644 ---- a/git.if -+++ b/git.if -@@ -15,9 +15,9 @@ - ## - ## - # --template(`git_role',` -+template(`git_session_role',` - gen_require(` -- type git_session_t, gitd_exec_t, git_user_content_t; -+ type git_session_t, gitd_exec_t; - ') + userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - ######################################## -@@ -32,19 +32,495 @@ template(`git_role',` - # Policy - # +diff --git a/firewalld.fc b/firewalld.fc +index 21d7b84..0e272bd 100644 +--- a/firewalld.fc ++++ b/firewalld.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) -- manage_dirs_pattern($2, git_user_content_t, git_user_content_t) -- relabel_dirs_pattern($2, git_user_content_t, git_user_content_t) -- -- exec_files_pattern($2, git_user_content_t, git_user_content_t) -- manage_files_pattern($2, git_user_content_t, git_user_content_t) -- 
relabel_files_pattern($2, git_user_content_t, git_user_content_t) -- -- allow $2 git_session_t:process { ptrace signal_perms }; -+ allow $2 git_session_t:process signal_perms; - ps_process_pattern($2, git_session_t) + /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) +diff --git a/firewalld.if b/firewalld.if +index 5cf6ac6..839999e 100644 +--- a/firewalld.if ++++ b/firewalld.if +@@ -2,6 +2,66 @@ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 git_session_t:process ptrace; -+ ') -+ - tunable_policy(`git_session_users',` - domtrans_pattern($2, gitd_exec_t, git_session_t) - ',` - can_exec($2, gitd_exec_t) - ') - ') -+ -+######################################## -+## -+## Create a set of derived types for Git -+## daemon shared repository content. -+## -+## -+## -+## The prefix to be used for deriving type names. -+## -+## -+# -+template(`git_content_template',` -+ gen_require(` -+ attribute git_system_content, git_content; -+ ') -+ -+ ######################################## -+ # -+ # Git daemon content shared declarations. -+ # -+ -+ type git_$1_content_t, git_system_content, git_content; -+ files_type(git_$1_content_t) -+') -+ -+######################################## -+## -+## Create a set of derived types for Git -+## daemon shared repository roles. -+## -+## -+## -+## The prefix to be used for deriving type names. -+## -+## -+# -+template(`git_role_template',` -+ gen_require(` -+ class context contains; -+ role system_r; -+ ') -+ -+ ######################################## -+ # -+ # Git daemon role shared declarations. -+ # -+ -+ attribute $1_usertype; -+ -+ type $1_t; -+ userdom_unpriv_usertype($1, $1_t) -+ domain_type($1_t) -+ -+ role $1_r types $1_t; -+ allow system_r $1_r; -+ -+ ######################################## -+ # -+ # Git daemon role shared policy. 
-+ # -+ -+ allow $1_t self:context contains; -+ allow $1_t self:fifo_file rw_fifo_file_perms; -+ -+ corecmd_exec_bin($1_t) -+ corecmd_bin_entry_type($1_t) -+ corecmd_shell_entry_type($1_t) -+ -+ domain_interactive_fd($1_t) -+ domain_user_exemption_target($1_t) -+ -+ kernel_read_system_state($1_t) -+ -+ files_read_etc_files($1_t) -+ files_dontaudit_search_home($1_t) -+ -+ -+ git_rwx_generic_system_content($1_t) -+ -+ ssh_rw_stream_sockets($1_t) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_exec_cifs_files($1_t) -+ fs_manage_cifs_dirs($1_t) -+ fs_manage_cifs_files($1_t) -+ ') -+ -+ tunable_policy(`git_system_use_nfs',` -+ fs_exec_nfs_files($1_t) -+ fs_manage_nfs_dirs($1_t) -+ fs_manage_nfs_files($1_t) -+ ') -+ -+ optional_policy(` -+ nscd_read_pid($1_t) -+ ') -+') -+ -+####################################### -+## -+## Allow specified domain access to the -+## specified Git daemon content. + ######################################## + ## ++## Execute a domain transition to run firewalld. +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type of the object that access is allowed to. -+## -+## -+# -+interface(`git_content_delegation',` -+ gen_require(` -+ type $1, $2; -+ ') -+ -+ exec_files_pattern($1, $2, $2) -+ manage_dirs_pattern($1, $2, $2) -+ manage_files_pattern($1, $2, $2) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_exec_cifs_files($1) -+ fs_manage_cifs_dirs($1) -+ fs_manage_cifs_files($1) -+ ') -+ -+ tunable_policy(`git_system_use_nfs',` -+ fs_exec_nfs_files($1) -+ fs_manage_nfs_dirs($1) -+ fs_manage_nfs_files($1) -+ ') -+') -+ -+######################################## +## -+## Allow the specified domain to manage -+## and execute all Git daemon content. -+## -+## -+## +## Domain allowed access. 
-+## ++## +## +# -+interface(`git_rwx_all_content',` ++interface(`firewalld_domtrans',` + gen_require(` -+ attribute git_content; -+ ') -+ -+ exec_files_pattern($1, git_content, git_content) -+ manage_dirs_pattern($1, git_content, git_content) -+ manage_files_pattern($1, git_content, git_content) -+ userdom_search_user_home_dirs($1) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_exec_cifs_files($1) -+ fs_manage_cifs_dirs($1) -+ fs_manage_cifs_files($1) ++ type firewalld_t, firewalld_exec_t; + ') + -+ tunable_policy(`git_system_use_nfs',` -+ fs_exec_nfs_files($1) -+ fs_manage_nfs_dirs($1) -+ fs_manage_nfs_files($1) -+ ') ++ domtrans_pattern($1, firewalld_exec_t, firewalld_t) +') + ++ +######################################## +## -+## Allow the specified domain to manage -+## and execute all Git daemon system content. ++## Execute firewalld server in the firewalld domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`git_rwx_all_system_content',` ++interface(`firewalld_initrc_domtrans',` + gen_require(` -+ attribute git_system_content; -+ ') -+ -+ exec_files_pattern($1, git_system_content, git_system_content) -+ manage_dirs_pattern($1, git_system_content, git_system_content) -+ manage_files_pattern($1, git_system_content, git_system_content) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_exec_cifs_files($1) -+ fs_manage_cifs_dirs($1) -+ fs_manage_cifs_files($1) ++ type firewalld_initrc_exec_t; + ') + -+ tunable_policy(`git_system_use_nfs',` -+ fs_exec_nfs_files($1) -+ fs_manage_nfs_dirs($1) -+ fs_manage_nfs_files($1) -+ ') ++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t) +') + +######################################## +## -+## Allow the specified domain to manage -+## and execute Git daemon generic system content. ++## Execute firewalld server in the firewalld domain. +## +## +## -+## Domain allowed access. 
++## Domain allowed to transition. +## +## +# -+interface(`git_rwx_generic_system_content',` ++interface(`firewalld_systemctl',` + gen_require(` -+ type git_sys_content_t; ++ type firewalld_t; ++ type firewalld_unit_file_t; + ') + -+ exec_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ manage_dirs_pattern($1, git_sys_content_t, git_sys_content_t) -+ manage_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_exec_cifs_files($1) -+ fs_manage_cifs_dirs($1) -+ fs_manage_cifs_files($1) -+ ') ++ systemd_exec_systemctl($1) ++ allow $1 firewalld_unit_file_t:file read_file_perms; ++ allow $1 firewalld_unit_file_t:service manage_service_perms; + -+ tunable_policy(`git_system_use_nfs',` -+ fs_exec_nfs_files($1) -+ fs_manage_nfs_dirs($1) -+ fs_manage_nfs_files($1) -+ ') ++ ps_process_pattern($1, firewalld_t) +') + +######################################## +## -+## Allow the specified domain to read -+## all Git daemon content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_read_all_content_files',` -+ gen_require(` -+ attribute git_content; + ## Send and receive messages from + ## firewalld over dbus. + ## +@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',` + + ######################################## + ## +-## All of the rules required to +-## administrate an firewalld environment. 
++## All of the rules required to administrate ++## an firewalld environment + ## + ## + ## +@@ -45,10 +105,14 @@ interface(`firewalld_admin',` + type firewalld_var_log_t; + ') + +- allow $1 firewalld_t:process { ptrace signal_perms }; ++ allow $1 firewalld_t:process signal_perms; + ps_process_pattern($1, firewalld_t) + +- init_labeled_script_domtrans($1, firewalld_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 firewalld_t:process ptrace; + ') + -+ list_dirs_pattern($1, git_content, git_content) -+ read_files_pattern($1, git_content, git_content) -+ userdom_search_user_home_dirs($1) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_list_cifs($1) -+ fs_read_cifs_files($1) -+ ') ++ firewalld_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 firewalld_initrc_exec_t system_r; + allow $2 system_r; +@@ -59,6 +123,9 @@ interface(`firewalld_admin',` + logging_search_logs($1) + admin_pattern($1, firewalld_var_log_t) + +- files_search_etc($1) + admin_pattern($1, firewall_etc_rw_t) + -+ tunable_policy(`git_system_use_nfs',` -+ fs_list_nfs($1) -+ fs_read_nfs_files($1) -+ ') -+') ++ admin_pattern($1, firewalld_unit_file_t) ++ firewalld_systemctl($1) ++ allow $1 firewalld_unit_file_t:service all_service_perms; + ') +diff --git a/firewalld.te b/firewalld.te +index c8014f8..646818a 100644 +--- a/firewalld.te ++++ b/firewalld.te +@@ -21,6 +21,9 @@ logging_log_file(firewalld_var_log_t) + type firewalld_var_run_t; + files_pid_file(firewalld_var_run_t) + ++type firewalld_unit_file_t; ++systemd_unit_file(firewalld_unit_file_t) + -+######################################## + ######################################## + # + # Local policy +@@ -42,6 +45,7 @@ logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) + + manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) + files_pid_filetrans(firewalld_t, firewalld_var_run_t, file) ++can_exec(firewalld_t, firewalld_var_run_t) + + 
kernel_read_network_state(firewalld_t)
+ kernel_read_system_state(firewalld_t)
+@@ -53,20 +57,17 @@ dev_read_urand(firewalld_t)
+
+ domain_use_interactive_fds(firewalld_t)
+
+-files_read_etc_files(firewalld_t)
+-files_read_usr_files(firewalld_t)
++files_dontaudit_access_check_tmp(firewalld_t)
+ files_dontaudit_list_tmp(firewalld_t)
+
+ fs_getattr_xattr_fs(firewalld_t)
++fs_dontaudit_all_access_check(firewalld_t)
+
+-logging_send_syslog_msg(firewalld_t)
+-
+-miscfiles_read_localization(firewalld_t)
++auth_use_nsswitch(firewalld_t)
+
+-seutil_exec_setfiles(firewalld_t)
+-seutil_read_file_contexts(firewalld_t)
++logging_send_syslog_msg(firewalld_t)
+
+-sysnet_read_config(firewalld_t)
++sysnet_dns_name_resolve(firewalld_t)
+
+ optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+diff --git a/firewallgui.if b/firewallgui.if
+index e6866d1..941f4ef 100644
+--- a/firewallgui.if
++++ b/firewallgui.if
+@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
+ type firewallgui_t;
+ ')
+
+- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+diff --git a/firewallgui.te b/firewallgui.te
+index c5ceab1..0d9c1ce 100644
+--- a/firewallgui.te
++++ b/firewallgui.te
+@@ -36,8 +36,11 @@ corecmd_exec_shell(firewallgui_t)
+ dev_read_sysfs(firewallgui_t)
+ dev_read_urand(firewallgui_t)
+
+-files_list_kernel_modules(firewallgui_t)
++files_manage_system_conf_files(firewallgui_t)
++files_etc_filetrans_system_conf(firewallgui_t)
+ files_read_usr_files(firewallgui_t)
++files_search_kernel_modules(firewallgui_t)
++files_list_kernel_modules(firewallgui_t)
+
+ auth_use_nsswitch(firewallgui_t)
+
+@@ -60,12 +63,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- gnome_read_generic_gconf_home_content(firewallgui_t)
++ gnome_read_gconf_home_files(firewallgui_t)
+ ')
+
+ optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
++
iptables_systemctl(firewallgui_t) + ') + + optional_policy(` +diff --git a/firstboot.fc b/firstboot.fc +index 12c782c..ba614e4 100644 +--- a/firstboot.fc ++++ b/firstboot.fc +@@ -1,5 +1,3 @@ +-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) ++/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) + +-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) +- +-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) ++/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) +diff --git a/firstboot.if b/firstboot.if +index 280f875..f3a67c9 100644 +--- a/firstboot.if ++++ b/firstboot.if +@@ -1,4 +1,7 @@ +-## Initial system configuration utility. +## -+## Allow the specified domain to read -+## Git daemon session content files. ++## Final system configuration run during the first boot ++## after installation of Red Hat/Fedora systems. +## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_read_session_content_files',` -+ gen_require(` -+ type git_user_content_t; -+ ') -+ -+ list_dirs_pattern($1, git_user_content_t, git_user_content_t) -+ read_files_pattern($1, git_user_content_t, git_user_content_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+####################################### -+## -+## Dontaudit the specified domain to read -+## Git daemon session content files. + + ######################################## + ## +@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',` + type firstboot_t, firstboot_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, firstboot_exec_t, firstboot_t) + ') + + ######################################## + ## +-## Execute firstboot in the firstboot +-## domain, and allow the specified role +-## the firstboot domain. ++## Execute firstboot in the firstboot domain, and ++## allow the specified role the firstboot domain. 
+ ## + ## + ## +@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',` + # + interface(`firstboot_run',` + gen_require(` +- attribute_role firstboot_roles; ++ type firstboot_t; + ') + + firstboot_domtrans($1) +- roleattribute $2 firstboot_roles; ++ role $2 types firstboot_t; + ') + + ######################################## + ## +-## Inherit and use firstboot file descriptors. ++## Inherit and use a file descriptor from firstboot. + ## + ## + ## +@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## firstboot file descriptors. ++## Do not audit attempts to inherit a ++## file descriptor from firstboot. + ## + ## + ## +@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',` + + ######################################## + ## +-## Write firstboot unnamed pipes. ++## dontaudit read and write an leaked file descriptors +## +## +## 
@@ -22720,364 +21345,782 @@ index b0242d9..407e79d 100644 +## +## +# -+interface(`git_dontaudit_read_session_content_files',` ++interface(`firstboot_dontaudit_leaks',` + gen_require(` -+ type git_user_content_t; ++ type firstboot_t; + ') + -+ dontaudit $1 git_user_content_t:file read_file_perms; ++ dontaudit $1 firstboot_t:socket_class_set { read write }; ++ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Allow the specified domain to read -+## all Git daemon system content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_read_all_system_content_files',` -+ gen_require(` -+ attribute git_system_content; -+ ') -+ -+ list_dirs_pattern($1, git_system_content, git_system_content) -+ read_files_pattern($1, git_system_content, git_system_content) -+ files_search_var_lib($1) -+ -+ tunable_policy(`git_system_use_cifs',` -+ fs_list_cifs($1) -+ fs_read_cifs_files($1) -+ ') ++## Write to a firstboot unnamed pipe. + ## + ## + ## +@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',` + type firstboot_t; + ') + ++ allow $1 firstboot_t:fd use; + allow $1 firstboot_t:fifo_file write; + ') + + ######################################## + ## +-## Read and Write firstboot unnamed pipes. ++## Read and Write to a firstboot unnamed pipe. + ## + ## + ## +@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',` + + ######################################## + ## +-## Do not audit attemps to read and +-## write firstboot unnamed pipes. ++## Do not audit attemps to read and write to a firstboot unnamed pipe. + ## + ## + ## +@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',` + + ######################################## + ## +-## Do not audit attemps to read and +-## write firstboot unix domain +-## stream sockets. ++## Do not audit attemps to read and write to a firstboot ++## unix domain stream socket. 
+ ##
+ ##
+ ##
+diff --git a/firstboot.te b/firstboot.te
+index c12c067..0647c46 100644
+--- a/firstboot.te
++++ b/firstboot.te
+@@ -1,7 +1,7 @@
+-policy_module(firstboot, 1.12.3)
++policy_module(firstboot, 1.12.0)
+
+ gen_require(`
+- class passwd { passwd chfn chsh rootok };
++ class passwd { passwd chfn chsh rootok crontab };
+ ')
+
+ ########################################
+@@ -9,17 +9,12 @@ gen_require(`
+ # Declarations
+ #
+
+-attribute_role firstboot_roles;
+-
+ type firstboot_t;
+ type firstboot_exec_t;
+ init_system_domain(firstboot_t, firstboot_exec_t)
+ domain_obj_id_change_exemption(firstboot_t)
+ domain_subj_id_change_exemption(firstboot_t)
+-role firstboot_roles types firstboot_t;
+-
+-type firstboot_initrc_exec_t;
+-init_script_file(firstboot_initrc_exec_t)
++role system_r types firstboot_t;
+
+ type firstboot_etc_t;
+ files_config_file(firstboot_etc_t)
+@@ -32,18 +27,36 @@ files_config_file(firstboot_etc_t)
+ allow firstboot_t self:capability { dac_override setgid };
+ allow firstboot_t self:process setfscreate;
+ allow firstboot_t self:fifo_file rw_fifo_file_perms;
+-allow firstboot_t self:tcp_socket { accept listen };
++allow firstboot_t self:tcp_socket create_stream_socket_perms;
++allow firstboot_t self:unix_stream_socket { connect create };
+ allow firstboot_t self:passwd { rootok passwd chfn chsh };
+
+ allow firstboot_t firstboot_etc_t:file read_file_perms;
+
++files_manage_generic_tmp_dirs(firstboot_t)
++files_manage_generic_tmp_files(firstboot_t)
+
-+ tunable_policy(`git_system_use_nfs',`
-+ fs_list_nfs($1)
-+ fs_read_nfs_files($1)
-+ ')
-+')
+ kernel_read_system_state(firstboot_t)
+ kernel_read_kernel_sysctls(firstboot_t)
+
+-corecmd_exec_all_executables(firstboot_t)
++corenet_all_recvfrom_netlabel(firstboot_t)
++corenet_tcp_sendrecv_generic_if(firstboot_t)
++corenet_tcp_sendrecv_generic_node(firstboot_t)
++corenet_tcp_sendrecv_all_ports(firstboot_t)
+
+ dev_read_urand(firstboot_t)
+
++selinux_get_fs_mount(firstboot_t)
++selinux_validate_context(firstboot_t) ++selinux_compute_access_vector(firstboot_t) ++selinux_compute_create_context(firstboot_t) ++selinux_compute_relabel_context(firstboot_t) ++selinux_compute_user_contexts(firstboot_t) + -+######################################## -+## -+## Allow the specified domain to read -+## Git daemon generic system content files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_read_generic_system_content_files',` -+ gen_require(` -+ type git_sys_content_t; -+ ') ++auth_dontaudit_getattr_shadow(firstboot_t) + -+ list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) -+ read_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ files_search_var_lib($1) ++corecmd_exec_all_executables(firstboot_t) + -+ tunable_policy(`git_system_use_cifs',` -+ fs_list_cifs($1) -+ fs_read_cifs_files($1) -+ ') + files_exec_etc_files(firstboot_t) + files_manage_etc_files(firstboot_t) + files_manage_etc_runtime_files(firstboot_t) +@@ -54,15 +67,6 @@ files_manage_var_symlinks(firstboot_t) + files_create_boot_flag(firstboot_t) + files_delete_boot_flag(firstboot_t) + +-selinux_get_fs_mount(firstboot_t) +-selinux_validate_context(firstboot_t) +-selinux_compute_access_vector(firstboot_t) +-selinux_compute_create_context(firstboot_t) +-selinux_compute_relabel_context(firstboot_t) +-selinux_compute_user_contexts(firstboot_t) +- +-auth_dontaudit_getattr_shadow(firstboot_t) +- + init_domtrans_script(firstboot_t) + init_rw_utmp(firstboot_t) + +@@ -73,11 +77,11 @@ locallogin_use_fds(firstboot_t) + + logging_send_syslog_msg(firstboot_t) + +-miscfiles_read_localization(firstboot_t) +- + sysnet_dns_name_resolve(firstboot_t) + +-userdom_use_user_terminals(firstboot_t) ++userdom_use_inherited_user_terminals(firstboot_t) + -+ tunable_policy(`git_system_use_nfs',` -+ fs_list_nfs($1) -+ fs_read_nfs_files($1) -+ ') ++# Add/remove user home directories + 
userdom_manage_user_home_content_dirs(firstboot_t) + userdom_manage_user_home_content_files(firstboot_t) + userdom_manage_user_home_content_symlinks(firstboot_t) +@@ -102,20 +106,18 @@ optional_policy(` + ') + + optional_policy(` +- nis_use_ypbind(firstboot_t) +-') +- +-optional_policy(` + samba_rw_config(firstboot_t) + ') + + optional_policy(` + unconfined_domtrans(firstboot_t) +- unconfined_domain(firstboot_t) ++ # The big hammer ++ unconfined_domain_noaudit(firstboot_t) + ') + + optional_policy(` +- gnome_manage_generic_home_content(firstboot_t) ++ gnome_admin_home_gconf_filetrans(firstboot_t, dir) ++ gnome_manage_config(firstboot_t) + ') + + optional_policy(` +diff --git a/fprintd.te b/fprintd.te +index c81b6e8..5794a7b 100644 +--- a/fprintd.te ++++ b/fprintd.te +@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t) + dev_read_sysfs(fprintd_t) + dev_rw_generic_usb_dev(fprintd_t) + +-files_read_usr_files(fprintd_t) +- + fs_getattr_all_fs(fprintd_t) + + auth_use_nsswitch(fprintd_t) + +-miscfiles_read_localization(fprintd_t) +- + userdom_use_user_ptys(fprintd_t) + userdom_read_all_users_state(fprintd_t) + +@@ -55,7 +51,17 @@ optional_policy(` + ') + + optional_policy(` +- policykit_domtrans_auth(fprintd_t) ++ dbus_system_domain(fprintd_t, fprintd_exec_t) +') + -+######################################## -+## -+## Allow the specified domain to relabel -+## all Git daemon content. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`git_relabel_all_content',` -+ gen_require(` -+ attribute git_content; -+ ') -+ -+ relabel_dirs_pattern($1, git_content, git_content) -+ relabel_files_pattern($1, git_content, git_content) -+ userdom_search_user_home_dirs($1) -+ files_search_var_lib($1) ++optional_policy(` + policykit_read_reload(fprintd_t) + policykit_read_lib(fprintd_t) ++ policykit_dbus_chat(fprintd_t) ++ policykit_domtrans_auth(fprintd_t) ++ policykit_dbus_chat_auth(fprintd_t) +') + -+######################################## ++optional_policy(` ++ xserver_read_state_xdm(fprintd_t) + ') +diff --git a/ftp.fc b/ftp.fc +index ddb75c1..44f74e6 100644 +--- a/ftp.fc ++++ b/ftp.fc +@@ -1,5 +1,8 @@ + /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) + ++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ + /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + + /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +diff --git a/ftp.if b/ftp.if +index d062080..e098a40 100644 +--- a/ftp.if ++++ b/ftp.if +@@ -1,5 +1,66 @@ + ## File transfer protocol service. + ++###################################### +## -+## Allow the specified domain to relabel -+## all Git daemon system content. ++## Execute a domain transition to run ftpd. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. 
++## +## +# -+interface(`git_relabel_all_system_content',` -+ gen_require(` -+ attribute git_system_content; -+ ') ++interface(`ftp_domtrans',` ++ gen_require(` ++ type ftpd_t, ftpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,ftpd_exec_t, ftpd_t) + -+ relabel_dirs_pattern($1, git_system_content, git_system_content) -+ relabel_files_pattern($1, git_system_content, git_system_content) -+ files_search_var_lib($1) +') + -+######################################## ++####################################### +## -+## Allow the specified domain to relabel -+## Git daemon generic system content. ++## Execute ftpd server in the ftpd domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`git_relabel_generic_system_content',` -+ gen_require(` -+ type git_sys_content_t; -+ ') ++interface(`ftp_initrc_domtrans',` ++ gen_require(` ++ type ftpd_initrc_exec_t; ++ ') + -+ relabel_dirs_pattern($1, git_sys_content_t, git_sys_content_t) -+ relabel_files_pattern($1, git_sys_content_t, git_sys_content_t) -+ files_search_var_lib($1) ++ init_labeled_script_domtrans($1, ftpd_initrc_exec_t) +') + +######################################## +## -+## Allow the specified domain to relabel -+## Git daemon session content. ++## Execute ftpd server in the ftpd domain. +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. 
+## +## +# -+interface(`git_relabel_session_content',` ++interface(`ftp_systemctl',` + gen_require(` -+ type git_user_content_t; ++ type ftpd_unit_file_t; ++ type ftpd_t; + ') + -+ relabel_dirs_pattern($1, git_user_content_t, git_user_content_t) -+ relabel_files_pattern($1, git_user_content_t, git_user_content_t) -+ userdom_search_user_home_dirs($1) ++ systemd_exec_systemctl($1) ++ allow $1 ftpd_unit_file_t:file read_file_perms; ++ allow $1 ftpd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ftpd_t) +') + -+######################################## -+## -+## Create Git user content with a -+## named file transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`git_filetrans_user_content',` -+ gen_require(` -+ type git_user_content_t; + ####################################### + ## + ## Execute a dyntransition to run anon sftpd. +@@ -178,8 +239,11 @@ interface(`ftp_admin',` + type ftpd_initrc_exec_t, ftpdctl_tmp_t; + ') + +- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; ++ allow $1 ftpd_t:process signal_perms; + ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process ptrace; + ') + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -203,5 +267,9 @@ interface(`ftp_admin',` + logging_list_logs($1) + admin_pattern($1, xferlog_t) + ++ ftp_systemctl($1) ++ admin_pattern($1, ftpd_unit_file_t) ++ allow $1 ftpd_unit_file_t:service all_service_perms; + -+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") -+') -diff --git a/git.te b/git.te -index 6e8e1f3..decdda3 100644 ---- a/git.te -+++ b/git.te -@@ -31,20 +31,21 @@ gen_tunable(git_cgi_use_nfs, false) + ftp_run_ftpdctl($1, $2) + ') +diff --git a/ftp.te b/ftp.te +index e50f33c..fd43185 100644 +--- a/ftp.te ++++ b/ftp.te +@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) + ## 
be labeled public_content_rw_t. + ##

    + ## +-gen_tunable(allow_ftpd_anon_write, false) ++gen_tunable(ftpd_anon_write, false) ## ##

    --## Determine whether calling user domains --## can execute Git daemon in the --## git_session_t domain. -+## Determine whether Git session daemon -+## can bind TCP sockets to all -+## unreserved ports. +@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false) + ## all files on the system, governed by DAC. ##

    ##
    --gen_tunable(git_session_users, false) -+gen_tunable(git_session_bind_all_unreserved_ports, false) +-gen_tunable(allow_ftpd_full_access, false) ++gen_tunable(ftpd_full_access, false) ## ##

    --## Determine whether Git session daemons --## can send syslog messages. -+## Determine whether calling user domains -+## can execute Git daemon in the -+## git_session_t domain. +@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false) + ## used for public file transfer services. ##

    ##
    --gen_tunable(git_session_send_syslog_msg, false) -+gen_tunable(git_session_users, false) +-gen_tunable(allow_ftpd_use_cifs, false) ++gen_tunable(ftpd_use_cifs, false) + + ## + ##

    +@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false) + ## used for public file transfer services. + ##

    + ##
    +-gen_tunable(allow_ftpd_use_nfs, false) ++gen_tunable(ftpd_use_nfs, false) ## ##

    -@@ -71,6 +72,10 @@ gen_tunable(git_system_use_cifs, false) - gen_tunable(git_system_use_nfs, false) +@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t) + type ftpd_initrc_exec_t; + init_script_file(ftpd_initrc_exec_t) + ++type ftpd_unit_file_t; ++systemd_unit_file(ftpd_unit_file_t) ++ + type ftpd_lock_t; + files_lock_file(ftpd_lock_t) + +@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; + allow ftpd_t ftpd_lock_t:file manage_file_perms; + files_lock_filetrans(ftpd_t, ftpd_lock_t, file) + ++manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) ++manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) ++ + manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) + manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) + + kernel_read_kernel_sysctls(ftpd_t) + kernel_read_system_state(ftpd_t) +-kernel_search_network_state(ftpd_t) ++kernel_read_network_state(ftpd_t) + + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) + + corecmd_exec_bin(ftpd_t) + +-corenet_all_recvfrom_unlabeled(ftpd_t) + corenet_all_recvfrom_netlabel(ftpd_t) + corenet_tcp_sendrecv_generic_if(ftpd_t) + corenet_udp_sendrecv_generic_if(ftpd_t) +@@ -223,6 +228,10 @@ corenet_tcp_bind_ftp_port(ftpd_t) + + corenet_sendrecv_ftp_data_server_packets(ftpd_t) + corenet_tcp_bind_ftp_data_port(ftpd_t) ++corenet_tcp_bind_generic_port(ftpd_t) ++corenet_tcp_bind_all_ephemeral_ports(ftpd_t) ++corenet_tcp_connect_all_ephemeral_ports(ftpd_t) ++corenet_sendrecv_ftp_server_packets(ftpd_t) + + domain_use_interactive_fds(ftpd_t) + +@@ -245,7 +254,6 @@ logging_send_audit_msgs(ftpd_t) + logging_send_syslog_msg(ftpd_t) + logging_set_loginuid(ftpd_t) + +-miscfiles_read_localization(ftpd_t) + miscfiles_read_public_files(ftpd_t) + + seutil_dontaudit_search_config(ftpd_t) +@@ -255,31 +263,39 @@ sysnet_use_ldap(ftpd_t) + userdom_dontaudit_use_unpriv_user_fds(ftpd_t) + 
userdom_dontaudit_search_user_home_dirs(ftpd_t) + +-tunable_policy(`allow_ftpd_anon_write',` ++tunable_policy(`ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_cifs',` ++tunable_policy(`ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) + ') - attribute git_daemon; -+attribute git_system_content; -+attribute git_content; +-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs',` ++tunable_policy(`ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_full_access',` ++tunable_policy(`ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; +- files_manage_non_auth_files(ftpd_t) ++ files_manage_non_security_files(ftpd_t) ++') ++ ++tunable_policy(`ftpd_use_passive_mode',` ++ corenet_tcp_bind_all_unreserved_ports(ftpd_t) ++') + -+role git_shell_r; ++tunable_policy(`ftpd_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(ftpd_t) + ') + + tunable_policy(`ftpd_use_passive_mode',` +@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',` + corenet_sendrecv_mssql_client_packets(ftpd_t) + corenet_tcp_connect_mssql_port(ftpd_t) + corenet_tcp_sendrecv_mssql_port(ftpd_t) +- corenet_sendrecv_oracledb_client_packets(ftpd_t) +- corenet_tcp_connect_oracledb_port(ftpd_t) +- corenet_tcp_sendrecv_oracledb_port(ftpd_t) ++ corenet_sendrecv_oracle_client_packets(ftpd_t) ++ corenet_tcp_connect_oracle_port(ftpd_t) ++ corenet_tcp_sendrecv_oracle_port(ftpd_t) + ') + + tunable_policy(`ftp_home_dir',` +@@ -360,7 +376,7 @@ optional_policy(` + selinux_validate_context(ftpd_t) - apache_content_template(git) + 
kerberos_keytab_template(ftpd, ftpd_t) +- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") + ') -@@ -79,13 +84,16 @@ type gitd_exec_t; - inetd_service_domain(git_system_t, gitd_exec_t) + optional_policy(` +@@ -410,6 +426,7 @@ optional_policy(` + # - type git_session_t, git_daemon; --userdom_user_application_domain(git_session_t, gitd_exec_t) -+application_domain(git_session_t, gitd_exec_t) -+ubac_constrained(git_session_t) + stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) ++files_search_pids(ftpdctl_t) --type git_sys_content_t; -+type git_sys_content_t, git_content, git_system_content; - files_type(git_sys_content_t) -+typealias git_sys_content_t alias { git_data_t git_system_content_t }; + allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) +@@ -417,7 +434,7 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + files_read_etc_files(ftpdctl_t) + files_search_pids(ftpdctl_t) --type git_user_content_t; -+type git_user_content_t, git_content; - userdom_user_home_content(git_user_content_t) -+typealias git_user_content_t alias git_session_content_t; +-userdom_use_user_terminals(ftpdctl_t) ++userdom_use_inherited_user_terminals(ftpdctl_t) ######################################## # -@@ -98,8 +106,9 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -441,6 +458,19 @@ files_read_etc_files(sftpd_t) + + userdom_read_user_home_content_files(sftpd_t) + userdom_read_user_home_content_symlinks(sftpd_t) ++userdom_dontaudit_list_admin_dir(sftpd_t) ++ ++tunable_policy(`sftpd_full_access',` ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ fs_read_noxattr_fs_files(sftpd_t) ++ files_manage_non_security_files(sftpd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`sftpd_write_ssh_home',` ++ ssh_manage_home_files(sftpd_t) ++ ') ++') + + 
tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+@@ -475,21 +505,11 @@ tunable_policy(`sftpd_anon_write',`
+ tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+- files_manage_non_auth_files(sftpd_t)
++ files_manage_non_security_files(sftpd_t)
+ ')
+
++userdom_home_reader(sftpd_t)
++
+ tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+ ')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs(sftpd_t)
+- fs_read_cifs_files(sftpd_t)
+- fs_read_cifs_symlinks(sftpd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs(sftpd_t)
+- fs_read_nfs_files(sftpd_t)
+- fs_read_nfs_symlinks(ftpd_t)
+-')
+diff --git a/games.te b/games.te
+index 572fb12..9c05eee 100644
+--- a/games.te
++++ b/games.te
+@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
+
+ logging_send_syslog_msg(games_srv_t)
+
+-miscfiles_read_localization(games_srv_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+ userdom_dontaudit_search_user_home_dirs(games_srv_t)
+@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
+
+ corecmd_exec_bin(games_t)
+
+-corenet_all_recvfrom_unlabeled(games_t)
+ corenet_all_recvfrom_netlabel(games_t)
+ corenet_tcp_sendrecv_generic_if(games_t)
+ corenet_tcp_sendrecv_generic_node(games_t)
+@@ -151,7 +148,6 @@ init_dontaudit_rw_utmp(games_t)
+ logging_dontaudit_search_logs(games_t)
+
+ miscfiles_read_man_pages(games_t)
+-miscfiles_read_localization(games_t)
+
+ sysnet_dns_name_resolve(games_t)
+
+@@ -161,7 +157,7 @@ userdom_manage_user_tmp_symlinks(games_t)
+ userdom_manage_user_tmp_sockets(games_t)
+ userdom_dontaudit_read_user_home_content_files(games_t)
+
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`', `
+ allow games_t self:process execmem;
+ ')
+
+diff --git a/gatekeeper.te b/gatekeeper.te
+index fc3b036..10a1bbe 100644
+--- a/gatekeeper.te
++++
b/gatekeeper.te +@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) + + corecmd_list_bin(gatekeeper_t) + +-corenet_all_recvfrom_unlabeled(gatekeeper_t) + corenet_all_recvfrom_netlabel(gatekeeper_t) + corenet_tcp_sendrecv_generic_if(gatekeeper_t) + corenet_udp_sendrecv_generic_if(gatekeeper_t) +@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t) + + domain_use_interactive_fds(gatekeeper_t) + +-files_read_etc_files(gatekeeper_t) +- + fs_getattr_all_fs(gatekeeper_t) + fs_search_auto_mountpoints(gatekeeper_t) + + logging_send_syslog_msg(gatekeeper_t) + +-miscfiles_read_localization(gatekeeper_t) +- + sysnet_read_config(gatekeeper_t) + + userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) +diff --git a/gift.te b/gift.te +index 395238e..af76abb 100644 +--- a/gift.te ++++ b/gift.te +@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) + + userdom_dontaudit_read_user_home_content_files(gift_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(gift_t) +- fs_manage_nfs_files(gift_t) +- fs_manage_nfs_symlinks(gift_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(gift_t) +- fs_manage_cifs_files(gift_t) +- fs_manage_cifs_symlinks(gift_t) +-') ++userdom_home_manager(gift_t) + + optional_policy(` + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) +@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t) + corenet_tcp_connect_all_ports(giftd_t) + + files_read_etc_runtime_files(giftd_t) +-files_read_usr_files(giftd_t) +- +-miscfiles_read_localization(giftd_t) + + sysnet_dns_name_resolve(giftd_t) + +-userdom_use_user_terminals(giftd_t) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(giftd_t) +- fs_manage_nfs_files(giftd_t) +- fs_manage_nfs_symlinks(giftd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(giftd_t) +- fs_manage_cifs_files(giftd_t) +- fs_manage_cifs_symlinks(giftd_t) +-') ++userdom_use_inherited_user_terminals(giftd_t) ++userdom_home_manager(gitd_t) +diff --git a/git.if 
b/git.if +index 1e29af1..9f159d1 100644 +--- a/git.if ++++ b/git.if +@@ -79,3 +79,21 @@ interface(`git_read_generic_sys_content_files',` + fs_read_nfs_files($1) + ') + ') ++ ++####################################### ++##

    ++## Create Git user content with a ++## named file transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`git_filetrans_user_content',` ++ gen_require(` ++ type git_user_content_t; ++ ') ++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git" ++') +diff --git a/git.te b/git.te +index 93b0301..8561970 100644 +--- a/git.te ++++ b/git.te +@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) + + ## + ##

    +-## Determine whether Git session daemons +-## can send syslog messages. +-##

    +-##
    +-gen_tunable(git_session_send_syslog_msg, false) +- +-## +-##

    + ## Determine whether Git system daemon + ## can search home directories. + ##

    +@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) +kernel_read_system_state(git_session_t) + corenet_all_recvfrom_netlabel(git_session_t) --corenet_all_recvfrom_unlabeled(git_session_t) + corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) - corenet_tcp_sendrecv_generic_if(git_session_t) - corenet_tcp_sendrecv_generic_node(git_session_t) -@@ -112,10 +121,13 @@ auth_use_nsswitch(git_session_t) - - userdom_use_user_terminals(git_session_t) +@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_tcp_sendrecv_all_ports(git_session_t) + ') -tunable_policy(`git_session_send_syslog_msg',` - logging_send_syslog_msg(git_session_t) -+tunable_policy(`git_session_bind_all_unreserved_ports',` -+ corenet_tcp_bind_all_unreserved_ports(git_session_t) -+ corenet_sendrecv_generic_server_packets(git_session_t) - ') - +-') +logging_send_syslog_msg(git_session_t) -+ - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(git_session_t) - ',` -@@ -133,10 +145,12 @@ tunable_policy(`use_samba_home_dirs',` - # Git system policy - # --list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) --read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) -+list_dirs_pattern(git_system_t, git_content, git_content) -+read_files_pattern(git_system_t, git_content, git_content) - files_search_var_lib(git_system_t) + tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(git_session_t) +@@ -157,6 +149,8 @@ tunable_policy(`use_samba_home_dirs',` + list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) + read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) +kernel_read_system_state(git_system_t) + - auth_use_nsswitch(git_system_t) - - logging_send_syslog_msg(git_system_t) -@@ -174,8 +188,8 @@ 
tunable_policy(`git_system_use_nfs',` - # Git CGI policy - # - --list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) --read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -+list_dirs_pattern(httpd_git_script_t, git_content, git_content) -+read_files_pattern(httpd_git_script_t, git_content, git_content) - files_search_var_lib(httpd_git_script_t) + files_search_var_lib(git_system_t) - files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) -@@ -217,12 +231,16 @@ tunable_policy(`git_cgi_use_nfs',` + auth_use_nsswitch(git_system_t) +@@ -255,12 +249,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; -kernel_read_system_state(git_daemon) -- - corecmd_exec_bin(git_daemon) ++#kernel_read_system_state(git_daemon) - files_read_usr_files(git_daemon) + corecmd_exec_bin(git_daemon) +-files_read_usr_files(git_daemon) +- fs_search_auto_mountpoints(git_daemon) -miscfiles_read_localization(git_daemon) -+ -+######################################## -+# -+# Git-shell private policy. -+# -+git_role_template(git_shell) -+gen_user(git_shell_u, user, git_shell_r, s0, s0) -diff --git a/gitosis.fc b/gitosis.fc -index 24f6441..4de3a6b 100644 ---- a/gitosis.fc -+++ b/gitosis.fc -@@ -6,4 +6,4 @@ ifdef(`distro_debian',` - /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) - - /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) --/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -+/var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/gitosis.te b/gitosis.te -index 0eb75f4..3607a5b 100644 +index 3194b76..d3acb1a 100644 --- a/gitosis.te +++ b/gitosis.te -@@ -5,6 +5,13 @@ policy_module(gitosis, 1.3.0) - # Declarations - # +@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) -+## -+##

    -+## Allow gitisis daemon to send mail -+##

    -+##
    -+gen_tunable(gitosis_can_sendmail, false) -+ - type gitosis_t; - type gitosis_exec_t; - application_domain(gitosis_t, gitosis_exec_t) -@@ -36,6 +43,11 @@ files_read_etc_files(gitosis_t) - files_read_usr_files(gitosis_t) + dev_read_urand(gitosis_t) + +-files_read_etc_files(gitosis_t) +-files_read_usr_files(gitosis_t) files_search_var_lib(gitosis_t) -miscfiles_read_localization(gitosis_t) - +- sysnet_read_config(gitosis_t) -+ -+corenet_tcp_bind_all_ports(gitosis_t) -+ -+tunable_policy(`gitosis_can_sendmail',` -+ mta_send_mail(gitosis_t) -+') + + tunable_policy(`gitosis_can_sendmail',` diff --git a/glance.if b/glance.if -index 7ff9d6d..b1c97f2 100644 +index 9eacb2c..229782f 100644 --- a/glance.if +++ b/glance.if -@@ -1,5 +1,27 @@ - ## policy for glance +@@ -1,5 +1,30 @@ + ## OpenStack image registry and delivery service. +####################################### +## @@ -23099,13 +22142,16 @@ index 7ff9d6d..b1c97f2 100644 + type $1_exec_t; + + kernel_read_system_state($1_t) ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_all_recvfrom_netlabel($1_t) +') + ######################################## ## - ## Transition to glance registry. -@@ -24,9 +46,9 @@ interface(`glance_domtrans_registry',` - ## Transition to glance api. + ## Execute a domain transition to +@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',` + ## run glance api. ## ## -## 
@@ -23116,22 +22162,27 @@ index 7ff9d6d..b1c97f2 100644 ## # interface(`glance_domtrans_api',` -@@ -238,6 +260,10 @@ interface(`glance_admin',` +@@ -242,8 +267,13 @@ interface(`glance_admin',` + type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; + ') - allow $1 glance_registry_t:process signal_perms; - ps_process_pattern($1, glance_registry_t) +- allow $1 { glance_api_t glance_registry_t }:process signal_perms; +- ps_process_pattern($1, { glance_api_t glance_registry_t }) ++ allow $1 glance_registry_t:process signal_perms; ++ ps_process_pattern($1, glance_registry_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 glance_registry_t:process ptrace; + allow $1 glance_api_t:process ptrace; + ') - allow $1 glance_api_t:process signal_perms; - ps_process_pattern($1, glance_api_t) + init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) + domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 4afb81f..efff577 100644 +index e0a4f46..8892bda 100644 --- a/glance.te +++ b/glance.te -@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0) +@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) attribute glance_domain; 
@@ -23154,94 +22205,99 @@ index 4afb81f..efff577 100644 init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) -kernel_read_system_state(glance_domain) - - corecmd_exec_bin(glance_domain) -+corecmd_exec_shell(glance_domain) +-corenet_all_recvfrom_unlabeled(glance_domain) +-corenet_all_recvfrom_netlabel(glance_domain) + corenet_tcp_sendrecv_generic_if(glance_domain) + corenet_tcp_sendrecv_generic_node(glance_domain) + corenet_tcp_sendrecv_all_ports(glance_domain) +@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) - files_read_etc_files(glance_domain) - files_read_usr_files(glance_domain) +-files_read_etc_files(glance_domain) +-files_read_usr_files(glance_domain) ++auth_read_passwd(glance_domain) + + libs_exec_ldconfig(glance_domain) -miscfiles_read_localization(glance_domain) -+auth_read_passwd(glance_domain) -+ -+libs_exec_ldconfig(glance_domain) -+ +- + sysnet_dns_name_resolve(glance_domain) - optional_policy(` - sysnet_dns_name_resolve(glance_domain) -@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm + ######################################## +@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) - files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) + files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) +manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) +manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, 
glance_registry_tmpfs_t) +fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file }) + - corenet_tcp_bind_generic_node(glance_registry_t) ++corenet_tcp_bind_generic_node(glance_registry_t) + corenet_sendrecv_glance_registry_server_packets(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) +corenet_tcp_connect_mysqld_port(glance_registry_t) +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) -+ -+logging_send_syslog_msg(glance_registry_t) -+ -+optional_policy(` -+ mysql_stream_connect(glance_registry_t) -+') - ######################################## - # -@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t) - corecmd_exec_shell(glance_api_t) + logging_send_syslog_msg(glance_registry_t) + +@@ -108,8 +109,12 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) + files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) + can_exec(glance_api_t, glance_tmp_t) - corenet_tcp_bind_generic_node(glance_api_t) +-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) +-corenet_tcp_bind_armtechdaemon_port(glance_api_t) ++corenet_tcp_bind_generic_node(glance_api_t) ++ +corenet_tcp_bind_glance_port(glance_api_t) - corenet_tcp_bind_hplip_port(glance_api_t) - corenet_tcp_connect_glance_registry_port(glance_api_t) ++corenet_tcp_connect_glance_registry_port(glance_api_t) ++ +corenet_tcp_connect_all_ephemeral_ports(glance_api_t) - dev_read_urand(glance_api_t) + corenet_sendrecv_hplip_server_packets(glance_api_t) + corenet_tcp_bind_hplip_port(glance_api_t) +@@ -118,3 +123,7 @@ corenet_sendrecv_glance_registry_client_packets(glance_api_t) + corenet_tcp_connect_glance_registry_port(glance_api_t) fs_getattr_xattr_fs(glance_api_t) - --libs_exec_ldconfig(glance_api_t) ++ +optional_policy(` + mysql_stream_connect(glance_api_t) +') diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..6418e39 +index 0000000..4bd6ade --- /dev/null +++ b/glusterd.fc 
@@ -0,0 +1,16 @@ ++/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + -+/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) ++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) + -+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0) -+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0) -+ -+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) ++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + -+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) + -+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) -+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) + ++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 0000000..e15bbb0 +index 0000000..1ed97fe --- /dev/null +++ b/glusterd.if -@@ -0,0 +1,146 @@ +@@ -0,0 +1,150 @@ + +## policy for glusterd + 
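Review bot: In glusterd.fc the management daemon `/usr/sbin/glusterd` is labeled `glusterd_initrc_exec_t`, a type glusterd.te declares with `init_script_file`, while only `/usr/sbin/glusterfsd` gets `glusterd_exec_t`; as far as the declarations show, glusterd itself will therefore run in the init-script domain when started by init and only the glusterfsd processes it spawns end up confined in glusterd_t. The upstream glusterfs.fc deleted further down used the same labeling, so it looks deliberate, but nothing in the file says so; a comment above the entry such as `# glusterd stays in the init script domain; only glusterfsd is confined as glusterd_t` would keep the next rebase from "fixing" it. If the intent is to confine glusterd as well, the entry needs `glusterd_exec_t` plus the matching rules in the .te. The .fc file is complete within this hunk.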
@@ -23368,12 +22424,16 @@ index 0000000..e15bbb0 + type glusterd_initrc_exec_t; + type glusterd_log_t; + type glusterd_tmp_t; -+ type glusterd_etc_t; ++ type glusterd_conf_t; + ') + -+ allow $1 glusterd_t:process { ptrace signal_perms }; ++ allow $1 glusterd_t:process { signal_perms }; + ps_process_pattern($1, glusterd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 glusterd_t:process ptrace; ++ ') ++ + glusterd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 glusterd_initrc_exec_t system_r; @@ -23384,17 +22444,17 @@ index 0000000..e15bbb0 + + admin_pattern($1, glusterd_tmp_t) + -+ admin_pattern($1, glusterd_etc_t) ++ admin_pattern($1, glusterd_conf_t) + +') + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..d35f2b0 +index 0000000..8f595f8 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,101 @@ -+policy_module(glusterd, 1.0.0) +@@ -0,0 +1,102 @@ ++policy_module(glusterfs, 1.0.1) + +######################################## +# @@ -23405,15 +22465,15 @@ index 0000000..d35f2b0 +type glusterd_exec_t; +init_daemon_domain(glusterd_t, glusterd_exec_t) + -+type glusterd_etc_t; -+files_type(glusterd_etc_t) -+ -+type glusterd_tmp_t; -+files_tmp_file(glusterd_tmp_t) ++type glusterd_conf_t; ++files_type(glusterd_conf_t) + +type glusterd_initrc_exec_t; +init_script_file(glusterd_initrc_exec_t) + ++type glusterd_tmp_t; ++files_tmp_file(glusterd_tmp_t) ++ +type glusterd_log_t; +logging_log_file(glusterd_log_t) + 
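Review bot: glusterd.te now opens with `policy_module(glusterfs, 1.0.1)` although the file, its types and the old patch's `policy_module(glusterd, 1.0.0)` are all named glusterd, so the built glusterd.pp will register under the module name "glusterfs" — the same name and version as the upstream glusterfs.te this patch deletes further down. If that is deliberate, so that the Fedora module replaces an already-installed upstream "glusterfs" on upgrade, a one-line comment above the declaration saying so would help, and it is worth checking that upgrade paths which compare versions accept an equal 1.0.1. If it is not deliberate, `policy_module(glusterd, 1.0.1)` keeps file name and module name consistent. The rest of the declarations block continues in the next hunk.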
@@ -23423,32 +22483,31 @@ index 0000000..d35f2b0 +type glusterd_var_lib_t; +files_type(glusterd_var_lib_t); + -+ +######################################## +# -+# glusterd local policy ++# Local policy +# + -+allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner }; ++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; +allow glusterd_t self:process { setrlimit signal }; -+allow glusterd_t self:capability sys_resource; -+ +allow glusterd_t self:fifo_file rw_fifo_file_perms; -+allow glusterd_t self:netlink_route_socket r_netlink_socket_perms; -+allow glusterd_t self:tcp_socket create_stream_socket_perms; -+allow glusterd_t self:udp_socket create_socket_perms; -+allow glusterd_t self:unix_stream_socket create_stream_socket_perms; -+allow glusterd_t self:unix_dgram_socket create_socket_perms; ++allow glusterd_t self:tcp_socket { accept listen }; ++allow glusterd_t self:unix_stream_socket { accept listen }; ++ ++manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) ++manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) ++files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs") + +manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) -+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) -+userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) ++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) + +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file }) ++append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++create_files_pattern(glusterd_t, glusterd_log_t, 
glusterd_log_t) ++setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++logging_log_filetrans(glusterd_t, glusterd_log_t, dir) + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) @@ -23456,11 +22515,7 @@ index 0000000..d35f2b0 + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t) -+manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t) -+files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs") ++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) + +can_exec(glusterd_t, glusterd_exec_t) + 
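Review bot: The new capability line `allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };` drops the net_bind_service the old patch granted, yet the same file still gives the domain `corenet_tcp_bind_all_reserved_ports(glusterd_t)` in the hunk that follows. Binding a port below 1024 needs CAP_NET_BIND_SERVICE, which SELinux checks as a self:capability permission, so unless glusterd only ever binds unreserved ports that bind rule is dead and you will see capability denials instead; either restore `net_bind_service` in the capability line or drop the reserved-port bind rule. The upstream glusterfs.te removed later in this patch has the same gap, so it is worth confirming against real audit logs rather than assuming upstream is right. `sys_admin` is the broadest capability in the list and deserves a why-comment of its own.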
@@ -23469,46 +22524,264 @@ index 0000000..d35f2b0 +corecmd_exec_bin(glusterd_t) +corecmd_exec_shell(glusterd_t) + -+domain_use_interactive_fds(glusterd_t) -+ ++corenet_all_recvfrom_unlabeled(glusterd_t) ++corenet_all_recvfrom_netlabel(glusterd_t) ++corenet_tcp_sendrecv_generic_if(glusterd_t) ++corenet_udp_sendrecv_generic_if(glusterd_t) ++corenet_tcp_sendrecv_generic_node(glusterd_t) ++corenet_udp_sendrecv_generic_node(glusterd_t) ++corenet_tcp_sendrecv_all_ports(glusterd_t) ++corenet_udp_sendrecv_all_ports(glusterd_t) +corenet_tcp_bind_generic_node(glusterd_t) -+corenet_tcp_bind_generic_port(glusterd_t) ++corenet_udp_bind_generic_node(glusterd_t) ++ ++# Too coarse? ++corenet_sendrecv_all_server_packets(glusterd_t) +corenet_tcp_bind_all_reserved_ports(glusterd_t) +corenet_udp_bind_all_rpc_ports(glusterd_t) -+corenet_tcp_connect_unreserved_ports(glusterd_t) -+corenet_udp_bind_generic_node(glusterd_t) +corenet_udp_bind_ipp_port(glusterd_t) + ++corenet_sendrecv_all_client_packets(glusterd_t) ++corenet_tcp_connect_all_unreserved_ports(glusterd_t) ++ +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) + -+files_read_usr_files(glusterd_t) -+files_rw_pid_dirs(glusterd_t) -+ -+# Why is this needed -+#files_manage_urandom_seed(glusterd_t) ++domain_use_interactive_fds(glusterd_t) + +auth_use_nsswitch(glusterd_t) + +logging_send_syslog_msg(glusterd_t) + -+sysnet_read_config(glusterd_t) ++miscfiles_read_localization(glusterd_t) + +userdom_manage_user_home_dirs(glusterd_t) +diff --git a/glusterfs.fc b/glusterfs.fc +deleted file mode 100644 +index 4bd6ade..0000000 +--- a/glusterfs.fc ++++ /dev/null +@@ -1,16 +0,0 @@ +-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +- +-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +-/etc/glusterd(/.*)? 
gen_context(system_u:object_r:glusterd_conf_t,s0) +- +-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +- +-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +- +-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +- +-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +diff --git a/glusterfs.if b/glusterfs.if +deleted file mode 100644 +index 05233c8..0000000 +--- a/glusterfs.if ++++ /dev/null +@@ -1,71 +0,0 @@ +-## Cluster File System binary, daemon and command line. +- +-######################################## +-## +-## All of the rules required to +-## administrate an glusterfs environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`glusterd_admin',` +- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.') +- glusterfs_admin($1, $2) +-') +- +-######################################## +-## +-## All of the rules required to +-## administrate an glusterfs environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-## +-# +-interface(`glusterfs_admin',` +- gen_require(` +- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; +- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; +- type glusterd_var_run_t; +- ') +- +- init_labeled_script_domtrans($1, glusterd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 glusterd_initrc_exec_t system_r; +- allow $2 system_r; +- +- allow $1 glusterd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, glusterd_t) +- +- files_search_etc($1) +- admin_pattern($1, glusterd_conf_t) +- +- logging_search_logs($1) +- admin_pattern($1, glusterd_log_t) +- +- files_search_tmp($1) +- admin_pattern($1, glusterd_tmp_t) +- +- files_search_var_lib($1) +- admin_pattern($1, glusterd_var_lib_t) +- +- files_search_pids($1) +- admin_pattern($1, glusterd_var_run_t) +-') +diff --git a/glusterfs.te b/glusterfs.te +deleted file mode 100644 +index fd02acc..0000000 +--- a/glusterfs.te ++++ /dev/null +@@ -1,102 +0,0 @@ +-policy_module(glusterfs, 1.0.1) +- +-######################################## +-# +-# Declarations +-# +- +-type glusterd_t; +-type glusterd_exec_t; +-init_daemon_domain(glusterd_t, glusterd_exec_t) +- +-type glusterd_conf_t; +-files_type(glusterd_conf_t) +- +-type glusterd_initrc_exec_t; +-init_script_file(glusterd_initrc_exec_t) +- +-type glusterd_tmp_t; +-files_tmp_file(glusterd_tmp_t) +- +-type glusterd_log_t; +-logging_log_file(glusterd_log_t) +- +-type glusterd_var_run_t; +-files_pid_file(glusterd_var_run_t) +- +-type glusterd_var_lib_t; +-files_type(glusterd_var_lib_t); +- +-######################################## +-# +-# Local policy +-# +- +-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner }; +-allow glusterd_t self:process { setrlimit signal }; +-allow glusterd_t self:fifo_file rw_fifo_file_perms; +-allow glusterd_t self:tcp_socket { accept listen }; +-allow glusterd_t self:unix_stream_socket { accept listen }; +- 
+-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) +-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) +-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir) +- +-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) +-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) +- +-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +-logging_log_filetrans(glusterd_t, glusterd_log_t, dir) +- +-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) +- +-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +- +-can_exec(glusterd_t, glusterd_exec_t) +- +-kernel_read_system_state(glusterd_t) +- +-corecmd_exec_bin(glusterd_t) +-corecmd_exec_shell(glusterd_t) +- +-corenet_all_recvfrom_unlabeled(glusterd_t) +-corenet_all_recvfrom_netlabel(glusterd_t) +-corenet_tcp_sendrecv_generic_if(glusterd_t) +-corenet_udp_sendrecv_generic_if(glusterd_t) +-corenet_tcp_sendrecv_generic_node(glusterd_t) +-corenet_udp_sendrecv_generic_node(glusterd_t) +-corenet_tcp_sendrecv_all_ports(glusterd_t) +-corenet_udp_sendrecv_all_ports(glusterd_t) +-corenet_tcp_bind_generic_node(glusterd_t) +-corenet_udp_bind_generic_node(glusterd_t) +- +-# Too coarse? 
+-corenet_sendrecv_all_server_packets(glusterd_t) +-corenet_tcp_bind_all_reserved_ports(glusterd_t) +-corenet_udp_bind_all_rpc_ports(glusterd_t) +-corenet_udp_bind_ipp_port(glusterd_t) +- +-corenet_sendrecv_all_client_packets(glusterd_t) +-corenet_tcp_connect_all_unreserved_ports(glusterd_t) +- +-dev_read_sysfs(glusterd_t) +-dev_read_urand(glusterd_t) +- +-domain_use_interactive_fds(glusterd_t) +- +-files_read_usr_files(glusterd_t) +- +-auth_use_nsswitch(glusterd_t) +- +-logging_send_syslog_msg(glusterd_t) +- +-miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index 00a19e3..52e5a3a 100644 +index e39de43..52e5a3a 100644 --- a/gnome.fc 
+++ b/gnome.fc -@@ -1,9 +1,57 @@ --HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +@@ -1,15 +1,57 @@ +-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) +-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) - HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) - HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ++HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) ++HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0) 
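Review bot: `userdom_manage_user_home_dirs(glusterd_t)` survives on the new side of glusterd.te, which, judging by the interface name, lets the storage daemon create and remove entries directly inside every user's home directory; the upstream glusterfs.te this hunk deletes grants nothing in home directories, and the patch's own `# Too coarse?` remark is attached to the network rules only. Bricks hosted under a home directory are a plausible reason, but the access should be opt-in: wrap the rule in a `tunable_policy` boolean that defaults to false, in the style of `gitosis_can_sendmail` earlier in this patch, and put the bricks-in-home rationale in the tunable's doc comment. As written a compromised glusterd_t process has that access on every host that loads the module. The glusterd.te body ends inside this hunk, so the change is self-contained.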
@@ -23522,7 +22795,8 @@ index 00a19e3..52e5a3a 100644 +HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) -+ + +-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) +/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) @@ -23542,16 +22816,17 @@ index 00a19e3..52e5a3a 100644 +/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) +/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) +/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) - - /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) ++ ++/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) + -+/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) -+ + /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) + +-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + @@ -23560,30 +22835,38 @@ index 00a19e3..52e5a3a 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) 
diff --git a/gnome.if b/gnome.if -index f5afe78..69577c7 100644 +index d03fd43..2d6e6bb 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,44 +1,1048 @@ - ## GNU network object model environment (GNOME) +@@ -1,123 +1,155 @@ +-## GNU network object model environment. ++## GNU network object model environment (GNOME) --############################################################ +-######################################## +########################################################### ## --## Role access for gnome +-## Role access for gnome. (Deprecated) +## Role access for gnome ## ## +-## +-## Role allowed access. +-## +## +## Role allowed access +## -+## -+## + ## + ## +-## +-## User domain for the role. +-## +## +## User domain for the role +## -+## -+# -+interface(`gnome_role',` + ## + # + interface(`gnome_role',` +- refpolicywarn(`$0($*) has been deprecated') + gen_require(` + type gconfd_t, gconfd_exec_t; + type gconf_tmp_t; 
@@ -23601,28 +22884,61 @@ index f5afe78..69577c7 100644 + #gnome_stream_connect_gconf_template($1, $2) + read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) + allow $2 gconfd_t:unix_stream_socket connectto; -+') -+ + ') + +-####################################### +###################################### -+## + ## +-## The role template for gnome. +## The role template for the gnome-keyring-daemon. -+## + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +## +## +## The user prefix. +## -+## -+## + ## + ## +-## +-## The role associated with the user domain. +-## +## +## The user role. +## -+## -+## + ## + ## +-## +-## The type of the user domain. +-## +## +## The user domain associated with the role. +## -+## -+# + ## + # +-template(`gnome_role_template',` +- gen_require(` +- attribute gnomedomain, gkeyringd_domain; +- attribute_role gconfd_roles; +- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; +- type gconfd_t, gconfd_exec_t, gconf_tmp_t; +- type gconf_home_t; +- ') +- +- ######################################## +- # +- # Gconf declarations +- # +- +- roleattribute $2 gconfd_roles; +- +- ######################################## +- # +- # Gkeyringd declarations +- # +interface(`gnome_role_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; 
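Review bot: The gnome_role body keeps the dead comment `#gnome_stream_connect_gconf_template($1, $2)` and then hand-copies the rules it stood for, `read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)` and `allow $2 gconfd_t:unix_stream_socket connectto;`, which are exactly the body of the `gnome_stream_connect_gconf` interface this same patch defines further down. Replacing the three lines with `gnome_stream_connect_gconf($2)` removes the stale comment and keeps the two copies from drifting the next time the gconf socket rules change; if nothing else in the body then uses gconf_tmp_t, the gen_require can drop it too. gnome_role's header and gen_require are in the previous hunk, outside this one.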
@@ -23631,48 +22947,80 @@ index f5afe78..69577c7 100644 + type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; + class dbus send_msg; + ') -+ -+ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; + + type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; +- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) + typealias $1_gkeyringd_t alias gkeyringd_$1_t; + application_domain($1_gkeyringd_t, gkeyringd_exec_t) + ubac_constrained($1_gkeyringd_t) -+ domain_user_exemption_target($1_gkeyringd_t) -+ + domain_user_exemption_target($1_gkeyringd_t) + +- role $2 types $1_gkeyringd_t; + userdom_home_manager($1_gkeyringd_t) -+ + +- ######################################## +- # +- # Gconf policy +- # + role $2 types $1_gkeyringd_t; -+ + +- domtrans_pattern($3, gconfd_exec_t, gconfd_t) + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -+ + +- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") +- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") + allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; + allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; -+ + +- allow $3 gconfd_t:process { ptrace signal_perms }; +- ps_process_pattern($3, gconfd_t) + allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; + allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; -+ + +- ######################################## +- # +- # Gkeyringd policy +- # + corecmd_bin_domtrans($1_gkeyringd_t, $1_t) + corecmd_shell_domtrans($1_gkeyringd_t, $1_t) + allow $1_gkeyringd_t $3:process sigkill; + allow $3 $1_gkeyringd_t:fd use; + allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; -+ + +- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + 
kernel_read_system_state($1_gkeyringd_t) -+ + +- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; +- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; + ps_process_pattern($1_gkeyringd_t, $3) -+ + +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") +- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") +- +- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") + auth_use_nsswitch($1_gkeyringd_t) -+ + +- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + logging_send_syslog_msg($1_gkeyringd_t) -+ -+ ps_process_pattern($3, $1_gkeyringd_t) + + ps_process_pattern($3, $1_gkeyringd_t) +- allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + allow $3 $1_gkeyringd_t:process signal_perms; + dontaudit $3 gkeyringd_exec_t:file entrypoint; -+ + +- corecmd_bin_domtrans($1_gkeyringd_t, $3) +- corecmd_shell_domtrans($1_gkeyringd_t, $3) +- +- gnome_stream_connect_gkeyringd($1, $3) + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) -+ + + allow $1_gkeyringd_t $3:dbus send_msg; + allow $3 $1_gkeyringd_t:dbus send_msg; -+ optional_policy(` + optional_policy(` +- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_bus_client($1_gkeyringd_t) + gnome_home_dir_filetrans($1_gkeyringd_t) @@ -23685,7 +23033,8 @@ index f5afe78..69577c7 100644 + ') + ') +') -+ + +- gnome_dbus_chat_gkeyringd($1, $3) +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. 
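Review bot: Inside gnome_role_gkeyringd the new side calls `corecmd_bin_domtrans($1_gkeyringd_t, $1_t)` and `corecmd_shell_domtrans($1_gkeyringd_t, $1_t)` while every other rule in the template addresses the user domain as `$3`, and the upstream lines being removed here passed `$3` as well. Nothing visible in the template's gen_require names `$1_t`, so the template silently depends on the caller's prefix mapping to a domain of that name; changing both calls to `$3` makes the interface honest and consistent with the rest of the body. Separately, `allow $1_gkeyringd_t $3:process sigkill;` lets the keyring daemon kill the user's own domain with no comment saying why, and a one-line why-comment there would help the next reader. The template starts in the previous hunk and its closing `')` lines are in the next one.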
@@ -23710,136 +23059,206 @@ index f5afe78..69577c7 100644 + gen_require(` + type $1_gkeyringd_t; + type gkeyringd_exec_t; -+ ') + ') + role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute gconf in the caller domain. +## gconf connection template. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -125,18 +157,18 @@ template(`gnome_role_template',` + ## + ## + # +-interface(`gnome_exec_gconf',` +interface(`gnome_stream_connect_gconf',` -+ gen_require(` + gen_require(` +- type gconfd_exec_t; + type gconfd_t, gconf_tmp_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- can_exec($1, gconfd_exec_t) + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read gconf configuration content. +## Connect to gkeyringd with a unix stream socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',` + ## + ## + # +-interface(`gnome_read_gconf_config',` +interface(`gnome_stream_connect_gkeyringd',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + attribute gkeyringd_domain; + type gkeyringd_tmp_t; + type gconf_tmp_t; + type cache_home_t; -+ ') -+ + ') + +- files_search_etc($1) +- allow $1 gconf_etc_t:dir list_dir_perms; +- allow $1 gconf_etc_t:file read_file_perms; +- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; + allow $1 gconf_tmp_t:dir search_dir_perms; + userdom_search_user_tmp_dirs($1) + stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) + stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read +-## inherited gconf configuration files. +## Run gconfd in gconfd domain. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`gnome_dontaudit_read_inherited_gconf_config_files',` +interface(`gnome_domtrans_gconfd',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + type gconfd_t, gconfd_exec_t; -+ ') -+ + ') + +- dontaudit $1 gconf_etc_t:file read; + domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+') -+ + ') + +-####################################### +######################################## -+## + ## +-## Create, read, write, and delete +-## gconf configuration content. +## Dontaudit read gnome homedir content (.config) -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`gnome_manage_gconf_config',` +interface(`gnome_dontaudit_read_config',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + attribute gnome_home_type; -+ ') -+ + ') + +- files_search_etc($1) +- allow $1 gconf_etc_t:dir manage_dir_perms; +- allow $1 gconf_etc_t:file manage_file_perms; +- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; + dontaudit $1 gnome_home_type:dir read_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to gconf using a unix +-## domain stream socket. +## Dontaudit search gnome homedir content (.config) -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`gnome_stream_connect_gconf',` +interface(`gnome_dontaudit_search_config',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconf_tmp_t; + attribute gnome_home_type; -+ ') -+ + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) + dontaudit $1 gnome_home_type:dir search_dir_perms; -+') + ') + + ######################################## + ## +-## Run gconfd in gconfd domain. ++## Dontaudit write gnome homedir content (.config) + ## + ## + ## +-## Domain allowed to transition. ++## Domain to not audit. + ## + ## + # +-interface(`gnome_domtrans_gconfd',` ++interface(`gnome_dontaudit_append_config_files',` + gen_require(` +- type gconfd_t, gconfd_exec_t; ++ attribute gnome_home_type; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ dontaudit $1 gnome_home_type:file append; + ') + + -+######################################## -+## + ######################################## + ## +-## Create generic gnome home directories. +## Dontaudit write gnome homedir content (.config) -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`gnome_create_generic_home_dirs',` +interface(`gnome_dontaudit_write_config_files',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + attribute gnome_home_type; -+ ') -+ + ') + +- allow $1 gnome_home_t:dir create_dir_perms; + dontaudit $1 gnome_home_type:file write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set attributes of generic gnome +-## user home directories. (Deprecated) +## manage gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',` + ## + ## + # +-interface(`gnome_setattr_config_dirs',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.') +- gnome_setattr_generic_home_dirs($1) +interface(`gnome_manage_config',` + gen_require(` + attribute gnome_home_type; 
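Review bot: The newly added interface `gnome_dontaudit_append_config_files` carries the summary `## Dontaudit write gnome homedir content (.config)`, the same text as the `gnome_dontaudit_write_config_files` interface that follows it, although its only rule is `dontaudit $1 gnome_home_type:file append;`. These summaries feed the generated interface documentation, so the header should read `## Dontaudit append gnome homedir content (.config)`. The rest of the hunk renames and rewrites neighbouring interfaces; only this header looks mismatched.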
@@ -23850,37 +23269,44 @@ index f5afe78..69577c7 100644 + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_type:sock_file manage_sock_file_perms; + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set attributes of generic gnome +-## user home directories. +## Send general signals to all gconf domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',` + ## + ## + # +-interface(`gnome_setattr_generic_home_dirs',` +interface(`gnome_signal_all',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + attribute gnomedomain; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + allow $1 gnomedomain:process signal; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic gnome user home content. (Deprecated) +## Create objects in a Gnome cache home directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. @@ -23896,7 +23322,10 @@ index f5afe78..69577c7 100644 +## The name of the object being created. +## +## -+# + # +-interface(`gnome_read_config',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.') +- gnome_read_generic_home_content($1) +interface(`gnome_cache_filetrans',` + gen_require(` + type cache_home_t; 
@@ -23904,19 +23333,20 @@ index f5afe78..69577c7 100644 + + filetrans_pattern($1, cache_home_t, $2, $3, $4) + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic gnome home content. +## Create objects in a Gnome cache home directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. @@ -23932,26 +23362,38 @@ index f5afe78..69577c7 100644 +## The name of the object being created. +## +## -+# + # +-interface(`gnome_read_generic_home_content',` +interface(`gnome_config_filetrans',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type config_home_t; -+ ') -+ + ') + + filetrans_pattern($1, config_home_t, $2, $3, $4) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir list_dir_perms; +- allow $1 gnome_home_t:file read_file_perms; +- allow $1 gnome_home_t:fifo_file read_fifo_file_perms; +- allow $1 gnome_home_t:lnk_file read_lnk_file_perms; +- allow $1 gnome_home_t:sock_file read_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gnome user home content. (Deprecated) +## Read generic cache home files (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',` + ## + ## + # +-interface(`gnome_manage_config',` +- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.') +- gnome_manage_generic_home_content($1) +interface(`gnome_read_generic_cache_files',` + gen_require(` + type cache_home_t; 
@@ -23959,186 +23401,258 @@ index f5afe78..69577c7 100644 + + read_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gnome home content. +## Set attributes of cache home dir (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -354,22 +422,18 @@ interface(`gnome_manage_config',` + ## + ## + # +-interface(`gnome_manage_generic_home_content',` +interface(`gnome_setattr_cache_home_dir',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type cache_home_t; -+ ') -+ + ') + + setattr_dirs_pattern($1, cache_home_t, cache_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## Manage cache home dir (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; +- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; +- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; +- allow $1 gnome_home_t:sock_file manage_sock_file_perms; + ') + + ######################################## + ## +-## Search generic gnome home directories. 
++## Manage cache home dir (.cache) + ## + ## + ## +@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',` + ## + ## + # +-interface(`gnome_search_generic_home',` +interface(`gnome_manage_cache_home_dir',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type cache_home_t; -+ ') -+ + ') + + manage_dirs_pattern($1, cache_home_t, cache_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + userdom_search_user_home_dirs($1) +- allow $1 gnome_home_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create objects in gnome user home +-## directories with a private type. +## append to generic cache home files (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Private file type. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`gnome_home_filetrans',` +interface(`gnome_append_generic_cache_files',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type cache_home_t; -+ ') -+ + ') + + append_files_pattern($1, cache_home_t, cache_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + userdom_search_user_home_dirs($1) +- filetrans_pattern($1, gnome_home_t, $2, $3, $4) + ') + + ######################################## + ## +-## Create generic gconf home directories. +## write to generic cache home files (.cache) -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',` + ## + ## + # +-interface(`gnome_create_generic_gconf_home_dirs',` +interface(`gnome_write_generic_cache_files',` -+ gen_require(` + gen_require(` +- type gconf_home_t; + type cache_home_t; -+ ') -+ + ') + +- allow $1 gconf_home_t:dir create_dir_perms; + write_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic gconf home content. +## Manage a sock_file in the generic cache home files (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -449,46 +498,36 @@ interface(`gnome_create_generic_gconf_home_dirs',` + ## + ## + # +-interface(`gnome_read_generic_gconf_home_content',` +interface(`gnome_manage_generic_cache_sockets',` -+ gen_require(` + gen_require(` +- type gconf_home_t; + type cache_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) + ') + + userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir list_dir_perms; +- allow $1 gconf_home_t:file read_file_perms; +- allow $1 gconf_home_t:fifo_file read_fifo_file_perms; +- allow $1 gconf_home_t:lnk_file read_lnk_file_perms; +- allow $1 gconf_home_t:sock_file read_sock_file_perms; + manage_sock_files_pattern($1, cache_home_t, cache_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic gconf home content. +## Dontaudit read/write to generic cache home files (.cache) -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`gnome_manage_generic_gconf_home_content',` +interface(`gnome_dontaudit_rw_generic_cache_files',` -+ gen_require(` + gen_require(` +- type gconf_home_t; + type cache_home_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir manage_dir_perms; +- allow $1 gconf_home_t:file manage_file_perms; +- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; +- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; +- allow $1 gconf_home_t:sock_file manage_sock_file_perms; + dontaudit $1 cache_home_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search generic gconf home directories. +## read gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -496,29 +535,35 @@ interface(`gnome_manage_generic_gconf_home_content',` + ## + ## + # +-interface(`gnome_search_generic_gconf_home',` +interface(`gnome_read_config',` -+ gen_require(` + gen_require(` +- type gconf_home_t; + attribute gnome_home_type; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir search_dir_perms; + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic gconf +-## home type. +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. +## +## -+## -+## + ## + ## +-## Class of the object being created. +## The class of the object to be created. 
-+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# + ## + ## + ## +@@ -527,62 +572,125 @@ interface(`gnome_search_generic_gconf_home',` + ## + ## + # +-interface(`gnome_home_filetrans_gconf_home',` +interface(`gnome_data_filetrans',` -+ gen_require(` + gen_require(` +- type gconf_home_t; + type data_home_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) + filetrans_pattern($1, data_home_t, $2, $3, $4) + gnome_search_gconf($1) -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Create objects in user home +-## directories with the generic gnome +-## home type. +## Read generic data home files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`gnome_read_generic_data_home_files',` + gen_require(` @@ -24171,10 +23685,12 @@ index f5afe78..69577c7 100644 +## Manage gconf data home files +## +## -+## + ## +-## Class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`gnome_manage_data',` + gen_require(` 
@@ -24193,32 +23709,39 @@ index f5afe78..69577c7 100644 +## Read icc data home content. +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`gnome_home_filetrans_gnome_home',` +interface(`gnome_read_home_icc_data_content',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type icc_data_home_t, gconf_home_t, data_home_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) + userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) + read_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in gnome gconf home +-## directories with a private type. +## Read inherited icc data home files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`gnome_read_inherited_home_icc_data_files',` + gen_require(` @@ -24233,63 +23756,86 @@ index f5afe78..69577c7 100644 +## Create gconf_home_t objects in the /root directory +##
    +## -+## + ## +-## Private file type. +## Domain allowed access. -+## -+## -+## -+## + ## + ## + ## + ## +-## Class of the object being created. +## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# + ## + ## + ## +@@ -591,65 +699,76 @@ interface(`gnome_home_filetrans_gnome_home',` + ##
    + ## + # +-interface(`gnome_gconf_home_filetrans',` +interface(`gnome_admin_home_gconf_filetrans',` -+ gen_require(` -+ type gconf_home_t; -+ ') -+ + gen_require(` + type gconf_home_t; + ') + +- userdom_search_user_home_dirs($1) +- filetrans_pattern($1, gconf_home_t, $2, $3, $4) + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic gnome keyring home files. +## Do not audit attempts to read +## inherited gconf config files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`gnome_read_keyring_home_files',` +interface(`gnome_dontaudit_read_inherited_gconf_config_files',` -+ gen_require(` + gen_require(` +- type gnome_home_t, gnome_keyring_home_t; + type gconf_etc_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) + dontaudit $1 gconf_etc_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Send and receive messages from +-## gnome keyring daemon over dbus. +## read gconf config files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_dbus_chat_gkeyringd',` +interface(`gnome_read_gconf_config',` -+ gen_require(` + gen_require(` +- type $1_gkeyringd_t; +- class dbus send_msg; + type gconf_etc_t; -+ ') -+ + ') + +- allow $2 $1_gkeyringd_t:dbus send_msg; +- allow $1_gkeyringd_t $2:dbus send_msg; + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) + files_search_etc($1) 
@@ -24312,58 +23858,82 @@ index f5afe78..69577c7 100644 + + allow $1 gconf_etc_t:dir list_dir_perms; + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Send and receive messages from all +-## gnome keyring daemon over dbus. +## Execute gconf programs in +## in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -657,46 +776,36 @@ interface(`gnome_dbus_chat_gkeyringd',` + ## + ## + # +-interface(`gnome_dbus_chat_all_gkeyringd',` +interface(`gnome_exec_gconf',` -+ gen_require(` + gen_require(` +- attribute gkeyringd_domain; +- class dbus send_msg; + type gconfd_exec_t; -+ ') -+ + ') + +- allow $1 gkeyringd_domain:dbus send_msg; +- allow gkeyringd_domain $1:dbus send_msg; + can_exec($1, gconfd_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to gnome keyring daemon +-## with a unix stream socket. +## Execute gnome keyringd in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_stream_connect_gkeyringd',` +interface(`gnome_exec_keyringd',` -+ gen_require(` + gen_require(` +- type $1_gkeyringd_t, gnome_keyring_tmp_t; + type gkeyringd_exec_t; -+ ') -+ + ') + +- files_search_tmp($2) +- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) + can_exec($1, gkeyringd_exec_t) + corecmd_search_bin($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to all gnome keyring daemon +-## with a unix stream socket. +## Read gconf home files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -704,12 +813,772 @@ interface(`gnome_stream_connect_gkeyringd',` + ## + ## + # +-interface(`gnome_stream_connect_all_gkeyringd',` +interface(`gnome_read_gconf_home_files',` -+ gen_require(` + gen_require(` +- attribute gkeyringd_domain; +- type gnome_keyring_tmp_t; + type gconf_home_t; + type data_home_t; + ') @@ -24390,9 +23960,10 @@ index f5afe78..69577c7 100644 +interface(`gnome_search_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) + ') + + files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_tmp_t:dir search_dir_perms; +') + @@ -24533,11 +24104,10 @@ index f5afe78..69577c7 100644 +## manage gconf home files +##
    +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_manage_gconf_home_files',` + gen_require(` @@ -24552,27 +24122,22 @@ index f5afe78..69577c7 100644 +## +## Connect to gnome over a unix stream socket. +## - ## - ## --## User domain for the role ++## ++## +## Domain allowed access. +## +## +## +## +## The type of the user domain. - ## - ## - # --interface(`gnome_role',` ++## ++## ++# +interface(`gnome_stream_connect',` - gen_require(` -- type gconfd_t, gconfd_exec_t; -- type gconf_tmp_t; ++ gen_require(` + attribute gnome_home_type; - ') - -- role $1 types gconfd_t; ++ ') ++ + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') @@ -24591,15 +24156,10 @@ index f5afe78..69577c7 100644 + gen_require(` + type config_home_t; + ') - -- domain_auto_trans($2, gconfd_exec_t, gconfd_t) -- allow gconfd_t $2:fd use; -- allow gconfd_t $2:fifo_file write; -- allow gconfd_t $2:unix_stream_socket connectto; ++ + allow $1 config_home_t:dir list_dir_perms; +') - -- ps_process_pattern($2, gconfd_t) ++ +######################################## +## +## Set attributes of gnome homedir content (.config) 
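Review bot: In `gnome_stream_connect` the comment `# Connect to pulseaudit server` does not describe the rule beneath it, `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)`, which lets `$1` connect to any unix stream socket labelled with the `gnome_home_type` attribute that is served by `$2`; "pulseaudit" also looks like a typo, presumably for pulseaudio. A comment stating the actual scope, e.g. `# connect to any gnome_home_type socket (presumably pulseaudio's) served by $2`, tells a reader how broad the grant is. The doc header's `The type of the user domain` for `$2` does match the pattern's last argument.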
@@ -24614,34 +24174,26 @@ index f5afe78..69577c7 100644 + gen_require(` + type config_home_t; + ') - -- #gnome_stream_connect_gconf_template($1, $2) -- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) -- allow $2 gconfd_t:unix_stream_socket connectto; ++ + setattr_dirs_pattern($1, config_home_t, config_home_t) + userdom_search_user_home_dirs($1) - ') - - ######################################## - ## --## Execute gconf programs in --## in the caller domain. ++') ++ ++######################################## ++## +## read gnome homedir content (.config) - ## - ## - ## -@@ -46,37 +1050,91 @@ interface(`gnome_role',` - ## - ## - # --interface(`gnome_exec_gconf',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_read_home_config',` - gen_require(` -- type gconfd_exec_t; ++ gen_require(` + type config_home_t; - ') - -- can_exec($1, gconfd_exec_t) ++ ') ++ + list_dirs_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) 
@@ -24681,36 +24233,28 @@ index f5afe78..69577c7 100644 + ') + + setattr_dirs_pattern($1, config_home_t, config_home_t) - ') - - ######################################## - ## --## Read gconf config files. ++') ++ ++######################################## ++## +## manage gnome homedir content (.config) - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_manage_home_config',` - gen_require(` -- type gconf_etc_t; ++ gen_require(` + type config_home_t; - ') - -- allow $1 gconf_etc_t:dir list_dir_perms; -- read_files_pattern($1, gconf_etc_t, gconf_etc_t) -- files_search_etc($1) ++ ') ++ + manage_files_pattern($1, config_home_t, config_home_t) - ') - - ####################################### - ## --## Create, read, write, and delete gconf config files. ++') ++ ++####################################### ++## +## delete gnome homedir content (.config) +## +## 
@@ -24730,46 +24274,36 @@ index f5afe78..69577c7 100644 +######################################## +## +## manage gnome homedir content (.config) - ## - ## - ## -@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',` - ## - ## - # --interface(`gnome_manage_gconf_config',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_manage_home_config_dirs',` - gen_require(` -- type gconf_etc_t; ++ gen_require(` + type config_home_t; - ') - -- manage_files_pattern($1, gconf_etc_t, gconf_etc_t) -- files_search_etc($1) ++ ') ++ + manage_dirs_pattern($1, config_home_t, config_home_t) - ') - - ######################################## - ## --## gconf connection template. ++') ++ ++######################################## ++## +## manage gstreamer home content files. - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_stream_connect_gconf',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_manage_gstreamer_home_files',` - gen_require(` -- type gconfd_t, gconf_tmp_t; ++ gen_require(` + type gstreamer_home_t; - ') - -- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) -- allow $1 gconfd_t:unix_stream_socket connectto; ++ ') ++ + manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) + manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) + gnome_filetrans_gstreamer_home_content($1) 
@@ -24843,33 +24377,28 @@ index f5afe78..69577c7 100644 + ') + + manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) - ') - - ######################################## - ## --## Run gconfd in gconfd domain. ++') ++ ++######################################## ++## +## Read/Write all inherited gnome home config - ## - ## - ## -@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',` - ## - ## - # --interface(`gnome_domtrans_gconfd',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_rw_inherited_config',` - gen_require(` -- type gconfd_t, gconfd_exec_t; ++ gen_require(` + attribute gnome_home_type; - ') - -- domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ ') ++ + allow $1 gnome_home_type:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Set attributes of Gnome config dirs. ++') ++ ++######################################## ++## +## Dontaudit Read/Write all inherited gnome home config +## +## 
@@ -24890,68 +24419,54 @@ index f5afe78..69577c7 100644 +## +## Send and receive messages from +## gconf system service over dbus. - ## - ## - ## -@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',` - ## - ## - # --interface(`gnome_setattr_config_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_dbus_chat_gconfdefault',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + type gconfdefaultsm_t; + class dbus send_msg; - ') - -- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -- files_search_home($1) ++ ') ++ + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; - ') - - ######################################## - ## --## Read gnome homedir content (.config) ++') ++ ++######################################## ++## +## Send and receive messages from +## gkeyringd over dbus. - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_dbus_chat_gkeyringd',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + attribute gkeyringd_domain; + class dbus send_msg; - ') - -- list_dirs_pattern($1, gnome_home_t, gnome_home_t) -- read_files_pattern($1, gnome_home_t, gnome_home_t) -- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) ++ ') ++ + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; - ') - - ######################################## - ## --## manage gnome homedir content (.config) ++') ++ ++######################################## ++## +## Send signull signal to gkeyringd processes. - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## - # --interface(`gnome_manage_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_signull_gkeyringd',` + gen_require(` + attribute gkeyringd_domain; 
@@ -24990,15 +24505,13 @@ index f5afe78..69577c7 100644 +## +# +interface(`gnome_home_dir_filetrans',` - gen_require(` - type gnome_home_t; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; ++ gen_require(` ++ type gnome_home_t; ++ ') ++ + userdom_user_home_dir_filetrans($1, gnome_home_t, dir) - userdom_search_user_home_dirs($1) - ') ++ userdom_search_user_home_dirs($1) ++') + +###################################### +## @@ -25188,15 +24701,23 @@ index f5afe78..69577c7 100644 + allow $2 gkeyringd_exec_t:file entrypoint; + domain_transition_pattern($1, gkeyringd_exec_t, $2) + type_transition $1 gkeyringd_exec_t:process $2; -+') + ') diff --git a/gnome.te b/gnome.te -index 783c5fb..7757943 100644 +index 20f726b..3a0a272 100644 --- a/gnome.te +++ b/gnome.te -@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0) +@@ -1,18 +1,36 @@ +-policy_module(gnome, 2.2.5) ++policy_module(gnome, 2.2.0) + + ############################## + # + # Declarations # +-attribute gkeyringd_domain; attribute gnomedomain; +-attribute_role gconfd_roles; +attribute gnome_home_type; +attribute gkeyringd_domain; @@ -25226,9 +24747,11 @@ index 783c5fb..7757943 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +@@ -29,107 +47,233 @@ type gconfd_exec_t; + typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) +-role gconfd_roles types gconfd_t; -type gnome_home_t; +type gnome_home_t, gnome_home_type; 
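Review bot: The rebased gnome.te hunk now replaces upstream's `policy_module(gnome, 2.2.5)` with `policy_module(gnome, 2.2.0)`, lowering a module version that upstream has already bumped. The previous version of the patch was generated against a 2.2.0 tree (its hunk header reads `@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)`) and left the version line untouched, so this looks like an artefact of the rebase rather than an intended change. Keeping upstream's line, `policy_module(gnome, 2.2.5)`, avoids shipping a module that reports an older version than the one it supersedes, which is what version-based update checks key on.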
@@ -25241,12 +24764,17 @@ index 783c5fb..7757943 100644 +type config_usr_t; +files_type(config_usr_t) + -+type gkeyringd_exec_t; + type gkeyringd_exec_t; +-application_executable_file(gkeyringd_exec_t) +corecmd_executable_file(gkeyringd_exec_t) -+ + +-type gnome_keyring_home_t; +-userdom_user_home_content(gnome_keyring_home_t) +type gkeyringd_gnome_home_t; +userdom_user_home_content(gkeyringd_gnome_home_t) -+ + +-type gnome_keyring_tmp_t; +-userdom_user_tmp_file(gnome_keyring_tmp_t) +type gkeyringd_tmp_t; +userdom_user_tmp_content(gkeyringd_tmp_t) + 
@@ -25257,37 +24785,83 @@ index 783c5fb..7757943 100644 +type gnomesystemmm_t; +type gnomesystemmm_exec_t; +init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) -+ + ############################## # - # Local Policy -@@ -57,7 +98,6 @@ dev_read_urand(gconfd_t) +-# Common local Policy ++# Local Policy + # - files_read_etc_files(gconfd_t) +-allow gnomedomain self:process { getsched signal }; +-allow gnomedomain self:fifo_file rw_fifo_file_perms; ++allow gconfd_t self:process getsched; ++allow gconfd_t self:fifo_file rw_fifo_file_perms; --miscfiles_read_localization(gconfd_t) +-dev_read_urand(gnomedomain) ++manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) ++manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) ++userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +-domain_use_interactive_fds(gnomedomain) ++manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) ++manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) ++userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) ++ ++allow gconfd_t gconf_etc_t:dir list_dir_perms; ++read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) ++ ++dev_read_urand(gconfd_t) ++ ++files_read_etc_files(gconfd_t) - logging_send_syslog_msg(gconfd_t) +-files_read_etc_files(gnomedomain) -@@ -73,3 +113,163 @@ optional_policy(` - xserver_use_xdm_fds(gconfd_t) - xserver_rw_xdm_pipes(gconfd_t) +-miscfiles_read_localization(gnomedomain) ++logging_send_syslog_msg(gconfd_t) + +-logging_send_syslog_msg(gnomedomain) ++userdom_manage_user_tmp_sockets(gconfd_t) ++userdom_manage_user_tmp_dirs(gconfd_t) ++userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + +-userdom_use_user_terminals(gnomedomain) ++optional_policy(` ++ nscd_dontaudit_search_pid(gconfd_t) ++') + + optional_policy(` +- xserver_rw_xdm_pipes(gnomedomain) +- xserver_use_xdm_fds(gnomedomain) ++ xserver_use_xdm_fds(gconfd_t) ++ xserver_rw_xdm_pipes(gconfd_t) ') -+ + +-############################## +####################################### -+# + # +-# Conf 
daemon local Policy +# gconf-defaults-mechanisms local policy -+# -+ + # + +-allow gconfd_t gconf_etc_t:dir list_dir_perms; +-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) +allow gconfdefaultsm_t self:capability { dac_override sys_nice }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; -+ + +-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) +corecmd_search_bin(gconfdefaultsm_t) -+ + +-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +files_read_etc_files(gconfdefaultsm_t) +files_read_usr_files(gconfdefaultsm_t) -+ + +-userdom_manage_user_tmp_dirs(gconfd_t) +-userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + +gnome_manage_gconf_home_files(gconfdefaultsm_t) +gnome_manage_gconf_config(gconfdefaultsm_t) @@ -25296,11 +24870,13 @@ index 783c5fb..7757943 100644 +userdom_search_user_home_dirs(gconfdefaultsm_t) + +userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) -+ -+optional_policy(` + + optional_policy(` +- nscd_dontaudit_search_pid(gconfd_t) + consolekit_dbus_chat(gconfdefaultsm_t) -+') -+ + ') + +-############################## +optional_policy(` + dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) +') @@ -25319,7 +24895,8 @@ index 783c5fb..7757943 100644 +userdom_home_manager(gconfdefaultsm_t) + +####################################### -+# + # +-# Keyring-daemon local policy +# gnome-system-monitor-mechanisms local policy +# + 
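Review bot: `allow gconfdefaultsm_t self:capability { dac_override sys_nice };` lets a system-bus service (it is given `dbus_system_domain` in the next hunk) bypass every file DAC check, and `userdom_home_manager(gconfdefaultsm_t)` in the hunk after that extends its reach from the gconf-specific content already covered by `gnome_manage_gconf_home_files`/`gnome_manage_gconf_config` to user home content generally, if that interface is as broad as its name suggests (its body is not in this patch). Where a privileged helper only has to traverse or read user-owned directories, `dac_read_search` is usually enough and `dac_override` can be dropped; an audit run with `dac_override` denied would show which of the two is actually exercised. Each of those two lines should at least carry a why-comment, e.g. `# dac_override: writes defaults into users' gconf trees as root - confirm dac_read_search is not sufficient`. The gconfd_t rules in this hunk are narrower than the removed `gnomedomain`-wide ones, which is an improvement.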
@@ -25376,55 +24953,73 @@ index 783c5fb..7757943 100644 +###################################### +# +# gnome-keyring-daemon local policy -+# -+ -+allow gkeyringd_domain self:capability ipc_lock; + # + + allow gkeyringd_domain self:capability ipc_lock; +-allow gkeyringd_domain self:process { getcap setcap }; +allow gkeyringd_domain self:process { getcap getsched setcap signal }; +allow gkeyringd_domain self:fifo_file rw_fifo_file_perms; -+allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; -+ + allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; + +-allow gkeyringd_domain gnome_home_t:dir create_dir_perms; +-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") +allow gkeyringd_domain config_home_t:file write; -+ + +-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) +-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") +manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) +manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) -+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir) -+ ++allow gkeyringd_domain data_home_t:dir create_dir_perms; ++allow gkeyringd_domain gconf_home_t:dir create_dir_perms; ++filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") ++filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") + +-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) +-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) 
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) -+ -+kernel_read_crypto_sysctls(gkeyringd_domain) -+ + +-kernel_read_system_state(gkeyringd_domain) + kernel_read_crypto_sysctls(gkeyringd_domain) + +corecmd_search_bin(gkeyringd_domain) + -+dev_read_rand(gkeyringd_domain) + dev_read_rand(gkeyringd_domain) +dev_read_urand(gkeyringd_domain) -+dev_read_sysfs(gkeyringd_domain) -+ + dev_read_sysfs(gkeyringd_domain) + +files_read_etc_files(gkeyringd_domain) -+files_read_usr_files(gkeyringd_domain) + files_read_usr_files(gkeyringd_domain) +# for nscd? +files_search_pids(gkeyringd_domain) -+ + +-fs_getattr_all_fs(gkeyringd_domain) +fs_getattr_xattr_fs(gkeyringd_domain) +fs_getattr_tmpfs(gkeyringd_domain) -+ -+userdom_user_home_dir_filetrans(gkeyringd_domain, gnome_home_t, dir) -+ -+optional_policy(` + +-selinux_getattr_fs(gkeyringd_domain) ++userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local") + + optional_policy(` +- ssh_read_user_home_files(gkeyringd_domain) + xserver_append_xdm_home_files(gkeyringd_domain) + xserver_read_xdm_home_files(gkeyringd_domain) + xserver_use_xdm_fds(gkeyringd_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- telepathy_mission_control_read_state(gkeyringd_domain) + gnome_read_home_config(gkeyringd_domain) + gnome_read_generic_cache_files(gkeyringd_domain) + gnome_write_generic_cache_files(gkeyringd_domain) + gnome_manage_cache_home_dir(gkeyringd_domain) + gnome_manage_generic_cache_sockets(gkeyringd_domain) -+') + ') + +optional_policy(` + ssh_read_user_home_files(gkeyringd_domain) @@ -25434,253 +25029,500 @@ index 783c5fb..7757943 100644 + +userdom_use_inherited_user_terminals(gnomedomain) diff --git a/gnomeclock.fc b/gnomeclock.fc -index 462de63..5d92f4e 100644 +index b687443..5d92f4e 100644 --- a/gnomeclock.fc 
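Review bot: The two name-based transitions `filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")` and `filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")` share source, target, class and name but name different result types; checkpolicy/libsepol normally reject such a pair as a conflicting filename type_transition, and even where a build tolerates it only one label can ever be applied to a `keyrings` directory created under gnome_home_t. One of the two lines should go, and the `gkeyringd_gnome_home_t` manage rules just above suggest that is the intended label. Separately, `allow gkeyringd_domain config_home_t:file write;` grants `write` without `open`, which only serves descriptors inherited from another process; if that is the intent a comment such as `# write on config_home_t fds inherited from the session` would explain it, otherwise a `write_files_pattern` on the right type is what is wanted.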
+++ b/gnomeclock.fc -@@ -1,2 +1,7 @@ +@@ -1,5 +1,7 @@ +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ + +-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --git a/gnomeclock.if b/gnomeclock.if -index 671d8fd..25c7ab8 100644 +index 3f55702..25c7ab8 100644 --- a/gnomeclock.if 
+++ b/gnomeclock.if -@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',` - allow $1 gnomeclock_t:dbus send_msg; - allow gnomeclock_t $1:dbus send_msg; +@@ -2,8 +2,7 @@ + + ######################################## + ## +-## Execute a domain transition to +-## run gnomeclock. ++## Execute a domain transition to run gnomeclock. + ## + ## + ## +@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',` + type gnomeclock_t, gnomeclock_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) ') -+ -+######################################## -+## + + ######################################## + ## +-## Execute gnomeclock in the gnomeclock +-## domain, and allow the specified +-## role the gnomeclock domain. ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. + ## + ## + ## +@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',` + # + interface(`gnomeclock_run',` + gen_require(` +- attribute_role gnomeclock_roles; ++ type gnomeclock_t; + ') + + gnomeclock_domtrans($1) +- roleattribute $2 gnomeclock_roles; ++ role $2 types gnomeclock_t; + ') + + ######################################## +@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',` + + ######################################## + ## +-## Do not audit attempts to send and +-## receive messages from gnomeclock +-## over dbus. +## Do not audit send and receive messages from +## gnomeclock over dbus. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`gnomeclock_dontaudit_dbus_chat',` -+ gen_require(` -+ type gnomeclock_t; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 gnomeclock_t:dbus send_msg; -+ dontaudit gnomeclock_t $1:dbus send_msg; -+') + ## + ## + ## diff --git a/gnomeclock.te b/gnomeclock.te -index 4fde46b..d58acfc 100644 +index 6d79eb5..d58acfc 100644 --- a/gnomeclock.te 
+++ b/gnomeclock.te -@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0) +@@ -1,86 +1,91 @@ +-policy_module(gnomeclock, 1.0.5) ++policy_module(gnomeclock, 1.0.0) + ######################################## + # + # Declarations + # + +-attribute_role gnomeclock_roles; +- type gnomeclock_t; type gnomeclock_exec_t; --dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +-init_system_domain(gnomeclock_t, gnomeclock_exec_t) +-role gnomeclock_roles types gnomeclock_t; +init_daemon_domain(gnomeclock_t, gnomeclock_exec_t) ######################################## # - # gnomeclock local policy +-# Local policy ++# gnomeclock local policy # --allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; --allow gnomeclock_t self:process { getattr getsched }; +-allow gnomeclock_t self:capability { sys_nice sys_time }; +allow gnomeclock_t self:capability { sys_nice sys_time dac_override }; -+allow gnomeclock_t self:process { getattr getsched signal }; + allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; - allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; +-allow gnomeclock_t self:unix_stream_socket { accept listen }; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; +allow gnomeclock_t self:unix_dgram_socket create_socket_perms; -+ -+kernel_read_system_state(gnomeclock_t) + + kernel_read_system_state(gnomeclock_t) corecmd_exec_bin(gnomeclock_t) -+corecmd_exec_shell(gnomeclock_t) + corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) -+ + +-corenet_all_recvfrom_unlabeled(gnomeclock_t) +-corenet_all_recvfrom_netlabel(gnomeclock_t) +-corenet_tcp_sendrecv_generic_if(gnomeclock_t) +-corenet_tcp_sendrecv_generic_node(gnomeclock_t) +- +-# tcp:37 (time) +-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) +-corenet_tcp_connect_inetd_child_port(gnomeclock_t) +-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t) 
+corenet_tcp_connect_time_port(gnomeclock_t) -+ -+dev_rw_realtime_clock(gnomeclock_t) + +-dev_read_sysfs(gnomeclock_t) +-dev_read_urand(gnomeclock_t) + dev_rw_realtime_clock(gnomeclock_t) +dev_read_urand(gnomeclock_t) +dev_write_kmsg(gnomeclock_t) +dev_read_sysfs(gnomeclock_t) --files_read_etc_files(gnomeclock_t) +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) -+fs_getattr_xattr_fs(gnomeclock_t) -+ + fs_getattr_xattr_fs(gnomeclock_t) + auth_use_nsswitch(gnomeclock_t) --clock_domtrans(gnomeclock_t) +init_dbus_chat(gnomeclock_t) + +logging_stream_connect_syslog(gnomeclock_t) -+logging_send_syslog_msg(gnomeclock_t) + logging_send_syslog_msg(gnomeclock_t) --miscfiles_read_localization(gnomeclock_t) +-miscfiles_etc_filetrans_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) - miscfiles_etc_filetrans_localization(gnomeclock_t) +-miscfiles_read_localization(gnomeclock_t) ++miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` +- chronyd_initrc_domtrans(gnomeclock_t) + chronyd_systemctl(gnomeclock_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + clock_read_adjtime(gnomeclock_t) -+ clock_domtrans(gnomeclock_t) -+') -+ -+optional_policy(` - consolekit_dbus_chat(gnomeclock_t) + clock_domtrans(gnomeclock_t) ') optional_policy(` -+ consoletype_exec(gnomeclock_t) +- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++ consolekit_dbus_chat(gnomeclock_t) +') + +optional_policy(` ++ consoletype_exec(gnomeclock_t) ++') + +- optional_policy(` +- consolekit_dbus_chat(gnomeclock_t) +- ') ++optional_policy(` +dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +') -+ + +- optional_policy(` +- policykit_dbus_chat(gnomeclock_t) +- ') +optional_policy(` + gnome_manage_usr_config(gnomeclock_t) + gnome_manage_home_config(gnomeclock_t) -+') -+ -+optional_policy(` -+ ntp_domtrans_ntpdate(gnomeclock_t) -+ ntp_initrc_domtrans(gnomeclock_t) + ') + + optional_policy(` + 
ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) + init_dontaudit_getattr_all_script_files(gnomeclock_t) + init_dontaudit_getattr_exec(gnomeclock_t) + ntp_systemctl(gnomeclock_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(gnomeclock_t) + ') + + optional_policy(` ++ policykit_dbus_chat(gnomeclock_t) policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) diff --git a/gpg.fc b/gpg.fc -index 5207fc2..c02fa56 100644 +index 888cd2c..c02fa56 100644 --- a/gpg.fc +++ b/gpg.fc -@@ -1,10 +1,13 @@ - HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) - +@@ -1,10 +1,14 @@ +-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) ++HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) ++HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) ++ +/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0) + +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) -+ + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) - /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) ++/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) --/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) ++/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) 
diff --git a/gpg.if b/gpg.if -index 6d50300..2f0feca 100644 +index 180f1b7..951b790 100644 --- a/gpg.if 
+++ b/gpg.if -@@ -54,15 +54,16 @@ interface(`gpg_role',` - manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) - relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) +@@ -2,57 +2,75 @@ -+ allow gpg_pinentry_t $2:fifo_file { read write }; + ############################################################ + ## +-## Role access for gpg. ++## Role access for gpg + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # + interface(`gpg_role',` + gen_require(` +- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; +- type gpg_t, gpg_exec_t, gpg_agent_t; +- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; +- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; ++ type gpg_t, gpg_exec_t; ++ type gpg_agent_t, gpg_agent_exec_t; ++ type gpg_agent_tmp_t; ++ type gpg_helper_t, gpg_pinentry_t; ++ type gpg_pinentry_tmp_t; + ') + +- roleattribute $1 gpg_roles; +- roleattribute $1 gpg_agent_roles; +- roleattribute $1 gpg_helper_roles; +- roleattribute $1 gpg_pinentry_roles; ++ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; + ++ # transition from the userdomain to the derived domain + domtrans_pattern($2, gpg_exec_t, gpg_t) +- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + +- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; +- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) ++ # allow ps to show gpg ++ ps_process_pattern($2, gpg_t) ++ allow $2 gpg_t:process { signull sigstop signal sigkill }; + +- allow gpg_pinentry_t $2:process signull; ++ # communicate with the user + allow gpg_helper_t $2:fd use; +- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; ++ allow gpg_helper_t $2:fifo_file write; ++ ++ # allow ps to show gpg-agent ++ ps_process_pattern($2, gpg_agent_t) + +- allow $2 { 
gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; +- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") +- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg") ++ # Allow the user shell to signal the gpg-agent program. ++ allow $2 gpg_agent_t:process { signal sigkill }; ++ ++ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) ++ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) ++ ++ # Transition from the user domain to the agent domain. ++ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) ++ ++ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + ++ allow gpg_pinentry_t $2:fifo_file { read write }; + optional_policy(` gpg_pinentry_dbus_chat($2) ') - ++ + allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; - ifdef(`hide_broken_symptoms',` - #Leaked File Descriptors -- dontaudit gpg_t $2:socket_class_set { getattr read write }; - dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; -- dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; - dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; - ') ++ ifdef(`hide_broken_symptoms',` ++ #Leaked File Descriptors ++ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; ++ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; ++ ') ') -@@ -85,13 +86,13 @@ interface(`gpg_domtrans',` + + ######################################## + ## +-## Execute the gpg in the gpg domain. 
++## Transition to a user gpg domain. + ## + ## + ## +@@ -65,13 +83,12 @@ interface(`gpg_domtrans',` + type gpg_t, gpg_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, gpg_exec_t, gpg_t) ') -######################################## +###################################### ## --## Execute the gpg application without transitioning +-## Execute the gpg in the caller domain. +## Execute gpg in the caller domain. ## ## ## --## Domain allowed to execute gpg -+## Domain allowed access. - ## - ## - # -@@ -100,9 +101,47 @@ interface(`gpg_exec',` - type gpg_exec_t; - ') - -+ corecmd_search_bin($1) +@@ -88,76 +105,46 @@ interface(`gpg_exec',` can_exec($1, gpg_exec_t) ') -+###################################### -+## +-######################################## +-## +-## Execute gpg in a specified domain. +-## +-## +-##

    +-## Execute gpg in a specified domain. +-##

    +-##

    +-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

    +-##
    +-## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Domain to transition to. +-## +-## +-# +-interface(`gpg_spec_domtrans',` +- gen_require(` +- type gpg_exec_t; +- ') +- +- corecmd_search_bin($1) +- domain_auto_trans($1, gpg_exec_t, $2) +-') +- + ###################################### + ## +-## Execute gpg in the gpg web domain. (Deprecated) +## Transition to a gpg web domain. -+## -+## + ##
    + ## +-## +-## Domain allowed to transition. +-## +## +## Domain allowed access. +## -+## -+# -+interface(`gpg_domtrans_web',` + ## + # + interface(`gpg_domtrans_web',` +- refpolicywarn(`$0($*) has been deprecated.') + gen_require(` + type gpg_web_t, gpg_exec_t; + ') + + domtrans_pattern($1, gpg_exec_t, gpg_web_t) -+') -+ -+###################################### -+## + ') + + ###################################### + ## +-## Make gpg executable files an +-## entrypoint for the specified domain. +## Make gpg an entrypoint for +## the specified domain. -+## -+## + ## + ## +-## +-## The domain for which gpg_exec_t is an entrypoint. +-## +## +## The domain for which cifs_t is an entrypoint. +## -+## -+# -+interface(`gpg_entry_type',` + ## + # + interface(`gpg_entry_type',` +- gen_require(` +- type gpg_exec_t; +- ') + gen_require(` + type gpg_exec_t; + ') -+ + +- domain_entry_file($1, gpg_exec_t) + domain_entry_file($1, gpg_exec_t) -+') -+ + ') + + ######################################## + ## +-## Send generic signals to gpg. ++## Send generic signals to user gpg processes. + ## + ## + ## +@@ -175,7 +162,7 @@ interface(`gpg_signal',` + + ######################################## + ## +-## Read and write gpg agent pipes. ++## Read and write GPG agent pipes. + ## + ## + ## +@@ -184,6 +171,7 @@ interface(`gpg_signal',` + ## + # + interface(`gpg_rw_agent_pipes',` ++ # Just wants read/write could this be a leak? + gen_require(` + type gpg_agent_t; + ') +@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',` + + ######################################## + ## +-## Send messages to and from gpg +-## pinentry over DBUS. ++## Send messages to and from GPG ++## Pinentry over DBUS. + ## + ## + ## +@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',` + ######################################## ## - ## Send generic signals to user gpg processes. -@@ -179,3 +218,21 @@ interface(`gpg_list_user_secrets',` +-## List gpg user secrets. ++## List Gnu Privacy Guard user secrets. 
+ ## + ## + ## +@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',` list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) userdom_search_user_home_dirs($1) ') ++########################### ++## ++## Allow to manage gpg named home content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_manage_home_content',` ++ gen_require(` ++ type gpg_secret_t; ++ ') + ++ manage_files_pattern($1, gpg_secret_t, gpg_secret_t) ++ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t) ++ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") ++') +######################################## +## +## Transition to gpg named home content @@ -25699,22 +25541,41 @@ index 6d50300..2f0feca 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 72a113e..29063e5 100644 +index 44cf341..29063e5 100644 --- a/gpg.te +++ b/gpg.te -@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0) +@@ -1,47 +1,47 @@ +-policy_module(gpg, 2.7.3) ++policy_module(gpg, 2.6.0) + + ######################################## # # Declarations # +attribute gpgdomain; ## - ##
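Review bot: In gpg.fc the rewritten entry `HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` drops the `-s` file-type qualifier that the replaced upstream line carried, so any object named `log-socket` under `~/.gnupg`, a regular file included, would be labeled `gpg_agent_tmp_t` instead of `gpg_secret_t` on relabel; keep the qualifier, `HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`. In gpg.if the parameter description of `gpg_entry_type` now reads `The domain for which cifs_t is an entrypoint.`, a copy-paste from another module; it should say `The domain for which gpg_exec_t is an entrypoint.` as the upstream text it replaces did. In gnomeclock.te, `dac_override` is added to gnomeclock_t's capabilities without a note on which operation needs it; `# dac_override: <reason> - check whether dac_read_search suffices` would help the next reader.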

    -@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0) +-##

    +-## Determine whether GPG agent can manage +-## generic user home content files. This is +-## required by the --write-env-file option. +-##

    ++##

    ++## Allow usage of the gpg-agent --write-env-file option. ++## This also allows gpg-agent to manage user files. ++##

    ##
    gen_tunable(gpg_agent_env_file, false) --type gpg_t; +-attribute_role gpg_roles; +-roleattribute system_r gpg_roles; +- +-attribute_role gpg_agent_roles; +- +-attribute_role gpg_helper_roles; +-roleattribute system_r gpg_helper_roles; +- +-attribute_role gpg_pinentry_roles; +## +##

    +## Allow gpg web domain to modify public files @@ -25722,21 +25583,24 @@ index 72a113e..29063e5 100644 +##

    +##
    +gen_tunable(gpg_web_anon_write, false) -+ + +-type gpg_t; +type gpg_t, gpgdomain; type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -userdom_user_application_domain(gpg_t, gpg_exec_t) +-role gpg_roles types gpg_t; +application_domain(gpg_t, gpg_exec_t) +ubac_constrained(gpg_t) - role system_r types gpg_t; ++role system_r types gpg_t; type gpg_agent_t; type gpg_agent_exec_t; typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; -userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) +-role gpg_agent_roles types gpg_agent_t; +application_domain(gpg_agent_t, gpg_agent_exec_t) +ubac_constrained(gpg_agent_t) @@ -25749,20 +25613,22 @@ index 72a113e..29063e5 100644 type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -40,32 +52,43 @@ type gpg_helper_t; +@@ -52,112 +52,112 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; -userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t) +-role gpg_helper_roles types gpg_helper_t; +application_domain(gpg_helper_t, gpg_helper_exec_t) +ubac_constrained(gpg_helper_t) - role system_r types gpg_helper_t; ++role system_r types gpg_helper_t; type gpg_pinentry_t; type pinentry_exec_t; typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; -userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t) +-role gpg_pinentry_roles types gpg_pinentry_t; +application_domain(gpg_pinentry_t, pinentry_exec_t) +ubac_constrained(gpg_pinentry_t) 
@@ -25775,7 +25641,10 @@ index 72a113e..29063e5 100644 -userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) -+ + +-optional_policy(` +- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) +-') +type gpg_web_t; +domain_type(gpg_web_t) +gpg_entry_type(gpg_web_t) 
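Review bot: `gpg_entry_type(gpg_web_t)` calls the gpg module's own interface from gpg.te, which refpolicy style discourages (interfaces exist for other modules; the defining module uses the underlying rule), so this should read `domain_entry_file(gpg_web_t, gpg_exec_t)`. The same hunk removes upstream's `optional_policy(` block around `pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)`; if that interface is absent from this tree the removal is required, but otherwise pinentry's tmpfs content loses the labeling upstream gives it, and a one-line comment on why it is dropped would save the next rebase the question.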
@@ -25783,33 +25652,44 @@ index 72a113e..29063e5 100644 ######################################## # - # GPG local policy +-# Local policy ++# GPG local policy # -allow gpg_t self:capability { ipc_lock setuid }; --# setrlimit is for ulimit -c 0 --allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid }; +-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; +-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; +-allow gpg_t self:fifo_file rw_fifo_file_perms; +-allow gpg_t self:tcp_socket { accept listen }; +allow gpgdomain self:capability { ipc_lock setuid }; +allow gpgdomain self:process { getsched setsched }; +#at setrlimit is for ulimit -c 0 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; +dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms; - --allow gpg_t self:fifo_file rw_fifo_file_perms; --allow gpg_t self:tcp_socket create_stream_socket_perms; ++ +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -@@ -77,16 +100,16 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - allow gpg_t gpg_secret_t:dir create_dir_perms; -+manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) ++ ++# transition from the gpg domain to the helper domain ++domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) ++ ++allow gpg_t gpg_secret_t:dir create_dir_perms; + manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) 
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +- +-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) +- +-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) +-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") kernel_read_sysctl(gpg_t) @@ -25820,25 +25700,44 @@ index 72a113e..29063e5 100644 -corenet_all_recvfrom_unlabeled(gpg_t) corenet_all_recvfrom_netlabel(gpg_t) corenet_tcp_sendrecv_generic_if(gpg_t) - corenet_udp_sendrecv_generic_if(gpg_t) -@@ -106,7 +129,6 @@ fs_list_inotifyfs(gpg_t) ++corenet_udp_sendrecv_generic_if(gpg_t) + corenet_tcp_sendrecv_generic_node(gpg_t) +- +-corenet_sendrecv_all_client_packets(gpg_t) +-corenet_tcp_connect_all_ports(gpg_t) ++corenet_udp_sendrecv_generic_node(gpg_t) + corenet_tcp_sendrecv_all_ports(gpg_t) ++corenet_udp_sendrecv_all_ports(gpg_t) ++corenet_tcp_connect_all_ports(gpg_t) ++corenet_sendrecv_all_client_packets(gpg_t) - domain_use_interactive_fds(gpg_t) +-dev_read_generic_usb_dev(gpg_t) + dev_read_rand(gpg_t) + dev_read_urand(gpg_t) +- +-files_read_usr_files(gpg_t) +-files_dontaudit_search_var(gpg_t) ++dev_read_generic_usb_dev(gpg_t) --files_read_etc_files(gpg_t) - files_read_usr_files(gpg_t) - files_dontaudit_search_var(gpg_t) + fs_getattr_xattr_fs(gpg_t) + fs_list_inotifyfs(gpg_t) + + domain_use_interactive_fds(gpg_t) -@@ -114,24 +136,23 @@ auth_use_nsswitch(gpg_t) ++files_read_usr_files(gpg_t) ++files_dontaudit_search_var(gpg_t) ++ + auth_use_nsswitch(gpg_t) logging_send_syslog_msg(gpg_t) -miscfiles_read_localization(gpg_t) - -userdom_use_user_terminals(gpg_t) -+userdom_use_inherited_user_terminals(gpg_t) - # sign/encrypt user files +- -userdom_manage_user_tmp_files(gpg_t) ++userdom_use_inherited_user_terminals(gpg_t) ++# sign/encrypt user files +userdom_manage_all_user_tmp_content(gpg_t) +#userdom_manage_user_home_content(gpg_t) userdom_manage_user_home_content_files(gpg_t) 
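Review bot: `allow gpgdomain self:capability { ipc_lock setuid };` moves capabilities that upstream granted only to `gpg_t` onto the `gpgdomain` attribute, so any type later declared with `gpgdomain` silently gains `setuid` and `ipc_lock` together with the process and socket rules that follow; in the declaration hunks above only `gpg_t` visibly carries the attribute, so either the attribute buys nothing yet or each future member needs reviewing against this line. A comment beside the declaration, `# gpgdomain: rules shared by gpg_t and <members>; note this grants setuid`, would make the scope explicit. The comment `+#at setrlimit is for ulimit -c 0` looks like a mangled `# setrlimit is for ulimit -c 0`. In the following hunk, `+#userdom_manage_user_home_content(gpg_t)` is commented-out policy that should be deleted rather than kept, and `userdom_manage_all_user_tmp_content(gpg_t)` widens upstream's `userdom_manage_user_tmp_files(gpg_t)` from files to all user tmp content, which deserves a why-comment.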
@@ -25846,39 +25745,49 @@ index 72a113e..29063e5 100644 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) +userdom_stream_connect(gpg_t) --mta_write_config(gpg_t) -+mta_manage_config(gpg_t) -+mta_read_spool(gpg_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') -+userdom_home_manager(gpg_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -+optional_policy(` +-') ++mta_manage_config(gpg_t) ++mta_read_spool(gpg_t) + +-optional_policy(` +- gnome_read_generic_home_content(gpg_t) +- gnome_stream_connect_all_gkeyringd(gpg_t) +-') ++userdom_home_manager(gpg_t) + + optional_policy(` +- mozilla_dontaudit_rw_user_home_files(gpg_t) + gnome_read_config(gpg_t) + gnome_stream_connect_gkeyringd(gpg_t) ') optional_policy(` -@@ -140,15 +161,19 @@ optional_policy(` +- mta_read_spool_files(gpg_t) +- mta_write_config(gpg_t) ++ mozilla_read_user_home_files(gpg_t) ++ mozilla_write_user_home_files(gpg_t) ') optional_policy(` -- xserver_use_xdm_fds(gpg_t) -- xserver_rw_xdm_pipes(gpg_t) -+ spamassassin_read_spamd_tmp_files(gpg_t) +@@ -165,37 +165,49 @@ optional_policy(` ') optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -+ xserver_use_xdm_fds(gpg_t) -+ xserver_rw_xdm_pipes(gpg_t) +-') +- +-optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) ') +#optional_policy(` 
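Review bot: The commented-out rule `+#userdom_manage_user_home_content(gpg_t)` next to `userdom_manage_user_home_content_files(gpg_t)` should be dropped or replaced by a comment stating why only the files interface is wanted; dead policy lines tend to get uncommented later without review. `++corenet_tcp_connect_all_ports(gpg_t)` and `++corenet_sendrecv_all_client_packets(gpg_t)` are re-added unconditionally although the removed context suggests upstream no longer carries them for gpg_t; a comment naming the use (keyserver access is the obvious candidate) or a tunable would document the all-ports reach of a domain that handles private keys. `+userdom_manage_all_user_tmp_content(gpg_t)` appears to replace the files-only `userdom_manage_user_tmp_files(gpg_t)` seen on the old side, which is a similar widening worth a line of justification.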
@@ -25888,21 +25797,40 @@ index 72a113e..29063e5 100644 + ######################################## # - # GPG helper local policy -@@ -166,7 +191,6 @@ allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; +-# Helper local policy ++# GPG helper local policy + # - dontaudit gpg_helper_t gpg_secret_t:file read; + allow gpg_helper_t self:process { getsched setsched }; ++ ++# for helper programs (which automatically fetch keys) ++# Note: this is only tested with the hkp interface. If you use eg the ++# mail interface you will likely need additional permissions. ++ + allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; ++allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; ++allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; ++dontaudit gpg_helper_t gpg_secret_t:file read; -corenet_all_recvfrom_unlabeled(gpg_helper_t) corenet_all_recvfrom_netlabel(gpg_helper_t) corenet_tcp_sendrecv_generic_if(gpg_helper_t) - corenet_raw_sendrecv_generic_if(gpg_helper_t) -@@ -180,11 +204,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t) - corenet_udp_bind_generic_node(gpg_helper_t) ++corenet_raw_sendrecv_generic_if(gpg_helper_t) ++corenet_udp_sendrecv_generic_if(gpg_helper_t) + corenet_tcp_sendrecv_generic_node(gpg_helper_t) ++corenet_udp_sendrecv_generic_node(gpg_helper_t) ++corenet_raw_sendrecv_generic_node(gpg_helper_t) + corenet_tcp_sendrecv_all_ports(gpg_helper_t) +- +-corenet_sendrecv_all_client_packets(gpg_helper_t) ++corenet_udp_sendrecv_all_ports(gpg_helper_t) ++corenet_tcp_bind_generic_node(gpg_helper_t) ++corenet_udp_bind_generic_node(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) --files_read_etc_files(gpg_helper_t) - ++ auth_use_nsswitch(gpg_helper_t) -userdom_use_user_terminals(gpg_helper_t) 
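Review bot: `++ mozilla_read_user_home_files(gpg_t)` and `++ mozilla_write_user_home_files(gpg_t)` turn what the removed upstream line `mozilla_dontaudit_rw_user_home_files(gpg_t)` only silenced into an allow, including write access to the user's browser profile; the optional_policy block should carry a comment naming the workflow that needs gpg to write there. The hunk ends on `+#optional_policy(`` which opens a commented-out block whose extent lies outside the hunk; commented-out policy should be removed rather than carried in the patch. `+userdom_home_manager(gpg_t)` replaces the two tunable_policy blocks for NFS and CIFS home directories removed above it, so the new rule set relies on that interface keeping those tunables inside; worth stating in a comment if that is the intent.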
@@ -25910,42 +25838,57 @@ index 72a113e..29063e5 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -198,15 +221,17 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +219,33 @@ tunable_policy(`use_samba_home_dirs',` + + ######################################## # - # GPG agent local policy +-# Agent local policy ++# GPG agent local policy # +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - # rlimit: gpg-agent wants to prevent coredumps ++# rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; - --allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -+manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -@@ -223,43 +248,34 @@ corecmd_read_bin_symlinks(gpg_agent_t) - corecmd_search_bin(gpg_agent_t) - corecmd_exec_shell(gpg_agent_t) ++# Allow the gpg-agent to manage its tmp files (socket) + manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") +- +-domtrans_pattern(gpg_agent_t, 
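Review bot: `++corenet_raw_sendrecv_generic_if(gpg_helper_t)` and `++corenet_raw_sendrecv_generic_node(gpg_helper_t)` grant raw-IP traffic to a helper whose own added comment says it is only tested with the hkp interface, and no `self:rawip_socket` rule appears in this hunk, so the two lines are either dead or need a comment naming the protocol that uses them. The new `self:tcp_socket` and `self:udp_socket` connect rules together with the context line `corenet_tcp_connect_all_ports(gpg_helper_t)` give the helper the same all-ports reach as gpg_t; if it only talks to keyservers, a port-specific interface would document that. The gpg_helper section continues outside the hunk.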
pinentry_exec_t, gpg_pinentry_t) +- +-kernel_dontaudit_search_sysctl(gpg_agent_t) ++# allow gpg to connect to the gpg agent ++stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) -+dev_read_rand(gpg_agent_t) - dev_read_urand(gpg_agent_t) ++corecmd_read_bin_symlinks(gpg_agent_t) ++corecmd_search_bin(gpg_agent_t) + corecmd_exec_shell(gpg_agent_t) - domain_use_interactive_fds(gpg_agent_t) + dev_read_rand(gpg_agent_t) +@@ -239,32 +255,27 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) -miscfiles_read_localization(gpg_agent_t) - # Write to the user domain tty. -userdom_use_user_terminals(gpg_agent_t) ++# Write to the user domain tty. +userdom_use_inherited_user_terminals(gpg_agent_t) - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) userdom_search_user_home_dirs(gpg_agent_t) ifdef(`hide_broken_symptoms',` @@ -25954,13 +25897,13 @@ index 72a113e..29063e5 100644 ') tunable_policy(`gpg_agent_env_file',` - # write ~/.gpg-agent-info or a similar to the users home dir - # or subdir (gpg-agent --write-env-file option) - # -- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) ++ # write ~/.gpg-agent-info or a similar to the users home dir ++ # or subdir (gpg-agent --write-env-file option) ++ # + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file }) userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) +- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) ') -tunable_policy(`use_nfs_home_dirs',` 
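Review bot: The comment `++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )` is added twice on the new side, and the second copy sits above `userdom_search_user_home_dirs(gpg_agent_t)`, which only grants directory search; that copy should say `# search the home directory to reach ~/.gnupg` or be dropped. `+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;` has a stray space before the semicolon. `+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` at the top of the agent section appears to duplicate the rule added in the gpg section by the `@@ -25783` hunk; one of the two should go.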
@@ -25978,39 +25921,71 @@ index 72a113e..29063e5 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -294,10 +310,10 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - # read /proc/meminfo +@@ -277,8 +288,17 @@ optional_policy(` + + allow gpg_pinentry_t self:process { getcap getsched setsched signal }; + allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; ++allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; + allow gpg_pinentry_t self:shm create_shm_perms; +-allow gpg_pinentry_t self:tcp_socket { accept listen }; ++allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; ++allow gpg_pinentry_t self:unix_dgram_socket sendto; ++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; ++ ++can_exec(gpg_pinentry_t, pinentry_exec_t) ++ ++# we need to allow gpg-agent to call pinentry so it can get the passphrase ++# from the user. ++domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + + manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) +@@ -287,53 +307,91 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) + manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) + fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + +-can_exec(gpg_pinentry_t, pinentry_exec_t) +- ++# read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) -+corecmd_exec_shell(gpg_pinentry_t) + corecmd_exec_shell(gpg_pinentry_t) corecmd_exec_bin(gpg_pinentry_t) corenet_all_recvfrom_netlabel(gpg_pinentry_t) -corenet_all_recvfrom_unlabeled(gpg_pinentry_t) - corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) - corenet_tcp_bind_generic_node(gpg_pinentry_t) - corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) -@@ -310,7 +326,6 @@ dev_read_rand(gpg_pinentry_t) 
++corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) ++corenet_tcp_bind_generic_node(gpg_pinentry_t) ++corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) + corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) + corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) ++corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) + dev_read_urand(gpg_pinentry_t) + dev_read_rand(gpg_pinentry_t) + +-domain_use_interactive_fds(gpg_pinentry_t) +- files_read_usr_files(gpg_pinentry_t) - # read /etc/X11/qtrc --files_read_etc_files(gpg_pinentry_t) ++# read /etc/X11/qtrc fs_dontaudit_list_inotifyfs(gpg_pinentry_t) - fs_getattr_tmpfs(gpg_pinentry_t) -@@ -320,18 +335,19 @@ auth_use_nsswitch(gpg_pinentry_t) ++fs_getattr_tmpfs(gpg_pinentry_t) + + auth_use_nsswitch(gpg_pinentry_t) + logging_send_syslog_msg(gpg_pinentry_t) miscfiles_read_fonts(gpg_pinentry_t) -miscfiles_read_localization(gpg_pinentry_t) - # for .Xauthority - userdom_read_user_home_content_files(gpg_pinentry_t) - userdom_read_user_tmpfs_files(gpg_pinentry_t) ++# for .Xauthority ++userdom_read_user_home_content_files(gpg_pinentry_t) ++userdom_read_user_tmpfs_files(gpg_pinentry_t) +# Bug: user pulseaudio files need open,read and unlink: +allow gpg_pinentry_t user_tmpfs_t:file unlink; +userdom_signull_unpriv_users(gpg_pinentry_t) -+userdom_use_user_terminals(gpg_pinentry_t) + userdom_use_user_terminals(gpg_pinentry_t) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) 
@@ -26024,20 +25999,25 @@ index 72a113e..29063e5 100644 ') optional_policy(` -@@ -340,6 +356,12 @@ optional_policy(` +- dbus_all_session_bus_client(gpg_pinentry_t) ++ dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) ') optional_policy(` +- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) + gnome_write_generic_cache_files(gpg_pinentry_t) + gnome_read_generic_cache_files(gpg_pinentry_t) + gnome_read_gconf_home_files(gpg_pinentry_t) +') + +optional_policy(` - pulseaudio_exec(gpg_pinentry_t) - pulseaudio_rw_home_files(gpg_pinentry_t) - pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -349,4 +371,27 @@ optional_policy(` ++ pulseaudio_exec(gpg_pinentry_t) ++ pulseaudio_rw_home_files(gpg_pinentry_t) ++ pulseaudio_setattr_home_dir(gpg_pinentry_t) ++ pulseaudio_stream_connect(gpg_pinentry_t) ++ pulseaudio_signull(gpg_pinentry_t) + ') optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) 
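Review bot: `+allow gpg_pinentry_t user_tmpfs_t:file unlink;` names a userdomain type directly instead of going through a userdom_ interface, so the module only builds if `user_tmpfs_t` is pulled in by a gen_require outside this hunk, and the `+# Bug: user pulseaudio files need open,read and unlink:` comment should cite the tracker entry (`# Bug <BUG-ID placeholder>: user pulseaudio files need open, read and unlink`) so the workaround can be retired. `++# read /etc/X11/qtrc` is re-added above `fs_dontaudit_list_inotifyfs(gpg_pinentry_t)` although the `files_read_etc_files(gpg_pinentry_t)` it described is gone on both sides, leaving an orphan comment. `++allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;` replaces upstream's `{ accept listen }` and, with `++corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)`, widens pinentry's socket use; a comment naming the pulseaudio client case would justify it.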
@@ -26065,52 +26045,12 @@ index 72a113e..29063e5 100644 +tunable_policy(`gpg_web_anon_write',` + miscfiles_manage_public_files(gpg_web_t) ') -diff --git a/gpm.if b/gpm.if -index 7d97298..d6b2959 100644 ---- a/gpm.if -+++ b/gpm.if -@@ -16,8 +16,8 @@ interface(`gpm_stream_connect',` - type gpmctl_t, gpm_t; - ') - -- allow $1 gpmctl_t:sock_file rw_sock_file_perms; -- allow $1 gpm_t:unix_stream_socket connectto; -+ dev_list_all_dev_nodes($1) -+ stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) - ') - - ######################################## -@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',` - ') - - dev_list_all_dev_nodes($1) -- allow $1 gpmctl_t:sock_file getattr; -+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms; - ') - - ######################################## -@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',` - type gpmctl_t; - ') - -- dontaudit $1 gpmctl_t:sock_file getattr; -+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; - ') - - ######################################## -@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',` - ') - - dev_list_all_dev_nodes($1) -- allow $1 gpmctl_t:sock_file setattr; -+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms; - ') diff --git a/gpm.te b/gpm.te -index a627b34..0120907 100644 +index 3226f52..bc3f49e 100644 --- a/gpm.te +++ b/gpm.te -@@ -10,7 +10,7 @@ type gpm_exec_t; - init_daemon_domain(gpm_t, gpm_exec_t) +@@ -13,7 +13,7 @@ type gpm_initrc_exec_t; + init_script_file(gpm_initrc_exec_t) type gpm_conf_t; -files_type(gpm_conf_t) @@ -26118,12 +26058,13 @@ index a627b34..0120907 100644 type gpm_tmp_t; files_tmp_file(gpm_tmp_t) -@@ -65,10 +65,9 @@ domain_use_interactive_fds(gpm_t) +@@ -68,11 +68,9 @@ domain_use_interactive_fds(gpm_t) logging_send_syslog_msg(gpm_t) -miscfiles_read_localization(gpm_t) - +-userdom_use_user_terminals(gpm_t) userdom_dontaudit_use_unpriv_user_fds(gpm_t) userdom_dontaudit_search_user_home_dirs(gpm_t) +userdom_use_inherited_user_terminals(gpm_t) 
@@ -26131,36 +26072,12 @@ index a627b34..0120907 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index 03742d8..4fefc6e 100644 +index 25f09ae..61d3e29 100644 --- a/gpsd.te +++ b/gpsd.te -@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t) - # gpsd local policy - # - --allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; --allow gpsd_t self:process setsched; -+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -+dontaudit gpsd_t self:capability { dac_read_search dac_override }; -+allow gpsd_t self:process { setsched signal_perms }; - allow gpsd_t self:shm create_shm_perms; - allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow gpsd_t self:tcp_socket create_stream_socket_perms; -@@ -38,22 +39,34 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) - manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) - files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) - --corenet_all_recvfrom_unlabeled(gpsd_t) -+kernel_list_proc(gpsd_t) -+kernel_request_load_module(gpsd_t) -+ - corenet_all_recvfrom_netlabel(gpsd_t) - corenet_tcp_sendrecv_generic_if(gpsd_t) - corenet_tcp_sendrecv_generic_node(gpsd_t) - corenet_tcp_sendrecv_all_ports(gpsd_t) --corenet_tcp_bind_all_nodes(gpsd_t) -+corenet_tcp_bind_generic_node(gpsd_t) - corenet_tcp_bind_gpsd_port(gpsd_t) +@@ -60,14 +60,25 @@ dev_rw_realtime_clock(gpsd_t) + + domain_dontaudit_read_all_domains_state(gpsd_t) +dev_read_sysfs(gpsd_t) +dev_rw_realtime_clock(gpsd_t) @@ -26170,6 +26087,7 @@ index 03742d8..4fefc6e 100644 term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) +term_use_usb_ttys(gpsd_t) ++term_setattr_usb_ttys(gpsd_t) auth_use_nsswitch(gpsd_t) @@ -26183,383 +26101,41 @@ index 03742d8..4fefc6e 100644 +') optional_policy(` - dbus_system_bus_client(gpsd_t) + chronyd_rw_shm(gpsd_t) 
diff --git a/guest.te b/guest.te -index 1cb7311..1de82b2 100644 +index d928711..93d2d83 100644 --- a/guest.te 
+++ b/guest.te -@@ -9,9 +9,15 @@ role guest_r; - - userdom_restricted_user_template(guest) - -+kernel_read_system_state(guest_t) -+ - ######################################## - # - # Local policy - # - --#gen_user(guest_u,, guest_r, s0, s0) -+optional_policy(` -+ apache_role(guest_r, guest_t) -+') -+ -+gen_user(guest_u, user, guest_r, s0, s0) -diff --git a/hadoop.if b/hadoop.if -index 2d0b4e1..6649814 100644 ---- a/hadoop.if -+++ b/hadoop.if -@@ -89,7 +89,6 @@ template(`hadoop_domain_template',` - corecmd_exec_bin(hadoop_$1_t) - corecmd_exec_shell(hadoop_$1_t) - -- corenet_all_recvfrom_unlabeled(hadoop_$1_t) - corenet_all_recvfrom_netlabel(hadoop_$1_t) - corenet_tcp_bind_all_nodes(hadoop_$1_t) - corenet_tcp_sendrecv_generic_if(hadoop_$1_t) -@@ -120,7 +119,6 @@ template(`hadoop_domain_template',` - logging_send_audit_msgs(hadoop_$1_t) - logging_send_syslog_msg(hadoop_$1_t) - -- miscfiles_read_localization(hadoop_$1_t) - - sysnet_read_config(hadoop_$1_t) - -@@ -191,7 +189,6 @@ template(`hadoop_domain_template',` - logging_send_syslog_msg(hadoop_$1_initrc_t) - logging_send_audit_msgs(hadoop_$1_initrc_t) - -- miscfiles_read_localization(hadoop_$1_initrc_t) - - userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t) - -@@ -224,14 +221,21 @@ interface(`hadoop_role',` - hadoop_domtrans($2) - role $1 types hadoop_t; - -- allow $2 hadoop_t:process { ptrace signal_perms }; -+ allow $2 hadoop_t:process signal_perms; - ps_process_pattern($2, hadoop_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 hadoop_t:process ptrace; -+ ') - - hadoop_domtrans_zookeeper_client($2) - role $1 types zookeeper_t; - -- allow $2 zookeeper_t:process { ptrace signal_perms }; -+ allow $2 zookeeper_t:process signal_perms; - ps_process_pattern($2, zookeeper_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 zookeeper_t:process ptrace; -+ ') -+ - ') - - ######################################## -diff --git a/hadoop.te b/hadoop.te -index c81c58a..86e3d1d 100644 ---- a/hadoop.te -+++ b/hadoop.te 
-@@ -123,7 +123,6 @@ kernel_read_system_state(hadoop_t) - corecmd_exec_bin(hadoop_t) - corecmd_exec_shell(hadoop_t) - --corenet_all_recvfrom_unlabeled(hadoop_t) - corenet_all_recvfrom_netlabel(hadoop_t) - corenet_tcp_sendrecv_generic_if(hadoop_t) - corenet_udp_sendrecv_generic_if(hadoop_t) -@@ -151,20 +150,22 @@ dev_read_urand(hadoop_t) - domain_use_interactive_fds(hadoop_t) - - files_dontaudit_search_spool(hadoop_t) --files_read_etc_files(hadoop_t) - files_read_usr_files(hadoop_t) - - fs_getattr_xattr_fs(hadoop_t) - --miscfiles_read_localization(hadoop_t) -+auth_use_nsswitch(hadoop_t) - --sysnet_read_config(hadoop_t) - --userdom_use_user_terminals(hadoop_t) -+userdom_use_inherited_user_terminals(hadoop_t) - --java_exec(hadoop_t) -+optional_policy(` -+ java_exec(hadoop_t) -+') - --kerberos_use(hadoop_t) -+optional_policy(` -+ kerberos_use(hadoop_t) -+') - - optional_policy(` - nis_use_ypbind(hadoop_t) -@@ -311,7 +312,6 @@ kernel_read_system_state(zookeeper_t) - corecmd_exec_bin(zookeeper_t) - corecmd_exec_shell(zookeeper_t) - --corenet_all_recvfrom_unlabeled(zookeeper_t) - corenet_all_recvfrom_netlabel(zookeeper_t) - corenet_tcp_sendrecv_generic_if(zookeeper_t) - corenet_udp_sendrecv_generic_if(zookeeper_t) -@@ -333,20 +333,18 @@ dev_read_urand(zookeeper_t) - - domain_use_interactive_fds(zookeeper_t) - --files_read_etc_files(zookeeper_t) - files_read_usr_files(zookeeper_t) - --miscfiles_read_localization(zookeeper_t) -+auth_use_nsswitch(zookeeper_t) -+ - - sysnet_read_config(zookeeper_t) - --userdom_use_user_terminals(zookeeper_t) -+userdom_use_inherited_user_terminals(zookeeper_t) - userdom_dontaudit_search_user_home_dirs(zookeeper_t) - --java_exec(zookeeper_t) -- - optional_policy(` -- nscd_socket_use(zookeeper_t) -+ java_exec(zookeeper_t) - ') - - ######################################## -@@ -393,7 +391,6 @@ kernel_read_system_state(zookeeper_server_t) - corecmd_exec_bin(zookeeper_server_t) - corecmd_exec_shell(zookeeper_server_t) - 
--corenet_all_recvfrom_unlabeled(zookeeper_server_t) - corenet_all_recvfrom_netlabel(zookeeper_server_t) - corenet_tcp_sendrecv_generic_if(zookeeper_server_t) - corenet_udp_sendrecv_generic_if(zookeeper_server_t) -@@ -421,15 +418,14 @@ dev_read_rand(zookeeper_server_t) - dev_read_sysfs(zookeeper_server_t) - dev_read_urand(zookeeper_server_t) - --files_read_etc_files(zookeeper_server_t) - files_read_usr_files(zookeeper_server_t) - - fs_getattr_xattr_fs(zookeeper_server_t) - - logging_send_syslog_msg(zookeeper_server_t) - --miscfiles_read_localization(zookeeper_server_t) -- - sysnet_read_config(zookeeper_server_t) - --java_exec(zookeeper_server_t) -+optional_policy(` -+ java_exec(zookeeper_server_t) -+') -diff --git a/hal.if b/hal.if -index 7cf6763..9d2be6b 100644 ---- a/hal.if -+++ b/hal.if -@@ -69,7 +69,9 @@ interface(`hal_ptrace',` - type hald_t; - ') - -- allow $1 hald_t:process ptrace; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 hald_t:process ptrace; -+ ') - ') - - ######################################## -@@ -431,3 +433,22 @@ interface(`hal_manage_pid_files',` - files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +@@ -20,4 +20,4 @@ optional_policy(` + apache_role(guest_r, guest_t) ') -+ -+####################################### -+## -+## Do not audit attempts to read -+## hald PID files. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`hal_dontaudit_read_pid_files',` -+ gen_require(` -+ type hald_var_run_t; -+ ') -+ -+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms; -+') -diff --git a/hal.te b/hal.te -index e0476cb..0caa5ba 100644 ---- a/hal.te -+++ b/hal.te -@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) - type hald_var_lib_t; - files_type(hald_var_lib_t) - -+typealias hald_log_t alias pmtools_log_t; -+typealias hald_var_run_t alias pmtools_var_run_t; -+ - ######################################## - # - # Local policy -@@ -61,7 +64,7 @@ files_type(hald_var_lib_t) - - # execute openvt which needs setuid - allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; --dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; -+dontaudit hald_t self:capability sys_tty_config; - allow hald_t self:process { getsched getattr signal_perms }; - allow hald_t self:fifo_file rw_fifo_file_perms; - allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -99,6 +102,7 @@ kernel_read_fs_sysctls(hald_t) - kernel_rw_irq_sysctls(hald_t) - kernel_rw_vm_sysctls(hald_t) - kernel_write_proc_files(hald_t) -+kernel_rw_net_sysctls(hald_t) - kernel_search_network_sysctl(hald_t) - kernel_setsched(hald_t) - kernel_request_load_module(hald_t) -@@ -107,7 +111,6 @@ auth_read_pam_console_data(hald_t) - - corecmd_exec_all_executables(hald_t) - --corenet_all_recvfrom_unlabeled(hald_t) - corenet_all_recvfrom_netlabel(hald_t) - corenet_tcp_sendrecv_generic_if(hald_t) - corenet_udp_sendrecv_generic_if(hald_t) -@@ -139,7 +142,6 @@ domain_read_all_domains_state(hald_t) - domain_dontaudit_ptrace_all_domains(hald_t) - - files_exec_etc_files(hald_t) --files_read_etc_files(hald_t) - files_rw_etc_runtime_files(hald_t) - files_manage_mnt_dirs(hald_t) - files_manage_mnt_files(hald_t) -@@ -201,7 +203,6 @@ logging_send_audit_msgs(hald_t) - logging_send_syslog_msg(hald_t) - 
logging_search_logs(hald_t) - --miscfiles_read_localization(hald_t) - miscfiles_read_hwdata(hald_t) - - modutils_domtrans_insmod(hald_t) -@@ -372,7 +373,6 @@ dev_setattr_generic_usb_dev(hald_acl_t) - dev_setattr_usbfs_files(hald_acl_t) - - files_read_usr_files(hald_acl_t) --files_read_etc_files(hald_acl_t) - - fs_getattr_all_fs(hald_acl_t) - -@@ -385,8 +385,6 @@ auth_use_nsswitch(hald_acl_t) - - logging_send_syslog_msg(hald_acl_t) - --miscfiles_read_localization(hald_acl_t) -- - optional_policy(` - policykit_dbus_chat(hald_acl_t) - policykit_domtrans_auth(hald_acl_t) -@@ -418,14 +416,11 @@ dev_write_raw_memory(hald_mac_t) - dev_read_sysfs(hald_mac_t) - - files_read_usr_files(hald_mac_t) --files_read_etc_files(hald_mac_t) - - auth_use_nsswitch(hald_mac_t) - - logging_send_syslog_msg(hald_mac_t) - --miscfiles_read_localization(hald_mac_t) -- - ######################################## - # - # Local hald sonypic policy -@@ -446,7 +441,6 @@ write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) - - files_read_usr_files(hald_sonypic_t) - --miscfiles_read_localization(hald_sonypic_t) - - ######################################## - # -@@ -465,10 +459,8 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - - dev_rw_input_dev(hald_keymap_t) - --files_read_etc_files(hald_keymap_t) - files_read_usr_files(hald_keymap_t) - --miscfiles_read_localization(hald_keymap_t) - - ######################################## - # -@@ -504,7 +496,6 @@ kernel_search_network_sysctl(hald_dccm_t) - dev_read_urand(hald_dccm_t) - --corenet_all_recvfrom_unlabeled(hald_dccm_t) - corenet_all_recvfrom_netlabel(hald_dccm_t) - corenet_tcp_sendrecv_generic_if(hald_dccm_t) - corenet_udp_sendrecv_generic_if(hald_dccm_t) -@@ -518,14 +509,12 @@ corenet_udp_bind_dhcpc_port(hald_dccm_t) - corenet_tcp_bind_ftp_port(hald_dccm_t) - corenet_tcp_bind_dccm_port(hald_dccm_t) - --logging_send_syslog_msg(hald_dccm_t) -- - files_read_usr_files(hald_dccm_t) - --miscfiles_read_localization(hald_dccm_t) -- - 
hal_dontaudit_rw_dgram_sockets(hald_dccm_t) - -+logging_send_syslog_msg(hald_dccm_t) -+ - optional_policy(` - dbus_system_bus_client(hald_dccm_t) - ') +-#gen_user(guest_u, user, guest_r, s0, s0) ++gen_user(guest_u, user, guest_r, s0, s0) diff --git a/hddtemp.if b/hddtemp.if -index 87b4531..901d905 100644 +index 1728071..77e71ea 100644 --- a/hddtemp.if +++ b/hddtemp.if -@@ -60,8 +60,11 @@ interface(`hddtemp_admin',` +@@ -60,9 +60,13 @@ interface(`hddtemp_admin',` type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; ') - allow $1 hddtemp_t:process { ptrace signal_perms }; + allow $1 hddtemp_t:process signal_perms; ps_process_pattern($1, hddtemp_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 hddtemp_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) domain_system_change_exemption($1) -@@ -69,9 +72,5 @@ interface(`hddtemp_admin',` - allow $2 system_r; - - admin_pattern($1, hddtemp_etc_t) -- files_search_etc($1) -- -- allow $1 hddtemp_t:dir list_dir_perms; -- read_lnk_files_pattern($1, hddtemp_t, hddtemp_t) -- kernel_search_proc($1) -+ files_list_etc($1) - ') + role_transition $2 hddtemp_initrc_exec_t system_r; diff --git a/hddtemp.te b/hddtemp.te -index c234b32..41d985d 100644 +index 18d76bb..588c964 100644 --- a/hddtemp.te +++ b/hddtemp.te -@@ -28,7 +28,6 @@ allow hddtemp_t self:udp_socket create_socket_perms; +@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen }; allow hddtemp_t hddtemp_etc_t:file read_file_perms; 
@@ -26567,29 +26143,26 @@ index c234b32..41d985d 100644 corenet_all_recvfrom_netlabel(hddtemp_t) corenet_tcp_sendrecv_generic_if(hddtemp_t) corenet_tcp_sendrecv_generic_node(hddtemp_t) -@@ -38,12 +37,13 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) +@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) corenet_sendrecv_hddtemp_server_packets(hddtemp_t) corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) -files_search_etc(hddtemp_t) -+files_read_etc_files(hddtemp_t) - files_read_usr_files(hddtemp_t) - - storage_raw_read_fixed_disk(hddtemp_t) +-files_read_usr_files(hddtemp_t) - -+storage_raw_read_removable_device(hddtemp_t) + storage_raw_read_fixed_disk(hddtemp_t) + storage_raw_read_removable_device(hddtemp_t) + +@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t) + logging_send_syslog_msg(hddtemp_t) -miscfiles_read_localization(hddtemp_t) -- -+optional_policy(` -+ sysnet_dns_name_resolve(hddtemp_t) -+') diff --git a/howl.te b/howl.te -index 6ad2d3c..b23d54a 100644 +index e207823..4e0f8ba 100644 --- a/howl.te +++ b/howl.te -@@ -33,7 +33,6 @@ kernel_request_load_module(howl_t) +@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) @@ -26597,35 +26170,41 @@ index 6ad2d3c..b23d54a 100644 corenet_all_recvfrom_netlabel(howl_t) corenet_tcp_sendrecv_generic_if(howl_t) corenet_udp_sendrecv_generic_if(howl_t) -@@ -60,8 +59,6 @@ init_rw_utmp(howl_t) +@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t) logging_send_syslog_msg(howl_t) -miscfiles_read_localization(howl_t) - - sysnet_read_config(howl_t) - userdom_dontaudit_use_unpriv_user_fds(howl_t) + userdom_dontaudit_search_user_home_dirs(howl_t) + diff --git a/i18n_input.te b/i18n_input.te -index 5fc89c4..087c2d0 100644 +index 3bed8fa..a738d7f 100644 --- a/i18n_input.te 
+++ b/i18n_input.te -@@ -36,7 +36,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) +@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) kernel_read_kernel_sysctls(i18n_input_t) kernel_read_system_state(i18n_input_t) -corenet_all_recvfrom_unlabeled(i18n_input_t) corenet_all_recvfrom_netlabel(i18n_input_t) corenet_tcp_sendrecv_generic_if(i18n_input_t) - corenet_udp_sendrecv_generic_if(i18n_input_t) -@@ -68,22 +67,11 @@ init_stream_connect_script(i18n_input_t) + corenet_tcp_sendrecv_generic_node(i18n_input_t) +@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t) + fs_search_auto_mountpoints(i18n_input_t) + + files_read_etc_runtime_files(i18n_input_t) +-files_read_usr_files(i18n_input_t) + + auth_use_nsswitch(i18n_input_t) + +@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t) logging_send_syslog_msg(i18n_input_t) -miscfiles_read_localization(i18n_input_t) - - sysnet_read_config(i18n_input_t) - userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) userdom_read_user_home_content_files(i18n_input_t) - @@ -26643,88 +26222,49 @@ index 5fc89c4..087c2d0 100644 optional_policy(` canna_stream_connect(i18n_input_t) diff --git a/icecast.if b/icecast.if -index ecab47a..6eddc6d 100644 +index 580b533..c267cea 100644 --- a/icecast.if +++ b/icecast.if -@@ -173,7 +173,11 @@ interface(`icecast_admin',` - type icecast_t, icecast_initrc_exec_t; +@@ -176,6 +176,14 @@ interface(`icecast_admin',` + type icecast_var_run_t; ') + allow $1 icecast_t:process signal_perms; - ps_process_pattern($1, icecast_t) ++ ps_process_pattern($1, icecast_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 icecast_t:process ptrace; + ') - - # Allow icecast_t to restart the apache service ++ ++ # Allow icecast_t to restart the apache service icecast_initrc_domtrans($1) -@@ -184,5 +188,4 @@ interface(`icecast_admin',` - icecast_manage_pid_files($1) - - icecast_manage_log($1) -- - ') + domain_system_change_exemption($1) + role_transition $2 icecast_initrc_exec_t system_r; 
diff --git a/icecast.te b/icecast.te -index fdb7e9a..b910581 100644 +index ac6f9d5..73f5015 100644 --- a/icecast.te +++ b/icecast.te -@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0) - # Declarations - # - -+## -+##

    -+## Allow icecast to connect to all ports, not just -+## sound ports. -+##

    -+##
    -+gen_tunable(icecast_connect_any, false) -+ - type icecast_t; - type icecast_exec_t; - init_daemon_domain(icecast_t, icecast_exec_t) -@@ -39,18 +47,24 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) - - kernel_read_system_state(icecast_t) +@@ -65,12 +65,12 @@ dev_read_sysfs(icecast_t) + dev_read_urand(icecast_t) + dev_read_rand(icecast_t) -+dev_read_sysfs(icecast_t) -+dev_read_urand(icecast_t) -+dev_read_rand(icecast_t) ++auth_use_nsswitch(icecast_t) + - corenet_tcp_bind_soundd_port(icecast_t) -+corenet_tcp_connect_soundd_port(icecast_t) -+ -+tunable_policy(`icecast_connect_any',` -+ corenet_tcp_connect_all_ports(icecast_t) -+ corenet_tcp_bind_all_ports(icecast_t) -+ corenet_sendrecv_all_client_packets(icecast_t) -+') - - # Init script handling domain_use_interactive_fds(icecast_t) --files_read_etc_files(icecast_t) -- auth_use_nsswitch(icecast_t) -miscfiles_read_localization(icecast_t) - --sysnet_dns_name_resolve(icecast_t) - - optional_policy(` - apache_read_sys_content(icecast_t) + tunable_policy(`icecast_use_any_tcp_ports',` + corenet_tcp_connect_all_ports(icecast_t) + corenet_sendrecv_all_client_packets(icecast_t) diff --git a/ifplugd.if b/ifplugd.if -index dfb4232..35343f8 100644 +index 8999899..96909ae 100644 --- a/ifplugd.if +++ b/ifplugd.if -@@ -113,11 +113,11 @@ interface(`ifplugd_read_pid_files',` - # - interface(`ifplugd_admin',` - gen_require(` -- type ifplugd_t, ifplugd_etc_t; -- type ifplugd_var_run_t, ifplugd_initrc_exec_t; -+ type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; -+ type ifplugd_initrc_exec_t; +@@ -119,7 +119,7 @@ interface(`ifplugd_admin',` + type ifplugd_initrc_exec_t; ') - allow $1 ifplugd_t:process { ptrace signal_perms }; @@ -26733,35 +26273,23 @@ index dfb4232..35343f8 100644 init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff --git a/ifplugd.te b/ifplugd.te -index 978c32f..05927a7 100644 +index 6910e49..c4a9fcb 100644 --- a/ifplugd.te 
+++ b/ifplugd.te -@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t) +@@ -10,7 +10,7 @@ type ifplugd_exec_t; + init_daemon_domain(ifplugd_t, ifplugd_exec_t) - # config files type ifplugd_etc_t; -files_type(ifplugd_etc_t) +files_config_file(ifplugd_etc_t) type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) -@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t) - # - - allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; --dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -+dontaudit ifplugd_t self:capability sys_tty_config; - allow ifplugd_t self:process { signal signull }; - allow ifplugd_t self:fifo_file rw_fifo_file_perms; - allow ifplugd_t self:tcp_socket create_stream_socket_perms; -@@ -54,15 +54,14 @@ corecmd_exec_bin(ifplugd_t) - # reading of hardware information +@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t) dev_read_sysfs(ifplugd_t) -+#domain_read_all_domains_state(ifplugd_t) domain_read_confined_domains_state(ifplugd_t) -domain_dontaudit_read_all_domains_state(ifplugd_t) -+#domain_dontaudit_read_all_domains_state(ifplugd_t) auth_use_nsswitch(ifplugd_t) @@ -26770,53 +26298,31 @@ index 978c32f..05927a7 100644 -miscfiles_read_localization(ifplugd_t) - netutils_domtrans(ifplugd_t) - # transition to ifconfig & dhcpc - sysnet_domtrans_ifconfig(ifplugd_t) -diff --git a/imaze.fc b/imaze.fc -index 8d455ba..58729cb 100644 ---- a/imaze.fc -+++ b/imaze.fc -@@ -1,4 +1,4 @@ - /usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) - /usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) --/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) -+/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0) + sysnet_domtrans_ifconfig(ifplugd_t) diff --git a/imaze.te b/imaze.te -index 0778af8..66fb4ae 100644 +index 05387d1..08a489c 100644 --- a/imaze.te 
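Review bot: The comment `++ # Allow icecast_t to restart the apache service` is placed above `icecast_initrc_domtrans($1)` in `icecast_admin`, which lets the admin domain `$1` run the icecast init script and involves neither icecast_t as subject nor apache; it should read `# allow the admin domain to run the icecast init script` or be dropped. In icecast.te, `+auth_use_nsswitch(icecast_t)` appears to be added two lines above a context line that already reads `auth_use_nsswitch(icecast_t)`, so the new line looks redundant; if the intent is to move the call, the old one should be removed in the same inner hunk.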
+++ b/imaze.te -@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(imazesrv_t) - kernel_list_proc(imazesrv_t) +@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) + kernel_read_kernel_sysctls(imazesrv_t) kernel_read_proc_symlinks(imazesrv_t) -corenet_all_recvfrom_unlabeled(imazesrv_t) corenet_all_recvfrom_netlabel(imazesrv_t) corenet_tcp_sendrecv_generic_if(imazesrv_t) corenet_udp_sendrecv_generic_if(imazesrv_t) -@@ -79,8 +78,6 @@ fs_search_auto_mountpoints(imazesrv_t) +@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t) logging_send_syslog_msg(imazesrv_t) -miscfiles_read_localization(imazesrv_t) - - sysnet_read_config(imazesrv_t) - userdom_use_unpriv_users_fds(imazesrv_t) -diff --git a/inetd.fc b/inetd.fc -index 39d5baa..4288778 100644 ---- a/inetd.fc -+++ b/inetd.fc -@@ -7,6 +7,6 @@ - /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) - --/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) -+/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0) - - /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) + userdom_dontaudit_search_user_home_dirs(imazesrv_t) + diff --git a/inetd.if b/inetd.if -index df48e5e..161814e 100644 +index fbb54e7..b347964 100644 --- a/inetd.if +++ b/inetd.if @@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',` @@ -26831,10 +26337,10 @@ index df48e5e..161814e 100644 ######################################## diff --git a/inetd.te b/inetd.te -index 10f25d3..ec4cd54 100644 +index 1a5ed62..5eebf38 100644 --- a/inetd.te +++ b/inetd.te -@@ -38,9 +38,9 @@ ifdef(`enable_mcs',` +@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` # Local policy # 
@@ -26844,120 +26350,78 @@ index 10f25d3..ec4cd54 100644 -allow inetd_t self:process { setsched setexec setrlimit }; +allow inetd_t self:process { setsched setexec }; allow inetd_t self:fifo_file rw_fifo_file_perms; - allow inetd_t self:tcp_socket create_stream_socket_perms; - allow inetd_t self:udp_socket create_socket_perms; -@@ -65,7 +65,6 @@ kernel_tcp_recvfrom_unlabeled(inetd_t) - corecmd_bin_domtrans(inetd_t, inetd_child_t) - - # base networking: --corenet_all_recvfrom_unlabeled(inetd_t) - corenet_all_recvfrom_netlabel(inetd_t) - corenet_tcp_sendrecv_generic_if(inetd_t) - corenet_udp_sendrecv_generic_if(inetd_t) -@@ -89,16 +88,19 @@ corenet_tcp_bind_ftp_port(inetd_t) - corenet_udp_bind_ftp_port(inetd_t) + allow inetd_t self:tcp_socket { accept listen }; + allow inetd_t self:fd use; +@@ -98,6 +98,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) + +corenet_tcp_bind_echo_port(inetd_t) +corenet_udp_bind_echo_port(inetd_t) +corenet_tcp_bind_time_port(inetd_t) +corenet_udp_bind_time_port(inetd_t) ++ + corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) - corenet_udp_bind_ktalkd_port(inetd_t) --corenet_tcp_bind_pop_port(inetd_t) - corenet_tcp_bind_printer_port(inetd_t) - corenet_udp_bind_rlogind_port(inetd_t) - corenet_udp_bind_rsh_port(inetd_t) - corenet_tcp_bind_rsh_port(inetd_t) - corenet_tcp_bind_rsync_port(inetd_t) - corenet_udp_bind_rsync_port(inetd_t) --corenet_tcp_bind_stunnel_port(inetd_t) -+#corenet_tcp_bind_stunnel_port(inetd_t) - corenet_tcp_bind_swat_port(inetd_t) - corenet_udp_bind_swat_port(inetd_t) - corenet_tcp_bind_telnetd_port(inetd_t) -@@ -119,7 +121,7 @@ corenet_sendrecv_ktalkd_server_packets(inetd_t) - corenet_sendrecv_printer_server_packets(inetd_t) - corenet_sendrecv_rsh_server_packets(inetd_t) - corenet_sendrecv_rsync_server_packets(inetd_t) --corenet_sendrecv_stunnel_server_packets(inetd_t) 
-+#corenet_sendrecv_stunnel_server_packets(inetd_t) - corenet_sendrecv_swat_server_packets(inetd_t) - corenet_sendrecv_tftp_server_packets(inetd_t) - -@@ -137,20 +139,20 @@ corecmd_read_bin_symlinks(inetd_t) - - domain_use_interactive_fds(inetd_t) - --files_read_etc_files(inetd_t) - files_read_etc_runtime_files(inetd_t) - - auth_use_nsswitch(inetd_t) + +@@ -157,13 +162,13 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) -miscfiles_read_localization(inetd_t) - - # xinetd needs MLS override privileges to work mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -+mls_net_outbound_all_levels(inetd_t) + mls_net_outbound_all_levels(inetd_t) mls_process_set_level(inetd_t) +#706086 +mls_net_outbound_all_levels(inetd_t) - sysnet_read_config(inetd_t) - -@@ -177,6 +179,10 @@ optional_policy(` + userdom_dontaudit_use_unpriv_user_fds(inetd_t) + userdom_dontaudit_search_user_home_dirs(inetd_t) +@@ -188,7 +193,7 @@ optional_policy(` ') optional_policy(` +- tftp_read_config_files(inetd_t) + tftp_read_config(inetd_t) -+') -+ -+optional_policy(` - udev_read_db(inetd_t) ') -@@ -210,7 +216,6 @@ kernel_read_kernel_sysctls(inetd_child_t) - kernel_read_system_state(inetd_child_t) + optional_policy(` +@@ -220,6 +225,14 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) + kernel_read_system_state(inetd_child_t) --corenet_all_recvfrom_unlabeled(inetd_child_t) - corenet_all_recvfrom_netlabel(inetd_child_t) - corenet_tcp_sendrecv_generic_if(inetd_child_t) - corenet_udp_sendrecv_generic_if(inetd_child_t) -@@ -223,15 +228,12 @@ dev_read_urand(inetd_child_t) ++corenet_all_recvfrom_netlabel(inetd_child_t) ++corenet_tcp_sendrecv_generic_if(inetd_child_t) ++corenet_udp_sendrecv_generic_if(inetd_child_t) ++corenet_tcp_sendrecv_generic_node(inetd_child_t) ++corenet_udp_sendrecv_generic_node(inetd_child_t) ++corenet_tcp_sendrecv_all_ports(inetd_child_t) 
++corenet_udp_sendrecv_all_ports(inetd_child_t) ++ + dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) - --files_read_etc_files(inetd_child_t) - files_read_etc_runtime_files(inetd_child_t) - - auth_use_nsswitch(inetd_child_t) +@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) -miscfiles_read_localization(inetd_child_t) -- - sysnet_read_config(inetd_child_t) ++sysnet_read_config(inetd_child_t) ++ ++optional_policy(` ++ kerberos_use(inetd_child_t) ++') optional_policy(` + unconfined_domain(inetd_child_t) diff --git a/inn.if b/inn.if -index ebc9e0d..617f52f 100644 +index eb87f23..8e11e4b 100644 --- a/inn.if +++ b/inn.if -@@ -13,7 +13,7 @@ - # - interface(`inn_exec',` - gen_require(` -- type innd_t; -+ type innd_exec_t; - ') - - can_exec($1, innd_exec_t) -@@ -93,6 +93,7 @@ interface(`inn_read_config',` +@@ -124,6 +124,7 @@ interface(`inn_read_config',` type innd_etc_t; ') @@ -26965,15 +26429,15 @@ index ebc9e0d..617f52f 100644 allow $1 innd_etc_t:dir list_dir_perms; allow $1 innd_etc_t:file read_file_perms; allow $1 innd_etc_t:lnk_file read_lnk_file_perms; -@@ -113,6 +114,7 @@ interface(`inn_read_news_lib',` +@@ -144,6 +145,7 @@ interface(`inn_read_news_lib',` type innd_var_lib_t; ') + files_search_var_lib($1) allow $1 innd_var_lib_t:dir list_dir_perms; allow $1 innd_var_lib_t:file read_file_perms; - allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; -@@ -133,6 +135,7 @@ interface(`inn_read_news_spool',` + ') +@@ -163,6 +165,7 @@ interface(`inn_read_news_spool',` type news_spool_t; ') @@ -26981,7 +26445,7 @@ index ebc9e0d..617f52f 100644 allow $1 news_spool_t:dir list_dir_perms; allow $1 news_spool_t:file read_file_perms; allow $1 news_spool_t:lnk_file read_lnk_file_perms; -@@ -195,12 +198,15 @@ interface(`inn_domtrans',` +@@ -226,8 +229,15 @@ interface(`inn_domtrans',` interface(`inn_admin',` gen_require(` type innd_t, innd_etc_t, innd_log_t; 
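Review bot: `mls_net_outbound_all_levels(inetd_t)` is granted twice on the new side of the inetd.te hunk — once as upstream context just before `mls_process_set_level(inetd_t)` and again under the `#706086` comment — so the Fedora addition is redundant after this rebase. Duplicate allow rules are harmless to the compiled policy, but the leftover will conflict again on every future rebase; drop the `#706086` / `mls_net_outbound_all_levels(inetd_t)` pair, or move the bug reference onto the upstream line if the traceability matters. Separately, `corenet_tcp_sendrecv_all_ports(inetd_child_t)` and `corenet_udp_sendrecv_all_ports(inetd_child_t)` are broad grants for a domain that may also become `unconfined_domain(inetd_child_t)` in the optional block below; a one-line comment stating why the generic child needs every port even when unconfined.pp is not loaded would help the next reviewer.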
@@ -26989,30 +26453,21 @@ index ebc9e0d..617f52f 100644 - type innd_var_run_t, innd_initrc_exec_t; + type news_spool_t, innd_var_lib_t, innd_var_run_t; + type innd_initrc_exec_t; - ') - -- allow $1 innd_t:process { ptrace signal_perms }; ++ ') ++ + allow $1 innd_t:process signal_perms; - ps_process_pattern($1, innd_t) ++ ps_process_pattern($1, innd_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 innd_t:process ptrace; -+ ') + ') init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) diff --git a/inn.te b/inn.te -index 7311364..28012eb 100644 +index 5aab5d0..e694d0f 100644 --- a/inn.te +++ b/inn.te -@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0) - # - # Declarations - # -+ - type innd_t; - type innd_exec_t; - init_daemon_domain(innd_t, innd_exec_t) -@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t) +@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) type news_spool_t; files_mountpoint(news_spool_t) 
@@ -27020,22 +26475,16 @@ index 7311364..28012eb 100644 ######################################## # - # Local policy - # -+ - allow innd_t self:capability { dac_override kill setgid setuid }; - dontaudit innd_t self:capability sys_tty_config; - allow innd_t self:process { setsched signal_perms }; -@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - can_exec(innd_t, innd_exec_t) - - manage_files_pattern(innd_t, innd_log_t, innd_log_t) --allow innd_t innd_log_t:dir setattr; -+allow innd_t innd_log_t:dir setattr_dir_perms; - logging_log_filetrans(innd_t, innd_log_t, file) +@@ -43,6 +44,8 @@ allow innd_t self:tcp_socket { accept listen }; + read_files_pattern(innd_t, innd_etc_t, innd_etc_t) + read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) ++can_exec(innd_t, innd_exec_t) ++ + allow innd_t innd_log_t:dir setattr_dir_perms; + append_files_pattern(innd_t, innd_log_t, innd_log_t) + create_files_pattern(innd_t, innd_log_t, innd_log_t) +@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) 
@@ -27044,23 +26493,21 @@ index 7311364..28012eb 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -65,7 +68,6 @@ manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) +@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t) kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) -corenet_all_recvfrom_unlabeled(innd_t) corenet_all_recvfrom_netlabel(innd_t) corenet_tcp_sendrecv_generic_if(innd_t) - corenet_udp_sendrecv_generic_if(innd_t) -@@ -97,14 +99,11 @@ files_read_usr_files(innd_t) + corenet_tcp_sendrecv_generic_node(innd_t) +@@ -97,12 +99,11 @@ auth_use_nsswitch(innd_t) logging_send_syslog_msg(innd_t) -miscfiles_read_localization(innd_t) - --seutil_dontaudit_search_config(innd_t) -- - sysnet_read_config(innd_t) + seutil_dontaudit_search_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -27068,87 +26515,63 @@ index 7311364..28012eb 100644 mta_send_mail(innd_t) -diff --git a/irc.fc b/irc.fc -index 65ece18..7e7873c 100644 ---- a/irc.fc -+++ b/irc.fc -@@ -2,10 +2,15 @@ - # /home - # - HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) -+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) -+HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) -+ -+/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) - - # - # /usr - # - /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) - /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) -+/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) - /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --git a/irc.if b/irc.if -index 4f9dc90..2af9361 100644 +index ac00fb0..06cb083 100644 --- a/irc.if 
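Review bot: The `can_exec(innd_t, innd_exec_t)` the patch inserts after `read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)` duplicates a rule upstream already carries — the same call is the context shown in the following `@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t)` header. SELinux accepts duplicate allow rules, so nothing breaks, but the extra addition is pure rebase noise; drop the `++can_exec(innd_t, innd_exec_t)` line and the blank line added with it.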
+++ b/irc.if -@@ -18,9 +18,11 @@ - interface(`irc_role',` - gen_require(` - type irc_t, irc_exec_t; +@@ -20,6 +20,7 @@ interface(`irc_role',` + attribute_role irc_roles; + type irc_t, irc_exec_t, irc_home_t; + type irc_tmp_t, irc_log_home_t; + type irssi_t, irssi_exec_t, irssi_home_t; ') - role $1 types irc_t; -+ role $1 types irssi_t; - - # Transition from the user domain to the derived domain. - domtrans_pattern($2, irc_exec_t, irc_t) -@@ -28,4 +30,39 @@ interface(`irc_role',` - # allow ps to show irc + ######################################## +@@ -39,10 +40,33 @@ interface(`irc_role',` ps_process_pattern($2, irc_t) - allow $2 irc_t:process signal; -+ + allow $2 irc_t:process { ptrace signal_perms }; + +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi") +- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd") +- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs") + domtrans_pattern($2, irssi_exec_t, irssi_t) + -+ allow $2 irssi_t:process signal_perms; -+ ps_process_pattern($2, irssi_t) -+ -+ manage_dirs_pattern($2, irssi_home_t, irssi_home_t) -+ manage_files_pattern($2, irssi_home_t, irssi_home_t) -+ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ++ allow $2 irssi_t:process signal_perms; ++ ps_process_pattern($2, irssi_t) + -+ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t) -+ relabel_files_pattern($2, irssi_home_t, irssi_home_t) -+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms }; ++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms }; 
++ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + + irc_filetrans_home_content($2) +') + -+######################################## ++####################################### +## -+## Transition to alsa named content ++## Transition to alsa named content +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# +interface(`irc_filetrans_home_content',` -+ gen_require(` -+ type irc_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") -+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") -+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs") ++ gen_require(` ++ type irc_home_t; ++ ') ++ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") ++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") ++ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index 6e2dbd2..73e129e 100644 +index ecad9c7..8cbe5cf 100644 --- a/irc.te +++ b/irc.te -@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t) +@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t) type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; @@ -27172,6 +26595,7 @@ index 6e2dbd2..73e129e 100644 +type irssi_exec_t; +application_domain(irssi_t, irssi_exec_t) +ubac_constrained(irssi_t) ++role irc_roles types irssi_t; + +type irssi_etc_t; +files_config_file(irssi_etc_t) 
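Review bot: In irc_role the upstream context line `allow $2 irc_t:process { ptrace signal_perms };` hands the user role unconditional ptrace over irc_t, while the irssi_t rules the patch adds directly below grant only `signal_perms`, and this same patch gates admin ptrace behind `deny_ptrace` in inn_admin and jabber_admin. For consistency with the rest of the Fedora policy the role grant should become `allow $2 irc_t:process signal_perms;` followed by `tunable_policy(`deny_ptrace',`',` allow $2 irc_t:process ptrace; ')`, which the patch can carry as its own change to this interface. If leaving irc_t outside the tunable is deliberate, a one-line comment saying why would stop the question from coming back.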
@@ -27181,37 +26605,50 @@ index 6e2dbd2..73e129e 100644 ######################################## # -@@ -33,7 +57,7 @@ allow irc_t self:udp_socket create_socket_perms; +@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms; manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) --userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) +-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi") +-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd") +- +-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) +-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs") +irc_filetrans_home_content(irc_t) - # access files under /tmp manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -45,7 +69,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - kernel_read_proc_symlinks(irc_t) + kernel_read_system_state(irc_t) -corenet_all_recvfrom_unlabeled(irc_t) corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) - corenet_udp_sendrecv_generic_if(irc_t) -@@ -75,7 +98,6 @@ term_list_ptys(irc_t) + corenet_tcp_sendrecv_generic_node(irc_t) +@@ -106,7 +124,6 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) -miscfiles_read_localization(irc_t) - # Inherit and use descriptors from newrole. - seutil_use_newrole_fds(irc_t) -@@ -83,20 +105,74 @@ seutil_use_newrole_fds(irc_t) - sysnet_read_config(irc_t) + userdom_use_user_terminals(irc_t) - # Write to the user domain tty. 
--userdom_use_user_terminals(irc_t) +@@ -114,6 +131,9 @@ userdom_manage_user_home_content_dirs(irc_t) + userdom_manage_user_home_content_files(irc_t) + userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) + ++# Write to the user domain tty. +userdom_use_inherited_user_terminals(irc_t) ++ + tunable_policy(`irc_use_any_tcp_ports',` + corenet_sendrecv_all_server_packets(irc_t) + corenet_tcp_bind_all_unreserved_ports(irc_t) +@@ -122,18 +142,72 @@ tunable_policy(`irc_use_any_tcp_ports',` + corenet_tcp_sendrecv_all_ports(irc_t) + ') -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) @@ -27288,35 +26725,34 @@ index 6e2dbd2..73e129e 100644 +userdom_home_manager(irssi_t) + optional_policy(` -- nis_use_ypbind(irc_t) -+ automount_dontaudit_getattr_tmp_dirs(irssi_t) + seutil_use_newrole_fds(irc_t) ') diff --git a/ircd.te b/ircd.te -index 75ab1e2..603ea55 100644 +index e9f746e..40e440c 100644 --- a/ircd.te +++ b/ircd.te -@@ -49,7 +49,6 @@ kernel_read_kernel_sysctls(ircd_t) +@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) - corecmd_search_bin(ircd_t) + corecmd_exec_bin(ircd_t) -corenet_all_recvfrom_unlabeled(ircd_t) corenet_all_recvfrom_netlabel(ircd_t) corenet_tcp_sendrecv_generic_if(ircd_t) - corenet_udp_sendrecv_generic_if(ircd_t) -@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(ircd_t) + corenet_tcp_sendrecv_generic_node(ircd_t) +@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t) logging_send_syslog_msg(ircd_t) -miscfiles_read_localization(ircd_t) - - sysnet_read_config(ircd_t) - userdom_dontaudit_use_unpriv_user_fds(ircd_t) + userdom_dontaudit_search_user_home_dirs(ircd_t) + diff --git a/irqbalance.te b/irqbalance.te -index 9aeeaf9..a91de65 100644 +index c5a8112..947efe0 100644 --- a/irqbalance.te +++ b/irqbalance.te -@@ -19,6 +19,12 @@ files_pid_file(irqbalance_var_run_t) +@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t) allow irqbalance_t self:capability { setpcap net_admin }; dontaudit irqbalance_t self:capability sys_tty_config; 
@@ -27329,7 +26765,15 @@ index 9aeeaf9..a91de65 100644 allow irqbalance_t self:process { getcap setcap signal_perms }; allow irqbalance_t self:udp_socket create_socket_perms; -@@ -42,8 +48,6 @@ domain_use_interactive_fds(irqbalance_t) +@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t) + + dev_read_sysfs(irqbalance_t) + +-files_read_etc_files(irqbalance_t) + files_read_etc_runtime_files(irqbalance_t) + + fs_getattr_all_fs(irqbalance_t) +@@ -45,8 +50,6 @@ domain_use_interactive_fds(irqbalance_t) logging_send_syslog_msg(irqbalance_t) @@ -27338,70 +26782,38 @@ index 9aeeaf9..a91de65 100644 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) -diff --git a/iscsi.fc b/iscsi.fc -index 14d9670..e94b352 100644 ---- a/iscsi.fc -+++ b/iscsi.fc -@@ -1,7 +1,17 @@ - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) - /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) -+ - /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) --/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -+ -+/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) -+/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) -+ - /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -+/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -+ -+/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) diff --git a/iscsi.te b/iscsi.te -index 8bcfa2f..f71614d 100644 +index 57304e4..3dba77f 100644 --- a/iscsi.te 
+++ b/iscsi.te -@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) +@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t) # allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; - allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -66,8 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - - kernel_read_network_state(iscsid_t) + allow iscsid_t self:unix_stream_socket { accept connectto listen }; +@@ -68,7 +67,6 @@ kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) -+kernel_setsched(iscsid_t) + kernel_setsched(iscsid_t) -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t) - corenet_tcp_connect_http_port(iscsid_t) - corenet_tcp_connect_iscsi_port(iscsid_t) +@@ -85,6 +83,10 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) -+corenet_tcp_connect_winshadow_port(iscsid_t) + corenet_tcp_sendrecv_isns_port(iscsid_t) ++corenet_sendrecv_winshadow_client_packets(iscsid_t) ++corenet_tcp_connect_winshadow_port(iscsid_t) ++corenet_tcp_sendrecv_winshadow_port(iscsid_t) ++ + dev_read_raw_memory(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) -+dev_read_raw_memory(iscsid_t) -+dev_write_raw_memory(iscsid_t) - - domain_use_interactive_fds(iscsid_t) - domain_dontaudit_read_all_domains_state(iscsid_t) - --files_read_etc_files(iscsid_t) - - auth_use_nsswitch(iscsid_t) - -@@ -90,8 +91,6 @@ init_stream_connect_script(iscsid_t) +@@ -99,8 +101,6 @@ init_stream_connect_script(iscsid_t) logging_send_syslog_msg(iscsid_t) 
@@ -27410,303 +26822,69 @@ index 8bcfa2f..f71614d 100644 optional_policy(` tgtd_manage_semaphores(iscsid_t) ') -diff --git a/isnsd.fc b/isnsd.fc -new file mode 100644 -index 0000000..3e29080 ---- /dev/null -+++ b/isnsd.fc -@@ -0,0 +1,8 @@ -+/etc/rc\.d/init\.d/isnsd -- gen_context(system_u:object_r:isnsd_initrc_exec_t,s0) -+ -+/usr/sbin/isnsd -- gen_context(system_u:object_r:isnsd_exec_t,s0) -+ -+/var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0) -+ -+/var/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0) -+/var/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0) -diff --git a/isnsd.if b/isnsd.if -new file mode 100644 -index 0000000..1b3514a ---- /dev/null -+++ b/isnsd.if -@@ -0,0 +1,181 @@ -+ -+## policy for isnsd -+ -+ -+######################################## -+## -+## Transition to isnsd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`isnsd_domtrans',` -+ gen_require(` -+ type isnsd_t, isnsd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, isnsd_exec_t, isnsd_t) -+') -+ -+ -+######################################## -+## -+## Execute isnsd server in the isnsd domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`isnsd_initrc_domtrans',` -+ gen_require(` -+ type isnsd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, isnsd_initrc_exec_t) -+') -+ -+ -+######################################## -+## -+## Search isnsd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`isnsd_search_lib',` -+ gen_require(` -+ type isnsd_var_lib_t; -+ ') -+ -+ allow $1 isnsd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read isnsd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`isnsd_read_lib_files',` -+ gen_require(` -+ type isnsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage isnsd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`isnsd_manage_lib_files',` -+ gen_require(` -+ type isnsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t) -+') -+ -+######################################## -+## -+## Manage isnsd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`isnsd_manage_lib_dirs',` -+ gen_require(` -+ type isnsd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, isnsd_var_lib_t, isnsd_var_lib_t) -+') -+ -+ -+######################################## -+## -+## Read isnsd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`isnsd_read_pid_files',` -+ gen_require(` -+ type isnsd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 isnsd_var_run_t:file read_file_perms; -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an isnsd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`isnsd_admin',` -+ gen_require(` -+ type isnsd_t; -+ type isnsd_initrc_exec_t; -+ type isnsd_var_lib_t; -+ type isnsd_var_run_t; -+ ') -+ -+ allow $1 isnsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, isnsd_t) -+ -+ isnsd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 isnsd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, isnsd_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, isnsd_var_run_t) -+ -+') -+ -diff --git a/isnsd.te b/isnsd.te -new file mode 100644 -index 0000000..951fbae ---- /dev/null -+++ b/isnsd.te -@@ -0,0 +1,52 @@ -+policy_module(isnsd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type isnsd_t; -+type isnsd_exec_t; -+init_daemon_domain(isnsd_t, isnsd_exec_t) -+ -+type isnsd_initrc_exec_t; -+init_script_file(isnsd_initrc_exec_t) -+ -+type isnsd_var_lib_t; -+files_type(isnsd_var_lib_t) -+ -+type isnsd_var_run_t; -+files_pid_file(isnsd_var_run_t) -+ -+######################################## -+# -+# isnsd local policy -+# -+ -+allow isnsd_t self:capability { kill }; -+allow isnsd_t self:process { signal }; -+ -+allow isnsd_t self:fifo_file rw_fifo_file_perms; -+allow isnsd_t self:tcp_socket { listen }; -+allow isnsd_t self:udp_socket { listen }; -+allow isnsd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t) -+manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t) -+files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) -+manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) -+manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) -+files_pid_filetrans(isnsd_t, isnsd_var_run_t, { dir file sock_file }) -+ -+corenet_tcp_bind_generic_node(isnsd_t) -+corenet_tcp_bind_isns_port(isnsd_t) -+ 
-+domain_use_interactive_fds(isnsd_t) -+ -+files_read_etc_files(isnsd_t) -+ -+logging_send_syslog_msg(isnsd_t) -+ -+sysnet_dns_name_resolve(isnsd_t) +diff --git a/isns.te b/isns.te +index bc11034..e393434 100644 +--- a/isns.te ++++ b/isns.te +@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t) + corenet_sendrecv_isns_server_packets(isnsd_t) + corenet_tcp_bind_isns_port(isnsd_t) + +-files_read_etc_files(isnsd_t) +- + logging_send_syslog_msg(isnsd_t) + + miscfiles_read_localization(isnsd_t) diff --git a/jabber.fc b/jabber.fc -index da6f4b4..bd02cc8 100644 +index 59ad3b3..bd02cc8 100644 --- a/jabber.fc 
+++ b/jabber.fc -@@ -1,10 +1,18 @@ --/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) +@@ -1,25 +1,18 @@ +-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) --/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) --/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) --/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) --/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) +-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) --/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) --/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) +# pyicq-t -+ + +-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) -+ + +-/var/lib/ejabberd(/.*)? 
gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) +-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) +/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0) -+ + +-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) +-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) +/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0) diff --git a/jabber.if b/jabber.if -index 9878499..01673a4 100644 +index 16b1666..01673a4 100644 --- a/jabber.if +++ b/jabber.if -@@ -1,8 +1,114 @@ - ## Jabber instant messaging server - --######################################## +@@ -1,29 +1,76 @@ +-## Jabber instant messaging servers. ++## Jabber instant messaging server ++ +##################################### +## +## Creates types and rules for a basic 
@@ -27738,27 +26916,38 @@ index 9878499..01673a4 100644 + + logging_send_syslog_msg($1_t) +') -+ -+####################################### -+## + + ####################################### + ## +-## The template to define a jabber domain. +## Execute a domain transition to run jabberd services -+## + ## +-## +## -+## + ## +-## Domain prefix to be used. +## Domain allowed to transition. -+## -+## -+# + ## + ## + # +-template(`jabber_domain_template',` +interface(`jabber_domtrans_jabberd',` -+ gen_require(` + gen_require(` +- attribute jabberd_domain; + type jabberd_t, jabberd_exec_t; -+ ') -+ + ') + +- type $1_t, jabberd_domain; +- type $1_exec_t; +- init_daemon_domain($1_t, $1_exec_t) + domtrans_pattern($1, jabberd_exec_t, jabberd_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Create, read, write, and delete +-## jabber lib files. +## Execute a domain transition to run jabberd router service +## +## @@ -27778,22 +26967,25 @@ index 9878499..01673a4 100644 +####################################### +## +## Read jabberd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -31,18 +78,37 @@ template(`jabber_domain_template',` + ## + ## + # +-interface(`jabber_manage_lib_files',` +interface(`jabberd_read_lib_files',` -+ gen_require(` -+ type jabberd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) + gen_require(` + type jabberd_var_lib_t; + ') + + files_search_var_lib($1) +- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) + read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) -+') -+ + ') + +-######################################## +####################################### +## +## Dontaudit inherited read jabberd lib files. @@ -27820,7 +27012,7 @@ index 9878499..01673a4 100644 ## ## ## -@@ -10,8 +116,13 @@ +@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',` ## ## # 
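Review bot: ejabberd loses its labels on the new side of the jabber.fc hunk: the entries upstream carries for `/usr/sbin/ejabberd`, `/usr/sbin/ejabberdctl`, `/var/lib/ejabberd(/.*)?`, `/var/lib/ejabberd/spool(/.*)?`, `/var/log/ejabberd(/.*)?`, `/var/run/ejabber\.pid` and the init-script alternation are all deleted, so on a host that installs ejabberd the daemon would no longer transition into jabberd_t and would run in whatever domain init's default transition gives it. If the intent is that Fedora's ejabberd ships its own labels or deliberately stays out of this module, say so in a comment above the pyicq-t block so the next rebase does not silently re-add or re-drop them; otherwise keep the ejabberd lines alongside the new pyicq-t ones. Minor: `/var/log/pyicq-t\.log.*` has no `--` object-class qualifier, unlike the other log entries in this diff (compare `/var/log/imaze\.log.* --` in the imaze.fc hunk).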
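Review bot: `jabber_domtrans_jabberd` calls only `domtrans_pattern($1, jabberd_exec_t, jabberd_t)`, without the `corecmd_search_bin($1)` the refpolicy domtrans idiom pairs with it (compare `isnsd_domtrans` in the isnsd.if hunk earlier in this diff, which has both); a caller that cannot otherwise search /usr/bin will get a search denial before it reaches the executable. Add `corecmd_search_bin($1)` before the domtrans_pattern line. The same probably applies to `jabber_domtrans_jabberd_router`, whose body is collapsed in this hunk and could not be read here.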
@@ -27836,19 +27028,37 @@ index 9878499..01673a4 100644 ') ######################################## -@@ -33,24 +144,25 @@ interface(`jabber_tcp_connect',` + ## +-## All of the rules required to +-## administrate an jabber environment. ++## All of the rules required to administrate ++## an jabber environment + ## + ## + ## +@@ -66,38 +137,32 @@ interface(`jabber_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the jabber domain. + ## + ## + ## # interface(`jabber_admin',` gen_require(` -- type jabberd_t, jabberd_log_t, jabberd_var_lib_t; -- type jabberd_var_run_t, jabberd_initrc_exec_t; +- attribute jabberd_domain; +- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; +- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; + type jabberd_t, jabberd_var_lib_t; + type jabberd_initrc_exec_t, jabberd_router_t; ') -- allow $1 jabberd_t:process { ptrace signal_perms }; +- allow $1 jabberd_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, jabberd_domain) + allow $1 jabberd_t:process signal_perms; - ps_process_pattern($1, jabberd_t) ++ ps_process_pattern($1, jabberd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 jabberd_t:process ptrace; + allow $1 jabberd_router_t:process ptrace; @@ -27862,43 +27072,50 @@ index 9878499..01673a4 100644 role_transition $2 jabberd_initrc_exec_t system_r; allow $2 system_r; -- logging_list_logs($1) +- files_search_locks($1)) +- admin_pattern($1, jabberd_lock_t) +- +- logging_search_logs($1) - admin_pattern($1, jabberd_log_t) - - files_list_var_lib($1) +- files_search_spool($1) +- admin_pattern($1, jabberd_spool_t) +- +- files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, jabberd_var_lib_t) - -- files_list_pids($1) +- files_search_pids($1) - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index 53e53ca..c1ce1b7 100644 +index bb12c90..c1ce1b7 100644 --- a/jabber.te 
+++ b/jabber.te -@@ -1,94 +1,146 @@ --policy_module(jabber, 1.9.0) +@@ -1,4 +1,4 @@ +-policy_module(jabber, 1.9.1) +policy_module(jabber, 1.8.0) ######################################## # - # Declarations - # +@@ -9,129 +9,138 @@ attribute jabberd_domain; --type jabberd_t; --type jabberd_exec_t; --init_daemon_domain(jabberd_t, jabberd_exec_t) -+attribute jabberd_domain; -+ -+jabber_domain_template(jabberd) -+jabber_domain_template(jabberd_router) + jabber_domain_template(jabberd) + jabber_domain_template(jabberd_router) +jabber_domain_template(pyicqt) type jabberd_initrc_exec_t; init_script_file(jabberd_initrc_exec_t) +-type jabberd_lock_t; +-files_lock_file(jabberd_lock_t) +- -type jabberd_log_t; -logging_log_file(jabberd_log_t) - +-type jabberd_spool_t; +-files_type(jabberd_spool_t) +- +# type which includes log/pid files pro jabberd components type jabberd_var_lib_t; files_type(jabberd_var_lib_t) 
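Review bot: In jabber_admin the new side grants `ps_process_pattern($1, jabberd_t)` and `allow $1 jabberd_t:process signal_perms;` only for jabberd_t, but the deny_ptrace block then adds `allow $1 jabberd_router_t:process ptrace;` for the router as well, so an admin can ptrace the router process but cannot signal it or read its /proc entries. Either add `allow $1 jabberd_router_t:process signal_perms;` and `ps_process_pattern($1, jabberd_router_t)` next to the jabberd_t lines, or follow upstream's removed form and use the `jabberd_domain` attribute for all three rules (which then needs `attribute jabberd_domain;` in the gen_require). The interface opens and closes within this hunk, so the change is self-contained.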
@@ -27910,159 +27127,167 @@ index 53e53ca..c1ce1b7 100644 +logging_log_file(pyicqt_log_t); -######################################## +-# +-# Common local policy +-# +type pyicqt_var_spool_t; +files_spool_file(pyicqt_var_spool_t) -+ + +-allow jabberd_domain self:process signal_perms; +-allow jabberd_domain self:fifo_file rw_fifo_file_perms; +-allow jabberd_domain self:tcp_socket { accept listen }; +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) -+ + +-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) +###################################### - # --# Local policy ++# +# Local policy for jabberd-router and c2s components - # ++# --allow jabberd_t self:capability dac_override; --dontaudit jabberd_t self:capability sys_tty_config; --allow jabberd_t self:process signal_perms; --allow jabberd_t self:fifo_file read_fifo_file_perms; --allow jabberd_t self:tcp_socket create_stream_socket_perms; --allow jabberd_t self:udp_socket create_socket_perms; +-kernel_read_system_state(jabberd_domain) +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; --manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) -- --manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) -- --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) -- --kernel_read_kernel_sysctls(jabberd_t) --kernel_list_proc(jabberd_t) --kernel_read_proc_symlinks(jabberd_t) -- --corenet_all_recvfrom_unlabeled(jabberd_t) --corenet_all_recvfrom_netlabel(jabberd_t) --corenet_tcp_sendrecv_generic_if(jabberd_t) --corenet_udp_sendrecv_generic_if(jabberd_t) --corenet_tcp_sendrecv_generic_node(jabberd_t) --corenet_udp_sendrecv_generic_node(jabberd_t) --corenet_tcp_sendrecv_all_ports(jabberd_t) --corenet_udp_sendrecv_all_ports(jabberd_t) 
--corenet_tcp_bind_generic_node(jabberd_t) --corenet_tcp_bind_jabber_client_port(jabberd_t) --corenet_tcp_bind_jabber_interserver_port(jabberd_t) --corenet_sendrecv_jabber_client_server_packets(jabberd_t) --corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +-corenet_all_recvfrom_unlabeled(jabberd_domain) +-corenet_all_recvfrom_netlabel(jabberd_domain) +-corenet_tcp_sendrecv_generic_if(jabberd_domain) +-corenet_tcp_sendrecv_generic_node(jabberd_domain) +-corenet_tcp_bind_generic_node(jabberd_domain) +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) -+ + +-dev_read_urand(jabberd_domain) +-dev_read_sysfs(jabberd_domain) +kernel_read_network_state(jabberd_router_t) -+ + +-fs_getattr_all_fs(jabberd_domain) +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) --dev_read_sysfs(jabberd_t) --# For SSL --dev_read_rand(jabberd_t) +-logging_send_syslog_msg(jabberd_domain) +fs_getattr_all_fs(jabberd_router_t) --domain_use_interactive_fds(jabberd_t) +-miscfiles_read_localization(jabberd_domain) +miscfiles_read_generic_certs(jabberd_router_t) --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) -+optional_policy(` + optional_policy(` +- nis_use_ypbind(jabberd_domain) + kerberos_use(jabberd_router_t) -+') + ') --fs_getattr_all_fs(jabberd_t) --fs_search_auto_mountpoints(jabberd_t) -+optional_policy(` + optional_policy(` +- seutil_sigchld_newrole(jabberd_domain) + nis_use_ypbind(jabberd_router_t) -+') + ') --logging_send_syslog_msg(jabberd_t) +-######################################## +##################################### -+# + # +-# Local policy +# Local policy for other jabberd components -+# + # 
--miscfiles_read_localization(jabberd_t) +-allow jabberd_t self:capability dac_override; +-dontaudit jabberd_t self:capability sys_tty_config; +-allow jabberd_t self:tcp_socket create_socket_perms; +-allow jabberd_t self:udp_socket create_socket_perms; +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --sysnet_read_config(jabberd_t) +-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) - userdom_dontaudit_use_unpriv_user_fds(jabberd_t) - userdom_dontaudit_search_user_home_dirs(jabberd_t) +-allow jabberd_t jabberd_log_t:dir setattr_dir_perms; +-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++userdom_dontaudit_use_unpriv_user_fds(jabberd_t) ++userdom_dontaudit_search_user_home_dirs(jabberd_t) - optional_policy(` -- nis_use_ypbind(jabberd_t) +-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) ++optional_policy(` + seutil_sigchld_newrole(jabberd_t) - ') ++') - optional_policy(` -- seutil_sigchld_newrole(jabberd_t) +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) ++optional_policy(` + udev_read_db(jabberd_t) +') -+ + +-kernel_read_kernel_sysctls(jabberd_t) +###################################### +# +# Local policy for pyicq-t +# -+ + +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +# need for /var/log/pyicq-t.log +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) -+ + 
+-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); -+ + +-dev_read_rand(jabberd_t) +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); -+ + +-domain_use_interactive_fds(jabberd_t) +corenet_tcp_bind_jabber_router_port(pyicqt_t) +corenet_tcp_connect_jabber_router_port(pyicqt_t) -+ + +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +corecmd_exec_bin(pyicqt_t) -+ + +-fs_search_auto_mountpoints(jabberd_t) +dev_read_urand(pyicqt_t); -+ + +-sysnet_read_config(jabberd_t) +files_read_usr_files(pyicqt_t) -+ + +-userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +-userdom_dontaudit_search_user_home_dirs(jabberd_t) +auth_use_nsswitch(pyicqt_t); -+ + +# for RHEL5 +libs_use_ld_so(pyicqt_t) +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql -+optional_policy(` + optional_policy(` +- udev_read_db(jabberd_t) + corenet_tcp_connect_mysqld_port(pyicqt_t) ') - optional_policy(` -- udev_read_db(jabberd_t) +-######################################## ++optional_policy(` + sysnet_use_ldap(pyicqt_t) - ') ++') + +####################################### -+# + # +-# Router local policy +# Local policy for jabberd domains -+# -+ + # + +-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +allow jabberd_domain self:process signal_perms; +allow jabberd_domain self:fifo_file rw_fifo_file_perms; +allow jabberd_domain self:tcp_socket create_stream_socket_perms; +allow jabberd_domain self:udp_socket create_socket_perms; -+ + +-kernel_read_network_state(jabberd_router_t) +corenet_tcp_sendrecv_generic_if(jabberd_domain) +corenet_udp_sendrecv_generic_if(jabberd_domain) +corenet_tcp_sendrecv_generic_node(jabberd_domain) 
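Review bot: Several of the new pyicqt rules carry a trailing semicolon after an m4 interface call — `logging_log_file(pyicqt_log_t);`, `manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);`, `manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);`, `dev_read_urand(pyicqt_t);`, `auth_use_nsswitch(pyicqt_t);` — whereas the surrounding calls in the same file have none; refpolicy style is to leave the `;` off interface calls, since the expansion already supplies its own statement terminators. The `# for RHEL5` pair `libs_use_ld_so(pyicqt_t)` / `libs_use_shared_libs(pyicqt_t)` is, as far as I recall, deprecated in current refpolicy and expands to a build warning; if the RHEL5 compatibility is no longer needed the two lines can go, otherwise the comment should say which release still requires them.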
@@ -28070,66 +27295,46 @@ index 53e53ca..c1ce1b7 100644 +corenet_tcp_sendrecv_all_ports(jabberd_domain) +corenet_udp_sendrecv_all_ports(jabberd_domain) +corenet_tcp_bind_generic_node(jabberd_domain) -+ + +-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) +-corenet_tcp_bind_jabber_client_port(jabberd_router_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) +dev_read_urand(jabberd_domain) +dev_read_urand(jabberd_domain) +dev_read_sysfs(jabberd_domain) -+ + +-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +-# corenet_tcp_bind_jabber_router_port(jabberd_router_t) +-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) +-# corenet_tcp_connect_jabber_router_port(jabberd_router_t) +-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) +files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) -+ -+sysnet_read_config(jabberd_domain) -diff --git a/java.fc b/java.fc -index bc1a419..f630930 100644 ---- a/java.fc -+++ b/java.fc -@@ -28,8 +28,6 @@ - /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -- - /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) - - ifdef(`distro_redhat',` +-auth_use_nsswitch(jabberd_router_t) ++sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te -index ff52c16..bdb4610 100644 +index b3fcfbb..b2c5451 100644 --- a/java.te +++ b/java.te -@@ -10,7 +10,7 @@ policy_module(java, 2.6.0) - ## Allow java executable stack - ##

    +@@ -11,7 +11,7 @@ policy_module(java, 2.6.3) + ## its stack executable. + ##

    ## -gen_tunable(allow_java_execstack, false) +gen_tunable(java_execstack, false) - type java_t; - type java_exec_t; -@@ -62,7 +62,6 @@ kernel_read_system_state(java_t) - # Search bin directory under java for java executable - corecmd_search_bin(java_t) - --corenet_all_recvfrom_unlabeled(java_t) - corenet_all_recvfrom_netlabel(java_t) - corenet_tcp_sendrecv_generic_if(java_t) - corenet_udp_sendrecv_generic_if(java_t) -@@ -91,7 +90,6 @@ fs_dontaudit_rw_tmpfs_files(java_t) - - logging_send_syslog_msg(java_t) + attribute java_domain; --miscfiles_read_localization(java_t) - # Read global fonts and font config - miscfiles_read_fonts(java_t) +@@ -112,7 +112,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s -@@ -108,7 +106,7 @@ userdom_manage_user_home_content_sockets(java_t) - userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) - userdom_write_user_tmp_sockets(java_t) + userdom_write_user_tmp_sockets(java_domain) -tunable_policy(`allow_java_execstack',` +tunable_policy(`java_execstack',` - allow java_t self:process execstack; + allow java_domain self:process { execmem execstack }; - allow java_t java_tmp_t:file execute; + libs_legacy_use_shared_libs(java_domain) diff --git a/jetty.fc b/jetty.fc new file mode 100644 index 0000000..1725b7e @@ -28450,24 +27655,12 @@ index 0000000..af510ea +# + +# No local policy. This module just contains type definitions -diff --git a/jockey.fc b/jockey.fc -new file mode 100644 -index 0000000..a59ad8d ---- /dev/null -+++ b/jockey.fc -@@ -0,0 +1,6 @@ -+/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0) -+ -+/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0) -+ -+/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0) -+/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0) 
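Review bot: The "Local policy for jabberd domains" block in jabber.te adds `dev_read_urand(jabberd_domain)` twice on consecutive lines before `dev_read_sysfs(jabberd_domain)`; the duplicate is harmless to the compiled policy but reads as a copy-paste slip, so drop the second `dev_read_urand(jabberd_domain)`. The enclosing jabber.te hunk ends inside this outer hunk, so nothing else depends on the removed line.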
diff --git a/jockey.if b/jockey.if -new file mode 100644 -index 0000000..868c7d0 ---- /dev/null +index 2fb7a20..c6ba007 100644 +--- a/jockey.if +++ b/jockey.if -@@ -0,0 +1,126 @@ +@@ -1 +1,131 @@ +-## Jockey driver manager. + +## policy for jockey + @@ -28582,6 +27775,7 @@ index 0000000..868c7d0 + gen_require(` + type jockey_t; + type jockey_cache_t; ++ type jockey_var_log_t; + ') + + allow $1 jockey_t:process { ptrace signal_perms }; @@ -28589,79 +27783,39 @@ index 0000000..868c7d0 + + files_search_var($1) + admin_pattern($1, jockey_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, jockey_var_log_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') diff --git a/jockey.te b/jockey.te -new file mode 100644 -index 0000000..03a01b4 ---- /dev/null +index d59ec10..1b5410d 100644 +--- a/jockey.te 
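Review bot: jockey_admin keeps an unconditional `allow $1 jockey_t:process { ptrace signal_perms };` in the first hunk on this line, while the same patch gates admin ptrace behind the deny_ptrace tunable in jabber_admin and kdump_admin. For consistency, change it to `allow $1 jockey_t:process signal_perms;` followed by ``tunable_policy(`deny_ptrace',`',` allow $1 jockey_t:process ptrace; ')``. The ``interface(`jockey_admin',` `` line itself is outside the hunk.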
+++ b/jockey.te -@@ -0,0 +1,62 @@ -+policy_module(jockey, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type jockey_t; -+type jockey_exec_t; -+init_daemon_domain(jockey_t, jockey_exec_t) -+ -+type jockey_cache_t; -+files_type(jockey_cache_t) -+ -+type jockey_var_log_t; -+logging_log_file(jockey_var_log_t) -+ -+######################################## -+# -+# jockey local policy -+# -+allow jockey_t self:fifo_file rw_fifo_file_perms; -+ -+manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -+manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -+manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t) -+files_var_filetrans(jockey_t, jockey_cache_t, { dir file }) -+ -+manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) -+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) -+ -+kernel_read_system_state(jockey_t) -+ -+corecmd_exec_bin(jockey_t) -+corecmd_exec_shell(jockey_t) -+ -+dev_read_rand(jockey_t) -+dev_read_urand(jockey_t) -+ -+dev_read_sysfs(jockey_t) -+ -+domain_use_interactive_fds(jockey_t) -+ -+files_read_etc_files(jockey_t) -+files_read_usr_files(jockey_t) -+ +@@ -47,13 +47,18 @@ domain_use_interactive_fds(jockey_t) + files_read_etc_files(jockey_t) + files_read_usr_files(jockey_t) + +-miscfiles_read_localization(jockey_t) +auth_read_passwd(jockey_t) -+ -+optional_policy(` -+ dbus_system_domain(jockey_t, jockey_exec_t) -+') -+ -+optional_policy(` + + optional_policy(` + dbus_system_domain(jockey_t, jockey_exec_t) + ') + + optional_policy(` + gnome_dontaudit_search_config(jockey_t) +') + +optional_policy(` -+ modutils_domtrans_insmod(jockey_t) -+ modutils_read_module_config(jockey_t) + modutils_domtrans_insmod(jockey_t) + modutils_read_module_config(jockey_t) + modutils_list_module_config(jockey_t) -+') + ') diff --git a/kde.fc b/kde.fc new file mode 100644 index 0000000..25e4b68 
@@ -28699,10 +27853,10 @@ index 0000000..cf65577 +') diff --git a/kde.te b/kde.te new file mode 100644 -index 0000000..7b4b5ff +index 0000000..dbe3f03 --- /dev/null +++ b/kde.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,41 @@ +policy_module(kde,1.0.0) + +######################################## @@ -28718,6 +27872,7 @@ index 0000000..7b4b5ff +# +# backlighthelper local policy +# ++ +allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(kdebacklighthelper_t) @@ -28725,9 +27880,7 @@ index 0000000..7b4b5ff +# r/w brightness values +dev_rw_sysfs(kdebacklighthelper_t) + -+files_read_etc_files(kdebacklighthelper_t) +files_read_etc_runtime_files(kdebacklighthelper_t) -+files_read_usr_files(kdebacklighthelper_t) + +fs_getattr_all_fs(kdebacklighthelper_t) + @@ -28746,25 +27899,40 @@ index 0000000..7b4b5ff +') + diff --git a/kdump.fc b/kdump.fc -index c66934f..1906ffe 100644 +index a49ae4e..1906ffe 100644 --- a/kdump.fc 
+++ b/kdump.fc -@@ -3,3 +3,11 @@ +@@ -1,13 +1,13 @@ + /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) ++/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) - /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) -+ -+ +-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) ++/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) ++/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + +-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) + +-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) +/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0) -+ + +-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) +/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) -+ + +-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/kdump.if b/kdump.if -index 4198ff5..15d521b 100644 +index 3a00b3a..15d521b 100644 --- a/kdump.if +++ b/kdump.if +@@ -1,4 +1,4 @@ +-## Kernel crash dumping mechanism. ++## Kernel crash dumping mechanism + + ###################################### + ## @@ -19,6 +19,26 @@ interface(`kdump_domtrans',` domtrans_pattern($1, kdump_exec_t, kdump_t) ') @@ -28792,7 +27960,7 @@ index 4198ff5..15d521b 100644 ####################################### ## ## Execute kdump in the kdump domain. -@@ -37,6 +57,30 @@ interface(`kdump_initrc_domtrans',` +@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',` init_labeled_script_domtrans($1, kdump_initrc_exec_t) ') 
@@ -28822,8 +27990,12 @@ index 4198ff5..15d521b 100644 + ##################################### ## - ## Read kdump configuration file. -@@ -56,6 +100,24 @@ interface(`kdump_read_config',` +-## Read kdump configuration files. ++## Read kdump configuration file. + ## + ## + ## +@@ -56,10 +100,27 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -28847,8 +28019,13 @@ index 4198ff5..15d521b 100644 + #################################### ## - ## Manage kdump configuration file. -@@ -75,6 +137,27 @@ interface(`kdump_manage_config',` +-## Create, read, write, and delete +-## kdmup configuration files. ++## Manage kdump configuration file. + ## + ## + ## +@@ -76,10 +137,31 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') 
@@ -28875,162 +28052,206 @@ index 4198ff5..15d521b 100644 + ###################################### ## - ## All of the rules required to administrate -@@ -96,10 +179,14 @@ interface(`kdump_admin',` +-## All of the rules required to +-## administrate an kdump environment. ++## All of the rules required to administrate ++## an kdump environment + ## + ## + ## +@@ -88,19 +170,23 @@ interface(`kdump_manage_config',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the kdump domain. + ## + ## + ## + # + interface(`kdump_admin',` gen_require(` - type kdump_t, kdump_etc_t; - type kdump_initrc_exec_t; +- type kdump_t, kdump_etc_t, kdumpctl_tmp_t; +- type kdump_initrc_exec_t, kdumpctl_t; ++ type kdump_t, kdump_etc_t; ++ type kdump_initrc_exec_t; + type kdump_unit_file_t; ') -- allow $1 kdump_t:process { ptrace signal_perms }; +- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { kdump_t kdumpctl_t }) + allow $1 kdump_t:process signal_perms; - ps_process_pattern($1, kdump_t) ++ ps_process_pattern($1, kdump_t) + tunable_policy(`deny_ptrace',`',` + allow $1 kdump_t:process ptrace; + ') init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -108,4 +195,8 @@ interface(`kdump_admin',` - +@@ -110,6 +196,7 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) -+ + +- files_search_tmp($1) +- admin_pattern($1, kdumpctl_tmp_t) + kdump_systemctl($1) + admin_pattern($1, kdump_unit_file_t) + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index b29d8e2..6b6a6c4 100644 +index 70f3007..6b6a6c4 100644 --- a/kdump.te 
+++ b/kdump.te -@@ -15,15 +15,28 @@ files_config_file(kdump_etc_t) +@@ -1,4 +1,4 @@ +-policy_module(kdump, 1.2.3) ++policy_module(kdump, 1.2.0) + + ####################################### + # +@@ -15,30 +15,34 @@ files_config_file(kdump_etc_t) type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) +type kdump_unit_file_t alias kdumpctl_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + -+type kdumpctl_t; -+type kdumpctl_exec_t; -+init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) + type kdumpctl_t; + type kdumpctl_exec_t; + init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) +-application_executable_file(kdumpctl_exec_t) +init_initrc_domain(kdumpctl_t) -+ -+type kdumpctl_tmp_t; -+files_tmp_file(kdumpctl_tmp_t) -+ + + type kdumpctl_tmp_t; + files_tmp_file(kdumpctl_tmp_t) + ##################################### # - # kdump local policy +-# Local policy ++# kdump local policy # allow kdump_t self:capability { sys_boot dac_override }; +allow kdump_t self:capability2 compromise_kernel; - read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) +-allow kdump_t kdump_etc_t:file read_file_perms; ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -+files_read_etc_files(kdump_t) + files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) -@@ -36,3 +49,89 @@ dev_read_framebuffer(kdump_t) - dev_read_sysfs(kdump_t) ++kernel_read_system_state(kdump_t) + kernel_read_core_if(kdump_t) + kernel_read_debugfs(kdump_t) +-kernel_read_system_state(kdump_t) + kernel_request_load_module(kdump_t) - term_use_console(kdump_t) -+ -+####################################### -+# + dev_read_framebuffer(kdump_t) +@@ -48,22 +52,27 @@ term_use_console(kdump_t) + + ####################################### + # +-# Ctl local policy +# kdumpctl local policy -+# -+ + # + +#cjp:almost all rules are needed by dracut + +kdump_domtrans(kdumpctl_t) + -+allow kdumpctl_t self:capability { dac_override sys_chroot }; -+allow kdumpctl_t self:process setfscreate; -+ + 
allow kdumpctl_t self:capability { dac_override sys_chroot }; + allow kdumpctl_t self:process setfscreate; +-allow kdumpctl_t self:fifo_file rw_fifo_file_perms; +-allow kdumpctl_t self:unix_stream_socket { accept listen }; + +-allow kdumpctl_t kdump_etc_t:file read_file_perms; +allow kdumpctl_t self:fifo_file rw_fifo_file_perms; +allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + + manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -+manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -+manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) -+files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) + manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) + files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) +can_exec(kdumpctl_t, kdumpctl_tmp_t) -+ + +-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) +read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) -+ -+kernel_read_system_state(kdumpctl_t) -+ -+corecmd_exec_bin(kdumpctl_t) -+corecmd_exec_shell(kdumpctl_t) -+ -+dev_read_sysfs(kdumpctl_t) + + kernel_read_system_state(kdumpctl_t) + +@@ -71,6 +80,7 @@ corecmd_exec_bin(kdumpctl_t) + corecmd_exec_shell(kdumpctl_t) + + dev_read_sysfs(kdumpctl_t) +# dracut -+dev_manage_all_dev_nodes(kdumpctl_t) -+ -+domain_use_interactive_fds(kdumpctl_t) -+ -+files_create_kernel_img(kdumpctl_t) -+files_read_etc_files(kdumpctl_t) -+files_read_etc_runtime_files(kdumpctl_t) -+files_read_usr_files(kdumpctl_t) -+files_read_kernel_modules(kdumpctl_t) -+files_getattr_all_dirs(kdumpctl_t) + dev_manage_all_dev_nodes(kdumpctl_t) + + domain_use_interactive_fds(kdumpctl_t) +@@ -81,36 +91,47 @@ files_read_etc_runtime_files(kdumpctl_t) + files_read_usr_files(kdumpctl_t) + 
files_read_kernel_modules(kdumpctl_t) + files_getattr_all_dirs(kdumpctl_t) +files_delete_kernel(kdumpctl_t) -+ -+fs_getattr_all_fs(kdumpctl_t) -+fs_search_all(kdumpctl_t) -+ + + fs_getattr_all_fs(kdumpctl_t) + fs_search_all(kdumpctl_t) + +-init_domtrans_script(kdumpctl_t) +application_executable_ioctl(kdumpctl_t) + +auth_read_passwd(kdumpctl_t) + -+init_exec(kdumpctl_t) + init_exec(kdumpctl_t) +systemd_exec_systemctl(kdumpctl_t) +systemd_read_unit_files(kdumpctl_t) -+ -+libs_exec_ld_so(kdumpctl_t) -+ -+logging_send_syslog_msg(kdumpctl_t) + + libs_exec_ld_so(kdumpctl_t) + + logging_send_syslog_msg(kdumpctl_t) +# Need log file from /var/log/dracut.log +logging_write_generic_logs(kdumpctl_t) -+ + +-miscfiles_read_localization(kdumpctl_t) +optional_policy(` + gpg_exec(kdumpctl_t) +') -+ -+optional_policy(` + + optional_policy(` +- gpg_exec(kdumpctl_t) + lvm_read_config(kdumpctl_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- lvm_read_config(kdumpctl_t) + modutils_domtrans_insmod(kdumpctl_t) + modutils_list_module_config(kdumpctl_t) + modutils_read_module_config(kdumpctl_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- modutils_domtrans_insmod(kdumpctl_t) +- modutils_read_module_config(kdumpctl_t) + plymouthd_domtrans_plymouth(kdumpctl_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- plymouthd_domtrans_plymouth(kdumpctl_t) + ssh_exec(kdumpctl_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- ssh_exec(kdumpctl_t) + unconfined_domain(kdumpctl_t) -+') + ') diff --git a/kdumpgui.if b/kdumpgui.if -index d6af9b0..8b1d9c2 100644 +index 182ab8b..8b1d9c2 100644 --- a/kdumpgui.if +++ b/kdumpgui.if -@@ -1,2 +1,23 @@ - ## system-config-kdump GUI - +@@ -1 +1,23 @@ +-## System-config-kdump GUI. ++## system-config-kdump GUI ++ +######################################## +## +## Send and receive messages from @@ -29053,34 +28274,42 @@ index d6af9b0..8b1d9c2 100644 +') + 
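Review bot: On the new side kdump_admin covers only kdump_t — the gen_require lists `type kdump_t, kdump_etc_t;` / `type kdump_initrc_exec_t;` / `type kdump_unit_file_t;` and upstream's `allow $1 { kdump_t kdumpctl_t }:process ...`, `ps_process_pattern($1, { kdump_t kdumpctl_t })`, `files_search_tmp($1)` and `admin_pattern($1, kdumpctl_tmp_t)` are dropped — yet kdump.te later in this hunk still declares `type kdumpctl_t;` and `type kdumpctl_tmp_t;`, so an admin role loses the ability to signal or list kdumpctl processes or manage its tmp files. The collapsed layout makes the nested markers hard to read, so this is inferred from the `+-` lines; if the drop is intentional a comment saying why would help, otherwise restore kdumpctl coverage alongside the deny_ptrace gating as below. Separately, `allow kdump_t self:capability2 compromise_kernel;` is a broad grant and deserves a why-comment such as `# needed to load the crash kernel via kexec -- confirm`.
```m4
interface(`kdump_admin',`
	gen_require(`
		type kdump_t, kdump_etc_t, kdumpctl_t, kdumpctl_tmp_t;
		type kdump_initrc_exec_t, kdump_unit_file_t;
	')

	allow $1 { kdump_t kdumpctl_t }:process signal_perms;
	ps_process_pattern($1, { kdump_t kdumpctl_t })
	tunable_policy(`deny_ptrace',`',`
		allow $1 { kdump_t kdumpctl_t }:process ptrace;
	')
	# … unchanged: init script transition, role rules, kdump_etc_t admin …

	files_search_tmp($1)
	admin_pattern($1, kdumpctl_tmp_t)
	# … unchanged: kdump_systemctl, kdump_unit_file_t admin and service perms …
')
```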
diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..acb89ac 100644 +index e7f5c81..acb89ac 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0) +@@ -1,4 +1,4 @@ +-policy_module(kdumpgui, 1.1.4) ++policy_module(kdumpgui, 1.1.0) + + ######################################## + # +@@ -7,61 +7,66 @@ policy_module(kdumpgui, 1.1.4) type kdumpgui_t; type kdumpgui_exec_t; --dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) +-init_system_domain(kdumpgui_t, kdumpgui_exec_t) +init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) -+ -+type kdumpgui_tmp_t; -+files_tmp_file(kdumpgui_tmp_t) + + type kdumpgui_tmp_t; + files_tmp_file(kdumpgui_tmp_t) ###################################### # - # system-config-kdump local policy +-# Local policy ++# system-config-kdump local policy # --allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; -+allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; + allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; +-allow kdumpgui_t self:process { setsched sigkill }; allow kdumpgui_t self:fifo_file rw_fifo_file_perms; allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; +allow kdumpgui_t self:process { setsched sigkill }; -+ -+manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) -+manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) -+files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) + manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) + manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) + files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) + +-kernel_getattr_core_if(kdumpgui_t) kernel_read_system_state(kdumpgui_t) kernel_read_network_state(kdumpgui_t) +kernel_getattr_core_if(kdumpgui_t) 
@@ -29088,6 +28317,7 @@ index 0c52f60..acb89ac 100644 corecmd_exec_bin(kdumpgui_t) corecmd_exec_shell(kdumpgui_t) +-dev_getattr_all_blk_files(kdumpgui_t) dev_dontaudit_getattr_all_chr_files(kdumpgui_t) dev_read_sysfs(kdumpgui_t) +dev_read_urand(kdumpgui_t) 
@@ -29095,97 +28325,147 @@ index 0c52f60..acb89ac 100644 files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) -@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t) ++# Needed for running chkconfig + files_manage_etc_symlinks(kdumpgui_t) ++# for blkid.tab + files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) +fs_read_dos_files(kdumpgui_t) -+fs_getattr_all_fs(kdumpgui_t) -+fs_list_hugetlbfs(kdumpgui_t) -+ + fs_getattr_all_fs(kdumpgui_t) + fs_list_hugetlbfs(kdumpgui_t) +-fs_read_dos_files(kdumpgui_t) + storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) +storage_getattr_removable_dev(kdumpgui_t) auth_use_nsswitch(kdumpgui_t) - logging_send_syslog_msg(kdumpgui_t) -+logging_list_logs(kdumpgui_t) -+logging_read_generic_logs(kdumpgui_t) - ++logging_send_syslog_msg(kdumpgui_t) + logging_list_logs(kdumpgui_t) + logging_read_generic_logs(kdumpgui_t) +-logging_send_syslog_msg(kdumpgui_t) +- -miscfiles_read_localization(kdumpgui_t) -+mount_exec(kdumpgui_t) + + mount_exec(kdumpgui_t) init_dontaudit_read_all_script_files(kdumpgui_t) +init_access_check(kdumpgui_t) + +userdom_dontaudit_search_admin_dir(kdumpgui_t) -+ -+optional_policy(` -+ bootloader_exec(kdumpgui_t) -+ bootloader_rw_config(kdumpgui_t) -+') optional_policy(` - consoletype_exec(kdumpgui_t) + bootloader_exec(kdumpgui_t) +@@ -73,11 +78,11 @@ optional_policy(` ') optional_policy(` +- dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + consoletype_exec(kdumpgui_t) +') -+ + +- optional_policy(` +- policykit_dbus_chat(kdumpgui_t) +- ') +optional_policy(` + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) -+') -+ -+optional_policy(` - dev_rw_lvm_control(kdumpgui_t) ') optional_policy(` +@@ -87,4 +92,10 @@ optional_policy(` + optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) + kdump_systemctl(kdumpgui_t) + kdumpctl_domtrans(kdumpgui_t) ++') ++ 
++optional_policy(` ++ policykit_dbus_chat(kdumpgui_t) ') - - optional_policy(` diff --git a/kerberos.fc b/kerberos.fc -index 3525d24..8c702c9 100644 +index 4fe75fd..8c702c9 100644 --- a/kerberos.fc 
+++ b/kerberos.fc -@@ -13,13 +13,14 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -1,52 +1,44 @@ +-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + +-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) +-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) ++/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) + +-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + + /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) --/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) --/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/(kerberos/)?sbin/krb5kdc -- 
gen_context(system_u:object_r:krb5kdc_exec_t,s0) +/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) - /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) +/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) --/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +- +-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +- +-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +- +-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) +- +-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -@@ -27,7 +28,17 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) - --/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) --/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) +- +-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) +-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0) +- +-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++ +/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) +/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) - ++ +/var/cache/krb5rcache(/.*)? 
gen_context(system_u:object_r:krb5_host_rcache_t,s0) + +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) - /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -29194,12 +28474,104 @@ index 3525d24..8c702c9 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..138e1e2 100644 +index f9de9fc..138e1e2 100644 --- a/kerberos.if +++ b/kerberos.if -@@ -82,14 +82,11 @@ interface(`kerberos_use',` - #kerberos libraries are attempting to set the correct file context +@@ -1,27 +1,29 @@ +-## MIT Kerberos admin and KDC. ++## MIT Kerberos admin and KDC ++## ++##
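Review bot: In the kerberos.fc part of this hunk the new entry `/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)` drops the `--` regular-file specifier that the removed upstream line carried, so a directory or symlink at that path would also be labelled krb5_keytab_t. The keytab holds the host's long-term keys, so if the widening is deliberate (a symlinked keytab, say) a one-line comment above the entry, such as `# no class restriction: /etc/krb5.keytab may be a symlink`, would keep the next rebase from reverting it. `/var/log/krb5kdc\.log.*` and `/var/kerberos/krb5kdc/principal.*\.ok` in the same section show the same dropped `--`, and the `index 4fe75fd..8c702c9` line says the resulting file is unchanged, so this presumably reflects the existing Fedora result rather than a new decision, but it is worth confirming.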

    ++## This policy supports: ++##

    ++##

    ++## Servers: ++##

      ++##
    • kadmind
    • ++##
    • krb5kdc
    • ++##
    ++##

    ++##

    ++## Clients: ++##

      ++##
    • kinit
    • ++##
    • kdestroy
    • ++##
    • klist
    • ++##
    • ksu (incomplete)
    • ++##
    ++##

    ++##
    + + ######################################## + ## +-## Role access for kerberos. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-template(`kerberos_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') +- +-######################################## +-## +-## Execute kadmind in the caller domain. ++## Execute kadmind in the current domain + ## + ## + ## +@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',` + type kadmind_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, kadmind_exec_t) + ') + +@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',` + type kpropd_t, kpropd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, kpropd_exec_t, kpropd_t) + ') + + ######################################## + ## +-## Support kerberos services. ++## Use kerberos services + ## + ## + ## +@@ -69,45 +69,43 @@ interface(`kerberos_domtrans_kpropd',` + # + interface(`kerberos_use',` + gen_require(` +- type krb5kdc_conf_t, krb5_host_rcache_t; ++ type krb5_conf_t, krb5kdc_conf_t; ++ type krb5_host_rcache_t; + ') + +- kerberos_read_config($1) +- +- dontaudit $1 krb5_conf_t:file write_file_perms; ++ files_search_etc($1) ++ read_files_pattern($1, krb5_conf_t, krb5_conf_t) ++ dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + ++ #kerberos libraries are attempting to set the correct file context dontaudit $1 self:process setfscreate; +- selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) 
@@ -29213,13 +28585,24 @@ index 604f67b..138e1e2 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -103,11 +100,12 @@ interface(`kerberos_use',` - corenet_sendrecv_kerberos_client_packets($1) - corenet_sendrecv_ocsp_client_packets($1) + corenet_udp_sendrecv_generic_node($1) +- +- corenet_sendrecv_kerberos_client_packets($1) +- corenet_tcp_connect_kerberos_port($1) + corenet_tcp_sendrecv_kerberos_port($1) + corenet_udp_sendrecv_kerberos_port($1) +- +- corenet_sendrecv_ocsp_client_packets($1) ++ corenet_tcp_bind_generic_node($1) ++ corenet_udp_bind_generic_node($1) ++ corenet_tcp_connect_kerberos_port($1) + corenet_tcp_connect_ocsp_port($1) +- corenet_tcp_sendrecv_ocsp_port($1) ++ corenet_sendrecv_kerberos_client_packets($1) ++ corenet_sendrecv_ocsp_client_packets($1) -- allow $1 krb5_host_rcache_t:file getattr; + allow $1 krb5_host_rcache_t:dir search_dir_perms; -+ allow $1 krb5_host_rcache_t:file getattr_file_perms; + allow $1 krb5_host_rcache_t:file getattr_file_perms; ') optional_policy(` 
@@ -29228,53 +28611,247 @@ index 604f67b..138e1e2 100644 pcscd_stream_connect($1) ') ') -@@ -218,6 +216,30 @@ interface(`kerberos_rw_keytab',` +@@ -119,7 +117,7 @@ interface(`kerberos_use',` + + ######################################## + ## +-## Read kerberos configuration files. ++## Read the kerberos configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -135,15 +133,13 @@ interface(`kerberos_read_config',` + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; +- +- userdom_search_user_home_dirs($1) + allow $1 krb5_home_t:file read_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write +-## kerberos configuration files. ++## Do not audit attempts to write the kerberos ++## configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -156,13 +152,12 @@ interface(`kerberos_dontaudit_write_config',` + type krb5_conf_t; + ') + +- dontaudit $1 krb5_conf_t:file write_file_perms; ++ dontaudit $1 krb5_conf_t:file write; + ') + + ######################################## + ## +-## Read and write kerberos +-## configuration files. ++## Read and write the kerberos configuration file (/etc/krb5.conf). + ## + ## + ## +@@ -182,75 +177,7 @@ interface(`kerberos_rw_config',` ######################################## ## +-## Create, read, write, and delete +-## kerberos home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_manage_krb5_home_files',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Relabel kerberos home files. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`kerberos_relabel_krb5_home_files',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 krb5_home_t:file relabel_file_perms; +-') +- +-######################################## +-## +-## Create objects in user home +-## directories with the krb5 home type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`kerberos_home_filetrans_krb5_home',` +- gen_require(` +- type krb5_home_t; +- ') +- +- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) +-') +- +-######################################## +-## +-## Read kerberos key table files. ++## Read the kerberos key table. + ## + ## + ## +@@ -270,7 +197,7 @@ interface(`kerberos_read_keytab',` + + ######################################## + ## +-## Read and write kerberos key table files. ++## Read/Write the kerberos key table. + ## + ## + ## +@@ -289,40 +216,13 @@ interface(`kerberos_rw_keytab',` + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos key table files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`kerberos_manage_keytab_files',` +- gen_require(` +- type krb5_keytab_t; +- ') +- +- files_search_etc($1) +- allow $1 krb5_keytab_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in generic +-## etc directories with the kerberos +-## keytab file type. +## Create keytab file in /etc -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`kerberos_etc_filetrans_keytab',` -+ gen_require(` -+ type krb5_keytab_t; -+ ') -+ + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## + ## + ## + ## The name of the object being created. 
+@@ -334,13 +234,13 @@ interface(`kerberos_etc_filetrans_keytab',` + type krb5_keytab_t; + ') + +- files_etc_filetrans($1, krb5_keytab_t, $2, $3) + allow $1 krb5_keytab_t:file manage_file_perms; + files_etc_filetrans($1, krb5_keytab_t, file, $2) -+') -+ -+######################################## -+## - ## Create a derived type for kerberos keytab + ') + + ######################################## + ## +-## Create a derived type for kerberos +-## keytab files. ++## Create a derived type for kerberos keytab ## ## -@@ -235,8 +257,13 @@ template(`kerberos_keytab_template',` + ## +@@ -354,21 +254,15 @@ interface(`kerberos_etc_filetrans_keytab',` + ## + # + template(`kerberos_keytab_template',` +- +- ######################################## +- # +- # Declarations +- # +- type $1_keytab_t; files_type($1_keytab_t) +- ######################################## +- # +- # Policy +- # + allow $2 self:process setfscreate; - allow $2 $1_keytab_t:file read_file_perms; ++ allow $2 $1_keytab_t:file read_file_perms; +- allow $2 $1_keytab_t:file read_file_perms; + seutil_read_file_contexts($2) + seutil_read_config($2) + selinux_get_enforce_mode($2) -+ + kerberos_read_keytab($2) kerberos_use($2) - ') -@@ -282,42 +309,21 @@ interface(`kerberos_manage_host_rcache',` - # does not work in conditionals +@@ -376,7 +270,7 @@ template(`kerberos_keytab_template',` + + ######################################## + ## +-## Read kerberos kdc configuration files. ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). + ## + ## + ## +@@ -396,8 +290,7 @@ interface(`kerberos_read_kdc_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## kerberos host rcache files. ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). 
+ ## + ## + ## +@@ -411,34 +304,99 @@ interface(`kerberos_manage_host_rcache',` + type krb5_host_rcache_t; + ') + ++ # creates files as system_u no matter what the selinux user ++ # cjp: should be in the below tunable but typeattribute ++ # does not work in conditionals domain_obj_id_change_exemption($1) - tunable_policy(`allow_kerberos',` 
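Review bot: `kerberos_etc_filetrans_keytab` now carries `allow $1 krb5_keytab_t:file manage_file_perms;` ahead of `files_etc_filetrans($1, krb5_keytab_t, file, $2)`, so an interface whose doc line is `## Create keytab file in /etc` also grants create/read/write/unlink on every krb5_keytab_t file, including `/etc/krb5kdc/kadm5\.keytab`, not just the named object. Either the doc should state that, e.g. `## Manage keytab files and create the named keytab in /etc`, or the manage rule belongs with the callers that need it, since the removed `kerberos_manage_keytab_files` was the interface that used to carry it and any upstream module still calling that name will now fail to build. The same hunk changes the signature from `($1, $2, $3)` to `($1, $2)`: a caller still passing a class argument would silently get `file` used as the file name, so remaining callers should be checked. The `interface(` line itself is visible only in the inner hunk header.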
@@ -29285,127 +28862,150 @@ index 604f67b..138e1e2 100644 seutil_read_file_contexts($1) -- allow $1 krb5_host_rcache_t:file manage_file_perms; + files_rw_generic_tmp_dir($1) + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) files_search_tmp($1) +- allow $1 krb5_host_rcache_t:file manage_file_perms; ') ') ######################################## ## --## Connect to krb524 service --## --## --## --## Domain allowed access. --## --## --# --interface(`kerberos_connect_524',` -- tunable_policy(`allow_kerberos',` -- allow $1 self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled($1) -- corenet_udp_sendrecv_generic_if($1) -- corenet_udp_sendrecv_generic_node($1) -- corenet_udp_sendrecv_kerberos_master_port($1) -- corenet_sendrecv_kerberos_master_client_packets($1) -- ') --') -- --######################################## --## - ## All of the rules required to administrate - ## an kerberos environment - ## -@@ -338,18 +344,22 @@ interface(`kerberos_admin',` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; -- type krb5kdc_principal_t, krb5kdc_tmp_t; +-## Create objects in generic temporary +-## directories with the kerberos host +-## rcache type. ++## All of the rules required to administrate ++## an kerberos environment + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## Class of the object being created. ++## The role to be allowed to manage the kerberos domain. 
++## ++## ++## ++# ++interface(`kerberos_admin',` ++ gen_require(` ++ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; ++ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; ++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; -- type kpropd_t; - ') - -- allow $1 kadmind_t:process { ptrace signal_perms }; ++ type krb5kdc_var_run_t, krb5_host_rcache_t; ++ ') ++ + allow $1 kadmind_t:process signal_perms; - ps_process_pattern($1, kadmind_t) ++ ps_process_pattern($1, kadmind_t) + tunable_policy(`deny_ptrace',`',` + allow $1 kadmind_t:process ptrace; + allow $1 krb5kdc_t:process ptrace; + allow $1 kpropd_t:process ptrace; + ') - -- allow $1 krb5kdc_t:process { ptrace signal_perms }; ++ + allow $1 krb5kdc_t:process signal_perms; - ps_process_pattern($1, krb5kdc_t) - -- allow $1 kpropd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, krb5kdc_t) ++ + allow $1 kpropd_t:process signal_perms; - ps_process_pattern($1, kpropd_t) - - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +388,121 @@ interface(`kerberos_admin',` - - admin_pattern($1, krb5kdc_var_run_t) - ') ++ ps_process_pattern($1, kpropd_t) + -+######################################## -+## -+## Type transition files created in /tmp -+## to the krb5_host_rcache type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The name of the object being created. 
-+## -+## -+# -+interface(`kerberos_tmp_filetrans_host_rcache',` -+ gen_require(` -+ type krb5_host_rcache_t; -+ ') ++ init_labeled_script_domtrans($1, kerberos_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 kerberos_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_list_logs($1) ++ admin_pattern($1, kadmind_log_t) + -+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) -+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) ++ files_list_tmp($1) ++ admin_pattern($1, kadmind_tmp_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, kadmind_var_run_t) ++ ++ admin_pattern($1, krb5_conf_t) ++ ++ admin_pattern($1, krb5_host_rcache_t) ++ ++ admin_pattern($1, krb5_keytab_t) ++ ++ admin_pattern($1, krb5kdc_principal_t) ++ ++ admin_pattern($1, krb5kdc_tmp_t) ++ ++ admin_pattern($1, krb5kdc_var_run_t) +') + +######################################## +## -+## read kerberos homedir content (.k5login) ++## Type transition files created in /tmp ++## to the krb5_host_rcache type. +## +## +## +## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -452,12 +410,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` + type krb5_host_rcache_t; + ') + +- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) ++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) + ') + + ######################################## + ## +-## Connect to krb524 service. 
++## read kerberos homedir content (.k5login) + ## + ## + ## +@@ -465,82 +424,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` + ## + ## + # +-interface(`kerberos_connect_524',` +- tunable_policy(`allow_kerberos',` +- allow $1 self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled($1) +- corenet_all_recvfrom_netlabel($1) +- corenet_udp_sendrecv_generic_if($1) +- corenet_udp_sendrecv_generic_node($1) +- +- corenet_sendrecv_kerberos_master_client_packets($1) +- corenet_udp_sendrecv_kerberos_master_port($1) +interface(`kerberos_read_home_content',` + gen_require(` + type krb5_home_t; -+ ') + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, krb5_home_t, krb5_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an kerberos environment. +## create kerberos content in the in the /root directory +## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`kerberos_filetrans_admin_home_content',` + gen_require(` 
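Review bot: `kerberos_tmp_filetrans_host_rcache` on the new side adds `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)` in front of `files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)`, which is more than its doc (`Type transition files created in /tmp to the krb5_host_rcache type`) promises: every caller gains create/write/unlink on all krb5_host_rcache_t files, i.e. the replay caches of every kerberized service listed in kerberos.fc, and gains it unconditionally, whereas `kerberos_manage_host_rcache` at the top of this hunk grants the same rule only inside its `tunable_policy` block. A domain that only needs its own cache file labelled correctly should not need write access to other services' replay caches, so either move the manage rule to the callers or document it, e.g. `## Manage all krb5_host_rcache files and name-transition the given one in /tmp`. The signature also shrinks from `($1, $2, $3)` to `($1, $2)`, so any caller still passing a class would silently use `file` as the name; the callers in the next hunks (`kerberos_tmp_filetrans_host_rcache($1, "ldap_55")` and siblings) already use the two-argument form.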
@@ -29420,19 +29020,54 @@ index 604f67b..138e1e2 100644 +## Transition to kerberos named content +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`kerberos_admin',` +interface(`kerberos_filetrans_home_content',` -+ gen_require(` + gen_require(` +- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; +- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; +- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; +- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; +- type krb5kdc_var_run_t, krb5_host_rcache_t; + type krb5_home_t; -+ ') -+ + ') + +- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; +- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd }) +- +- init_labeled_script_domtrans($1, kerberos_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 kerberos_initrc_exec_t system_r; +- allow $2 system_r; +- +- logging_list_logs($1) +- admin_pattern($1, kadmind_log_t) +- +- files_list_tmp($1) +- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) +- +- kerberos_tmp_filetrans_host_rcache($1, file, "host_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") +- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") +- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") +- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +- +- files_list_pids($1) +- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) + userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") +') -+ + +- files_list_etc($1) +- admin_pattern($1, krb5_conf_t) +######################################## +## +## Transition to kerberos named content 
@@ -29448,12 +29083,17 @@ index 604f67b..138e1e2 100644 + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') -+ -+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") +- +- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) +- + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") -+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") -+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") -+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") +- +- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, "krb5.keytab") @@ -29468,21 +29108,34 @@ index 604f67b..138e1e2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") -+') + ') diff --git a/kerberos.te b/kerberos.te -index 6a95faf..6127834 100644 +index 3465a9a..6127834 100644 --- a/kerberos.te +++ b/kerberos.te -@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) - ## Allow confined applications to run with kerberos. - ##

    +@@ -1,4 +1,4 @@ +-policy_module(kerberos, 1.11.7) ++policy_module(kerberos, 1.11.0) + + ######################################## + # +@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7) + # + + ## +-##

    +-## Determine whether kerberos is supported. +-##

    ++##

    ++## Allow confined applications to run with kerberos. ++##

    ##
    -gen_tunable(allow_kerberos, false) +gen_tunable(kerberos_enabled, false) type kadmind_t; type kadmind_exec_t; -@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) +@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) domain_obj_id_change_exemption(kpropd_t) type krb5_conf_t; @@ -29496,10 +29149,11 @@ index 6a95faf..6127834 100644 +type krb5_host_rcache_t alias saslauthd_tmp_t; files_tmp_file(krb5_host_rcache_t) - # types for general configuration files in /etc -@@ -49,10 +49,11 @@ files_security_file(krb5_keytab_t) ++# types for general configuration files in /etc + type krb5_keytab_t; + files_security_file(krb5_keytab_t) - # types for KDC configs and principal file(s) ++# types for KDC configs and principal file(s) type krb5kdc_conf_t; -files_type(krb5kdc_conf_t) +files_config_file(krb5kdc_conf_t) 
@@ -29507,36 +29161,60 @@ index 6a95faf..6127834 100644 type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) +files_lock_file(krb5kdc_lock_t) -+ - # types for KDC principal file(s) ++ ++# types for KDC principal file(s) type krb5kdc_principal_t; -@@ -79,8 +80,9 @@ files_pid_file(krb5kdc_var_run_t) + files_type(krb5kdc_principal_t) + +@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) + # kadmind local policy + # - # Use capabilities. Surplus capabilities may be allowed. ++# Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -+allow kadmind_t self:capability2 block_suspend; - dontaudit kadmind_t self:capability sys_tty_config; --allow kadmind_t self:process { setfscreate signal_perms }; -+allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; +-dontaudit kadmind_t self:capability sys_tty_config; + allow kadmind_t self:capability2 block_suspend; ++dontaudit kadmind_t self:capability sys_tty_config; + allow kadmind_t self:process { setfscreate setsched getsched signal_perms }; allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; - allow kadmind_t self:unix_dgram_socket { connect create write }; - allow kadmind_t self:tcp_socket connected_stream_socket_perms; -@@ -92,10 +94,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file) +-allow kadmind_t self:tcp_socket { accept listen }; ++allow kadmind_t self:unix_dgram_socket { connect create write }; ++allow kadmind_t self:tcp_socket connected_stream_socket_perms; + allow kadmind_t self:udp_socket create_socket_perms; + +-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow kadmind_t kadmind_log_t:file manage_file_perms; + logging_log_filetrans(kadmind_t, kadmind_log_t, file) + allow kadmind_t krb5_conf_t:file read_file_perms; - dontaudit kadmind_t krb5_conf_t:file write; +-dontaudit kadmind_t krb5_conf_t:file write_file_perms; ++dontaudit kadmind_t 
krb5_conf_t:file write; -read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) --dontaudit kadmind_t krb5kdc_conf_t:file { write setattr }; +-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; +manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) --allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr }; -+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; allow kadmind_t krb5kdc_principal_t:file manage_file_perms; filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) -@@ -115,7 +116,9 @@ kernel_read_network_state(kadmind_t) - kernel_read_proc_symlinks(kadmind_t) + ++can_exec(kadmind_t, kadmind_exec_t) ++ + manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) + manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) + files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) +@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) + manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) + files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) + +-can_exec(kadmind_t, kadmind_exec_t) +- + kernel_read_kernel_sysctls(kadmind_t) ++kernel_list_proc(kadmind_t) + kernel_read_network_state(kadmind_t) ++kernel_read_proc_symlinks(kadmind_t) kernel_read_system_state(kadmind_t) -corenet_all_recvfrom_unlabeled(kadmind_t) 
@@ -29546,22 +29224,25 @@ index 6a95faf..6127834 100644 corenet_all_recvfrom_netlabel(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -126,10 +129,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t) +@@ -119,20 +128,28 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) + corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) +- +-corenet_sendrecv_all_server_packets(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) +corenet_tcp_bind_kerberos_password_port(kadmind_t) corenet_udp_bind_kerberos_admin_port(kadmind_t) +corenet_udp_bind_kerberos_password_port(kadmind_t) corenet_tcp_bind_reserved_port(kadmind_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) - corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) ++corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) +corenet_sendrecv_kerberos_password_server_packets(kadmind_t) +corenet_tcp_connect_kprop_port(kadmind_t) dev_read_sysfs(kadmind_t) - dev_read_rand(kadmind_t) -@@ -137,6 +144,7 @@ dev_read_urand(kadmind_t) ++dev_read_rand(kadmind_t) ++dev_read_urand(kadmind_t) fs_getattr_all_fs(kadmind_t) fs_search_auto_mountpoints(kadmind_t) @@ -29569,7 +29250,12 @@ index 6a95faf..6127834 100644 domain_use_interactive_fds(kadmind_t) -@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t) + files_read_etc_files(kadmind_t) ++files_read_usr_symlinks(kadmind_t) + files_read_usr_files(kadmind_t) + files_read_var_files(kadmind_t) + +@@ -140,10 +157,12 @@ selinux_validate_context(kadmind_t) logging_send_syslog_msg(kadmind_t) 
@@ -29579,8 +29265,11 @@ index 6a95faf..6127834 100644 +seutil_read_config(kadmind_t) seutil_read_file_contexts(kadmind_t) - sysnet_read_config(kadmind_t) -@@ -164,10 +173,18 @@ optional_policy(` ++sysnet_read_config(kadmind_t) + sysnet_use_ldap(kadmind_t) + + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) +@@ -154,6 +173,10 @@ optional_policy(` ') optional_policy(` 
@@ -29591,39 +29280,50 @@ index 6a95faf..6127834 100644 nis_use_ypbind(kadmind_t) ') - optional_policy(` -+ sssd_read_public_files(kadmind_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(kadmind_t) - ') - -@@ -182,6 +199,7 @@ optional_policy(` +@@ -174,24 +197,27 @@ optional_policy(` + # Krb5kdc local policy + # - # Use capabilities. Surplus capabilities may be allowed. ++# Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -+allow krb5kdc_t self:capability2 block_suspend; - dontaudit krb5kdc_t self:capability sys_tty_config; +-dontaudit krb5kdc_t self:capability sys_tty_config; + allow krb5kdc_t self:capability2 block_suspend; ++dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) +-allow krb5kdc_t self:tcp_socket { accept listen }; ++allow krb5kdc_t self:tcp_socket create_stream_socket_perms; + allow krb5kdc_t self:udp_socket create_socket_perms; + allow krb5kdc_t self:fifo_file rw_fifo_file_perms; + + allow krb5kdc_t krb5_conf_t:file read_file_perms; + dontaudit krb5kdc_t krb5_conf_t:file write; + ++can_exec(krb5kdc_t, krb5kdc_exec_t) ++ read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) - dontaudit krb5kdc_t krb5kdc_conf_t:file write; +-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; ++dontaudit krb5kdc_t krb5kdc_conf_t:file write; --allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; -+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; +-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow krb5kdc_t krb5kdc_log_t:file 
manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) --allow krb5kdc_t krb5kdc_principal_t:file read_file_perms; --dontaudit krb5kdc_t krb5kdc_principal_t:file write; -+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; + allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; +@@ -203,38 +229,36 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) + files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) - manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t) +-can_exec(krb5kdc_t, krb5kdc_exec_t) +- + kernel_read_system_state(krb5kdc_t) + kernel_read_kernel_sysctls(krb5kdc_t) ++kernel_list_proc(krb5kdc_t) ++kernel_read_proc_symlinks(krb5kdc_t) + kernel_read_network_state(krb5kdc_t) + kernel_search_network_sysctl(krb5kdc_t) corecmd_exec_bin(krb5kdc_t) 
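Review bot: The rebased krb5kdc hunk replaces upstream's `allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };` with `allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;`, which additionally grants write, unlink and rename on the KDC's own log. Append-only access is what keeps a compromised KDC from truncating or removing its audit trail, so if a real denial motivated the wider rule it deserves a comment naming it (for example `# krb5kdc truncates/rotates its own log` if that is actually the case); otherwise the upstream form should stay. The same hunk narrows `dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;` back to `write`, which is fine but unrelated and worth its own line in the commit message. The krb5kdc local-policy section continues outside this hunk.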
@@ -29631,7 +29331,27 @@ index 6a95faf..6127834 100644 corenet_all_recvfrom_netlabel(krb5kdc_t) corenet_tcp_sendrecv_generic_if(krb5kdc_t) corenet_udp_sendrecv_generic_if(krb5kdc_t) -@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t) + corenet_tcp_sendrecv_generic_node(krb5kdc_t) + corenet_udp_sendrecv_generic_node(krb5kdc_t) ++corenet_tcp_sendrecv_all_ports(krb5kdc_t) ++corenet_udp_sendrecv_all_ports(krb5kdc_t) + corenet_tcp_bind_generic_node(krb5kdc_t) + corenet_udp_bind_generic_node(krb5kdc_t) +- +-corenet_sendrecv_kerberos_server_packets(krb5kdc_t) + corenet_tcp_bind_kerberos_port(krb5kdc_t) + corenet_udp_bind_kerberos_port(krb5kdc_t) +-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t) +-corenet_udp_sendrecv_kerberos_port(krb5kdc_t) +- +-corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + corenet_tcp_connect_ocsp_port(krb5kdc_t) +-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t) ++corenet_sendrecv_kerberos_server_packets(krb5kdc_t) ++corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + + dev_read_sysfs(krb5kdc_t) ++dev_read_urand(krb5kdc_t) fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) 
@@ -29639,27 +29359,33 @@ index 6a95faf..6127834 100644 domain_use_interactive_fds(krb5kdc_t) -@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t) - +@@ -247,10 +271,10 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) + miscfiles_read_generic_certs(krb5kdc_t) -miscfiles_read_localization(krb5kdc_t) -+miscfiles_read_generic_certs(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) -@@ -268,6 +285,10 @@ optional_policy(` ++sysnet_read_config(krb5kdc_t) + sysnet_use_ldap(krb5kdc_t) + + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) +@@ -261,11 +285,11 @@ optional_policy(` ') optional_policy(` +- nis_use_ypbind(krb5kdc_t) + dirsrv_stream_connect(krb5kdc_t) -+') -+ -+optional_policy(` - nis_use_ypbind(krb5kdc_t) ') -@@ -276,6 +297,10 @@ optional_policy(` + optional_policy(` +- sssd_read_public_files(krb5kdc_t) ++ nis_use_ypbind(krb5kdc_t) + ') + + optional_policy(` +@@ -273,6 +297,10 @@ optional_policy(` ') optional_policy(` 
@@ -29670,15 +29396,39 @@ index 6a95faf..6127834 100644 udev_read_db(krb5kdc_t) ') -@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -281,10 +309,12 @@ optional_policy(` + # kpropd local policy + # + ++allow kpropd_t self:capability net_bind_service; + allow kpropd_t self:process setfscreate; +-allow kpropd_t self:fifo_file rw_fifo_file_perms; +-allow kpropd_t self:unix_stream_socket { accept listen }; +-allow kpropd_t self:tcp_socket { accept listen }; ++ ++allow kpropd_t self:fifo_file rw_file_perms; ++allow kpropd_t self:unix_stream_socket create_stream_socket_perms; ++allow kpropd_t self:tcp_socket create_stream_socket_perms; + + allow kpropd_t krb5_host_rcache_t:file manage_file_perms; + +@@ -303,14 +333,11 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) -corenet_all_recvfrom_unlabeled(kpropd_t) corenet_tcp_sendrecv_generic_if(kpropd_t) corenet_tcp_sendrecv_generic_node(kpropd_t) - corenet_tcp_sendrecv_all_ports(kpropd_t) -@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t) ++corenet_tcp_sendrecv_all_ports(kpropd_t) + corenet_tcp_bind_generic_node(kpropd_t) +- +-corenet_sendrecv_kprop_server_packets(kpropd_t) + corenet_tcp_bind_kprop_port(kpropd_t) +-corenet_tcp_sendrecv_kprop_port(kpropd_t) + + dev_read_urand(kpropd_t) + +@@ -321,8 +348,6 @@ selinux_validate_context(kpropd_t) logging_send_syslog_msg(kpropd_t) @@ -29688,10 +29438,10 @@ index 6a95faf..6127834 100644 sysnet_dns_name_resolve(kpropd_t) diff --git a/kerneloops.if b/kerneloops.if -index 835b16b..5992eb1 100644 +index 714448f..656a998 100644 --- a/kerneloops.if +++ b/kerneloops.if -@@ -99,17 +99,21 @@ interface(`kerneloops_manage_tmp_files',` +@@ -101,13 +101,17 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` gen_require(` 
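Review bot: `allow kpropd_t self:fifo_file rw_file_perms;` on the new side applies the plain-file permission macro to the fifo_file class, whereas the line it replaces used the class-specific `rw_fifo_file_perms` and the neighbouring socket rules in the same hunk use `create_stream_socket_perms`; it should read `allow kpropd_t self:fifo_file rw_fifo_file_perms;`. The added `allow kpropd_t self:capability net_bind_service;` and the re-added `corenet_tcp_sendrecv_all_ports(kpropd_t)` carry no explanation; a one-line comment naming the denial or the kprop port binding that needs them would help the next rebase. The kpropd local-policy block continues outside the hunk.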
@@ -29704,38 +29454,27 @@ index 835b16b..5992eb1 100644 - allow $1 kerneloops_t:process { ptrace signal_perms }; + allow $1 kerneloops_t:process signal_perms; ps_process_pattern($1, kerneloops_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 kerneloops_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; - -+ files_list_tmp($1) - admin_pattern($1, kerneloops_tmp_t) - ') diff --git a/kerneloops.te b/kerneloops.te -index 6b35547..5c641b9 100644 +index 1101985..7f1061d 100644 --- a/kerneloops.te +++ b/kerneloops.te -@@ -32,7 +32,6 @@ kernel_read_ring_buffer(kerneloops_t) - # Init script handling +@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) + domain_use_interactive_fds(kerneloops_t) -corenet_all_recvfrom_unlabeled(kerneloops_t) corenet_all_recvfrom_netlabel(kerneloops_t) corenet_tcp_sendrecv_generic_if(kerneloops_t) corenet_tcp_sendrecv_generic_node(kerneloops_t) -@@ -40,15 +39,12 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t) - corenet_tcp_bind_http_port(kerneloops_t) - corenet_tcp_connect_http_port(kerneloops_t) - --files_read_etc_files(kerneloops_t) - - auth_use_nsswitch(kerneloops_t) - +@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t) logging_send_syslog_msg(kerneloops_t) logging_read_generic_logs(kerneloops_t) @@ -29744,35 +29483,33 @@ index 6b35547..5c641b9 100644 optional_policy(` dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') -diff --git a/keyboardd.fc b/keyboardd.fc -new file mode 100644 -index 0000000..485aacc ---- /dev/null -+++ b/keyboardd.fc -@@ -0,0 +1,2 @@ -+ -+/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) diff --git a/keyboardd.if b/keyboardd.if -new file mode 100644 -index 0000000..6134ef2 ---- /dev/null +index 8982b91..6134ef2 100644 +--- a/keyboardd.if 
+++ b/keyboardd.if -@@ -0,0 +1,39 @@ -+ +@@ -1,19 +1,39 @@ +-## Xorg.conf keyboard layout callout. + +-###################################### +## policy for system-setup-keyboard daemon + +######################################## -+## + ## +-## Read keyboardd unnamed pipes. +## Execute a domain transition to run keyboard setup daemon. -+## -+## + ## + ## +-## +## -+## Domain allowed access. + ## Domain allowed access. +-## +## -+## -+# + ## + # +-interface(`keyboardd_read_pipes',` +interface(`keyboardd_domtrans',` -+ gen_require(` + gen_require(` +- type keyboardd_t; + type keyboardd_t, keyboardd_exec_t; + ') + @@ -29793,65 +29530,45 @@ index 0000000..6134ef2 +interface(`keyboardd_read_pipes',` + gen_require(` + type keyboardd_t; -+ ') -+ + ') + +- allow $1 keyboardd_t:fifo_file read_fifo_file_perms; + allow $1 keyboardd_t:fifo_file read_fifo_file_perms; -+') + ') diff --git a/keyboardd.te b/keyboardd.te -new file mode 100644 -index 0000000..081ae84 ---- /dev/null +index adfe3dc..a60b664 100644 +--- a/keyboardd.te +++ b/keyboardd.te -@@ -0,0 +1,25 @@ -+ -+policy_module(keyboardd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type keyboardd_t; -+type keyboardd_exec_t; -+init_daemon_domain(keyboardd_t, keyboardd_exec_t) -+ -+######################################## -+# -+# keyboardd local policy -+# -+ -+allow keyboardd_t self:fifo_file rw_fifo_file_perms; -+allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_manage_etc_runtime_files(keyboardd_t) -+files_etc_filetrans_etc_runtime(keyboardd_t, file) -+ -+files_read_etc_files(keyboardd_t) -+ +@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; + + files_manage_etc_runtime_files(keyboardd_t) + files_etc_filetrans_etc_runtime(keyboardd_t, file) +-files_read_etc_files(keyboardd_t) +- +-miscfiles_read_localization(keyboardd_t) 
diff --git a/keystone.fc b/keystone.fc -new file mode 100644 -index 0000000..408d6c0 ---- /dev/null +index b273d80..186cd86 100644 +--- a/keystone.fc +++ b/keystone.fc -@@ -0,0 +1,7 @@ -+/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) -+ +@@ -1,3 +1,5 @@ +/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0) + -+/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) -+ -+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) + /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) + + /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) diff --git a/keystone.if b/keystone.if -new file mode 100644 -index 0000000..f20248c ---- /dev/null +index d3e7fc9..f20248c 100644 +--- a/keystone.if +++ b/keystone.if -@@ -0,0 +1,218 @@ +@@ -1,42 +1,218 @@ +-## Python implementation of the OpenStack identity service API. + +## policy for keystone -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an keystone environment. +## Transition to keystone. +## +## @@ -29871,12 +29588,13 @@ index 0000000..f20248c +######################################## +## +## Read keystone's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +# +interface(`keystone_read_log',` @@ -29893,7 +29611,8 @@ index 0000000..f20248c +## Append to keystone log files. +##
    +## -+## + ## +-## Role allowed access. +## Domain allowed access. +## +## @@ -30037,26 +29756,37 @@ index 0000000..f20248c +## +## +## Domain allowed access. -+## -+## -+# -+interface(`keystone_admin',` -+ gen_require(` + ## + ## +-## + # + interface(`keystone_admin',` + gen_require(` +- type keystone_t, keystone_initrc_exec_t, keystone_log_t; +- type keystone_var_lib_t, keystone_tmp_t; + type keystone_t; + type keystone_log_t; + type keystone_var_lib_t; + type keystone_unit_file_t; -+ ') -+ -+ allow $1 keystone_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, keystone_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, keystone_log_t) -+ + ') + + allow $1 keystone_t:process { ptrace signal_perms }; + ps_process_pattern($1, keystone_t) + +- init_labeled_script_domtrans($1, keystone_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 keystone_initrc_exec_t system_r; +- allow $2 system_r; +- + logging_search_logs($1) + admin_pattern($1, keystone_log_t) + +- files_search_var_lib($1 + files_search_var_lib($1) -+ admin_pattern($1, keystone_var_lib_t) -+ + admin_pattern($1, keystone_var_lib_t) + +- files_search_tmp($1) +- admin_pattern($1, keystone_tmp_t) + keystone_systemctl($1) + admin_pattern($1, keystone_unit_file_t) + allow $1 keystone_unit_file_t:service all_service_perms; @@ -30064,102 +29794,59 @@ index 0000000..f20248c + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/keystone.te b/keystone.te -new file mode 100644 -index 0000000..a6606f3 ---- /dev/null +index 3494d9b..4c4fe02 100644 +--- a/keystone.te 
+++ b/keystone.te -@@ -0,0 +1,68 @@ -+policy_module(keystone, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type keystone_t; -+type keystone_exec_t; -+init_daemon_domain(keystone_t, keystone_exec_t) -+ -+type keystone_log_t; -+logging_log_file(keystone_log_t) -+ -+type keystone_var_lib_t; -+files_type(keystone_var_lib_t) -+ -+type keystone_tmp_t; -+files_tmp_file(keystone_tmp_t) -+ +@@ -21,6 +21,9 @@ files_type(keystone_var_lib_t) + type keystone_tmp_t; + files_tmp_file(keystone_tmp_t) + +type keystone_unit_file_t; +systemd_unit_file(keystone_unit_file_t) + -+######################################## -+# -+# keystone local policy -+# -+allow keystone_t self:fifo_file rw_fifo_file_perms; -+allow keystone_t self:unix_stream_socket create_stream_socket_perms; -+allow keystone_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t) -+manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t) -+logging_log_filetrans(keystone_t, keystone_log_t, { dir file }) -+ -+manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -+manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -+manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t) -+files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file }) -+can_exec(keystone_t, keystone_tmp_t) -+ -+manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) -+manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) -+files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file }) -+ -+kernel_read_system_state(keystone_t) -+ -+corecmd_exec_bin(keystone_t) -+corecmd_exec_shell(keystone_t) -+ + ######################################## + # + # Local policy +@@ -62,14 +65,12 @@ corenet_sendrecv_commplex_main_server_packets(keystone_t) + corenet_tcp_bind_commplex_main_port(keystone_t) + corenet_tcp_sendrecv_commplex_main_port(keystone_t) + 
+-files_read_usr_files(keystone_t) +corenet_tcp_bind_keystone_port(keystone_t) -+corenet_tcp_bind_generic_node(keystone_t) -+ -+dev_read_urand(keystone_t) -+ -+domain_use_interactive_fds(keystone_t) -+ -+files_read_etc_files(keystone_t) -+files_read_usr_files(keystone_t) -+ -+auth_use_pam(keystone_t) -+ -+libs_exec_ldconfig(keystone_t) -+ -+ -+optional_policy(` -+ mysql_stream_connect(keystone_t) -+') + + auth_use_pam(keystone_t) + + libs_exec_ldconfig(keystone_t) + +-miscfiles_read_localization(keystone_t) +- + optional_policy(` + mysql_stream_connect(keystone_t) + mysql_tcp_connect(keystone_t) diff --git a/kismet.if b/kismet.if -index c18c920..582f7f3 100644 +index aa2a337..bb09e3c 100644 --- a/kismet.if +++ b/kismet.if -@@ -239,7 +239,10 @@ interface(`kismet_admin',` - ') +@@ -292,7 +292,11 @@ interface(`kismet_admin',` + allow $2 system_r; ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; + allow $1 kismet_t:process signal_perms; ++ + tunable_policy(`deny_ptrace',`',` + allow $1 kismet_t:process ptrace; + ') - kismet_manage_pid_files($1) - kismet_manage_lib($1) + files_search_var_lib($1) + admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te -index 9dd6880..77c768b 100644 +index ea64ed5..fb28673 100644 --- a/kismet.te +++ b/kismet.te -@@ -74,24 +74,21 @@ kernel_read_network_state(kismet_t) +@@ -81,25 +81,24 @@ kernel_read_network_state(kismet_t) corecmd_exec_bin(kismet_t) 
@@ -30167,53 +29854,56 @@ index 9dd6880..77c768b 100644 corenet_all_recvfrom_netlabel(kismet_t) corenet_tcp_sendrecv_generic_if(kismet_t) corenet_tcp_sendrecv_generic_node(kismet_t) - corenet_tcp_sendrecv_all_ports(kismet_t) corenet_tcp_bind_generic_node(kismet_t) + +-corenet_sendrecv_kismet_server_packets(kismet_t) -corenet_tcp_bind_kismet_port(kismet_t) +-corenet_sendrecv_kismet_client_packets(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) +-corenet_tcp_sendrecv_kismet_port(kismet_t) +corenet_tcp_bind_rtsclient_port(kismet_t) +corenet_tcp_connect_rtsclient_port(kismet_t) - corenet_tcp_connect_pulseaudio_port(kismet_t) ++corenet_tcp_connect_pulseaudio_port(kismet_t) - auth_use_nsswitch(kismet_t) - --files_read_etc_files(kismet_t) - files_read_usr_files(kismet_t) +-auth_use_nsswitch(kismet_t) +- +-files_read_usr_files(kismet_t) ++corenet_sendrecv_rtsclient_server_packets(kismet_t) ++corenet_tcp_bind_rtsclient_port(kismet_t) ++corenet_sendrecv_rtsclient_client_packets(kismet_t) ++corenet_tcp_connect_rtsclient_port(kismet_t) -miscfiles_read_localization(kismet_t) ++auth_use_nsswitch(kismet_t) -userdom_use_user_terminals(kismet_t) +userdom_use_inherited_user_terminals(kismet_t) - userdom_read_user_tmpfs_files(kismet_t) ++userdom_read_user_tmpfs_files(kismet_t) optional_policy(` -diff --git a/ksmtuned.fc b/ksmtuned.fc -index 9c0c835..8360166 100644 ---- a/ksmtuned.fc -+++ b/ksmtuned.fc -@@ -3,3 +3,5 @@ - /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - - /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) -+ -+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) + dbus_system_bus_client(kismet_t) diff --git a/ksmtuned.if b/ksmtuned.if -index 6fd0b4c..568f842 100644 +index c530214..b949a9f 100644 --- a/ksmtuned.if 
+++ b/ksmtuned.if -@@ -55,12 +55,14 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -57,17 +57,15 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; -- type ksmtuned_initrc_exec_t; +- type ksmtuned_initrc_exec_t, ksmtuned_log_t; + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') -- allow $1 ksmtuned_t:process { ptrace signal_perms }; -- ps_process_pattern(ksmtumed_t) +- ksmtuned_initrc_domtrans($1) +- domain_system_change_exemption($1) +- role_transition $2 ksmtuned_initrc_exec_t system_r; +- allow $2 system_r; + allow $1 ksmtuned_t:process signal_perms; + ps_process_pattern($1, ksmtuned_t) + +- allow $1 ksmtuned_t:process { ptrace signal_perms }; +- ps_process_pattern(ksmtumed_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ksmtuned_t:process ptrace; + ') @@ -30221,26 +29911,12 @@ index 6fd0b4c..568f842 100644 files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff --git a/ksmtuned.te b/ksmtuned.te -index a73b7a1..d143b12 100644 +index c1539b5..0af603d 100644 --- a/ksmtuned.te +++ b/ksmtuned.te -@@ -9,6 +9,9 @@ type ksmtuned_t; - type ksmtuned_exec_t; - init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - -+type ksmtuned_log_t; -+logging_log_file(ksmtuned_log_t) -+ - type ksmtuned_initrc_exec_t; - init_script_file(ksmtuned_initrc_exec_t) - -@@ -20,9 +23,13 @@ files_pid_file(ksmtuned_var_run_t) - # ksmtuned local policy - # - --allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; -+allow ksmtuned_t self:capability sys_tty_config; - allow ksmtuned_t self:fifo_file rw_file_perms; +@@ -32,6 +32,10 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) + setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) + logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) +manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) +manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) 
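Review bot: On the new side the kismet.te hunk appears to add `corenet_tcp_bind_rtsclient_port(kismet_t)` and `corenet_tcp_connect_rtsclient_port(kismet_t)` twice — once as the pair carried over from the previous version of the patch and again inside the newly added block that also brings in `corenet_sendrecv_rtsclient_server_packets` and `corenet_sendrecv_rtsclient_client_packets` — so the resulting kismet.te would contain duplicate rules. Duplicates are accepted by the compiler but they are noise for the next rebase; dropping the first pair and keeping the block that pairs each port rule with its packet rule would leave a single copy. This reading depends on the collapsed outer/inner diff markers and should be confirmed against the actual patch file.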
@@ -30249,45 +29925,42 @@ index a73b7a1..d143b12 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t) +@@ -43,6 +47,7 @@ corecmd_exec_shell(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) - corecmd_exec_bin(ksmtuned_t) -+corecmd_exec_shell(ksmtuned_t) -+ -+ -+mls_file_read_to_clearance(ksmtuned_t) -+ -+term_use_all_inherited_terms(ksmtuned_t) + mls_file_read_to_clearance(ksmtuned_t) --files_read_etc_files(ksmtuned_t) -+auth_use_nsswitch(ksmtuned_t) +@@ -51,5 +56,3 @@ term_use_all_terms(ksmtuned_t) + auth_use_nsswitch(ksmtuned_t) + logging_send_syslog_msg(ksmtuned_t) +- -miscfiles_read_localization(ksmtuned_t) -+logging_send_syslog_msg(ksmtuned_t) diff --git a/ktalk.te b/ktalk.te -index ca5cfdf..a4457d0 100644 +index 2cf3815..2c4c979 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) --corenet_all_recvfrom_unlabeled(ktalkd_t) - corenet_all_recvfrom_netlabel(ktalkd_t) - corenet_tcp_sendrecv_generic_if(ktalkd_t) - corenet_udp_sendrecv_generic_if(ktalkd_t) -@@ -65,15 +64,12 @@ dev_read_urand(ktalkd_t) ++corenet_all_recvfrom_netlabel(ktalkd_t) ++corenet_tcp_sendrecv_generic_if(ktalkd_t) ++corenet_udp_sendrecv_generic_if(ktalkd_t) ++corenet_tcp_sendrecv_generic_node(ktalkd_t) ++corenet_udp_sendrecv_generic_node(ktalkd_t) ++corenet_tcp_sendrecv_all_ports(ktalkd_t) ++corenet_udp_sendrecv_all_ports(ktalkd_t) ++ + dev_read_urand(ktalkd_t) fs_getattr_xattr_fs(ktalkd_t) --files_read_etc_files(ktalkd_t) - - term_search_ptys(ktalkd_t) -term_use_all_terms(ktalkd_t) ++term_search_ptys(ktalkd_t) +term_use_all_inherited_terms(ktalkd_t) auth_use_nsswitch(ktalkd_t) 
@@ -30297,40 +29970,34 @@ index ca5cfdf..a4457d0 100644 logging_send_syslog_msg(ktalkd_t) - -miscfiles_read_localization(ktalkd_t) -diff --git a/kudzu.fc b/kudzu.fc -index dd88f74..3317a0c 100644 ---- a/kudzu.fc -+++ b/kudzu.fc -@@ -2,4 +2,5 @@ - /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) - /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) - -+/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) - /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) +diff --git a/kudzu.if b/kudzu.if +index 5297064..6ba8108 100644 +--- a/kudzu.if ++++ b/kudzu.if +@@ -86,9 +86,13 @@ interface(`kudzu_admin',` + type kudzu_tmp_t; + ') + +- allow $1 kudzu_t:process { ptrace signal_perms }; ++ allow $1 kudzu_t:process { signal_perms }; + ps_process_pattern($1, kudzu_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 kudzu_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, kudzu_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 4f7bd3c..74cc11d 100644 +index 9725f1a..0ed9942 100644 --- a/kudzu.te 
+++ b/kudzu.te -@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) - # Local policy - # - --allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; -+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; - dontaudit kudzu_t self:capability sys_tty_config; - allow kudzu_t self:process { signal_perms execmem }; - allow kudzu_t self:fifo_file rw_fifo_file_perms; -@@ -109,17 +109,10 @@ libs_read_lib_files(kudzu_t) +@@ -101,11 +101,10 @@ libs_read_lib_files(kudzu_t) logging_send_syslog_msg(kudzu_t) miscfiles_read_hwdata(kudzu_t) -miscfiles_read_localization(kudzu_t) -- --modutils_read_module_config(kudzu_t) --modutils_read_module_deps(kudzu_t) --modutils_rename_module_config(kudzu_t) --modutils_delete_module_config(kudzu_t) --modutils_domtrans_insmod(kudzu_t) sysnet_read_config(kudzu_t) 
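Review bot: `allow $1 kudzu_t:process { signal_perms };` wraps a single permission macro in braces, unlike the otherwise identical lines this commit writes for kerneloops_admin, kismet_admin and ksmtuned_admin (`allow $1 kerneloops_t:process signal_perms;`); for consistency it should read `allow $1 kudzu_t:process signal_perms;`. The kudzu_admin interface body continues outside the hunk.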
@@ -30339,55 +30006,29 @@ index 4f7bd3c..74cc11d 100644 userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_search_user_home_dirs(kudzu_t) -@@ -128,6 +121,14 @@ optional_policy(` +@@ -122,10 +121,6 @@ optional_policy(` ') optional_policy(` -+ modutils_read_module_config(kudzu_t) -+ modutils_read_module_deps(kudzu_t) -+ modutils_rename_module_config(kudzu_t) -+ modutils_delete_module_config(kudzu_t) -+ modutils_domtrans_insmod(kudzu_t) -+') -+ -+optional_policy(` - nscd_socket_use(kudzu_t) +- nscd_use(kudzu_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(kudzu_t) ') -diff --git a/l2tpd.fc b/l2tpd.fc -new file mode 100644 -index 0000000..6b27066 ---- /dev/null -+++ b/l2tpd.fc -@@ -0,0 +1,18 @@ -+/etc/prol2tp(/.*)? gen_context(system_u:object_r:l2tp_etc_t,s0) -+ -+/etc/rc\.d/init\.d/openl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/prol2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/xl2tpd -- gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0) -+ -+/etc/sysconfig/prol2tpd -- gen_context(system_u:object_r:l2tp_etc_t,s0) -+ -+/usr/sbin/openl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+/usr/sbin/prol2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+/usr/sbin/xl2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) -+ -+/var/run/openl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) -+/var/run/prol2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) -+/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) -+/var/run/prol2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) -+/var/run/xl2tpd(/.*)? 
gen_context(system_u:object_r:l2tpd_var_run_t,s0) -+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) -diff --git a/l2tpd.if b/l2tpd.if -new file mode 100644 -index 0000000..562d25b ---- /dev/null -+++ b/l2tpd.if -@@ -0,0 +1,178 @@ +diff --git a/l2tp.if b/l2tp.if +index 73e2803..562d25b 100644 +--- a/l2tp.if ++++ b/l2tp.if +@@ -1,9 +1,45 @@ +-## Layer 2 Tunneling Protocol. +## Layer 2 Tunneling Protocol daemons. -+ -+######################################## -+## + + ######################################## + ## +-## Send to l2tpd with a unix +-## domain dgram socket. +## Transition to l2tpd. +## +## @@ -30426,40 +30067,21 @@ index 0000000..562d25b +######################################## +## +## Send to l2tpd via a unix dgram socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_dgram_send',` -+ gen_require(` -+ type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; -+ ') -+ -+ files_search_tmp($1) -+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) -+') -+ -+######################################## -+## -+## Read and write l2tpd sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_rw_socket',` -+ gen_require(` -+ type l2tpd_t; -+ ') -+ -+ allow $1 l2tpd_t:socket rw_socket_perms; -+') -+ + ## + ## + ## +@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',` + type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; + ') + +- files_search_pids($1) + files_search_tmp($1) + dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) + ') +@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',` + allow $1 l2tpd_t:socket rw_socket_perms; + ') + +######################################## +## +## Read l2tpd PID files. 
@@ -30479,29 +30101,29 @@ index 0000000..562d25b + allow $1 l2tpd_var_run_t:file read_file_perms; +') + -+##################################### -+## + ##################################### + ## +-## Connect to l2tpd with a unix +-## domain stream socket. +## Connect to l2tpd over a unix domain +## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`l2tpd_stream_connect',` -+ gen_require(` -+ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t; -+ ') -+ -+ files_search_pids($1) + ## + ## + ## +@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',` + ') + + files_search_pids($1) +- files_search_tmp($1) +- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) + stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t) + stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an l2tp environment. +## Read and write l2tpd unnamed pipes. +## +## 
@@ -30522,175 +30144,101 @@ index 0000000..562d25b +## +## All of the rules required to administrate +## an l2tpd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`l2tpd_admin',` -+ gen_require(` -+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; -+ type l2tp_etc_t, l2tpd_tmp_t; -+ ') -+ -+ allow $1 l2tpd_t:process signal_perms; -+ ps_process_pattern($1, l2tpd_t) -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 l2tpd_t:process ptrace; -+ ') -+ -+ l2tpd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 l2tpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, l2tp_etc_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, l2tpd_var_run_t) -+ -+ files_search_tmp($1) -+ admin_pattern($1, l2tpd_tmp_t) -+') -diff --git a/l2tpd.te b/l2tpd.te -new file mode 100644 -index 0000000..1e292d4 ---- /dev/null -+++ b/l2tpd.te -@@ -0,0 +1,99 @@ -+policy_module(l2tpd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type l2tpd_t; -+type l2tpd_exec_t; -+init_daemon_domain(l2tpd_t, l2tpd_exec_t) -+ -+type l2tpd_initrc_exec_t; -+init_script_file(l2tpd_initrc_exec_t) -+ -+type l2tp_etc_t; -+files_config_file(l2tp_etc_t) -+ -+type l2tpd_tmp_t; -+files_tmp_file(l2tpd_tmp_t) -+ -+type l2tpd_var_run_t; -+files_pid_file(l2tpd_var_run_t) -+ -+######################################## -+# -+# Local policy -+# -+ -+allow l2tpd_t self:capability { net_admin net_bind_service }; -+allow l2tpd_t self:process signal; -+allow l2tpd_t self:fifo_file rw_fifo_file_perms; -+allow l2tpd_t self:netlink_socket create_socket_perms; -+allow l2tpd_t self:rawip_socket create_socket_perms; -+allow l2tpd_t self:socket create_socket_perms; -+allow l2tpd_t self:tcp_socket create_stream_socket_perms; -+allow l2tpd_t self:unix_dgram_socket sendto; -+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms; -+ 
-+read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t) -+ -+manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -+manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -+manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -+manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) -+ -+manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) -+files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) -+ -+corenet_all_recvfrom_netlabel(l2tpd_t) -+corenet_raw_sendrecv_generic_if(l2tpd_t) -+corenet_tcp_sendrecv_generic_if(l2tpd_t) -+corenet_udp_sendrecv_generic_if(l2tpd_t) -+corenet_raw_bind_generic_node(l2tpd_t) -+corenet_tcp_bind_generic_node(l2tpd_t) -+corenet_udp_bind_generic_node(l2tpd_t) -+corenet_raw_sendrecv_generic_node(l2tpd_t) -+corenet_tcp_sendrecv_generic_node(l2tpd_t) -+corenet_udp_sendrecv_generic_node(l2tpd_t) -+ -+corenet_tcp_bind_all_rpc_ports(l2tpd_t) -+corenet_udp_bind_all_rpc_ports(l2tpd_t) -+corenet_udp_bind_generic_port(l2tpd_t) -+ -+corenet_udp_bind_l2tp_port(l2tpd_t) -+corenet_udp_sendrecv_l2tp_port(l2tpd_t) -+corenet_sendrecv_l2tp_server_packets(l2tpd_t) -+ -+kernel_read_system_state(l2tpd_t) -+kernel_read_network_state(l2tpd_t) -+# net-pf-24 (pppox) -+kernel_request_load_module(l2tpd_t) -+ -+term_use_ptmx(l2tpd_t) -+term_use_generic_ptys(l2tpd_t) -+term_setattr_generic_ptys(l2tpd_t) -+ -+# prol2tpc -+corecmd_exec_bin(l2tpd_t) -+ -+dev_read_urand(l2tpd_t) -+ -+domain_use_interactive_fds(l2tpd_t) -+ -+files_read_etc_files(l2tpd_t) -+ -+term_use_ptmx(l2tpd_t) -+ -+auth_read_passwd(l2tpd_t) -+ -+logging_send_syslog_msg(l2tpd_t) -+ -+sysnet_dns_name_resolve(l2tpd_t) + ## + ## + ## +@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',` + ## + ## + # +-interface(`l2tp_admin',` ++interface(`l2tpd_admin',` + gen_require(` + type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; +- type l2tp_conf_t, l2tpd_tmp_t; ++ type 
l2tp_etc_t, l2tpd_tmp_t; + ') + +- allow $1 l2tpd_t:process { ptrace signal_perms }; ++ allow $1 l2tpd_t:process signal_perms; + ps_process_pattern($1, l2tpd_t) + +- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 l2tpd_t:process ptrace; ++ ') + -+optional_policy(` -+ ppp_domtrans(l2tpd_t) -+ ppp_signal(l2tpd_t) -+ ppp_kill(l2tpd_t) -+') ++ l2tpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 l2tpd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) +- admin_pattern($1, l2tp_conf_t) ++ admin_pattern($1, l2tp_etc_t) + + files_search_pids($1) + admin_pattern($1, l2tpd_var_run_t) +diff --git a/l2tp.te b/l2tp.te +index 19f2b97..134b150 100644 +--- a/l2tp.te ++++ b/l2tp.te +@@ -75,16 +75,12 @@ corecmd_exec_bin(l2tpd_t) + + dev_read_urand(l2tpd_t) + +-files_read_etc_files(l2tpd_t) +- + term_setattr_generic_ptys(l2tpd_t) + term_use_generic_ptys(l2tpd_t) + term_use_ptmx(l2tpd_t) + + logging_send_syslog_msg(l2tpd_t) + +-miscfiles_read_localization(l2tpd_t) +- + sysnet_dns_name_resolve(l2tpd_t) + + optional_policy(` diff --git a/ldap.fc b/ldap.fc -index c62f23e..40c6b4d 100644 +index bc25c95..dcdbe9b 100644 --- a/ldap.fc 
+++ b/ldap.fc -@@ -1,6 +1,11 @@ - +@@ -1,8 +1,11 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) --/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) -+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) +-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + ++/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) + /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + +-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + +/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) - /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - + /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +@@ -17,8 +20,7 @@ + /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) + /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) + +-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index d6b7b2d..bc0ccb3 100644 +index ee0c7cc..6ec5f73 100644 --- a/ldap.if 
+++ b/ldap.if -@@ -1,5 +1,64 @@ - ## OpenLDAP directory server - +@@ -1,8 +1,68 @@ +-## OpenLDAP directory server. ++## OpenLDAP directory server ++ +####################################### +## +## Execute OpenLDAP in the ldap domain. @@ -30726,9 +30274,10 @@ index d6b7b2d..bc0ccb3 100644 + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## List ldap database directories. +## Execute slapd server in the slapd domain. +## +## @@ -30750,13 +30299,24 @@ index d6b7b2d..bc0ccb3 100644 + ps_process_pattern($1, slapd_t) +') + - ######################################## - ## - ## Read the contents of the OpenLDAP -@@ -21,6 +80,25 @@ interface(`ldap_list_db',` ++######################################## ++## ++## Read the contents of the OpenLDAP ++## database directories. + ## + ## + ## +@@ -15,13 +75,31 @@ interface(`ldap_list_db',` + type slapd_db_t; + ') + +- files_search_etc($1) + allow $1 slapd_db_t:dir list_dir_perms; + ') ######################################## ## +-## Read ldap configuration files. +## Read the contents of the OpenLDAP +## database files. +## 
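Review bot: The ldap.fc line `/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)` labels the slapd unit file with the iptables unit type; it is carried unchanged by this commit, yet ldap.if in the same diff requires `type ldap_unit_file_t;` and grants `allow $1 ldap_unit_file_t:service all_service_perms;` in ldap_admin. With the current label ldap_admin never covers the slapd unit, and whichever domains are permitted on iptables_unit_file_t presumably gain start/stop control of slapd instead. The line should read `/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:ldap_unit_file_t,s0)`, matching the type the .if file already expects.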
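Review bot: ldap_list_db now drops `files_search_etc($1)` but keeps `allow $1 slapd_db_t:dir list_dir_perms;`, and the ldap.fc hunk earlier in this diff still labels `/etc/openldap/slapd\.d(/.*)?` as slapd_db_t, so a caller without its own search access on etc cannot reach that directory. If callers are expected to obtain that search elsewhere, a comment saying so would help, e.g. `# callers must already have files_search_etc()`; otherwise the call should be restored.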
@@ -30776,34 +30336,100 @@ index d6b7b2d..bc0ccb3 100644 + +######################################## +## - ## Read the OpenLDAP configuration files. ++## Read the OpenLDAP configuration files. + ## + ## + ## +@@ -55,8 +133,7 @@ interface(`ldap_use',` + + ######################################## + ## +-## Connect to slapd over an unix +-## stream socket. ++## Connect to slapd over an unix stream socket. + ## + ## + ## +@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',` + + ######################################## + ## +-## Connect to ldap over the network. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`ldap_tcp_connect',` +- gen_require(` +- type slapd_t; +- ') +- +- corenet_sendrecv_ldap_client_packets($1) +- corenet_tcp_connect_ldap_port($1) +- corenet_tcp_recvfrom_labeled($1, slapd_t) +- corenet_tcp_sendrecv_ldap_port($1) +-') +- +-######################################## +-## +-## All of the rules required to +-## administrate an ldap environment. ++## All of the rules required to administrate ++## an ldap environment ## ## -@@ -94,10 +172,14 @@ interface(`ldap_admin',` + ## +@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the ldap domain. 
+ ## + ## + ## +@@ -115,28 +171,28 @@ interface(`ldap_admin',` + gen_require(` type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t; +- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; +- type slapd_db_t; ++ type slapd_initrc_exec_t; + type ldap_unit_file_t; ') - allow $1 slapd_t:process { ptrace signal_perms }; + allow $1 slapd_t:process signal_perms; ps_process_pattern($1, slapd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 slapd_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, slapd_initrc_exec_t) domain_system_change_exemption($1) -@@ -109,6 +191,7 @@ interface(`ldap_admin',` + role_transition $2 slapd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) +- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t }) ++ admin_pattern($1, slapd_etc_t) +- files_list_locks($1) admin_pattern($1, slapd_lock_t) +- logging_list_logs($1) +- admin_pattern($1, slapd_log_t) +- +- files_search_var_lib($1) + files_list_var_lib($1) admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -116,4 +199,8 @@ interface(`ldap_admin',` +@@ -144,4 +200,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -30813,19 +30439,10 @@ index d6b7b2d..bc0ccb3 100644 + allow $1 ldap_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 64fd1ff..3ee778a 100644 +index d7d9b09..bfc2aa2 100644 --- a/ldap.te +++ b/ldap.te -@@ -10,7 +10,7 @@ type slapd_exec_t; - init_daemon_domain(slapd_t, slapd_exec_t) - - type slapd_cert_t; --files_type(slapd_cert_t) -+miscfiles_cert_type(slapd_cert_t) - - type slapd_db_t; - files_type(slapd_db_t) -@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t) +@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) type slapd_initrc_exec_t; init_script_file(slapd_initrc_exec_t) 
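Review bot: ldap_admin is narrowed in this hunk: the patch removes slapd_log_t, slapd_cert_t and slapd_db_t from its gen_require, replaces `admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })` with `admin_pattern($1, slapd_etc_t)` and deletes the `logging_list_logs($1)` / `admin_pattern($1, slapd_log_t)` pair, so a role granted ldap_admin can no longer manage the directory database, its certificates or its logs. The same hunk also deletes upstream's ldap_tcp_connect interface outright; any module in the tree that still calls it will fail to build, which this chunk cannot confirm either way. If the narrowing is deliberate, the interface summary (`All of the rules required to administrate an ldap environment`) should name what is intentionally left out.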
@@ -30835,22 +30452,7 @@ index 64fd1ff..3ee778a 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) - type slapd_replog_t; - files_type(slapd_replog_t) - -+type slapd_log_t; -+logging_log_file(slapd_log_t) -+ - type slapd_tmp_t; - files_tmp_file(slapd_tmp_t) - -+type slapd_tmpfs_t; -+files_tmpfs_file(slapd_tmpfs_t) -+ - type slapd_var_run_t; - files_pid_file(slapd_var_run_t) - -@@ -67,18 +76,25 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +@@ -73,6 +76,10 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) 
@@ -30861,30 +30463,19 @@ index 64fd1ff..3ee778a 100644 manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) - -+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) -+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) -+ -+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) - manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) - manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) --files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) -+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) - +@@ -88,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) -corenet_all_recvfrom_unlabeled(slapd_t) corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) - corenet_udp_sendrecv_generic_if(slapd_t) -@@ -100,23 +116,25 @@ fs_search_auto_mountpoints(slapd_t) - - domain_use_interactive_fds(slapd_t) + corenet_tcp_sendrecv_generic_node(slapd_t) +@@ -110,25 +116,23 @@ fs_getattr_all_fs(slapd_t) + fs_search_auto_mountpoints(slapd_t) --files_read_etc_files(slapd_t) files_read_etc_runtime_files(slapd_t) - files_read_usr_files(slapd_t) +-files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) auth_use_nsswitch(slapd_t) 
@@ -30900,52 +30491,192 @@ index 64fd1ff..3ee778a 100644 optional_policy(` kerberos_keytab_template(slapd, slapd_t) +- kerberos_manage_host_rcache(slapd_t) +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") +- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") ') optional_policy(` -diff --git a/likewise.fc b/likewise.fc -index 057a4e4..57491fc 100644 ---- a/likewise.fc -+++ b/likewise.fc -@@ -20,7 +20,8 @@ - /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) - /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) +diff --git a/lightsquid.if b/lightsquid.if +index 33a28b9..33ffe24 100644 +--- a/lightsquid.if ++++ b/lightsquid.if +@@ -76,5 +76,7 @@ interface(`lightsquid_admin',` + files_search_var_lib($1) + admin_pattern($1, lightsquid_rw_content_t) + +- apache_list_sys_content($1) ++ optional_policy(` ++ apache_list_sys_content($1) ++ ') + ') +diff --git a/lightsquid.te b/lightsquid.te +index 40a2607..308accb 100644 +--- a/lightsquid.te ++++ b/lightsquid.te +@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t) + + dev_read_urand(lightsquid_t) + +-files_read_etc_files(lightsquid_t) +-files_read_usr_files(lightsquid_t) +- +-miscfiles_read_localization(lightsquid_t) +- + squid_read_config(lightsquid_t) + squid_read_log(lightsquid_t) --/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) -+/var/lib/likewise(/.*)? 
gen_context(system_u:object_r:likewise_var_lib_t,s0) - /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) - /var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) - /var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) diff --git a/likewise.if b/likewise.if -index 771e04b..1072aea 100644 +index bd20e8c..3393a01 100644 --- a/likewise.if +++ b/likewise.if -@@ -63,7 +63,7 @@ template(`likewise_domain_template',` +@@ -1,9 +1,22 @@ + ## Likewise Active Directory support for UNIX. ++## ++##

    ++## Likewise Open is a free, open source application that joins Linux, Unix, ++## and Mac machines to Microsoft Active Directory to securely authenticate ++## users with their domain credentials. ++##

    ++##
    + + ####################################### + ## + ## The template to define a likewise domain. + ## ++## ++##

    ++## This template creates a domain to be used for ++## a new likewise daemon. ++##

    ++##
    + ## + ## + ## The type of daemon to be used. +@@ -11,6 +24,7 @@ + ## + # + template(`likewise_domain_template',` ++ + gen_require(` + attribute likewise_domains; + type likewise_var_lib_t; +@@ -24,6 +38,7 @@ template(`likewise_domain_template',` + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) ++ domain_use_interactive_fds($1_t) + + typeattribute $1_t likewise_domains; + +@@ -38,15 +53,18 @@ template(`likewise_domain_template',` + + #################################### + # +- # Policy ++ # Local Policy + # + + allow $1_t self:process { signal_perms getsched setsched }; + allow $1_t self:fifo_file rw_fifo_file_perms; +- allow $1_t self:unix_stream_socket { accept listen }; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -- allow $1_t likewise_var_lib_t:dir setattr; + allow $1_t likewise_var_lib_t:dir setattr_dir_perms; - ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) files_pid_filetrans($1_t, $1_var_run_t, file) -@@ -82,7 +82,6 @@ template(`likewise_domain_template',` - logging_send_syslog_msg($1_t) +@@ -55,12 +73,15 @@ template(`likewise_domain_template',` -- miscfiles_read_localization($1_t) + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) ++ ++ kernel_read_system_state($1_t) ++ ++ logging_send_syslog_msg($1_t) ') ######################################## + ## +-## Connect to lsassd with a unix domain +-## stream socket. ++## Connect to lsassd. + ## + ## + ## +@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',` + files_search_pids($1) + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + ') +- +-######################################## +-## +-## All of the rules required to +-## administrate an likewise environment. 
+-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`likewise_admin',` +- gen_require(` +- attribute likewise_domains; +- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t; +- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t; +- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t; +- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t; +- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t; +- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t; +- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t; +- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t; +- ') +- +- allow $1 likewise_domains:process { ptrace signal_perms }; +- ps_process_pattern($1, likewise_domains) +- +- init_labeled_script_domtrans($1, likewise_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 likewise_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_list_etc($1) +- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) +- +- files_search_var_lib($1) +- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t }) +- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t }) +- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t }) +- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t }) +- admin_pattern($1, dcerpcd_var_lib_t) +- +- files_list_tmp($1) +- admin_pattern($1, lsassd_tmp_t) +- +- files_list_pids($1) +- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t }) +- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t }) +-') diff --git a/likewise.te b/likewise.te -index 5ba6cc2..e3f65d6 100644 +index 408fbe3..e86ead6 100644 --- a/likewise.te 
+++ b/likewise.te -@@ -17,7 +17,7 @@ type likewise_var_lib_t; +@@ -26,7 +26,7 @@ type likewise_var_lib_t; files_type(likewise_var_lib_t) type likewise_pstore_lock_t; 
@@ -30954,48 +30685,36 @@ index 5ba6cc2..e3f65d6 100644 type likewise_krb5_ad_t; files_type(likewise_krb5_ad_t) -@@ -49,7 +49,6 @@ likewise_domain_template(srvsvcd) - stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - - corenet_all_recvfrom_netlabel(dcerpcd_t) --corenet_all_recvfrom_unlabeled(dcerpcd_t) - corenet_sendrecv_generic_client_packets(dcerpcd_t) - corenet_sendrecv_generic_server_packets(dcerpcd_t) - corenet_tcp_sendrecv_generic_if(dcerpcd_t) -@@ -73,7 +72,6 @@ stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dc - stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - - corenet_all_recvfrom_netlabel(eventlogd_t) --corenet_all_recvfrom_unlabeled(eventlogd_t) - corenet_sendrecv_generic_server_packets(eventlogd_t) - corenet_tcp_sendrecv_generic_if(eventlogd_t) - corenet_tcp_sendrecv_generic_node(eventlogd_t) -@@ -116,7 +114,6 @@ corecmd_exec_bin(lsassd_t) +@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t) + + allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms; + +-kernel_read_system_state(likewise_domains) +- + dev_read_rand(likewise_domains) + dev_read_urand(likewise_domains) + + domain_use_interactive_fds(likewise_domains) + +-files_read_etc_files(likewise_domains) + files_search_var_lib(likewise_domains) + +-logging_send_syslog_msg(likewise_domains) +- +-miscfiles_read_localization(likewise_domains) +- + ################################# + # + # dcerpcd local policy +@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t) corecmd_exec_shell(lsassd_t) corenet_all_recvfrom_netlabel(lsassd_t) -corenet_all_recvfrom_unlabeled(lsassd_t) corenet_tcp_sendrecv_generic_if(lsassd_t) corenet_tcp_sendrecv_generic_node(lsassd_t) - corenet_tcp_sendrecv_generic_port(lsassd_t) -@@ -165,7 +162,6 @@ stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ - stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) - - 
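Review bot: The likewise.if part of this hunk deletes upstream's likewise_admin interface entirely, whereas the other admin interfaces touched on this page (l2tpd_admin, ldap_admin, lircd_admin) are kept and converted to `allow $1 <domain>:process signal_perms;` plus a `tunable_policy(`deny_ptrace',`',` ... ')` block around the ptrace permission. Dropping it means no administrative role can be granted the likewise daemons, and any existing caller of likewise_admin fails at build time, which is not visible here. Converting it the same way as the others would be consistent; if the removal is intentional, a short comment in the patch explaining why would help the next reader. The template in the same hunk also widens `allow $1_t self:unix_stream_socket { accept listen };` to `create_stream_socket_perms`, which is more than the daemons previously held and deserves a line of justification.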
corenet_all_recvfrom_netlabel(lwiod_t) --corenet_all_recvfrom_unlabeled(lwiod_t) - corenet_sendrecv_smbd_server_packets(lwiod_t) - corenet_sendrecv_smbd_client_packets(lwiod_t) - corenet_tcp_sendrecv_generic_if(lwiod_t) -@@ -205,7 +201,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ - # Likewise DC location service local policy - # --allow netlogond_t self:capability {dac_override}; -+allow netlogond_t self:capability dac_override; - - manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) - -@@ -226,7 +222,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ +@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) corenet_all_recvfrom_netlabel(srvsvcd_t) @@ -31003,23 +30722,11 @@ index 5ba6cc2..e3f65d6 100644 corenet_sendrecv_generic_server_packets(srvsvcd_t) corenet_tcp_sendrecv_generic_if(srvsvcd_t) corenet_tcp_sendrecv_generic_node(srvsvcd_t) -diff --git a/lircd.fc b/lircd.fc -index 49e04e5..69db026 100644 ---- a/lircd.fc -+++ b/lircd.fc -@@ -2,6 +2,7 @@ - - /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) - /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) -+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0) - - /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) - diff --git a/lircd.if b/lircd.if -index 418cc81..cdb2561 100644 +index dff21a7..b6981c8 100644 --- a/lircd.if +++ b/lircd.if -@@ -80,8 +80,11 @@ interface(`lircd_admin',` +@@ -81,8 +81,11 @@ interface(`lircd_admin',` type lircd_initrc_exec_t, lircd_etc_t; ') @@ -31033,7 +30740,7 @@ index 418cc81..cdb2561 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 6a78de1..57f0aa2 100644 +index 98b5405..b1d3cdf 100644 --- a/lircd.te 
+++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -31045,38 +30752,7 @@ index 6a78de1..57f0aa2 100644 type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) -@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t) - # - - allow lircd_t self:capability { chown kill sys_admin }; -+allow lircd_t self:process signal; - allow lircd_t self:fifo_file rw_fifo_file_perms; - allow lircd_t self:unix_dgram_socket create_socket_perms; - allow lircd_t self:tcp_socket create_stream_socket_perms; -@@ -38,27 +39,29 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) - # /dev/lircd socket - dev_filetrans(lircd_t, lircd_var_run_t, sock_file) - -+kernel_request_load_module(lircd_t) -+ - corenet_tcp_sendrecv_generic_if(lircd_t) - corenet_tcp_bind_generic_node(lircd_t) - corenet_tcp_bind_lirc_port(lircd_t) - corenet_tcp_sendrecv_all_ports(lircd_t) - corenet_tcp_connect_lirc_port(lircd_t) - --dev_read_generic_usb_dev(lircd_t) -+dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right - dev_read_mouse(lircd_t) - dev_filetrans_lirc(lircd_t) - dev_rw_lirc(lircd_t) - dev_rw_input_dev(lircd_t) -+dev_read_sysfs(lircd_t) - --files_read_etc_files(lircd_t) -+files_read_config_files(lircd_t) - files_list_var(lircd_t) - files_manage_generic_locks(lircd_t) +@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) @@ -31088,10 +30764,10 @@ index 6a78de1..57f0aa2 100644 - sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if -index ae29d9f..fb7869e 100644 +index e354181..da499d4 100644 --- a/livecd.if +++ b/livecd.if -@@ -36,11 +36,39 @@ interface(`livecd_domtrans',` +@@ -38,11 +38,39 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` gen_require(` @@ -31134,10 +30810,10 @@ index ae29d9f..fb7869e 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 008f718..2a9d6c0 100644 +index 33f64b5..09b5105 100644 --- a/livecd.te 
+++ b/livecd.te -@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) +@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.1) # Declarations # @@ -31156,7 +30832,7 @@ index 008f718..2a9d6c0 100644 type livecd_tmp_t; files_tmp_file(livecd_tmp_t) @@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t) - # livecd local policy + # Local policy # -dontaudit livecd_t self:capability2 mac_admin; @@ -31164,334 +30840,87 @@ index 008f718..2a9d6c0 100644 domain_ptrace_all_domains(livecd_t) -@@ -30,14 +31,5 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) - files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) - +@@ -36,13 +37,5 @@ optional_policy(` + hal_dbus_chat(livecd_t) + ') optional_policy(` - mount_run(livecd_t, livecd_roles) -+ unconfined_domain_noaudit(livecd_t) - ') -- --optional_policy(` -- hal_dbus_chat(livecd_t) -') - -optional_policy(` -- unconfined_domain(livecd_t) +- rpm_domtrans(livecd_t) -') - -diff --git a/lldpad.fc b/lldpad.fc -new file mode 100644 -index 0000000..83a4348 ---- /dev/null -+++ b/lldpad.fc -@@ -0,0 +1,8 @@ -+ -+/etc/rc\.d/init\.d/lldpad -- gen_context(system_u:object_r:lldpad_initrc_exec_t,s0) -+ -+/usr/sbin/lldpad -- gen_context(system_u:object_r:lldpad_exec_t,s0) -+ -+/var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0) -+ -+/var/run/lldpad\.pid -- gen_context(system_u:object_r:lldpad_var_run_t,s0) +-optional_policy(` + unconfined_domain_noaudit(livecd_t) + ') diff --git a/lldpad.if b/lldpad.if -new file mode 100644 -index 0000000..6550968 ---- /dev/null +index d18c960..fb5b674 100644 +--- a/lldpad.if 
+++ b/lldpad.if -@@ -0,0 +1,201 @@ -+ -+## policy for lldpad -+ -+######################################## -+## -+## Transition to lldpad. +@@ -2,6 +2,25 @@ + + ####################################### + ## ++## Transition to lldpad. +## +## +## -+## Domain allowed to transition. ++## Domain allowed to transition. +## +## +# +interface(`lldpad_domtrans',` -+ gen_require(` -+ type lldpad_t, lldpad_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, lldpad_exec_t, lldpad_t) -+') -+ -+ -+######################################## -+## -+## Execute lldpad server in the lldpad domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_initrc_domtrans',` -+ gen_require(` -+ type lldpad_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, lldpad_initrc_exec_t) -+') -+ -+ -+######################################## -+## -+## Search lldpad lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_search_lib',` -+ gen_require(` -+ type lldpad_var_lib_t; -+ ') -+ -+ allow $1 lldpad_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read lldpad lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_read_lib_files',` -+ gen_require(` -+ type lldpad_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t) -+') -+ -+######################################## -+## -+## Manage lldpad lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_manage_lib_files',` -+ gen_require(` -+ type lldpad_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t) -+') -+ -+######################################## -+## -+## Manage lldpad lib directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`lldpad_manage_lib_dirs',` -+ gen_require(` -+ type lldpad_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_dirs_pattern($1, lldpad_var_lib_t, lldpad_var_lib_t) -+') -+ -+ -+######################################## -+## -+## Read lldpad PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_read_pid_files',` -+ gen_require(` -+ type lldpad_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 lldpad_var_run_t:file read_file_perms; -+') -+ -+##################################### -+## -+## Send to a lldpad unix dgram socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lldpad_dgram_send',` -+ gen_require(` -+ type lldpad_t; -+ ') ++ gen_require(` ++ type lldpad_t, lldpad_exec_t; ++ ') + -+ allow $1 lldpad_t:unix_dgram_socket sendto; -+ allow lldpad_t $1:unix_dgram_socket sendto; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lldpad_exec_t, lldpad_t) +') + -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an lldpad environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`lldpad_admin',` -+ gen_require(` -+ type lldpad_t; -+ type lldpad_initrc_exec_t; -+ type lldpad_var_lib_t; -+ type lldpad_var_run_t; -+ ') -+ -+ allow $1 lldpad_t:process signal_perms; -+ ps_process_pattern($1, lldpad_t) + ## Send to lldpad with a unix dgram socket. 
+ ## + ## +@@ -42,9 +61,13 @@ interface(`lldpad_admin',` + type lldpad_var_run_t; + ') + +- allow $1 lldpad_t:process { ptrace signal_perms }; ++ allow $1 lldpad_t:process { signal_perms }; + ps_process_pattern($1, lldpad_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 lldpad_t:process ptrace; + ') + -+ lldpad_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 lldpad_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, lldpad_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, lldpad_var_run_t) -+ -+') -+ + init_labeled_script_domtrans($1, lldpad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -new file mode 100644 -index 0000000..c38f564 ---- /dev/null +index 648def0..0b6281d 100644 +--- a/lldpad.te 
+++ b/lldpad.te -@@ -0,0 +1,70 @@ -+policy_module(lldpad, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type lldpad_t; -+type lldpad_exec_t; -+init_daemon_domain(lldpad_t, lldpad_exec_t) -+ -+type lldpad_initrc_exec_t; -+init_script_file(lldpad_initrc_exec_t) -+ -+type lldpad_tmpfs_t; -+files_tmpfs_file(lldpad_tmpfs_t) -+ -+type lldpad_var_lib_t; -+files_type(lldpad_var_lib_t) -+ -+type lldpad_var_run_t; -+files_pid_file(lldpad_var_run_t) -+ -+######################################## -+# -+# lldpad local policy -+# -+ -+allow lldpad_t self:capability { net_admin net_raw }; -+ifdef(`hide_broken_symptoms',` -+ # caused by some bogus kernel code -+ dontaudit lldpad_t self:capability sys_module; -+') -+ -+allow lldpad_t self:shm create_shm_perms; -+allow lldpad_t self:fifo_file rw_fifo_file_perms; -+ -+allow lldpad_t self:unix_stream_socket create_stream_socket_perms; -+allow lldpad_t self:netlink_route_socket create_netlink_socket_perms; -+allow lldpad_t self:packet_socket create_socket_perms; -+allow lldpad_t self:udp_socket create_socket_perms; -+ -+manage_files_pattern(lldpad_t,lldpad_tmpfs_t,lldpad_tmpfs_t) -+fs_tmpfs_filetrans(lldpad_t,lldpad_tmpfs_t,file) -+ -+manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) -+manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) -+ -+manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -+manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -+manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t) -+# this needs to be fixed in lldpad package -+# bug: # -+files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file }) -+ -+kernel_read_all_sysctls(lldpad_t) -+kernel_read_network_state(lldpad_t) -+kernel_request_load_module(lldpad_t) -+ -+dev_read_sysfs(lldpad_t) -+ -+files_read_etc_files(lldpad_t) -+ -+logging_send_syslog_msg(lldpad_t) -+ +@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) + + 
dev_read_sysfs(lldpad_t) + +-files_read_etc_files(lldpad_t) +- + logging_send_syslog_msg(lldpad_t) + +-miscfiles_read_localization(lldpad_t) +userdom_dgram_send(lldpad_t) -+ -+optional_policy(` -+ fcoemon_dgram_send(lldpad_t) -+') -diff --git a/loadkeys.fc b/loadkeys.fc -index 8549f9f..68be454 100644 ---- a/loadkeys.fc -+++ b/loadkeys.fc -@@ -1,3 +1,3 @@ --/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) --/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -+/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) -+/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) + optional_policy(` + fcoe_dgram_send_fcoemon(lldpad_t) diff --git a/loadkeys.te b/loadkeys.te -index 2523758..96308b5 100644 +index 6cbb977..fa49534 100644 --- a/loadkeys.te +++ b/loadkeys.te -@@ -31,14 +31,15 @@ files_read_etc_runtime_files(loadkeys_t) +@@ -31,14 +31,14 @@ files_read_etc_runtime_files(loadkeys_t) term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) @@ -31503,99 +30932,241 @@ index 2523758..96308b5 100644 locallogin_use_fds(loadkeys_t) -miscfiles_read_localization(loadkeys_t) - +- -userdom_use_user_ttys(loadkeys_t) +userdom_use_inherited_user_ttys(loadkeys_t) userdom_list_user_home_content(loadkeys_t) ifdef(`hide_broken_symptoms',` -@@ -46,5 +47,9 @@ ifdef(`hide_broken_symptoms',` - ') - - optional_policy(` -+ keyboardd_read_pipes(loadkeys_t) -+') -+ -+optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) - ') diff --git a/lockdev.te b/lockdev.te -index 572b5db..1e55f43 100644 +index db87831..30bfb76 100644 --- a/lockdev.te 
+++ b/lockdev.te -@@ -34,4 +34,5 @@ fs_getattr_xattr_fs(lockdev_t) +@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) logging_send_syslog_msg(lockdev_t) -userdom_use_user_terminals(lockdev_t) +userdom_use_inherited_user_terminals(lockdev_t) + +diff --git a/logrotate.fc b/logrotate.fc +index a11d5be..36c8de7 100644 +--- a/logrotate.fc ++++ b/logrotate.fc +@@ -1,6 +1,9 @@ +-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) ++/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) + + /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) + ++ifdef(`distro_debian', ` + /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) +-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++', ` ++/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++') +diff --git a/logrotate.if b/logrotate.if +index dd8e01a..9cd6b0b 100644 +--- a/logrotate.if ++++ b/logrotate.if +@@ -1,4 +1,4 @@ +-## Rotates, compresses, removes and mails system log files. ++## Rotate and archive system logs + + ######################################## + ## +@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',` + + ######################################## + ## +-## Execute logrotate in the logrotate +-## domain, and allow the specified +-## role the logrotate domain. ++## Execute logrotate in the logrotate domain, and ++## allow the specified role the logrotate domain. 
+ ## + ## + ## +@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',` + # + interface(`logrotate_run',` + gen_require(` +- attribute_role logrotate_roles; ++ type logrotate_t; + ') + + logrotate_domtrans($1) +- roleattribute $2 logrotate_roles; ++ role $2 types logrotate_t; + ') + + ######################################## +@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## logrotate file descriptors. ++## Do not audit attempts to inherit logrotate file descriptors. + ## + ## + ## +@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',` + + ######################################## + ## +-## Read logrotate temporary files. ++## Read a logrotate temporary files. + ## + ## + ## diff --git a/logrotate.te b/logrotate.te -index 7090dae..8a2583b 100644 +index 7bab8e5..8a2583b 100644 --- a/logrotate.te 
+++ b/logrotate.te -@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t) +@@ -1,20 +1,18 @@ +-policy_module(logrotate, 1.14.5) ++policy_module(logrotate, 1.14.0) + + ######################################## + # + # Declarations # - # Change ownership on log files. --allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; --# for mailx --dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; -+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -+dontaudit logrotate_t self:capability sys_resource; +-attribute_role logrotate_roles; +-roleattribute system_r logrotate_roles; +- + type logrotate_t; +-type logrotate_exec_t; + domain_type(logrotate_t) + domain_obj_id_change_exemption(logrotate_t) + domain_system_change_exemption(logrotate_t) ++role system_r types logrotate_t; ++ ++type logrotate_exec_t; + domain_entry_file(logrotate_t, logrotate_exec_t) +-role logrotate_roles types logrotate_t; - allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + type logrotate_lock_t; + files_lock_file(logrotate_lock_t) +@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) + type logrotate_var_lib_t; + files_type(logrotate_var_lib_t) -@@ -39,6 +38,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi - allow logrotate_t self:process setfscreate; +-mta_base_mail_template(logrotate) +-role system_r types logrotate_mail_t; +- + ######################################## + # + # Local policy + # +-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; +-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; ++# Change ownership on log files. 
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; ++dontaudit logrotate_t self:capability sys_resource; ++ ++allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ ++# Set a context other than the default one for newly created files. ++allow logrotate_t self:process setfscreate; ++ allow logrotate_t self:fd use; -+allow logrotate_t self:key manage_key_perms; + allow logrotate_t self:key manage_key_perms; allow logrotate_t self:fifo_file rw_fifo_file_perms; - allow logrotate_t self:unix_dgram_socket create_socket_perms; - allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - # for /var/lib/logrotate.status and /var/lib/logcheck ++allow logrotate_t self:unix_dgram_socket create_socket_perms; ++allow logrotate_t self:unix_stream_socket create_stream_socket_perms; + allow logrotate_t self:unix_dgram_socket sendto; +-allow logrotate_t self:unix_stream_socket { accept connectto listen }; ++allow logrotate_t self:unix_stream_socket connectto; + allow logrotate_t self:shm create_shm_perms; + allow logrotate_t self:sem create_sem_perms; + allow logrotate_t self:msgq create_msgq_perms; +@@ -48,29 +52,47 @@ allow logrotate_t self:msg { send receive }; + allow logrotate_t logrotate_lock_t:file manage_file_perms; + files_lock_filetrans(logrotate_t, logrotate_lock_t, file) + ++can_exec(logrotate_t, logrotate_tmp_t) ++ + manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) + manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) + files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + ++# for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) 
-+read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) +-can_exec(logrotate_t, logrotate_tmp_t) +- kernel_read_system_state(logrotate_t) -@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t) - mls_file_read_all_levels(logrotate_t) - mls_file_write_all_levels(logrotate_t) - mls_file_upgrade(logrotate_t) -+mls_process_write_to_clearance(logrotate_t) + kernel_read_kernel_sysctls(logrotate_t) - selinux_get_fs_mount(logrotate_t) - selinux_get_enforce_mode(logrotate_t) -@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t) - # Run helper programs. ++dev_read_urand(logrotate_t) ++ ++fs_search_auto_mountpoints(logrotate_t) ++fs_getattr_xattr_fs(logrotate_t) ++fs_list_inotifyfs(logrotate_t) ++ ++mls_file_read_all_levels(logrotate_t) ++mls_file_write_all_levels(logrotate_t) ++mls_file_upgrade(logrotate_t) ++mls_process_write_to_clearance(logrotate_t) ++ ++selinux_get_fs_mount(logrotate_t) ++selinux_get_enforce_mode(logrotate_t) ++ ++auth_manage_login_records(logrotate_t) ++auth_use_nsswitch(logrotate_t) ++ ++# Run helper programs. corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) -+corecmd_getattr_all_executables(logrotate_t) + corecmd_getattr_all_executables(logrotate_t) +-dev_read_urand(logrotate_t) +- domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) -@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t) + domain_getattr_all_entry_files(logrotate_t) ++# Read /proc/PID directories for all domains. 
domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) --files_read_etc_files(logrotate_t) - files_read_etc_runtime_files(logrotate_t) +@@ -78,49 +100,44 @@ files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t) -@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) + files_read_var_lib_files(logrotate_t) ++# Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -+files_dontaudit_list_mnt(logrotate_t) + files_dontaudit_list_mnt(logrotate_t) - # cjp: why is this needed? +-fs_search_auto_mountpoints(logrotate_t) +-fs_getattr_xattr_fs(logrotate_t) +-fs_list_inotifyfs(logrotate_t) +- +-mls_file_read_all_levels(logrotate_t) +-mls_file_write_all_levels(logrotate_t) +-mls_file_upgrade(logrotate_t) +-mls_process_write_to_clearance(logrotate_t) +- +-selinux_get_fs_mount(logrotate_t) +-selinux_get_enforce_mode(logrotate_t) +- +-auth_manage_login_records(logrotate_t) +-auth_use_nsswitch(logrotate_t) +- ++# cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +115,21 @@ logging_send_audit_msgs(logrotate_t) - # cjp: why is this needed? + + logging_manage_all_logs(logrotate_t) + logging_send_syslog_msg(logrotate_t) + logging_send_audit_msgs(logrotate_t) ++# cjp: why is this needed? logging_exec_all_logs(logrotate_t) -miscfiles_read_localization(logrotate_t) 
@@ -31612,94 +31183,71 @@ index 7090dae..8a2583b 100644 +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) -- --cron_system_entry(logrotate_t, logrotate_exec_t) --cron_search_spool(logrotate_t) -- --mta_send_mail(logrotate_t) +userdom_list_admin_dir(logrotate_t) +userdom_dontaudit_getattr_user_home_content(logrotate_t) - ifdef(`distro_debian', ` -- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; -+ allow logrotate_t logrotate_tmp_t:file relabel_file_perms; - # for savelog - can_exec(logrotate_t, logrotate_exec_t) - -@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` - ') - - optional_policy(` -- abrt_cache_manage(logrotate_t) -+ abrt_manage_cache(logrotate_t) - ') - - optional_policy(` -@@ -154,6 +157,10 @@ optional_policy(` - ') - - optional_policy(` -+ awstats_domtrans(logrotate_t) -+') +-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) +- +-ifdef(`distro_debian',` ++ifdef(`distro_debian', ` + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; ++ # for savelog + can_exec(logrotate_t, logrotate_exec_t) + +- logging_check_exec_syslog(logrotate_t) ++ # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) + -+optional_policy(` - asterisk_domtrans(logrotate_t) ++ # for "test -x /sbin/syslogd" ++ logging_check_exec_syslog(logrotate_t) ') -@@ -162,10 +169,20 @@ optional_policy(` + optional_policy(` +@@ -140,11 +157,11 @@ optional_policy(` ') optional_policy(` -+ callweaver_exec(logrotate_t) -+ callweaver_stream_connect(logrotate_t) -+') -+ -+optional_policy(` - consoletype_exec(logrotate_t) +- asterisk_domtrans(logrotate_t) ++ awstats_domtrans(logrotate_t) ') optional_policy(` -+ cron_system_entry(logrotate_t, logrotate_exec_t) -+ cron_search_spool(logrotate_t) -+') -+ -+optional_policy(` - cups_domtrans(logrotate_t) +- awstats_domtrans(logrotate_t) ++ asterisk_domtrans(logrotate_t) ') -@@ -178,6 +195,10 @@ optional_policy(` + optional_policy(` +@@ 
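Review bot: The rewritten logrotate.te capability rule grants `sys_ptrace` to logrotate_t unconditionally, while the same hunk gates ptrace behind the `deny_ptrace` boolean in lldpad_admin a few lines earlier, and the `dontaudit logrotate_t self:capability sys_resource;` line directly below it is a no-op because `sys_resource` is already in the allow set. If the boolean is meant to cover logrotate as well, move the capability under it, `tunable_policy(`deny_ptrace',`',` allow logrotate_t self:capability sys_ptrace; ')`, and drop whichever sys_resource rule is stale so the rule set says what is intended. The nested hunk also lowers `policy_module(logrotate, 1.14.5)` to `1.14.0`; if an installed module already carries 1.14.5, semodule may treat the rebuilt one as a downgrade, which is worth confirming rather than assuming. The logrotate.te local-policy section continues past the end of this hunk.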
-178,7 +195,7 @@ optional_policy(` ') optional_policy(` +- chronyd_read_key_files(logrotate_t) + chronyd_read_keys(logrotate_t) -+') -+ -+optional_policy(` - icecast_signal(logrotate_t) ') -@@ -194,15 +215,19 @@ optional_policy(` + optional_policy(` +@@ -198,17 +215,14 @@ optional_policy(` ') optional_policy(` + mysql_read_home_content(logrotate_t) mysql_read_config(logrotate_t) - mysql_search_db(logrotate_t) ++ mysql_search_db(logrotate_t) mysql_stream_connect(logrotate_t) ') optional_policy(` -- psad_domtrans(logrotate_t) +- openvswitch_read_pid_files(logrotate_t) +- openvswitch_domtrans(logrotate_t) +-') +- +-optional_policy(` +- polipo_log_filetrans_log(logrotate_t, file, "polipo") + polipo_named_filetrans_log_files(logrotate_t) ') -+optional_policy(` -+ psad_domtrans(logrotate_t) -+') - optional_policy(` - samba_exec_log(logrotate_t) -@@ -217,6 +242,11 @@ optional_policy(` +@@ -228,10 +242,16 @@ optional_policy(` ') optional_policy(` 
@@ -31711,98 +31259,58 @@ index 7090dae..8a2583b 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +258,14 @@ optional_policy(` optional_policy(` - varnishd_manage_log(logrotate_t) ++ #Red Hat bug 564565 + su_exec(logrotate_t) ') -+ -+####################################### -+# + +@@ -241,13 +261,11 @@ optional_policy(` + + ####################################### + # +-# Mail local policy +# logrotate_mail local policy -+# -+ + # + +-allow logrotate_mail_t logrotate_t:fd use; +-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms; +-allow logrotate_mail_t logrotate_t:process sigchld; +- +-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) +- +mta_base_mail_template(logrotate) +mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) +role system_r types logrotate_mail_t; -+logging_read_all_logs(logrotate_mail_t) + logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) -diff --git a/logwatch.fc b/logwatch.fc -index 3c7b1e8..1e155f5 100644 ---- a/logwatch.fc -+++ b/logwatch.fc -@@ -1,7 +1,11 @@ - /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) -+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) - - /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) - - /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) - /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) - /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) -+ -+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..061b725 100644 +index 4256a4c..ba62d5b 100644 --- a/logwatch.te 
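Review bot: The logrotate_mail section drops upstream's explicit `allow logrotate_mail_t logrotate_t:fd use;`, `fifo_file rw_fifo_file_perms` and `process sigchld` rules and relies on `mta_base_mail_template(logrotate)` plus `mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)` instead, but nothing in the hunk shows that the template grants the child domain access to its parent's descriptors or the right to send SIGCHLD back. Unless mta.if is confirmed to cover these, keep the three lines next to the template call so the transition into logrotate_mail_t does not lose inherited stdio or fail to report exit. The asterisk/awstats swap in the optional_policy blocks is pure reordering and could be left out to keep the distro patch small. The optional_policy list for logrotate_t continues beyond this hunk.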
+++ b/logwatch.te -@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) +@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) type logwatch_t; type logwatch_exec_t; +-init_system_domain(logwatch_t, logwatch_exec_t) +init_daemon_domain(logwatch_t, logwatch_exec_t) - application_domain(logwatch_t, logwatch_exec_t) - role system_r types logwatch_t; - -@@ -19,6 +20,12 @@ files_lock_file(logwatch_lock_t) - type logwatch_tmp_t; - files_tmp_file(logwatch_tmp_t) - -+type logwatch_var_run_t; -+files_pid_file(logwatch_var_run_t) -+ -+mta_base_mail_template(logwatch) -+role system_r types logwatch_mail_t; -+ - ######################################## - # - # Local policy -@@ -39,6 +46,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) - manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) - files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) - -+allow logwatch_t logwatch_var_run_t:file manage_file_perms; -+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) -+ - kernel_read_fs_sysctls(logwatch_t) - kernel_read_kernel_sysctls(logwatch_t) - kernel_read_system_state(logwatch_t) -@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t) ++application_domain(logwatch_t, logwatch_exec_t) - files_list_var(logwatch_t) + type logwatch_cache_t; + files_type(logwatch_cache_t) +@@ -67,10 +68,12 @@ files_list_var(logwatch_t) + files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) --files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) +files_read_system_conf_files(logwatch_t) files_read_usr_files(logwatch_t) - files_search_spool(logwatch_t) - files_search_mnt(logwatch_t) -@@ -67,9 +77,14 @@ files_dontaudit_search_boot(logwatch_t) - files_dontaudit_search_all_dirs(logwatch_t) + fs_getattr_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) +fs_getattr_all_dirs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -+storage_dontaudit_getattr_fixed_disk_dev(logwatch_t) -+ 
-+mls_file_read_to_clearance(logwatch_t) -+ - term_dontaudit_getattr_pty_dirs(logwatch_t) - term_dontaudit_list_ptys(logwatch_t) - -@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t) +@@ -92,17 +95,22 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -31810,82 +31318,99 @@ index 75ce30f..061b725 100644 - selinux_dontaudit_getattr_dir(logwatch_t) --sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) --mta_send_mail(logwatch_t) -+#mta_send_mail(logwatch_t) -+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) + mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) + mta_getattr_spool(logwatch_t) - ifdef(`distro_redhat',` - files_search_all(logwatch_t) ++ifdef(`distro_redhat',` ++ files_search_all(logwatch_t) + files_getattr_all_files(logwatch_t) - files_getattr_all_file_type_fs(logwatch_t) ++ files_getattr_all_file_type_fs(logwatch_t) ++') ++ + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(logwatch_t) ') +@@ -164,6 +172,8 @@ dev_read_sysfs(logwatch_mail_t) + + logging_read_all_logs(logwatch_mail_t) -@@ -145,3 +160,24 @@ optional_policy(` - samba_read_log(logwatch_t) - samba_read_share_files(logwatch_t) - ') -+ -+######################################## -+# -+# Logwatch mail Local policy -+# -+ -+allow logwatch_mail_t self:capability { dac_read_search dac_override }; -+ -+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) -+ -+dev_read_rand(logwatch_mail_t) -+dev_read_urand(logwatch_mail_t) -+dev_read_sysfs(logwatch_mail_t) -+ -+logging_read_all_logs(logwatch_mail_t) -+ +mta_read_home(logwatch_mail_t) + -+optional_policy(` -+ cron_use_system_job_fds(logwatch_mail_t) -+') + optional_policy(` + cron_use_system_job_fds(logwatch_mail_t) + ') diff --git a/lpd.fc b/lpd.fc -index 5c9eb68..e4f3c24 100644 +index 2fb9b2e..08974e3 100644 --- a/lpd.fc 
+++ b/lpd.fc -@@ -24,7 +24,7 @@ +@@ -19,6 +19,7 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) --/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + /usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) - -@@ -35,3 +35,4 @@ - /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) - /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) - /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) -+/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh) + /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if -index a4f32f5..628b63c 100644 +index 6256371..628b63c 100644 --- a/lpd.if 
+++ b/lpd.if -@@ -14,6 +14,7 @@ - ## User domain for the role +@@ -1,44 +1,37 @@ +-## Line printer daemon. ++## Line printer daemon + + ######################################## + ## +-## Role access for lpd. ++## Role access for lpd + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role ## ## +## # interface(`lpd_role',` gen_require(` -@@ -27,7 +28,10 @@ interface(`lpd_role',` - dontaudit lpr_t $2:unix_stream_socket { read write }; +- attribute_role lpr_roles; +- type lpr_t, lpr_exec_t; ++ type lpr_t, lpr_exec_t, print_spool_t; + ') + +- ######################################## +- # +- # Declarations +- # +- +- roleattribute $1 lpr_roles; +- +- ######################################## +- # +- # Policy +- # ++ role $1 types lpr_t; ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, lpr_exec_t, lpr_t) ++ dontaudit lpr_t $2:unix_stream_socket { read write }; + +- allow $2 lpr_t:process { ptrace signal_perms }; ps_process_pattern($2, lpr_t) -- allow $2 lpr_t:process signull; +- +- dontaudit lpr_t $2:unix_stream_socket { read write }; + allow $2 lpr_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $2 lpr_t:process ptrace; 
@@ -31893,16 +31418,82 @@ index a4f32f5..628b63c 100644 optional_policy(` cups_read_config($2) -@@ -153,7 +157,7 @@ interface(`lpd_relabel_spool',` +@@ -60,15 +53,13 @@ interface(`lpd_domtrans_checkpc',` + type checkpc_t, checkpc_exec_t; ') - files_search_spool($1) -- allow $1 print_spool_t:file { relabelto relabelfrom }; -+ allow $1 print_spool_t:file relabel_file_perms; +- corecmd_search_bin($1) + domtrans_pattern($1, checkpc_exec_t, checkpc_t) + ') + + ######################################## + ## +-## Execute amrecover in the lpd +-## domain, and allow the specified +-## role the lpd domain. ++## Execute amrecover in the lpd domain, and ++## allow the specified role the lpd domain. + ## + ## + ## +@@ -84,16 +75,16 @@ interface(`lpd_domtrans_checkpc',` + # + interface(`lpd_run_checkpc',` + gen_require(` +- attribute_role checkpc_roles; ++ type checkpc_t; + ') + + lpd_domtrans_checkpc($1) +- roleattribute $2 checkpc_roles; ++ role $2 types checkpc_t; ') ######################################## -@@ -186,7 +190,7 @@ interface(`lpd_read_config',` + ## +-## List printer spool directories. ++## List the contents of the printer spool directories. + ## + ## + ## +@@ -112,7 +103,7 @@ interface(`lpd_list_spool',` + + ######################################## + ## +-## Read printer spool files. ++## Read the printer spool files. + ## + ## + ## +@@ -131,8 +122,7 @@ interface(`lpd_read_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## printer spool content. ++## Create, read, write, and delete printer spool files. + ## + ## + ## +@@ -153,7 +143,7 @@ interface(`lpd_manage_spool',` + + ######################################## + ## +-## Relabel spool files. ++## Relabel from and to the spool files. + ## + ## + ## +@@ -172,7 +162,7 @@ interface(`lpd_relabel_spool',` + + ######################################## + ## +-## Read printer configuration files. ++## List the contents of the printer spool directories. 
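Review bot: The rewritten `lpd_role` gen_require now lists `print_spool_t`, but none of the rules visible in this hunk use it, and the interface body continues past the hunk, so if the remainder does not reference it either the require is dead and should be trimmed back to `type lpr_t, lpr_exec_t;`. Replacing upstream's `roleattribute $1 lpr_roles;` with `role $1 types lpr_t;` is only safe if every other user of the `lpr_roles` attribute is converted the same way and the attribute declaration in lpd.te is removed; that declaration is not visible here. The new fc entry `/usr/linuxprinter/bin/l?lpr` mirrors the existing `/usr/local/...` line and looks fine.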
+ ## + ## + ## +@@ -200,12 +190,11 @@ interface(`lpd_read_config',` ## ## # @@ -31911,44 +31502,44 @@ index a4f32f5..628b63c 100644 gen_require(` type lpr_t, lpr_exec_t; ') -@@ -196,6 +200,32 @@ template(`lpd_domtrans_lpr',` - ######################################## - ## -+## Execute lpr in the lpr domain, and -+## allow the specified role the lpr domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`lpd_run_lpr',` -+ gen_require(` +- corecmd_search_bin($1) + domtrans_pattern($1, lpr_exec_t, lpr_t) + ') + +@@ -228,16 +217,17 @@ template(`lpd_domtrans_lpr',` + # + interface(`lpd_run_lpr',` + gen_require(` +- attribute_role lpr_roles; + type lpr_t; -+ ') -+ -+ lpd_domtrans_lpr($1) + ') + + lpd_domtrans_lpr($1) +- roleattribute $2 lpr_roles; + role $2 types lpr_t; -+') -+ -+######################################## -+## - ## Allow the specified domain to execute lpr - ## in the caller domain. + ') + + ######################################## + ## +-## Execute lpr in the caller domain. ++## Allow the specified domain to execute lpr ++## in the caller domain. ## + ## + ## +@@ -250,6 +240,5 @@ interface(`lpd_exec_lpr',` + type lpr_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, lpr_exec_t) + ') diff --git a/lpd.te b/lpd.te -index a03b63a..99e8d96 100644 +index b9270f7..0fd2f4c 100644 --- a/lpd.te +++ b/lpd.te -@@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) +@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) type print_spool_t; typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; 
@@ -31957,37 +31548,23 @@ index a03b63a..99e8d96 100644 ubac_constrained(print_spool_t) type printer_t; - files_type(printer_t) - - type printconf_t; --files_type(printconf_t) -+files_config_file(printconf_t) - - ######################################## - # -@@ -78,12 +78,11 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) - delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) - files_search_spool(checkpc_t) - --allow checkpc_t printconf_t:file getattr; -+allow checkpc_t printconf_t:file getattr_file_perms; - allow checkpc_t printconf_t:dir list_dir_perms; +@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms; kernel_read_system_state(checkpc_t) -corenet_all_recvfrom_unlabeled(checkpc_t) corenet_all_recvfrom_netlabel(checkpc_t) corenet_tcp_sendrecv_generic_if(checkpc_t) - corenet_udp_sendrecv_generic_if(checkpc_t) -@@ -102,7 +101,6 @@ corecmd_exec_bin(checkpc_t) + corenet_tcp_sendrecv_generic_node(checkpc_t) +@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t) domain_use_interactive_fds(checkpc_t) -files_read_etc_files(checkpc_t) files_read_etc_runtime_files(checkpc_t) - - init_use_script_ptys(checkpc_t) -@@ -111,7 +109,7 @@ init_use_fds(checkpc_t) + files_search_pids(checkpc_t) + files_search_spool(checkpc_t) +@@ -107,7 +105,7 @@ init_use_fds(checkpc_t) sysnet_read_config(checkpc_t) 
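Review bot: The summary of `lpd_read_config` is changed to `## List the contents of the printer spool directories.`, which describes `lpd_list_spool`, not an interface that reads printer configuration; the original `## Read printer configuration files.` should stay. The hunk also drops `corecmd_search_bin($1)` from `lpd_domtrans_checkpc`, `lpd_domtrans_lpr` and `lpd_exec_lpr`; a caller that does not already have bin_t search will then be unable to reach the executable before the transition, so either keep the search or document that callers get it elsewhere. `lpd_run_lpr` is changed from `roleattribute $2 lpr_roles;` to `role $2 types lpr_t;`, which must match the `lpd_role` change in the previous hunk.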
@@ -31996,32 +31573,30 @@ index a03b63a..99e8d96 100644 optional_policy(` cron_system_entry(checkpc_t, checkpc_exec_t) -@@ -143,9 +141,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) - manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) - files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) - -+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) - manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) - manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) --files_pid_filetrans(lpd_t, lpd_var_run_t, file) -+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) - - # Write to /var/spool/lpd. - manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -163,7 +162,6 @@ kernel_read_kernel_sysctls(lpd_t) - # bash wants access to /proc/meminfo +@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t) + kernel_read_kernel_sysctls(lpd_t) kernel_read_system_state(lpd_t) -corenet_all_recvfrom_unlabeled(lpd_t) corenet_all_recvfrom_netlabel(lpd_t) corenet_tcp_sendrecv_generic_if(lpd_t) - corenet_udp_sendrecv_generic_if(lpd_t) -@@ -197,12 +195,10 @@ files_list_var_lib(lpd_t) + corenet_tcp_sendrecv_generic_node(lpd_t) +@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t) + domain_use_interactive_fds(lpd_t) + + files_read_etc_runtime_files(lpd_t) +-files_read_usr_files(lpd_t) + files_list_world_readable(lpd_t) + files_read_world_readable_files(lpd_t) + files_read_world_readable_symlinks(lpd_t) + files_list_var_lib(lpd_t) files_read_var_lib_files(lpd_t) files_read_var_lib_symlinks(lpd_t) - # config files for lpd are of type etc_t, probably should change this -files_read_etc_files(lpd_t) + files_search_spool(lpd_t) + fs_getattr_all_fs(lpd_t) +@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t) logging_send_syslog_msg(lpd_t) miscfiles_read_fonts(lpd_t) 
@@ -32029,35 +31604,26 @@ index a03b63a..99e8d96 100644 sysnet_read_config(lpd_t) -@@ -236,9 +232,9 @@ can_exec(lpr_t, lpr_exec_t) - # Allow lpd to read, rename, and unlink spool files. - allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; - -+kernel_read_system_state(lpr_t) +@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t) + kernel_read_crypto_sysctls(lpr_t) kernel_read_kernel_sysctls(lpr_t) -corenet_all_recvfrom_unlabeled(lpr_t) corenet_all_recvfrom_netlabel(lpr_t) corenet_tcp_sendrecv_generic_if(lpr_t) - corenet_udp_sendrecv_generic_if(lpr_t) -@@ -256,7 +252,6 @@ domain_use_interactive_fds(lpr_t) - - files_search_spool(lpr_t) - # for lpd config files (should have a new type) --files_read_etc_files(lpr_t) - # for test print - files_read_usr_files(lpr_t) - #Added to cover read_content macro -@@ -271,23 +266,25 @@ term_use_generic_ptys(lpr_t) + corenet_tcp_sendrecv_generic_node(lpr_t) +@@ -249,23 +242,27 @@ term_use_generic_ptys(lpr_t) auth_use_nsswitch(lpr_t) +-logging_send_syslog_msg(lpr_t) +- + miscfiles_read_fonts(lpr_t) -miscfiles_read_localization(lpr_t) -+miscfiles_read_fonts(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) - # Write to the user domain tty. -userdom_use_user_terminals(lpr_t) ++# Write to the user domain tty. +userdom_use_inherited_user_terminals(lpr_t) userdom_read_user_home_content_files(lpr_t) userdom_read_user_tmp_files(lpr_t) 
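Review bot: The lpd_t hunk removes `files_read_usr_files(lpd_t)` along with `files_read_etc_files(lpd_t)`, but lpd_t keeps `can_exec(lpd_t, printconf_t)` and `miscfiles_read_fonts(lpd_t)`, and filter data under /usr is normally usr_t, which `files_read_world_readable_files` does not cover; unless the base patch now grants usr_t reads to every domain, this is a regression for print filters and the line should stay. The matching removal of `corenet_all_recvfrom_unlabeled(lpd_t)` presumably relies on the same kind of base-policy change and should be checked the same way. The lpd_t rule list continues outside this hunk.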
@@ -32065,23 +31631,24 @@ index a03b63a..99e8d96 100644 +userdom_stream_connect(lpr_t) tunable_policy(`use_lpd_server',` - # lpr can run in lightweight mode, without a local print spooler. -- allow lpr_t lpd_var_run_t:dir search; -- allow lpr_t lpd_var_run_t:sock_file write; +- allow lpr_t lpd_t:process signal; +- +- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t) ++ # lpr can run in lightweight mode, without a local print spooler. + allow lpr_t lpd_var_run_t:dir search_dir_perms; + allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; files_read_var_files(lpr_t) - # Connect to lpd via a Unix domain socket. -- allow lpr_t printer_t:sock_file rw_sock_file_perms; -- allow lpr_t lpd_t:unix_stream_socket connectto; ++ # Connect to lpd via a Unix domain socket. + allow lpr_t printer_t:sock_file read_sock_file_perms; -+ stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) - # Send SIGHUP to lpd. - allow lpr_t lpd_t:process signal; + stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) ++ # Send SIGHUP to lpd. ++ allow lpr_t lpd_t:process signal; -@@ -305,17 +302,7 @@ tunable_policy(`use_lpd_server',` - read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) + manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) +@@ -279,17 +276,7 @@ tunable_policy(`use_lpd_server',` + allow lpr_t printconf_t:lnk_file read_lnk_file_perms; ') -tunable_policy(`use_nfs_home_dirs',` 
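Review bot: Inside the `use_lpd_server` block, `allow lpr_t printer_t:sock_file read_sock_file_perms;` sits directly above `stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)`, which already grants the write access a socket connect needs, so the separate read grant on the socket file has no stated purpose. If a specific denial motivated it, a comment naming that access, e.g. `# lpr opens the printer socket file for reading before connecting (see denial)`, would stop the next reviewer from removing it; otherwise it can be dropped. The trailing `@@ -279,17 +276,7 @@` hunk removes the `use_nfs_home_dirs` tunable block entirely, presumably because `userdom_read_user_home_content_files(lpr_t)` above now covers home content regardless of filesystem; that replacement is not stated and is worth confirming. The tunable block continues past the end of this hunk.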
@@ -32099,141 +31666,353 @@ index a03b63a..99e8d96 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +311,13 @@ optional_policy(` +@@ -298,5 +285,13 @@ optional_policy(` ') optional_policy(` +- gnome_stream_connect_all_gkeyringd(lpr_t) + gnome_stream_connect_gkeyringd(lpr_t) +') + +optional_policy(` - logging_send_syslog_msg(lpr_t) - ') ++ logging_send_syslog_msg(lpr_t) ++') + +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) -+') -diff --git a/mailman.fc b/mailman.fc -index 1083f98..c7daa85 100644 ---- a/mailman.fc -+++ b/mailman.fc -@@ -1,11 +1,14 @@ --/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) --/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - --/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) --/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) --/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) --/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) --/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) -+/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -+/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+ -+/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) -+/var/lib/mailman.*/archives(/.*)? 
gen_context(system_u:object_r:mailman_archive_t,s0) -+/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) -+/var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0) -+/var/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0) - - # - # distro_debian -@@ -23,12 +26,12 @@ ifdef(`distro_debian', ` - # distro_redhat - # - ifdef(`distro_redhat', ` --/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -+/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) - --/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) --/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) --/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) --/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -+/usr/lib/mailman.*/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -+/usr/lib/mailman.*/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib/mailman.*/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - --/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -+/var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ') diff --git a/mailman.if b/mailman.if -index 67c7fdd..2f226de 100644 +index 108c0f1..d28241c 100644 --- a/mailman.if +++ b/mailman.if -@@ -54,7 +54,6 @@ template(`mailman_domain_template', ` - kernel_read_kernel_sysctls(mailman_$1_t) - kernel_read_system_state(mailman_$1_t) +@@ -1,44 +1,66 @@ +-## Manage electronic mail discussion and e-newsletter lists. ++## Mailman is for managing electronic mail discussion and e-newsletter lists + + ####################################### + ## +-## The template to define a mailman domain. ++## The template to define a mailmain domain. + ## +-## ++## ++##

    ++## This template creates a domain to be used for ++## a new mailman daemon. ++##

    ++##
    ++## + ## +-## Domain prefix to be used. ++## The type of daemon to be used eg, cgi would give mailman_cgi_ + ## + ## + # +-template(`mailman_domain_template',` +- gen_require(` +- attribute mailman_domain; +- ') ++template(`mailman_domain_template', ` + +- ######################################## +- # +- # Declarations +- # ++ ######################################## ++ # ++ # Declarations ++ # + + type mailman_$1_t; +- type mailman_$1_exec_t; + domain_type(mailman_$1_t) ++ type mailman_$1_exec_t; + domain_entry_file(mailman_$1_t, mailman_$1_exec_t) + role system_r types mailman_$1_t; -- corenet_all_recvfrom_unlabeled(mailman_$1_t) - corenet_all_recvfrom_netlabel(mailman_$1_t) - corenet_tcp_sendrecv_generic_if(mailman_$1_t) - corenet_udp_sendrecv_generic_if(mailman_$1_t) -@@ -74,7 +73,7 @@ template(`mailman_domain_template', ` - corecmd_exec_all_executables(mailman_$1_t) + type mailman_$1_tmp_t; + files_tmp_file(mailman_$1_tmp_t) - files_exec_etc_files(mailman_$1_t) -- files_list_usr(mailman_$1_t) -+ files_read_usr_files(mailman_$1_t) - files_list_var(mailman_$1_t) - files_list_var_lib(mailman_$1_t) - files_read_var_lib_symlinks(mailman_$1_t) -@@ -87,7 +86,6 @@ template(`mailman_domain_template', ` +- #################################### +- # +- # Policy +- # ++ #################################### ++ # ++ # Policy ++ # - logging_send_syslog_msg(mailman_$1_t) + manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) -- miscfiles_read_localization(mailman_$1_t) ++ kernel_read_system_state(mailman_$1_t) ++ ++ corenet_all_recvfrom_unlabeled(mailman_$1_t) ++ corenet_all_recvfrom_netlabel(mailman_$1_t) ++ corenet_tcp_sendrecv_generic_if(mailman_$1_t) ++ corenet_udp_sendrecv_generic_if(mailman_$1_t) ++ corenet_raw_sendrecv_generic_if(mailman_$1_t) ++ corenet_tcp_sendrecv_generic_node(mailman_$1_t) ++ 
corenet_udp_sendrecv_generic_node(mailman_$1_t) ++ corenet_raw_sendrecv_generic_node(mailman_$1_t) ++ corenet_tcp_sendrecv_all_ports(mailman_$1_t) ++ corenet_udp_sendrecv_all_ports(mailman_$1_t) ++ corenet_tcp_bind_generic_node(mailman_$1_t) ++ corenet_udp_bind_generic_node(mailman_$1_t) ++ corenet_tcp_connect_smtp_port(mailman_$1_t) ++ corenet_sendrecv_smtp_client_packets(mailman_$1_t) ++ + auth_use_nsswitch(mailman_$1_t) ++ ++ logging_send_syslog_msg(mailman_$1_t) ') ####################################### -@@ -108,6 +106,31 @@ interface(`mailman_domtrans',` +@@ -56,15 +78,12 @@ interface(`mailman_domtrans',` + type mailman_mail_exec_t, mailman_mail_t; + ') + +- libs_search_lib($1) domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) ') -+######################################## -+## + ######################################## + ## +-## Execute the mailman program in the +-## mailman domain and allow the +-## specified role the mailman domain. +## Execute the mailman program in the mailman domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## + ## + ## + ## +@@ -73,18 +92,18 @@ interface(`mailman_domtrans',` + ## + ## + ## +-## Role allowed access. +## The role to allow the mailman domain. 
-+## -+## -+## -+# -+interface(`mailman_run',` -+ gen_require(` + ## + ## + ## + # + interface(`mailman_run',` + gen_require(` +- attribute_role mailman_roles; + type mailman_mail_t; -+ ') -+ -+ mailman_domtrans($1) + ') + + mailman_domtrans($1) +- roleattribute $2 mailman_roles; + role $2 types mailman_mail_t; -+') -+ + ') + + ####################################### +@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',` + type mailman_cgi_exec_t, mailman_cgi_t; + ') + +- libs_search_lib($1) + domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) + ') + +@@ -122,13 +140,12 @@ interface(`mailman_exec',` + type mailman_mail_exec_t; + ') + +- libs_search_lib($1) + can_exec($1, mailman_mail_exec_t) + ') + + ####################################### + ## +-## Send generic signals to mailman cgi. ++## Send generic signals to the mailman cgi domain. + ## + ## + ## +@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',` + + ####################################### + ## +-## Search mailman data directories. ++## Allow domain to search data directories. + ## + ## + ## +@@ -159,13 +176,12 @@ interface(`mailman_search_data',` + type mailman_data_t; + ') + +- files_search_spool($1) + allow $1 mailman_data_t:dir search_dir_perms; + ') + + ####################################### + ## +-## Read mailman data content. ++## Allow domain to to read mailman data files. + ## + ## + ## +@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',` + type mailman_data_t; + ') + +- files_search_spool($1) + list_dirs_pattern($1, mailman_data_t, mailman_data_t) + read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) +@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',` + + ####################################### + ## +-## Create, read, write, and delete +-## mailman data files. ++## Allow domain to to create mailman data files ++## and write the directory. 
+ ## + ## + ## +@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',` + type mailman_data_t; + ') + +- files_search_spool($1) + manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) + ') + + ####################################### + ## +-## List mailman data directories. ++## List the contents of mailman data directories. + ## + ## + ## +@@ -220,13 +234,12 @@ interface(`mailman_list_data',` + type mailman_data_t; + ') + +- files_search_spool($1) + allow $1 mailman_data_t:dir list_dir_perms; + ') + + ####################################### + ## +-## Read mailman data symbolic links. ++## Allow read acces to mailman data symbolic links. + ## + ## + ## +@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',` + + ####################################### + ## +-## Read mailman log files. ++## Read mailman logs. + ## + ## + ## +@@ -257,13 +270,12 @@ interface(`mailman_read_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + read_files_pattern($1, mailman_log_t, mailman_log_t) + ') + ####################################### ## - ## Execute mailman CGI scripts in the +-## Append mailman log files. ++## Append to mailman logs. + ## + ## + ## +@@ -276,14 +288,13 @@ interface(`mailman_append_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + append_files_pattern($1, mailman_log_t, mailman_log_t) + ') + + ####################################### + ## + ## Create, read, write, and delete +-## mailman log content. ++## mailman logs. + ## + ## + ## +@@ -296,14 +307,13 @@ interface(`mailman_manage_log',` + type mailman_log_t; + ') + +- logging_search_logs($1) + manage_files_pattern($1, mailman_log_t, mailman_log_t) + manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) + ') + + ####################################### + ## +-## Read mailman archive content. ++## Allow domain to read mailman archive files. 
+ ## + ## + ## +@@ -316,7 +326,6 @@ interface(`mailman_read_archive',` + type mailman_archive_t; + ') + +- files_search_var_lib($1) + allow $1 mailman_archive_t:dir list_dir_perms; + read_files_pattern($1, mailman_archive_t, mailman_archive_t) + read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) +@@ -324,8 +333,7 @@ interface(`mailman_read_archive',` + + ####################################### + ## +-## Execute mailman_queue in the +-## mailman_queue domain. ++## Execute mailman_queue in the mailman_queue domain. + ## + ## + ## +@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',` + type mailman_queue_exec_t, mailman_queue_t; + ') + +- libs_search_lib($1) + domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) + ') diff --git a/mailman.te b/mailman.te -index 22265f0..da52800 100644 +index 8eaf51b..256819c 100644 --- a/mailman.te 
+++ b/mailman.te -@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t) - type mailman_lock_t; - files_lock_file(mailman_lock_t) +@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) + logging_log_filetrans(mailman_domain, mailman_log_t, file) -+type mailman_var_run_t; -+files_pid_file(mailman_var_run_t) -+ - mailman_domain_template(mail) - init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) + kernel_read_kernel_sysctls(mailman_domain) +-kernel_read_system_state(mailman_domain) + +-corenet_all_recvfrom_unlabeled(mailman_domain) +-corenet_all_recvfrom_netlabel(mailman_domain) + corenet_tcp_sendrecv_generic_if(mailman_domain) + corenet_tcp_sendrecv_generic_node(mailman_domain) -@@ -54,6 +57,9 @@ optional_policy(` +@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain) + libs_exec_ld_so(mailman_domain) + libs_exec_lib_files(mailman_domain) + +-logging_send_syslog_msg(mailman_domain) +- +-miscfiles_read_localization(mailman_domain) +- + ######################################## + # + # CGI local policy +@@ -104,6 +97,9 @@ optional_policy(` apache_search_sys_script_state(mailman_cgi_t) apache_read_config(mailman_cgi_t) apache_dontaudit_rw_stream_sockets(mailman_cgi_t) 
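Review bot: The rewritten `mailman_domain_template` in mailman.if grants every generated domain `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, raw-socket send/receive on generic interfaces and nodes, and `corenet_all_recvfrom_unlabeled`, so the CGI, mail and queue domains each receive the union of what any one of them needs. Only the SMTP client access is named specifically (`corenet_tcp_connect_smtp_port`); keeping the shared template to name resolution, syslog and SMTP and moving the all-ports and raw-socket grants into the .te section of the one domain that actually uses them would leave the web-facing mailman_cgi_t with the narrower set. The template also drops the `gen_require` for `attribute mailman_domain` while the mailman.te hunk in this same chunk still keys rules on `mailman_domain`; if the `typeattribute` assignment lives outside the hunk that is fine, but it is worth confirming the generated types still carry the attribute. The new interface summaries introduce typos that should be fixed before this lands: `mailmain domain` at the top of mailman.if, `Allow domain to to` (twice) and `Allow read acces` further down.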
@@ -32242,34 +32021,38 @@ index 22265f0..da52800 100644 + ') - ######################################## -@@ -62,13 +68,23 @@ optional_policy(` + optional_policy(` +@@ -115,8 +111,9 @@ optional_policy(` + # Mail local policy # - allow mailman_mail_t self:unix_dgram_socket create_socket_perms; --allow mailman_mail_t self:process { signal signull }; -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -+allow mailman_mail_t self:process { setsched signal signull }; +-allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config }; ++allow mailman_mail_t self:process { setsched signal signull }; ++allow mailman_mail_t self:unix_dgram_socket create_socket_perms; - manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) + manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) + manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) +@@ -126,10 +123,17 @@ corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) + corenet_tcp_sendrecv_innd_port(mailman_mail_t) +manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) +manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) +files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + -+# make NNTP gateway working + corenet_sendrecv_spamd_client_packets(mailman_mail_t) + corenet_tcp_connect_spamd_port(mailman_mail_t) + corenet_tcp_sendrecv_spamd_port(mailman_mail_t) + +corenet_tcp_connect_innd_port(mailman_mail_t) +corenet_tcp_connect_spamd_port(mailman_mail_t) + -+dev_read_urand(mailman_mail_t) -+ - files_search_spool(mailman_mail_t) + dev_read_urand(mailman_mail_t) 
fs_rw_anon_inodefs_files(mailman_mail_t) -@@ -81,11 +97,16 @@ optional_policy(` +@@ -142,6 +146,10 @@ optional_policy(` ') optional_policy(` 
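Review bot: The two lines `corenet_tcp_connect_innd_port(mailman_mail_t)` and `corenet_tcp_connect_spamd_port(mailman_mail_t)` added in the inner `@@ -126,10 +123,17 @@` hunk duplicate identical context lines a few lines above them and can be dropped; the following hunk repeats the pattern with `corenet_tcp_connect_innd_port(mailman_queue_t)`. The policy compiler merges duplicate rules, so this is tidiness rather than behaviour, but it suggests the patch was regenerated against an upstream that already carries these grants, and the `mailman_var_run_t` manage rules that appear to be present both as context and as additions in this hunk deserve the same check. The `sys_nice` capability and `setsched` process permission newly granted to mailman_mail_t carry no comment saying which component adjusts its scheduling priority; a one-line note at the grant would document why the daemon needs it.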
@@ -32280,239 +32063,133 @@ index 22265f0..da52800 100644 cron_read_pipes(mailman_mail_t) ') - optional_policy(` - postfix_search_spool(mailman_mail_t) -+ postfix_rw_master_pipes(mailman_mail_t) - ') - - ######################################## -@@ -94,7 +115,7 @@ optional_policy(` - # - - allow mailman_queue_t self:capability { setgid setuid }; --allow mailman_queue_t self:process signal; -+allow mailman_queue_t self:process { setsched signal_perms }; - allow mailman_queue_t self:fifo_file rw_fifo_file_perms; - allow mailman_queue_t self:unix_dgram_socket create_socket_perms; - -@@ -104,13 +125,12 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) - - kernel_read_proc_symlinks(mailman_queue_t) +@@ -163,6 +171,8 @@ corenet_sendrecv_innd_client_packets(mailman_queue_t) + corenet_tcp_connect_innd_port(mailman_queue_t) + corenet_tcp_sendrecv_innd_port(mailman_queue_t) +corenet_tcp_connect_innd_port(mailman_queue_t) + auth_domtrans_chk_passwd(mailman_queue_t) files_dontaudit_search_pids(mailman_queue_t) - --# for su --seutil_dontaudit_search_config(mailman_queue_t) -- - # some of the following could probably be changed to dontaudit, someone who - # knows mailman well should test this out and send the changes - userdom_search_user_home_dirs(mailman_queue_t) -@@ -125,4 +145,4 @@ optional_policy(` - - optional_policy(` - su_exec(mailman_queue_t) --') -\ No newline at end of file -+') -diff --git a/mailscanner.fc b/mailscanner.fc -new file mode 100644 -index 0000000..827e22e ---- /dev/null -+++ b/mailscanner.fc -@@ -0,0 +1,11 @@ -+/etc/MailScanner(/.*)? 
gen_context(system_u:object_r:mscan_etc_t,s0) -+ -+/etc/rc\.d/init\.d/MailScanner -- gen_context(system_u:object_r:mscan_initrc_exec_t,s0) -+ -+/etc/sysconfig/MailScanner -- gen_context(system_u:object_r:mscan_etc_t,s0) -+ -+/etc/sysconfig/update_spamassassin -- gen_context(system_u:object_r:mscan_etc_t,s0) -+ -+/usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0) -+ -+/var/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0) diff --git a/mailscanner.if b/mailscanner.if -new file mode 100644 -index 0000000..bd1d48e ---- /dev/null +index 0293f34..bd1d48e 100644 +--- a/mailscanner.if 
+++ b/mailscanner.if -@@ -0,0 +1,61 @@ -+## E-mail security and anti-spam package for e-mail gateway systems. -+ -+######################################## -+## +@@ -2,29 +2,27 @@ + + ######################################## + ## +-## Create, read, write, and delete +-## mscan spool content. +## Execute a domain transition to run +## MailScanner. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# + ## + ## + # +-interface(`mscan_manage_spool_content',` +interface(`mailscanner_initrc_domtrans',` -+ gen_require(` + gen_require(` +- type mscan_spool_t; + type mscan_initrc_exec_t; -+ ') -+ + ') + +- files_search_spool($1) +- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) +- manage_files_pattern($1, mscan_spool_t, mscan_spool_t) + init_labeled_script_domtrans($1, mscan_initrc_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mscan environment +## All of the rules required to administrate +## an mailscanner environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# + ## + ## + ## +@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',` + ## + ## + # +-interface(`mscan_admin',` +interface(`mailscanner_admin',` -+ gen_require(` + gen_require(` +- type mscan_t, mscan_etc_t, mscan_initrc_exec_t; +- type mscan_var_run_t, mscan_spool_t; + type mscan_t, mscan_var_run_t, mscan_etc_t; + type mscan_initrc_exec_t; -+ ') -+ + ') + +- allow $1 mscan_t:process { ptrace signal_perms }; +- ps_process_pattern($1, mscan_t) +- +- init_labeled_script_domtrans($1, mscan_initrc_exec_t) + mailscanner_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 mscan_initrc_exec_t system_r; -+ allow $2 system_r; -+ + domain_system_change_exemption($1) + role_transition $2 mscan_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) + allow $1 mscan_t:process signal_perms; + ps_process_pattern($1, mscan_t) + tunable_policy(`deny_ptrace',`',` + allow $1 mscan_t:process ptrace; + ') + -+ admin_pattern($1, mscan_etc_t) + admin_pattern($1, mscan_etc_t) + files_list_etc($1) -+ -+ admin_pattern($1, mscan_var_run_t) + +- files_search_pids($1 + admin_pattern($1, mscan_var_run_t) +- +- files_search_spool($1) +- admin_pattern($1, mscan_spool_t) + files_list_pids($1) -+') + ') diff --git a/mailscanner.te b/mailscanner.te -new file mode 100644 -index 0000000..d2f7a62 ---- /dev/null +index 725ba32..38269ae 100644 +--- a/mailscanner.te 
+++ b/mailscanner.te -@@ -0,0 +1,86 @@ -+policy_module(mailscanner, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mscan_t; -+type mscan_exec_t; -+init_daemon_domain(mscan_t, mscan_exec_t) -+ -+type mscan_initrc_exec_t; -+init_script_file(mscan_initrc_exec_t) -+ -+type mscan_etc_t; -+files_config_file(mscan_etc_t) -+ -+type mscan_tmp_t; -+files_tmp_file(mscan_tmp_t) -+ -+type mscan_var_run_t; -+files_pid_file(mscan_var_run_t) -+ -+######################################## -+# -+# Local policy -+# -+ -+allow mscan_t self:capability { setuid chown setgid dac_override }; -+allow mscan_t self:process signal; -+allow mscan_t self:fifo_file rw_fifo_file_perms; -+ -+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) +@@ -34,6 +34,7 @@ allow mscan_t self:process signal; + allow mscan_t self:fifo_file rw_fifo_file_perms; + + read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) +list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) -+ -+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) -+files_pid_filetrans(mscan_t, mscan_var_run_t, file) -+ -+manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) -+manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t) -+files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file }) -+ -+can_exec(mscan_t, mscan_exec_t) -+ -+kernel_read_system_state(mscan_t) -+ -+corecmd_exec_bin(mscan_t) -+corecmd_exec_shell(mscan_t) -+ -+corenet_tcp_connect_fprot_port(mscan_t) -+corenet_tcp_sendrecv_fprot_port(mscan_t) -+corenet_sendrecv_fprot_client_packets(mscan_t) -+corenet_udp_bind_generic_node(mscan_t) -+corenet_udp_bind_generic_port(mscan_t) -+corenet_udp_sendrecv_all_ports(mscan_t) -+corenet_sendrecv_generic_server_packets(mscan_t) -+ -+dev_read_urand(mscan_t) -+ -+files_read_usr_files(mscan_t) -+ -+fs_getattr_xattr_fs(mscan_t) -+ -+auth_dontaudit_read_shadow(mscan_t) -+auth_use_nsswitch(mscan_t) -+ -+logging_send_syslog_msg(mscan_t) -+ -+optional_policy(` -+ clamav_domtrans_clamscan(mscan_t) -+ 
clamav_manage_clamd_pid(mscan_t) -+') -+ -+optional_policy(` -+ mta_send_mail(mscan_t) -+ mta_manage_queue(mscan_t) -+') -+ -+optional_policy(` -+ procmail_domtrans(mscan_t) -+') -+ -+optional_policy(` + + manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) + files_pid_filetrans(mscan_t, mscan_var_run_t, file) +@@ -81,10 +82,9 @@ auth_use_nsswitch(mscan_t) + + logging_send_syslog_msg(mscan_t) + +-miscfiles_read_localization(mscan_t) +- + optional_policy(` + clamav_domtrans_clamscan(mscan_t) ++ clamav_manage_clamd_pid(mscan_t) + ') + + optional_policy(` +@@ -97,5 +97,6 @@ optional_policy(` + ') + + optional_policy(` + spamassassin_read_home_client(mscan_t) -+ spamassassin_read_lib_files(mscan_t) -+') -diff --git a/man2html.fc b/man2html.fc -new file mode 100644 -index 0000000..2907017 ---- /dev/null -+++ b/man2html.fc -@@ -0,0 +1,5 @@ -+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -+ -+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) + spamassassin_read_lib_files(mscan_t) + ') diff --git a/man2html.if b/man2html.if -new file mode 100644 -index 0000000..050157a ---- /dev/null +index 54ec04d..fe43dea 100644 +--- a/man2html.if +++ b/man2html.if -@@ -0,0 +1,127 @@ -+ -+## policy for httpd_man2html_script +@@ -1 +1,127 @@ + ## A Unix manpage-to-HTML converter. + +######################################## +## @@ -32633,36 +32310,42 @@ index 0000000..050157a + + files_search_var($1) + admin_pattern($1, httpd_man2html_script_cache_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') 
diff --git a/man2html.te b/man2html.te -new file mode 100644 -index 0000000..29b79eb ---- /dev/null +index e08c55d..9e634bd 100644 +--- a/man2html.te +++ b/man2html.te -@@ -0,0 +1,30 @@ -+policy_module(man2html, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type httpd_man2html_script_cache_t; -+files_type(httpd_man2html_script_cache_t) -+ -+######################################## -+# +@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0) + # Declarations + # + +-apache_content_template(man2html) + + type httpd_man2html_script_cache_t; + files_type(httpd_man2html_script_cache_t) + + ######################################## + # +-# Local policy +# httpd_man2html_script local policy -+# -+ + # + +-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) +-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir) +optional_policy(` -+ + +-files_read_etc_files(httpd_man2html_script_t) + apache_content_template(man2html) -+ + +-miscfiles_read_localization(httpd_man2html_script_t) +-miscfiles_read_man_pages(httpd_man2html_script_t) + allow httpd_man2html_script_t self:process { fork }; + + manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) @@ -32670,56 +32353,57 @@ index 0000000..29b79eb + manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) + files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file }) + -+ domain_use_interactive_fds(httpd_man2html_script_t) -+ -+ files_read_etc_files(httpd_man2html_script_t) +') 
diff --git a/mandb.fc b/mandb.fc -new file mode 100644 -index 0000000..75b9968 ---- /dev/null +index 2de0f64..03f96e3 100644 +--- a/mandb.fc +++ b/mandb.fc -@@ -0,0 +1,3 @@ +@@ -1 +1,5 @@ + /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) ++ +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) diff --git a/mandb.if b/mandb.if -new file mode 100644 -index 0000000..4a4e899 ---- /dev/null +index 327f3f7..65bfa15 100644 +--- a/mandb.if +++ b/mandb.if -@@ -0,0 +1,187 @@ +@@ -1,14 +1,14 @@ +-## On-line manual database. + +## policy for mandb -+ -+######################################## -+## + + ######################################## + ## +-## Execute the mandb program in +-## the mandb domain. +## Transition to mandb. -+## -+## + ## + ## +-## +## -+## Domain allowed to transition. + ## Domain allowed to transition. +-## +## -+## -+# -+interface(`mandb_domtrans',` -+ gen_require(` -+ type mandb_t, mandb_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, mandb_exec_t, mandb_t) -+') -+ -+######################################## -+## + ## + # + interface(`mandb_domtrans',` +@@ -22,33 +22,45 @@ interface(`mandb_domtrans',` + + ######################################## + ## +-## Execute mandb in the mandb +-## domain, and allow the specified +-## role the mandb domain. +## Search mandb cache directories. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`mandb_search_cache',` + gen_require(` 
@@ -32735,30 +32419,38 @@ index 0000000..4a4e899 +## Read mandb cache files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`mandb_run',` +interface(`mandb_read_cache_files',` -+ gen_require(` + gen_require(` +- attribute_role mandb_roles; + type mandb_cache_t; -+ ') -+ + ') + +- lightsquid_domtrans($1) +- roleattribute $2 mandb_roles; + files_search_var($1) + read_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search mandb cache directories. +## Relabel mandb cache files/directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -56,13 +68,18 @@ interface(`mandb_run',` + ## + ## + # +-interface(`mandb_search_cache',` +- refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_relabel_cache',` + gen_require(` + type mandb_cache_t; @@ -32766,18 +32458,21 @@ index 0000000..4a4e899 + + allow $1 mandb_cache_t:dir relabel_dir_perms; + allow $1 mandb_cache_t:file relabel_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete mandb cache content. +## Set attributes on mandb cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -70,13 +87,18 @@ interface(`mandb_search_cache',` + ## + ## + # +-interface(`mandb_delete_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_setattr_cache_dirs',` + gen_require(` + type mandb_cache_t; 
@@ -32785,18 +32480,21 @@ index 0000000..4a4e899 + + files_search_var($1) + allow $1 mandb_cache_t:dir setattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read mandb cache content. +## Delete mandb cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',` + ## + ## + # +-interface(`mandb_read_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_delete_cache',` + gen_require(` + type mandb_cache_t; @@ -32807,19 +32505,15 @@ index 0000000..4a4e899 + delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t) + delete_files_pattern($1, mandb_cache_t, mandb_cache_t) + delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mandb cache files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ') + + ######################################## +@@ -99,37 +129,60 @@ interface(`mandb_read_cache_content',` + ## + ## + # +-interface(`mandb_manage_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_manage_cache_files',` + gen_require(` + type mandb_cache_t; @@ -32827,17 +32521,20 @@ index 0000000..4a4e899 + + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mandb environment. +## Manage mandb cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`mandb_manage_cache_dirs',` + gen_require(` 
@@ -32855,101 +32552,105 @@ index 0000000..4a4e899 +## an mandb environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# -+interface(`mandb_admin',` -+ gen_require(` + ## + ## +-## + # + interface(`mandb_admin',` + gen_require(` +- type mandb_t, mandb_cache_t; + type mandb_t; + type mandb_cache_t; -+ ') -+ -+ allow $1 mandb_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, mandb_t) -+ + ') + + allow $1 mandb_t:process { ptrace signal_perms }; + ps_process_pattern($1, mandb_t) + +- mandb_run($1, $2) + files_search_var($1) + admin_pattern($1, mandb_cache_t) + +- # pending +- # miscfiles_manage_man_cache_content(mandb_t) + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/mandb.te b/mandb.te -new file mode 100644 -index 0000000..8cc45e7 ---- /dev/null +index 5a414e0..4e159c2 100644 +--- a/mandb.te 
+++ b/mandb.te -@@ -0,0 +1,35 @@ -+policy_module(mandb, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mandb_t; -+type mandb_exec_t; +@@ -10,9 +10,12 @@ roleattribute system_r mandb_roles; + + type mandb_t; + type mandb_exec_t; +-application_domain(mandb_t, mandb_exec_t) +init_daemon_domain(mandb_t, mandb_exec_t) -+cron_system_entry(mandb_t, mandb_exec_t) -+ + role mandb_roles types mandb_t; + +type mandb_cache_t; +files_type(mandb_cache_t) + -+######################################## -+# -+# mandb local policy -+# -+allow mandb_t self:fifo_file rw_fifo_file_perms; -+allow mandb_t self:unix_stream_socket create_stream_socket_perms; -+allow mandb_t self:process signal; -+ + ######################################## + # + # Local policy +@@ -22,14 +25,17 @@ allow mandb_t self:process signal; + allow mandb_t self:fifo_file rw_fifo_file_perms; + allow mandb_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) + -+kernel_read_system_state(mandb_t) -+ -+corecmd_exec_bin(mandb_t) -+ -+domain_use_interactive_fds(mandb_t) -+ -+files_read_etc_files(mandb_t) -diff --git a/mcelog.fc b/mcelog.fc -index 56c43c0..409bbfc 100644 ---- a/mcelog.fc -+++ b/mcelog.fc -@@ -1 +1,5 @@ - /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) -+ -+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) -+ -+/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) + kernel_read_system_state(mandb_t) + + corecmd_exec_bin(mandb_t) + + domain_use_interactive_fds(mandb_t) + +-files_read_etc_files(mandb_t) +- + miscfiles_manage_man_cache(mandb_t) + + optional_policy(` +diff --git a/mcelog.if b/mcelog.if +index 9dbe694..f89651e 100644 +--- a/mcelog.if ++++ b/mcelog.if 
+@@ -56,6 +56,6 @@ interface(`mcelog_admin',` + logging_search_logs($1) + admin_pattern($1, mcelog_log_t) + +- files_search_pids($1 ++ files_search_pids($1) + admin_pattern($1, mcelog_var_run_t) + ') diff --git a/mcelog.te b/mcelog.te -index 5671977..99a63b2 100644 +index 13ea191..799df10 100644 --- a/mcelog.te +++ b/mcelog.te -@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) +@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) + ## + gen_tunable(mcelog_server, false) +-## +-##

    +-## Determine whether mcelog can use syslog. +-##

    +-##
    +-gen_tunable(mcelog_syslog, false) +- type mcelog_t; type mcelog_exec_t; -+init_system_domain(mcelog_t, mcelog_exec_t) - application_domain(mcelog_t, mcelog_exec_t) --cron_system_entry(mcelog_t, mcelog_exec_t) -+ -+type mcelog_var_run_t; -+files_pid_file(mcelog_var_run_t) -+ -+type mcelog_log_t; -+logging_log_file(mcelog_log_t) - - ######################################## - # -@@ -17,16 +23,33 @@ cron_system_entry(mcelog_t, mcelog_exec_t) - - allow mcelog_t self:capability sys_admin; + init_daemon_domain(mcelog_t, mcelog_exec_t) +@@ -82,19 +75,31 @@ manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) + manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) + files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) @@ -32967,21 +32668,31 @@ index 5671977..99a63b2 100644 + dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) -+dev_rw_sysfs(mcelog_t) + dev_rw_sysfs(mcelog_t) - files_read_etc_files(mcelog_t) - - # for /dev/mem access +-files_read_etc_files(mcelog_t) +- mls_file_read_all_levels(mcelog_t) +auth_read_passwd(mcelog_t) + - logging_send_syslog_msg(mcelog_t) + locallogin_use_fds(mcelog_t) -miscfiles_read_localization(mcelog_t) -+optional_policy(` -+ cron_system_entry(mcelog_t, mcelog_exec_t) -+') ++logging_send_syslog_msg(mcelog_t) + + tunable_policy(`mcelog_client',` + allow mcelog_t self:unix_stream_socket connectto; +@@ -114,9 +119,6 @@ tunable_policy(`mcelog_server',` + allow mcelog_t self:unix_stream_socket { listen accept }; + ') + +-tunable_policy(`mcelog_syslog',` +- logging_send_syslog_msg(mcelog_t) +-') + + optional_policy(` + cron_system_entry(mcelog_t, mcelog_exec_t) diff --git a/mcollective.fc b/mcollective.fc new file mode 100644 index 0000000..821bf88 @@ -33148,11 +32859,12 @@ index 0000000..5dd171f + +files_read_etc_files(mcollective_t) 
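Review bot: `files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })` on the new side of the mandb.te part of this hunk is an unnamed transition, so every directory, file or symlink that mandb_t creates directly inside a var_t directory is labelled mandb_cache_t, not only its own cache. If the `files_var_filetrans` interface in this tree accepts the optional filename argument, restricting the transition to the directory mandb actually creates (presumably `"man"` — confirm against mandb.fc) keeps the type from landing on unrelated objects. The switch from `application_domain` to `init_daemon_domain(mandb_t, mandb_exec_t)` while `role mandb_roles types mandb_t;` stays also deserves a one-line comment on why mandb is now a daemon domain, since the upstream line it replaces treated mandb as a user application.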
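Review bot: The `mcelog_syslog` boolean disappears in this hunk (`-tunable_policy(`mcelog_syslog',` … `-')`) and `logging_send_syslog_msg(mcelog_t)` remains as an unconditional rule, with the matching `-gen_tunable(mcelog_syslog, false)` removal in the previous hunk; that widens the default policy and may leave hosts that set the boolean locally with a stale setting. If the intent is that mcelog always logs through syslog, say so next to the rule, e.g. `# mcelog always logs via syslog; the mcelog_syslog tunable was dropped`, otherwise keep the tunable. `+auth_read_passwd(mcelog_t)` and, if I read the collapsed markers right, `dev_read_raw_memory(mcelog_t)` also arrive without a why-comment, and the upstream `# for /dev/mem access` note that the old patch showed as context is not visible on the new side; a one-line reason beside each would help the next rebase.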
diff --git a/mediawiki.if b/mediawiki.if -index 98d28b4..1c1d012 100644 +index 9771b4b..1c1d012 100644 --- a/mediawiki.if +++ b/mediawiki.if @@ -1 +1,40 @@ - ## Mediawiki policy +-## Open source wiki package written in PHP. ++## Mediawiki policy + +####################################### +## @@ -33193,7 +32905,7 @@ index 98d28b4..1c1d012 100644 + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') diff --git a/mediawiki.te b/mediawiki.te -index d7cb9e4..7e81838 100644 +index c528b9f..212712c 100644 --- a/mediawiki.te +++ b/mediawiki.te @@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0) @@ -33207,7 +32919,7 @@ index d7cb9e4..7e81838 100644 ######################################## # - # mediawiki local policy + # Local policy # -files_search_var_lib(httpd_mediawiki_script_t) @@ -33216,72 +32928,125 @@ index d7cb9e4..7e81838 100644 -miscfiles_read_tetex_data(httpd_mediawiki_script_t) + miscfiles_read_tetex_data(httpd_mediawiki_script_t) +') -diff --git a/memcached.fc b/memcached.fc -index 4d69477..d3b4f39 100644 ---- a/memcached.fc -+++ b/memcached.fc -@@ -2,4 +2,5 @@ - - /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) - -+/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) - /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/memcached.if b/memcached.if -index db4fd6f..650014e 100644 +index 1d4eb19..650014e 100644 --- a/memcached.if 
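Review bot: The new side replaces upstream's file summary `## Open source wiki package written in PHP.` with the less informative `## Mediawiki policy` in mediawiki.if; unless the summary is being normalised on purpose, keeping the upstream wording makes the rebase patch smaller and leaves the interface index descriptive. The memcached.if hunk further down does the same to `## High-performance memory object caching system.` (lower-cased, trailing period dropped), and the same comment applies there.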
+++ b/memcached.if -@@ -40,6 +40,44 @@ interface(`memcached_read_pid_files',` +@@ -1,4 +1,4 @@ +-## High-performance memory object caching system. ++## high-performance memory object caching system + + ######################################## + ## +@@ -12,17 +12,16 @@ + # + interface(`memcached_domtrans',` + gen_require(` +- type memcached_t,memcached_exec_t; ++ type memcached_t; ++ type memcached_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, memcached_exec_t, memcached_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## memcached pid files. ++## Read memcached PID files. + ## + ## + ## +@@ -30,18 +29,18 @@ interface(`memcached_domtrans',` + ## + ## + # +-interface(`memcached_manage_pid_files',` ++interface(`memcached_read_pid_files',` + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) +- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) ++ allow $1 memcached_var_run_t:file read_file_perms; + ') ######################################## ## +-## Read memcached pid files. +## Manage memcached PID files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',` + ## + ## + # +-interface(`memcached_read_pid_files',` +interface(`memcached_manage_pid_files',` -+ gen_require(` -+ type memcached_var_run_t; -+ ') -+ -+ files_search_pids($1) + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) +- allow $1 memcached_var_run_t:file read_file_perms; + manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to memcached using a unix +-## domain stream socket. +## Connect to memcached over a unix stream socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`memcached_stream_connect',` -+ gen_require(` -+ type memcached_t, memcached_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an memcached environment ## -@@ -57,17 +95,20 @@ interface(`memcached_read_pid_files',` - # - interface(`memcached_admin',` - gen_require(` + ## + ## +@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',` + + ######################################## + ## +-## Connect to memcache over the network. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`memcached_tcp_connect',` +- gen_require(` - type memcached_t; -- type memcached_initrc_exec_t; -+ type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; +- ') +- +- corenet_sendrecv_memcache_client_packets($1) +- corenet_tcp_connect_memcache_port($1) +- corenet_tcp_recvfrom_labeled($1, memcached_t) +- corenet_tcp_sendrecv_memcache_port($1) +-') +- +-######################################## +-## +-## All of the rules required to +-## administrate an memcached environment. ++## All of the rules required to administrate ++## an memcached environment + ## + ## + ## +@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the memcached domain. + ## + ## + ## +@@ -121,14 +98,17 @@ interface(`memcached_admin',` + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') - allow $1 memcached_t:process { ptrace signal_perms }; @@ -33296,119 +33061,169 @@ index db4fd6f..650014e 100644 role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; +- files_search_pids($1) + files_list_pids($1) admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index b681608..9c4fc55 100644 +index 4926208..293e577 100644 --- a/memcached.te 
+++ b/memcached.te -@@ -28,7 +28,6 @@ allow memcached_t self:udp_socket { create_socket_perms listen }; - allow memcached_t self:fifo_file rw_fifo_file_perms; - allow memcached_t self:unix_stream_socket create_stream_socket_perms; - --corenet_all_recvfrom_unlabeled(memcached_t) - corenet_udp_sendrecv_generic_if(memcached_t) - corenet_udp_sendrecv_generic_node(memcached_t) - corenet_udp_sendrecv_all_ports(memcached_t) -@@ -42,12 +41,12 @@ corenet_udp_bind_memcache_port(memcached_t) - - manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) - manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) --files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) -+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) -+files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file }) - - kernel_read_kernel_sysctls(memcached_t) - kernel_read_system_state(memcached_t) - --files_read_etc_files(memcached_t) - - term_dontaudit_use_all_ptys(memcached_t) - term_dontaudit_use_all_ttys(memcached_t) -@@ -55,4 +54,3 @@ term_dontaudit_use_console(memcached_t) +@@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc -index 1ec5a6c..64ac6f0 100644 +index 89409eb..64ac6f0 100644 --- a/milter.fc 
+++ b/milter.fc -@@ -1,15 +1,26 @@ +@@ -1,18 +1,26 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) +/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) --/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) +-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) +/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) - /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) ++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) +-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/run/milter-greylist(/.*)? 
gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) - /var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) - /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) +-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) ++/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if -index ee72cbe..bdf319a 100644 +index cba62db..bdf319a 100644 --- a/milter.if 
+++ b/milter.if -@@ -24,9 +24,13 @@ template(`milter_template',` +@@ -1,47 +1,59 @@ +-## Milter mail filters. ++## Milter mail filters + +-####################################### ++######################################## + ## +-## The template to define a milter domain. ++## Create a set of derived types for various ++## mail filter applications using the milter interface. + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. + ## + ## + # + template(`milter_template',` ++ # attributes common to all milters + gen_require(` + attribute milter_data_type, milter_domains; + ') + +- ######################################## +- # +- # Declarations +- # +- + type $1_milter_t, milter_domains; + type $1_milter_exec_t; + init_daemon_domain($1_milter_t, $1_milter_exec_t) ++ role system_r types $1_milter_t; - # Type for the milter data (e.g. the socket used to communicate with the MTA) ++ # Type for the milter data (e.g. the socket used to communicate with the MTA) type $1_milter_data_t, milter_data_type; -- files_type($1_milter_data_t) -+ files_pid_file($1_milter_data_t) -+ + files_pid_file($1_milter_data_t) + +- ######################################## +- # +- # Policy +- # + # Allow communication with MTA over a unix-domain socket + # Note: usage with TCP sockets requires additional policy - allow $1_milter_t self:fifo_file rw_fifo_file_perms; +- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) ++ allow $1_milter_t self:fifo_file rw_fifo_file_perms; + - # Allow communication with MTA over a TCP socket - allow $1_milter_t self:tcp_socket create_stream_socket_perms; - -@@ -36,12 +40,13 @@ template(`milter_template',` - # Create other data files and directories in the data directory - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) ++ # Allow communication with MTA over a TCP socket ++ allow $1_milter_t self:tcp_socket create_stream_socket_perms; ++ ++ # Allow communication with MTA over 
a unix-domain socket + manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) +- auth_use_nsswitch($1_milter_t) ++ # Create other data files and directories in the data directory ++ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) ++ + kernel_dontaudit_read_system_state($1_milter_t) + - corenet_tcp_bind_generic_node($1_milter_t) - corenet_tcp_bind_milter_port($1_milter_t) - - files_read_etc_files($1_milter_t) ++ corenet_tcp_bind_generic_node($1_milter_t) ++ corenet_tcp_bind_milter_port($1_milter_t) ++ ++ files_read_etc_files($1_milter_t) ++ ++ ++ logging_send_syslog_msg($1_milter_t) + ') -- miscfiles_read_localization($1_milter_t) + ######################################## + ## +-## connect to all milter domains using +-## a unix domain stream socket. ++## MTA communication with milter sockets + ## + ## + ## +@@ -55,12 +67,13 @@ interface(`milter_stream_connect_all',` + ') - logging_send_syslog_msg($1_milter_t) + files_search_pids($1) ++ getattr_dirs_pattern($1, milter_data_type, milter_data_type) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) ') -@@ -61,6 +66,7 @@ interface(`milter_stream_connect_all',` - attribute milter_data_type, milter_domains; + + ######################################## + ## +-## Get attributes of all milter sock files. ++## Allow getattr of milter sockets + ## + ## + ## +@@ -73,13 +86,31 @@ interface(`milter_getattr_all_sockets',` + attribute milter_data_type; ') -+ files_search_pids($1) - getattr_dirs_pattern($1, milter_data_type, milter_data_type) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) ++ getattr_dirs_pattern($1, milter_data_type, milter_data_type) + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) ') -@@ -86,6 +92,24 @@ interface(`milter_getattr_all_sockets',` ######################################## ## +-## Create, read, write, and delete +-## spamassissin milter data content. 
+## Allow setattr of milter dirs +## +## @@ -33427,10 +33242,11 @@ index ee72cbe..bdf319a 100644 + +######################################## +## - ## Manage spamassassin milter state ++## Manage spamassassin milter state ## ## -@@ -104,3 +128,22 @@ interface(`milter_manage_spamass_state',` + ## +@@ -97,3 +128,22 @@ interface(`milter_manage_spamass_state',` manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ') @@ -33454,10 +33270,19 @@ index ee72cbe..bdf319a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 26101cb..64c2969 100644 +index 92508b2..64c2969 100644 --- a/milter.te +++ b/milter.te -@@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) +@@ -1,77 +1,98 @@ +-policy_module(milter, 1.4.2) ++policy_module(milter, 1.4.0) + + ######################################## + # + # Declarations + # + ++# attributes common to all milters attribute milter_domains; attribute milter_data_type; 
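Review bot: milter.fc labels opendkim's binary, `/var/run/opendkim(/.*)?` and `/var/spool/opendkim(/.*)?`, but the only path given `dkim_milter_private_key_t` is `/etc/mail/dkim-milter/keys(/.*)?`; if opendkim keeps its signing keys anywhere else they inherit whatever label the surrounding directory has, and the `read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)` rule in the milter.te hunk below does not reach them, so the key location should be confirmed and an entry added if it differs. In `milter_template` the new side also leaves two consecutive blank lines before `logging_send_syslog_msg($1_milter_t)`, and the comment `# attributes common to all milters` now sits above a `gen_require`, which only imports the attributes, so it reads as if they were declared there. Dropping the extra blank line and rewording that comment to `# require the attributes shared by all milter domains` (or moving it to the declarations in milter.te) would make the template easier to read.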
@@ -33468,86 +33293,164 @@ index 26101cb..64c2969 100644 +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + - # currently-supported milters are milter-greylist, milter-regex and spamass-milter ++# currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) -@@ -20,6 +27,26 @@ milter_template(spamass) + milter_template(spamass) + ++# Type for the spamass-milter home directory, under which spamassassin will ++# store system-wide preferences, bayes databases etc. if not configured to ++# use per-user configuration type spamass_milter_state_t; files_type(spamass_milter_state_t) -+####################################### -+# + ####################################### + # +-# Common local policy +# dkim-milter local policy -+# -+ + # + +-allow milter_domains self:fifo_file rw_fifo_file_perms; +-allow milter_domains self:tcp_socket { accept listen }; +allow dkim_milter_t self:capability { kill setgid setuid }; +allow dkim_milter_t self:process signal; +allow dkim_milter_t self:tcp_socket create_stream_socket_perms; +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; -+ + +-kernel_dontaudit_read_system_state(milter_domains) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) -+ + +-corenet_all_recvfrom_unlabeled(milter_domains) +-corenet_all_recvfrom_netlabel(milter_domains) +-corenet_tcp_sendrecv_generic_if(milter_domains) +-corenet_tcp_sendrecv_generic_node(milter_domains) +-corenet_tcp_bind_generic_node(milter_domains) +kernel_read_kernel_sysctls(dkim_milter_t) -+ + +-corenet_tcp_bind_milter_port(milter_domains) +-corenet_tcp_sendrecv_all_ports(milter_domains) +auth_use_nsswitch(dkim_milter_t) -+ + +-miscfiles_read_localization(milter_domains) +sysnet_dns_name_resolve(dkim_milter_t) -+ + +-logging_send_syslog_msg(milter_domains) +mta_read_config(dkim_milter_t) -+ + ######################################## # - # 
milter-greylist local policy -@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t) +-# greylist local policy ++# milter-greylist local policy ++# ensure smtp clients retry mail like real MTAs and not spamware ++# http://hcpnet.free.fr/milter-greylist/ + # + ++# It removes any existing socket (not owned by root) whilst running as root, ++# fixes permissions, renices itself and then calls setgid() and setuid() to ++# drop privileges allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; +allow greylist_milter_t self:tcp_socket create_stream_socket_perms; + - # It creates a pid file /var/run/milter-greylist.pid ++# It creates a pid file /var/run/milter-greylist.pid files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) kernel_read_kernel_sysctls(greylist_milter_t) +-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t) +-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) +-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t) +-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) +-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t) +- +-corenet_sendrecv_kismet_server_packets(greylist_milter_t) +-corenet_tcp_bind_kismet_port(greylist_milter_t) +-corenet_tcp_sendrecv_kismet_port(greylist_milter_t) +dev_read_rand(greylist_milter_t) +dev_read_urand(greylist_milter_t) -+ -+corecmd_exec_bin(greylist_milter_t) -+corecmd_exec_shell(greylist_milter_t) -+ + + corecmd_exec_bin(greylist_milter_t) + corecmd_exec_shell(greylist_milter_t) + +-dev_read_rand(greylist_milter_t) +-dev_read_urand(greylist_milter_t) +corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) +corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) +corenet_tcp_bind_rtsclient_port(greylist_milter_t) -+ + +# perl getgroups() reads a bunch of files in /etc +files_read_etc_files(greylist_milter_t) - # Allow the milter to read a GeoIP database in /usr/share ++# Allow the milter to read a GeoIP 
database in /usr/share files_read_usr_files(greylist_milter_t) - # The milter runs from /var/lib/milter-greylist and maintains files there -@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t) - # Config is in /etc/mail/greylist.conf ++# The milter runs from /var/lib/milter-greylist and maintains files there + files_search_var_lib(greylist_milter_t) + ++# Look up username for dropping privs ++auth_use_nsswitch(greylist_milter_t) ++ ++# Config is in /etc/mail/greylist.conf mta_read_config(greylist_milter_t) +-miscfiles_read_localization(greylist_milter_t) + +sysnet_read_config(greylist_milter_t) + + + optional_policy(` + mysql_stream_connect(greylist_milter_t) +@@ -79,30 +100,48 @@ optional_policy(` + + ######################################## + # +-# regex local policy ++# milter-regex local policy ++# filter emails using regular expressions ++# http://www.benzedrine.cx/milter-regex.html + # + ++# It removes any existing socket (not owned by root) whilst running as root ++# and then calls setgid() and setuid() to drop privileges + allow regex_milter_t self:capability { setuid setgid dac_override }; + ++# The milter's socket directory lives under /var/spool + files_search_spool(regex_milter_t) + ++# Look up username for dropping privs ++auth_use_nsswitch(regex_milter_t) + -+optional_policy(` -+ mysql_stream_connect(greylist_milter_t) -+') -+ ++# Config is in /etc/mail/milter-regex.conf + mta_read_config(regex_milter_t) + ######################################## # - # milter-regex local policy -@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t) - corecmd_read_bin_symlinks(spamass_milter_t) - corecmd_search_bin(spamass_milter_t) +-# spamass local policy ++# spamass-milter local policy ++# pipe emails through SpamAssassin ++# http://savannah.nongnu.org/projects/spamass-milt/ + # + ++# The milter runs from /var/lib/spamass-milter + allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; ++files_search_var_lib(spamass_milter_t) + + 
kernel_read_system_state(spamass_milter_t) + ++# When used with -b or -B options, the milter invokes sendmail to send mail ++# to a spamtrap address, using popen() + corecmd_exec_shell(spamass_milter_t) ++corecmd_read_bin_symlinks(spamass_milter_t) ++corecmd_search_bin(spamass_milter_t) +-files_search_var_lib(spamass_milter_t) +auth_use_nsswitch(spamass_milter_t) -+ + mta_send_mail(spamass_milter_t) - # The main job of the milter is to pipe spam through spamc and act on the result ++# The main job of the milter is to pipe spam through spamc and act on the result + optional_policy(` + spamassassin_domtrans_client(spamass_milter_t) + ') diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -34126,35 +34029,13 @@ index 0000000..ecfd7be + userdom_read_user_home_content_files(mock_build_t) +') diff --git a/modemmanager.te b/modemmanager.te -index b3ace16..41f9aa5 100644 +index cb4c13d..14e8f87 100644 --- a/modemmanager.te 
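Review bot: The comment `# currently-supported milters are milter-greylist, milter-regex and spamass-milter` is kept on the new side of this hunk although the same hunk adds `dkim_milter_private_key_t` and a `# dkim-milter local policy` block for `dkim_milter_t`; it should read `# currently-supported milters are dkim-milter/opendkim, milter-greylist, milter-regex and spamass-milter`. The new side also turns upstream's `policy_module(milter, 1.4.2)` into `policy_module(milter, 1.4.0)`, moving the module version backwards while the module's content grows; the version should be at least upstream's and bumped for the added types. `allow dkim_milter_t self:capability { kill setgid setuid };` has no why-comment, whereas the greylist and regex blocks in this hunk each explain their setuid/setgid and dac_override needs; a line naming which daemon operations require `kill` and the privilege drop would keep the file consistent.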
+++ b/modemmanager.te -@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0) +@@ -31,8 +31,9 @@ files_read_etc_files(modemmanager_t) - type modemmanager_t; - type modemmanager_exec_t; --dbus_system_domain(modemmanager_t, modemmanager_exec_t) -+init_daemon_domain(modemmanager_t, modemmanager_exec_t) - typealias modemmanager_t alias ModemManager_t; - typealias modemmanager_exec_t alias ModemManager_exec_t; - -@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; - # ModemManager local policy - # - --allow modemmanager_t self:process signal; -+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; -+allow modemmanager_t self:process { getsched signal }; - allow modemmanager_t self:fifo_file rw_file_perms; - allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; - allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,13 +29,29 @@ dev_rw_modem(modemmanager_t) - - files_read_etc_files(modemmanager_t) - --term_use_unallocated_ttys(modemmanager_t) -+term_use_generic_ptys(modemmanager_t) -+term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t + term_use_generic_ptys(modemmanager_t) + term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) -miscfiles_read_localization(modemmanager_t) @@ -34162,30 +34043,11 @@ index b3ace16..41f9aa5 100644 logging_send_syslog_msg(modemmanager_t) --networkmanager_dbus_chat(modemmanager_t) -+optional_policy(` -+ dbus_system_domain(modemmanager_t, modemmanager_exec_t) -+') -+ -+optional_policy(` -+ networkmanager_dbus_chat(modemmanager_t) -+') -+ -+optional_policy(` -+ devicekit_dbus_chat_power(modemmanager_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(modemmanager_t) -+') - - optional_policy(` - udev_read_db(modemmanager_t) diff --git a/mojomojo.if b/mojomojo.if -index 657a9fc..7022903 100644 +index 73952f4..80e26d2 100644 --- a/mojomojo.if 
+++ b/mojomojo.if -@@ -10,27 +10,26 @@ +@@ -10,12 +10,6 @@ ## Domain allowed access. ## ## @@ -34197,61 +34059,30 @@ index 657a9fc..7022903 100644 -## # interface(`mojomojo_admin',` - gen_require(` -- type httpd_mojomojo_script_t; -- type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; -- type httpd_mojomojo_rw_content_t; -- type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; -+ type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; -+ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; -+ type httpd_mojomojo_script_exec_t, httpd_mojomo_script_t; - ') - -- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; -+ allow $1 httpd_mojomojo_script_t:process signal_perms; - ps_process_pattern($1, httpd_mojomojo_script_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_mojomo_script_t:process ptrace; -+ ') -+ -+ files_list_tmp($1) -+ admin_pattern($1, httpd_mojomojo_tmp_t) - -- files_search_var_lib(httpd_mojomojo_script_t) -+ files_list_var_lib(httpd_mojomojo_script_t) - -- apache_search_sys_content($1) -+ apache_list_sys_content($1) - admin_pattern($1, httpd_mojomojo_script_exec_t) - admin_pattern($1, httpd_mojomojo_script_t) - admin_pattern($1, httpd_mojomojo_content_t) + refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') diff --git a/mojomojo.te b/mojomojo.te -index 83f002c..d09878d 100644 +index 7e534cf..3652584 100644 --- a/mojomojo.te 
+++ b/mojomojo.te -@@ -5,32 +5,42 @@ policy_module(mojomojo, 1.0.0) +@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1) # Declarations # -apache_content_template(mojomojo) -+ +type httpd_mojomojo_tmp_t; +files_tmp_file(httpd_mojomojo_tmp_t) ######################################## # - # mojomojo local policy + # Local policy # -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +optional_policy(` + apache_content_template(mojomojo) --corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) --corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) +-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) --corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) --corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) + allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; @@ -34270,14 +34101,9 @@ index 83f002c..d09878d 100644 -mta_send_mail(httpd_mojomojo_script_t) + files_search_var_lib(httpd_mojomojo_script_t) - --optional_policy(` -- mysql_stream_connect(httpd_mojomojo_script_t) --') ++ + sysnet_dns_name_resolve(httpd_mojomojo_script_t) - --optional_policy(` -- postgresql_stream_connect(httpd_mojomojo_script_t) ++ + mta_send_mail(httpd_mojomojo_script_t) + + optional_policy(` 
@@ -34287,52 +34113,78 @@ index 83f002c..d09878d 100644 + optional_policy(` + postgresql_stream_connect(httpd_mojomojo_script_t) + ') - ') -diff --git a/mono.te b/mono.te -index dff0f12..ecab36d 100644 ---- a/mono.te -+++ b/mono.te -@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) - # Local policy - # - --allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; -+allow mono_t self:process { signal getsched execheap execmem execstack }; ++') +diff --git a/mongodb.te b/mongodb.te +index 4de8949..5c237c3 100644 +--- a/mongodb.te ++++ b/mongodb.te +@@ -54,8 +54,5 @@ corenet_tcp_bind_generic_node(mongod_t) + dev_read_sysfs(mongod_t) + dev_read_urand(mongod_t) - init_dbus_chat_script(mono_t) +-files_read_etc_files(mongod_t) +- + fs_getattr_all_fs(mongod_t) +-miscfiles_read_localization(mongod_t) diff --git a/monop.te b/monop.te -index 6647a35..f3b35e1 100644 +index 4462c0e..84944d1 100644 --- a/monop.te +++ b/monop.te -@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(monopd_t) +@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t) kernel_list_proc(monopd_t) kernel_read_proc_symlinks(monopd_t) -corenet_all_recvfrom_unlabeled(monopd_t) corenet_all_recvfrom_netlabel(monopd_t) corenet_tcp_sendrecv_generic_if(monopd_t) - corenet_udp_sendrecv_generic_if(monopd_t) -@@ -65,8 +64,6 @@ fs_search_auto_mountpoints(monopd_t) + corenet_tcp_sendrecv_generic_node(monopd_t) +@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t) + + domain_use_interactive_fds(monopd_t) + +-files_read_etc_files(monopd_t) +- + fs_getattr_all_fs(monopd_t) + fs_search_auto_mountpoints(monopd_t) logging_send_syslog_msg(monopd_t) -miscfiles_read_localization(monopd_t) - - sysnet_read_config(monopd_t) + sysnet_dns_name_resolve(monopd_t) userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 3a73e74..0fa08be 100644 +index 6ffaba2..0fa08be 100644 --- a/mozilla.fc 
+++ b/mozilla.fc -@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 - HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -1,38 +1,58 @@ +-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +- +-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) +- +-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? 
gen_context(system_u:object_r:mozilla_home_t,s0) - HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
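Review bot: In mongodb.te and monop.te the new patch removes `files_read_etc_files(mongod_t)`, `files_read_etc_files(monopd_t)` and both `miscfiles_read_localization()` calls from the upstream modules without adding anything in their place. That is only safe if the accompanying base policy grants /etc and locale reads to every domain; nothing in this hunk records that, and if the base change is missing the daemons fail at runtime with AVC denials rather than at build time. A one-line comment at the removal site in each .te, e.g. `# /etc and localization reads are granted to all domains by the base policy`, would document the dependency for the next rebase.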
@@ -34342,40 +34194,55 @@ index 3a73e74..0fa08be 100644 +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - - # - # /bin -@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++ ++# ++# /bin ++# ++/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - +-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +- +-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) +-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ +ifdef(`distro_redhat',` +/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + /usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +') + - ifdef(`distro_debian',` - /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) - ') -@@ -23,11 +39,20 @@ ifdef(`distro_debian',` - # - # /lib - # --/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ifdef(`distro_debian',` ++/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++') ++ ++# ++# /lib ++# + +/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) --/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) --/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) --/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) --/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) --/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) + +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) @@ -34386,49 +34253,228 @@ index 3a73e74..0fa08be 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..cccec7e 100644 +index 6194b80..cccec7e 100644 --- a/mozilla.if 
+++ b/mozilla.if -@@ -18,10 +18,11 @@ +@@ -1,146 +1,76 @@ +-## Policy for Mozilla and related web browsers. ++## Policy for Mozilla and related web browsers + + ######################################## + ## +-## Role access for mozilla. ++## Role access for mozilla + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # interface(`mozilla_role',` gen_require(` type mozilla_t, mozilla_exec_t, mozilla_home_t; +- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; +- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; + #attribute_role mozilla_roles; ') -- roleattribute $1 mozilla_roles; +- ######################################## +- # +- # Declarations +- # + #roleattribute $1 mozilla_roles; + role $1 types mozilla_t; - domain_auto_trans($2, mozilla_exec_t, mozilla_t) - # Unrestricted inheritance from the caller. -@@ -47,7 +48,24 @@ interface(`mozilla_role',` - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - +- roleattribute $1 mozilla_roles; +- +- ######################################## +- # +- # Policy +- # +- +- domtrans_pattern($2, mozilla_exec_t, mozilla_t) ++ domain_auto_trans($2, mozilla_exec_t, mozilla_t) ++ # Unrestricted inheritance from the caller. ++ allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; ++ allow mozilla_t $2:fd use; ++ allow mozilla_t $2:process { sigchld signull }; ++ allow mozilla_t $2:unix_stream_socket connectto; + +- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; ++ # Allow the user domain to signal/ps. 
+ ps_process_pattern($2, mozilla_t) +- +- allow mozilla_t $2:process signull; +- allow mozilla_t $2:unix_stream_socket connectto; ++ allow $2 mozilla_t:process signal_perms; + + allow $2 mozilla_t:fd use; +- allow $2 mozilla_t:shm rw_shm_perms; +- +- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) ++ allow $2 mozilla_t:shm { associate getattr }; ++ allow $2 mozilla_t:shm { unix_read unix_write }; ++ allow $2 mozilla_t:unix_stream_socket connectto; + +- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") ++ # X access, Home files ++ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + +- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") + #should be remove then with adding of roleattribute + mozilla_run_plugin(mozilla_t, $1) - mozilla_dbus_chat($2) -+ ++ mozilla_dbus_chat($2) + +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $2 { mozilla_tmpfs_t 
mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + userdom_manage_tmp_role($1, mozilla_t) -+ -+ optional_policy(` + + optional_policy(` +- mozilla_dbus_chat($2) + nsplugin_role($1, mozilla_t) -+ ') -+ + ') +-') + +-######################################## +-## +-## Role access for mozilla plugin. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`mozilla_role_plugin',` +- gen_require(` +- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; +- type mozilla_home_t; + optional_policy(` + pulseaudio_role($1, mozilla_t) + pulseaudio_filetrans_admin_home_content(mozilla_t) + pulseaudio_filetrans_home_content(mozilla_t) -+ ') -+ + ') + +- mozilla_run_plugin($2, $1) +- mozilla_run_plugin_config($2, $1) +- +- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; +- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) +- +- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; +- allow $2 mozilla_plugin_t:fd use; +- +- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) +- +- allow mozilla_plugin_t $2:process signull; +- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; +- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; +- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; +- allow mozilla_plugin_t $2:sem create_sem_perms; +- +- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; +- allow $2 
mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") +- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") +- +- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + mozilla_filetrans_home_content($2) -+ + +- allow $2 mozilla_plugin_rw_t:dir list_dir_perms; +- allow $2 mozilla_plugin_rw_t:file read_file_perms; +- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +- can_exec($2, mozilla_plugin_rw_t) +- +- optional_policy(` +- mozilla_dbus_chat_plugin($2) +- ') + ') + + ######################################## + ## +-## Read mozilla home directory content. ++## Read mozilla home directory content + ## + ## + ## +@@ -153,15 +83,15 @@ interface(`mozilla_read_user_home_files',` + type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; ++ userdom_search_user_home_dirs($1) + ') + + ######################################## + ## +-## Write mozilla home directory files. 
++## Write mozilla home directory content + ## + ## + ## +@@ -174,14 +104,13 @@ interface(`mozilla_write_user_home_files',` + type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) + write_files_pattern($1, mozilla_home_t, mozilla_home_t) ++ userdom_search_user_home_dirs($1) ') ######################################## -@@ -105,7 +123,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` + ## +-## Do not audit attempts to read and +-## write mozilla home directory files. ++## Dontaudit attempts to read/write mozilla home directory content + ## + ## + ## +@@ -194,14 +123,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') 
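Review bot: mozilla_role() on the new side keeps commented-out policy inside the interface — `#attribute_role mozilla_roles;` in gen_require and `#roleattribute $1 mozilla_roles;` — plus the comment `#should be remove then with adding of roleattribute` above `mozilla_run_plugin(mozilla_t, $1)`, which reads as an unfinished migration rather than a decision. Replace the dead lines with one comment stating the intent, e.g. `# role attribute not used here: the role is granted directly and the plugin domains are attached via mozilla_run_plugin()`. The two rules `allow $2 mozilla_t:shm { associate getattr };` and `allow $2 mozilla_t:shm { unix_read unix_write };` can be a single rule, and the `# X access, Home files` comment sits above rules that only touch mozilla_home_t, so "X access" is misleading there.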
@@ -34437,17 +34483,125 @@ index b397fde..cccec7e 100644 ') ######################################## -@@ -193,11 +211,35 @@ interface(`mozilla_domtrans',` + ## +-## Do not audit attempt to Create, +-## read, write, and delete mozilla +-## home directory content. ++## Dontaudit attempts to write mozilla home directory content + ## + ## + ## +@@ -216,12 +143,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; +- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; + ') + + ######################################## + ## +-## Execute mozilla home directory files. (Deprecated) ++## Execute mozilla home directory content. + ## + ## + ## +@@ -230,33 +156,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',` + ## + # + interface(`mozilla_exec_user_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.') +- mozilla_exec_user_plugin_home_files($1) +-') +- +-######################################## +-## +-## Execute mozilla plugin home directory files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mozilla_exec_user_plugin_home_files',` + gen_require(` +- type mozilla_home_t, mozilla_plugin_home_t; ++ type mozilla_home_t; + ') + +- userdom_search_user_home_dirs($1) +- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) ++ can_exec($1, mozilla_home_t) + ') + + ######################################## + ## +-## Mozilla home directory file +-## text relocation. (Deprecated) ++## Execmod mozilla home directory content. 
+ ## + ## + ## +@@ -265,27 +174,11 @@ interface(`mozilla_exec_user_plugin_home_files',` + ## + # + interface(`mozilla_execmod_user_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.') +- mozilla_execmod_user_plugin_home_files($1) +-') +- +-######################################## +-## +-## Mozilla plugin home directory file +-## text relocation. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mozilla_execmod_user_plugin_home_files',` + gen_require(` +- type mozilla_plugin_home_t; ++ type mozilla_home_t; + ') + +- allow $1 mozilla_plugin_home_t:file execmod; ++ allow $1 mozilla_home_t:file execmod; + ') + + ######################################## +@@ -303,102 +196,102 @@ interface(`mozilla_domtrans',` + type mozilla_t, mozilla_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, mozilla_exec_t, mozilla_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run mozilla plugin. ++## Execute a domain transition to run mozilla_plugin. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## # interface(`mozilla_domtrans_plugin',` gen_require(` -- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; -+ type mozilla_plugin_t, mozilla_plugin_exec_t; + type mozilla_plugin_t, mozilla_plugin_exec_t; + type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; + type mozilla_plugin_rw_t; - class dbus send_msg; ++ class dbus send_msg; ') +- corecmd_search_bin($1) domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; 
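Review bot: The new-side bodies `can_exec($1, mozilla_home_t)` in mozilla_exec_user_home_files() and `allow $1 mozilla_home_t:file execmod;` in mozilla_execmod_user_home_files() cover the whole mozilla_home_t label, and mozilla.fc in this commit folds the former plugin directories (~/.adobe, ~/.macromedia, ~/.gnash, ~/.java, ~/.ICAClient and others) into that same type. Callers therefore receive execute and text-relocation rights over every file under those directories, a wider grant than the summaries "Execute mozilla home directory content" / "Execmod mozilla home directory content" convey. Make the scope explicit, e.g. `## Execute mozilla home directory content (mozilla_home_t, which in this policy also labels plugin directories such as ~/.adobe and ~/.java).` The mozilla_dontaudit_manage_user_home_files() summary `Dontaudit attempts to write mozilla home directory content` likewise undersells a body that dontaudits manage_dir_perms and manage_file_perms.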
@@ -34471,33 +34625,99 @@ index b397fde..cccec7e 100644 + allow $1 mozilla_plugin_t:dbus send_msg; + allow mozilla_plugin_t $1:dbus send_msg; + - allow mozilla_plugin_t $1:process signull; ++ allow mozilla_plugin_t $1:process signull; ') -@@ -224,6 +266,32 @@ interface(`mozilla_run_plugin',` + ######################################## + ## +-## Execute mozilla plugin in the +-## mozilla plugin domain, and allow +-## the specified role the mozilla +-## plugin domain. ++## Execute mozilla_plugin in the mozilla_plugin domain, and ++## allow the specified role the mozilla_plugin domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access + ## + ## + ## + ## +-## Role allowed access. ++## The role to be allowed the mozilla_plugin domain. + ## + ## + # + interface(`mozilla_run_plugin',` + gen_require(` +- attribute_role mozilla_plugin_roles; ++ type mozilla_plugin_t; + ') mozilla_domtrans_plugin($1) - role $2 types mozilla_plugin_t; +- roleattribute $2 mozilla_plugin_roles; ++ role $2 types mozilla_plugin_t; + role $2 types mozilla_plugin_config_t; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Execute a domain transition to +-## run mozilla plugin config. +## Execute qemu unconfined programs in the role. -+## -+## + ## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`mozilla_domtrans_plugin_config',` +- gen_require(` +- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; +- ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) +-') +- +-######################################## +-## +-## Execute mozilla plugin config in +-## the mozilla plugin config domain, +-## and allow the specified role the +-## mozilla plugin config domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## + ## +-## +-## Role allowed access. +-## +## +## The role to allow the mozilla_plugin domain. 
+## -+## + ## +## -+# + # +-interface(`mozilla_run_plugin_config',` +- gen_require(` +- attribute_role mozilla_plugin_config_roles; +- ') +interface(`mozilla_role_plugin',` + gen_require(` + type mozilla_plugin_t; + type mozilla_plugin_config_t; + ') -+ + +- mozilla_domtrans_plugin_config($1) +- roleattribute $2 mozilla_plugin_config_roles; + role $1 types mozilla_plugin_t; + role $1 types mozilla_plugin_config_t; + 
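Review bot: mozilla_run_plugin() on the new side executes `role $2 types mozilla_plugin_config_t;` but its gen_require now declares only `type mozilla_plugin_t;` (the `attribute_role mozilla_plugin_roles` require is replaced, not extended). Interfaces are expanded in the calling module, so a caller outside the mozilla module will presumably fail to build against the undeclared type; change the require to `type mozilla_plugin_t, mozilla_plugin_config_t;`. The summary of the new mozilla_role_plugin() interface reads `## Execute qemu unconfined programs in the role.`, a copy-paste from another module; it should describe this interface, e.g. `## Allow the specified role the mozilla_plugin and mozilla_plugin_config domains.` mozilla_role_plugin()'s body continues past the end of the hunk.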
@@ -34507,69 +34727,107 @@ index b397fde..cccec7e 100644 ') ######################################## -@@ -265,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',` - allow $1 mozilla_t:tcp_socket rw_socket_perms; +@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',` + + ######################################## + ## +-## Send and receive messages from +-## mozilla plugin over dbus. ++## read/write mozilla per user tcp_socket + ## + ## + ## +@@ -433,76 +325,90 @@ interface(`mozilla_dbus_chat',` + ## + ## + # +-interface(`mozilla_dbus_chat_plugin',` ++interface(`mozilla_rw_tcp_sockets',` + gen_require(` +- type mozilla_plugin_t; +- class dbus send_msg; ++ type mozilla_t; + ') + +- allow $1 mozilla_plugin_t:dbus send_msg; +- allow mozilla_plugin_t $1:dbus send_msg; ++ allow $1 mozilla_t:tcp_socket rw_socket_perms; ') +-######################################## +####################################### -+## + ## +-## Read and write mozilla TCP sockets. +## Read mozilla_plugin tmpfs files -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access +## -+## -+# + ## + # +-interface(`mozilla_rw_tcp_sockets',` +- gen_require(` +- type mozilla_t; +- ') +interface(`mozilla_plugin_read_tmpfs_files',` + gen_require(` + type mozilla_plugin_tmpfs_t; + ') -+ + +- allow $1 mozilla_t:tcp_socket rw_socket_perms; + allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; -+') -+ + ') + ######################################## ## --## Read mozilla_plugin tmpfs files +-## Create, read, write, and delete +-## mozilla plugin rw files. +## Delete mozilla_plugin tmpfs files ## ## ## -@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',` +-## Domain allowed access. 
++## Domain allowed access ## ## # --interface(`mozilla_plugin_read_tmpfs_files',` +-interface(`mozilla_manage_plugin_rw_files',` +interface(`mozilla_plugin_delete_tmpfs_files',` gen_require(` - type mozilla_plugin_tmpfs_t; +- type mozilla_plugin_rw_t; ++ type mozilla_plugin_tmpfs_t; ') -- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; +- libs_search_lib($1) +- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; ') ######################################## ## --## Delete mozilla_plugin tmpfs files +-## Read mozilla_plugin tmpfs files. +## Dontaudit read/write to a mozilla_plugin leaks ## ## ## --## Domain allowed access +-## Domain allowed access. +## Domain to not audit. ## ## # --interface(`mozilla_plugin_delete_tmpfs_files',` +-interface(`mozilla_plugin_read_tmpfs_files',` +interface(`mozilla_plugin_dontaudit_leaks',` gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; ') -- allow $1 mozilla_plugin_tmpfs_t:file unlink; +- fs_search_tmpfs($1) +- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') + 
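Review bot: The rewritten mozilla_plugin_read_tmpfs_files() and mozilla_plugin_delete_tmpfs_files() keep only the file rule (`allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;` / `delete_file_perms`) and drop the `fs_search_tmpfs($1)` call the upstream bodies they replace carried. Without search on the tmpfs directories a caller that does not already hold it cannot reach the files, so the interfaces grant less than their summaries say; restore `fs_search_tmpfs($1)` ahead of each allow. The same omission applies in the next hunk to mozilla_plugin_manage_rw_files() and mozilla_plugin_read_rw_files(), whose upstream counterpart called `libs_search_lib($1)` before touching mozilla_plugin_rw_t (labelled under /usr/lib in mozilla.fc).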
@@ -34590,62 +34848,93 @@ index b397fde..cccec7e 100644 + + dontaudit $1 mozilla_plugin_tmp_t:file { read write }; ') -+ -+######################################## -+## + + ######################################## + ## +-## Delete mozilla_plugin tmpfs files. +## Create, read, write, and delete +## mozilla_plugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -510,19 +416,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` + ## + ## + # +-interface(`mozilla_plugin_delete_tmpfs_files',` +interface(`mozilla_plugin_manage_rw_files',` -+ gen_require(` + gen_require(` +- type mozilla_plugin_tmpfs_t; + type mozilla_plugin_rw_t; -+ ') -+ + ') + +- fs_search_tmpfs($1) +- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; + allow $1 mozilla_plugin_rw_t:file manage_file_perms; + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## generic mozilla plugin home content. +## read mozilla_plugin rw files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -530,45 +435,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',` + ## + ## + # +-interface(`mozilla_manage_generic_plugin_home_content',` +interface(`mozilla_plugin_read_rw_files',` -+ gen_require(` + gen_require(` +- type mozilla_plugin_home_t; + type mozilla_plugin_rw_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 mozilla_plugin_home_t:dir manage_dir_perms; +- allow $1 mozilla_plugin_home_t:file manage_file_perms; +- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; +- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; +- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic mozilla +-## plugin home type. +## Create mozilla content in the user home directory +## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`mozilla_home_filetrans_plugin_home',` +interface(`mozilla_filetrans_home_content',` + -+ gen_require(` + gen_require(` +- type mozilla_plugin_home_t; + type mozilla_home_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") 
@@ -34661,29 +34950,43 @@ index b397fde..cccec7e 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") -+') + ') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..8cf0087 100644 +index 6a306ee..8247246 100644 --- a/mozilla.te +++ b/mozilla.te -@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) +@@ -1,4 +1,4 @@ +-policy_module(mozilla, 2.7.4) ++policy_module(mozilla, 2.6.0) + + ######################################## + # +@@ -6,23 +6,38 @@ policy_module(mozilla, 2.7.4) + # ## - ##

    +-##

    +-## Determine whether mozilla can +-## make its stack executable. +-##

    ++##

    +## Allow mozilla plugin domain to connect to the network using TCP. +##

    -+##
    -+gen_tunable(mozilla_plugin_can_network_connect, false) -+ -+## -+##

    - ## Allow confined web browsers to read home directory content - ##

    ##
    - gen_tunable(mozilla_read_content, false) +-gen_tunable(mozilla_execstack, false) ++gen_tunable(mozilla_plugin_can_network_connect, false) -attribute_role mozilla_roles; +-attribute_role mozilla_plugin_roles; +-attribute_role mozilla_plugin_config_roles; ++## ++##

    ++## Allow confined web browsers to read home directory content ++##

    ++##
    ++gen_tunable(mozilla_read_content, false) ++ +## +##

    +## Allow mozilla_plugins to create random content in the users home directory @@ -34701,14 +35004,22 @@ index d4fcb75..8cf0087 100644 -role mozilla_roles types mozilla_t; +#role mozilla_roles types mozilla_t; +role system_r types mozilla_t; ++ ++type mozilla_conf_t; ++files_config_file(mozilla_conf_t) + + type mozilla_home_t; + typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; +@@ -31,29 +46,26 @@ userdom_user_home_content(mozilla_home_t) - type mozilla_conf_t; - files_config_file(mozilla_conf_t) -@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; - application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) --role mozilla_roles types mozilla_plugin_t; +-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +-role mozilla_plugin_roles types mozilla_plugin_t; +- +-type mozilla_plugin_home_t; +-userdom_user_home_content(mozilla_plugin_home_t) ++application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +#role mozilla_roles types mozilla_plugin_t; +role system_r types mozilla_plugin_t; 
@@ -34720,44 +35031,174 @@ index d4fcb75..8cf0087 100644 +userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) -+type mozilla_plugin_rw_t; -+files_type(mozilla_plugin_rw_t) -+ -+type mozilla_plugin_config_t; -+type mozilla_plugin_config_exec_t; +-optional_policy(` +- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) +-') +- + type mozilla_plugin_rw_t; + files_type(mozilla_plugin_rw_t) + + type mozilla_plugin_config_t; + type mozilla_plugin_config_exec_t; +-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +-role mozilla_plugin_config_roles types mozilla_plugin_config_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +#role mozilla_roles types mozilla_plugin_config_t; +role system_r types mozilla_plugin_config_t; -+ + type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) +@@ -63,10 +75,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys + typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; + userdom_user_tmpfs_file(mozilla_tmpfs_t) -@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t) +-optional_policy(` +- pulseaudio_tmpfs_content(mozilla_tmpfs_t) +-') +- + ######################################## + # + # Local policy +@@ -75,23 +83,26 @@ optional_policy(` + allow mozilla_t self:capability { sys_nice setgid setuid }; + allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; + allow mozilla_t self:fifo_file rw_fifo_file_perms; +-allow mozilla_t self:shm create_shm_perms; ++allow mozilla_t self:shm { unix_read unix_write read write destroy create }; + allow mozilla_t self:sem create_sem_perms; + allow mozilla_t self:socket create_socket_perms; +-allow mozilla_t self:unix_stream_socket { accept listen }; ++allow mozilla_t self:unix_stream_socket { listen accept }; ++# Browse the web, connect to printer ++allow mozilla_t self:tcp_socket create_socket_perms; ++allow mozilla_t 
self:netlink_route_socket r_netlink_socket_perms; + +-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; +-allow mozilla_t mozilla_plugin_t:fd use; ++# for bash - old mozilla binary ++can_exec(mozilla_t, mozilla_exec_t) + +-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; +-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; +-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape") +-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix") ++# X access, Home files ++manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) ++userdom_search_user_home_dirs(mozilla_t) ++userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) + +-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") ++# Mozpluggerrc ++allow mozilla_t mozilla_conf_t:file read_file_perms; + + manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) + manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) +@@ -103,76 +114,70 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) + +-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; +-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) +- +-can_exec(mozilla_t, { mozilla_exec_t 
mozilla_plugin_rw_t mozilla_plugin_home_t }) +- + kernel_read_kernel_sysctls(mozilla_t) + kernel_read_network_state(mozilla_t) ++# Access /proc, sysctl + kernel_read_system_state(mozilla_t) + kernel_read_net_sysctls(mozilla_t) + ++# Look for plugins + corecmd_list_bin(mozilla_t) ++# for bash - old mozilla binary + corecmd_exec_shell(mozilla_t) corecmd_exec_bin(mozilla_t) - # Browse the web, connect to printer -corenet_all_recvfrom_unlabeled(mozilla_t) ++# Browse the web, connect to printer corenet_all_recvfrom_netlabel(mozilla_t) corenet_tcp_sendrecv_generic_if(mozilla_t) - corenet_raw_sendrecv_generic_if(mozilla_t) -@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) ++corenet_raw_sendrecv_generic_if(mozilla_t) + corenet_tcp_sendrecv_generic_node(mozilla_t) +- +-corenet_sendrecv_http_client_packets(mozilla_t) +-corenet_tcp_connect_http_port(mozilla_t) ++corenet_raw_sendrecv_generic_node(mozilla_t) + corenet_tcp_sendrecv_http_port(mozilla_t) +- +-corenet_sendrecv_http_cache_client_packets(mozilla_t) +-corenet_tcp_connect_http_cache_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) +- +-corenet_sendrecv_squid_client_packets(mozilla_t) +-corenet_tcp_connect_squid_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) +- +-corenet_sendrecv_ftp_client_packets(mozilla_t) +-corenet_tcp_connect_ftp_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) +- +-corenet_sendrecv_ipp_client_packets(mozilla_t) +-corenet_tcp_connect_ipp_port(mozilla_t) +corenet_tcp_connect_all_ephemeral_ports(mozilla_t) corenet_tcp_sendrecv_ipp_port(mozilla_t) - corenet_tcp_connect_http_port(mozilla_t) - corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) +- +-corenet_sendrecv_soundd_client_packets(mozilla_t) ++corenet_tcp_connect_http_port(mozilla_t) ++corenet_tcp_connect_http_cache_port(mozilla_t) ++corenet_tcp_connect_squid_port(mozilla_t) ++corenet_tcp_connect_ftp_port(mozilla_t) 
++corenet_tcp_connect_ipp_port(mozilla_t) ++corenet_tcp_connect_generic_port(mozilla_t) + corenet_tcp_connect_soundd_port(mozilla_t) +-corenet_tcp_sendrecv_soundd_port(mozilla_t) +- +-corenet_sendrecv_speech_client_packets(mozilla_t) ++corenet_sendrecv_http_client_packets(mozilla_t) ++corenet_sendrecv_http_cache_client_packets(mozilla_t) ++corenet_sendrecv_squid_client_packets(mozilla_t) ++corenet_sendrecv_ftp_client_packets(mozilla_t) ++corenet_sendrecv_ipp_client_packets(mozilla_t) ++corenet_sendrecv_generic_client_packets(mozilla_t) ++# Should not need other ports ++corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) ++corenet_dontaudit_tcp_bind_generic_port(mozilla_t) + corenet_tcp_connect_speech_port(mozilla_t) +-corenet_tcp_sendrecv_speech_port(mozilla_t) + +-dev_getattr_sysfs_dirs(mozilla_t) +-dev_read_sound(mozilla_t) +-dev_read_rand(mozilla_t) + dev_read_urand(mozilla_t) +-dev_rw_dri(mozilla_t) ++dev_read_rand(mozilla_t) + dev_write_sound(mozilla_t) ++dev_read_sound(mozilla_t) ++dev_dontaudit_rw_dri(mozilla_t) ++dev_getattr_sysfs_dirs(mozilla_t) + + domain_dontaudit_read_all_domains_state(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) --files_read_etc_files(mozilla_t) - # /var/lib +-files_read_var_files(mozilla_t) ++# /var/lib files_read_var_lib_files(mozilla_t) - # interacting with gstreamer -@@ -151,42 +177,34 @@ files_dontaudit_getattr_boot_dirs(mozilla_t) - fs_dontaudit_getattr_all_fs(mozilla_t) ++# interacting with gstreamer ++files_read_var_files(mozilla_t) + files_read_var_symlinks(mozilla_t) + files_dontaudit_getattr_boot_dirs(mozilla_t) + +-fs_getattr_all_fs(mozilla_t) ++fs_dontaudit_getattr_all_fs(mozilla_t) fs_search_auto_mountpoints(mozilla_t) fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) 
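Review bot: `++corenet_tcp_connect_generic_port(mozilla_t)` and `+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)` give the browser domain outbound connect to every unlabeled and ephemeral TCP port, which contradicts the `++# Should not need other ports` comment two lines later and makes the enumerated http/http_cache/squid/ftp/ipp connect rules redundant. If the intent is to confine the browser to web, proxy and print ports, drop those two lines; if broad connect is deliberate (users do type arbitrary ports into URLs), change the comment to say so, e.g. `# Users reach arbitrary ports via URLs; generic/ephemeral connect is intentional`, and the `corenet_dontaudit_tcp_sendrecv_generic_port` line below it becomes pointless. The rewrite `++allow mozilla_t self:shm { unix_read unix_write read write destroy create };` appears to narrow `create_shm_perms` (presumably dropping getattr/setattr/associate); a short comment on why would keep it from being silently re-widened later.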
@@ -34765,94 +35206,241 @@ index d4fcb75..8cf0087 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -+auth_use_nsswitch(mozilla_t) -+ +@@ -181,56 +186,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) --# Browse the web, connect to printer --sysnet_dns_name_resolve(mozilla_t) -- -userdom_use_user_ptys(mozilla_t) +- +-userdom_manage_user_tmp_dirs(mozilla_t) +-userdom_manage_user_tmp_files(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) +-userdom_manage_user_home_content_dirs(mozilla_t) +-userdom_manage_user_home_content_files(mozilla_t) +-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) +- +-userdom_write_user_tmp_sockets(mozilla_t) +- -mozilla_run_plugin(mozilla_t, mozilla_roles) +-mozilla_run_plugin_config(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) --tunable_policy(`allow_execmem',` -- allow mozilla_t self:process { execmem execstack }; +-ifndef(`enable_mls',` +- fs_list_dos(mozilla_t) +- fs_read_dos_files(mozilla_t) +- +- fs_search_removable(mozilla_t) +- fs_read_removable_files(mozilla_t) +- fs_read_removable_symlinks(mozilla_t) +- +- fs_read_iso9660_files(mozilla_t) +tunable_policy(`selinuxuser_execstack',` + allow mozilla_t self:process execstack; ') +-tunable_policy(`allow_execmem',` ++tunable_policy(`deny_execmem',`',` + allow mozilla_t self:process execmem; + ') + +-tunable_policy(`mozilla_execstack',` +- allow mozilla_t self:process { execmem execstack }; +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) -+tunable_policy(`deny_execmem',`',` -+ allow mozilla_t self:process execmem; - ') - +-') 
+- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_t) - fs_manage_cifs_files(mozilla_t) - fs_manage_cifs_symlinks(mozilla_t) --') +userdom_home_manager(mozilla_t) ++ ++# Uploads, local html ++tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(mozilla_t) ++ files_list_home(mozilla_t) ++ fs_read_nfs_files(mozilla_t) ++ fs_read_nfs_symlinks(mozilla_t) ++ ++',` ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_auto_mountpoints(mozilla_t) ++ fs_dontaudit_read_nfs_files(mozilla_t) ++ fs_dontaudit_list_nfs(mozilla_t) ++') ++ ++tunable_policy(`mozilla_read_content && use_samba_home_dirs',` ++ fs_list_auto_mountpoints(mozilla_t) ++ files_list_home(mozilla_t) ++ fs_read_cifs_files(mozilla_t) ++ fs_read_cifs_symlinks(mozilla_t) ++',` ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_auto_mountpoints(mozilla_t) ++ fs_dontaudit_read_cifs_files(mozilla_t) ++ fs_dontaudit_list_cifs(mozilla_t) ++') ++ ++tunable_policy(`mozilla_read_content',` ++ userdom_list_user_tmp(mozilla_t) ++ userdom_read_user_tmp_files(mozilla_t) ++ userdom_read_user_tmp_symlinks(mozilla_t) ++ userdom_read_user_home_content_files(mozilla_t) ++ userdom_read_user_home_content_symlinks(mozilla_t) ++ ++ ifndef(`enable_mls',` ++ fs_search_removable(mozilla_t) ++ fs_read_removable_files(mozilla_t) ++ fs_read_removable_symlinks(mozilla_t) ++ ') ++',` ++ files_dontaudit_list_tmp(mozilla_t) ++ files_dontaudit_list_home(mozilla_t) ++ fs_dontaudit_list_removable(mozilla_t) ++ fs_dontaudit_read_removable_files(mozilla_t) ++ userdom_dontaudit_list_user_tmp(mozilla_t) ++ userdom_dontaudit_read_user_tmp_files(mozilla_t) ++ userdom_dontaudit_list_user_home_dirs(mozilla_t) ++ userdom_dontaudit_read_user_home_content_files(mozilla_t) + ') + + optional_policy(` +@@ -244,19 +266,12 @@ optional_policy(` + + optional_policy(` + cups_read_rw_config(mozilla_t) ++ cups_dbus_chat(mozilla_t) + ') + + optional_policy(` +- 
dbus_all_session_bus_client(mozilla_t) + dbus_system_bus_client(mozilla_t) +- +- optional_policy(` +- cups_dbus_chat(mozilla_t) +- ') +- +- optional_policy(` +- mozilla_dbus_chat_plugin(mozilla_t) +- ') ++ dbus_session_bus_client(mozilla_t) + + optional_policy(` + networkmanager_dbus_chat(mozilla_t) +@@ -265,33 +280,32 @@ optional_policy(` - # Uploads, local html - tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -263,6 +281,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) - gnome_manage_config(mozilla_t) +- gnome_manage_generic_gconf_home_content(mozilla_t) +- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") +- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") +- gnome_manage_generic_home_content(mozilla_t) +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome") +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2") +- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ') optional_policy(` -@@ -283,7 +302,8 @@ optional_policy(` +- java_exec(mozilla_t) +- java_manage_generic_home_content(mozilla_t) +- java_home_filetrans_java_home(mozilla_t, dir, ".java") ++ java_domtrans(mozilla_t) ') optional_policy(` -- pulseaudio_role(mozilla_roles, mozilla_t) +- lpd_run_lpr(mozilla_t, mozilla_roles) ++ lpd_domtrans_lpr(mozilla_t) + ') + + optional_policy(` +- mplayer_exec(mozilla_t) +- mplayer_manage_generic_home_content(mozilla_t) +- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) + ') + + optional_policy(` +- pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) ++ pulseaudio_stream_connect(mozilla_t) ++ 
pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +317,102 @@ optional_policy(` - # mozilla_plugin local policy + + optional_policy(` +@@ -300,63 +314,53 @@ optional_policy(` + + ######################################## + # +-# Plugin local policy ++# mozilla_plugin local policy # --dontaudit mozilla_plugin_t self:capability { sys_ptrace }; --allow mozilla_plugin_t self:process { setsched signal_perms execmem }; +-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; +-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; --allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_tty_config }; + +allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; - allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; - allow mozilla_plugin_t self:udp_socket create_socket_perms; --allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; ++allow mozilla_plugin_t self:udp_socket create_socket_perms; allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; + allow mozilla_plugin_t self:sem create_sem_perms; allow mozilla_plugin_t self:shm create_shm_perms; +-allow mozilla_plugin_t self:tcp_socket { accept listen }; +-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; +- +-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; +-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; +-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; +-allow mozilla_plugin_t mozilla_t:sem create_sem_perms; +- +-manage_dirs_pattern(mozilla_plugin_t, { 
mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) +-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +- +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix") +- +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient") +-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata") +- +-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +allow mozilla_plugin_t self:msgq create_msgq_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +allow mozilla_plugin_t self:unix_dgram_socket sendto; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; - - can_exec(mozilla_plugin_t, mozilla_home_t) --read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) ++ ++can_exec(mozilla_plugin_t, mozilla_home_t) +manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) 
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) @@ -34877,19 +35465,22 @@ index d4fcb75..8cf0087 100644 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) -+ -+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; + + allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; +-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - can_exec(mozilla_plugin_t, mozilla_exec_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- +-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) ++can_exec(mozilla_plugin_t, mozilla_exec_t) --kernel_read_kernel_sysctls(mozilla_plugin_t) -+kernel_read_all_sysctls(mozilla_plugin_t) + kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) - kernel_read_network_state(mozilla_plugin_t) - kernel_request_load_module(mozilla_plugin_t) -+kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +@@ -366,155 +370,110 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) 
@@ -34899,29 +35490,73 @@ index d4fcb75..8cf0087 100644 -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) -+corenet_tcp_connect_asterisk_port(mozilla_plugin_t) - corenet_tcp_connect_generic_port(mozilla_plugin_t) --corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) +- +-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) + corenet_tcp_connect_asterisk_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) +- +-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_generic_port(mozilla_plugin_t) +corenet_tcp_connect_flash_port(mozilla_plugin_t) -+corenet_tcp_connect_ftp_port(mozilla_plugin_t) + corenet_tcp_connect_ftp_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) +- +-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) +-corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) +- +-corenet_sendrecv_http_client_packets(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_http_port(mozilla_plugin_t) +- +-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) +corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) --corenet_tcp_connect_squid_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) +- +-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) +corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) -+corenet_tcp_connect_ircd_port(mozilla_plugin_t) -+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) +- +-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) + corenet_tcp_connect_ircd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) +- 
+-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t) + corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) +- +-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) +- +-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) +-corenet_tcp_connect_monopd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) +- +-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) +-corenet_tcp_connect_soundd_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) +- +-corenet_sendrecv_speech_client_packets(mozilla_plugin_t) +corenet_tcp_connect_msnp_port(mozilla_plugin_t) +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) -+corenet_tcp_connect_squid_port(mozilla_plugin_t) -+corenet_tcp_connect_streaming_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) +- +-corenet_sendrecv_squid_client_packets(mozilla_plugin_t) + corenet_tcp_connect_squid_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) +- +-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_rtsp_port(mozilla_plugin_t) +corenet_tcp_connect_soundd_port(mozilla_plugin_t) -+corenet_tcp_connect_tor_socks_port(mozilla_plugin_t) -+corenet_tcp_connect_vnc_port(mozilla_plugin_t) -+corenet_tcp_connect_commplex_port(mozilla_plugin_t) ++corenet_tcp_connect_tor_port(mozilla_plugin_t) + corenet_tcp_connect_vnc_port(mozilla_plugin_t) +-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) ++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t) +corenet_tcp_connect_couchdb_port(mozilla_plugin_t) +corenet_tcp_connect_monopd_port(mozilla_plugin_t) +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) 
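Review bot: `++corenet_tcp_connect_generic_port(mozilla_plugin_t)` and `+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)` are added unconditionally, so the long enumerated list in this hunk (flash, ftp, gatekeeper, ipsecnat, ircd, jabber, msnp, pulseaudio, speech, squid, ms_streaming, rtsp, soundd, tor, vnc, commplex_link, couchdb, monopd) is mostly documentation, and the `mozilla_plugin_can_network_connect` boolean declared earlier in this file with a default of false gates nothing here. Put the two broad rules under it and leave the named ports outside, which also matches the boolean's description: `tunable_policy(`mozilla_plugin_can_network_connect',` corenet_tcp_connect_generic_port(mozilla_plugin_t) corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) ')`. If the boolean is referenced in a part of the file I cannot see, a comment next to these lines pointing there would still help, because as written a reader concludes the plugin can reach any port regardless of the setting.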
@@ -34929,46 +35564,63 @@ index d4fcb75..8cf0087 100644 +corenet_udp_bind_generic_node(mozilla_plugin_t) +corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) +-dev_read_generic_usb_dev(mozilla_plugin_t) dev_read_rand(mozilla_plugin_t) +-dev_read_realtime_clock(mozilla_plugin_t) +-dev_read_sound(mozilla_plugin_t) +-dev_read_sysfs(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) +dev_read_generic_usb_dev(mozilla_plugin_t) dev_read_video_dev(mozilla_plugin_t) +-dev_write_sound(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) +-dev_rw_dri(mozilla_plugin_t) +dev_read_realtime_clock(mozilla_plugin_t) - dev_read_sysfs(mozilla_plugin_t) - dev_read_sound(mozilla_plugin_t) - dev_write_sound(mozilla_plugin_t) - # for nvidia driver ++dev_read_sysfs(mozilla_plugin_t) ++dev_read_sound(mozilla_plugin_t) ++dev_write_sound(mozilla_plugin_t) ++# for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) - dev_dontaudit_rw_dri(mozilla_plugin_t) +- +-dev_dontaudit_getattr_generic_files(mozilla_plugin_t) +-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) +-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) +-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) ++dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) + +-files_exec_usr_files(mozilla_plugin_t) +-files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) - files_list_mnt(mozilla_plugin_t) ++files_list_mnt(mozilla_plugin_t) +files_exec_usr_files(mozilla_plugin_t) +fs_rw_inherited_tmpfs_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) - fs_list_dos(mozilla_plugin_t) --fs_read_dos_files(mozilla_plugin_t) +-# fs_read_hugetlbfs_files(mozilla_plugin_t) +-fs_search_auto_mountpoints(mozilla_plugin_t) +- 
+-term_getattr_all_ttys(mozilla_plugin_t) +-term_getattr_all_ptys(mozilla_plugin_t) ++fs_list_dos(mozilla_plugin_t) +fs_read_noxattr_fs_files(mozilla_plugin_t) +fs_read_hugetlbfs_files(mozilla_plugin_t) -+application_exec(mozilla_plugin_t) - application_dontaudit_signull(mozilla_plugin_t) + application_exec(mozilla_plugin_t) ++application_dontaudit_signull(mozilla_plugin_t) auth_use_nsswitch(mozilla_plugin_t) +init_dontaudit_getattr_initctl(mozilla_plugin_t) +init_read_all_script_files(mozilla_plugin_t) + -+libs_exec_ld_so(mozilla_plugin_t) -+libs_exec_lib_files(mozilla_plugin_t) -+ + libs_exec_ld_so(mozilla_plugin_t) + libs_exec_lib_files(mozilla_plugin_t) + logging_send_syslog_msg(mozilla_plugin_t) -miscfiles_read_localization(mozilla_plugin_t) 
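Review bot: `libs_exec_ld_so(mozilla_plugin_t)` together with `libs_exec_lib_files(mozilla_plugin_t)` and `+files_exec_usr_files(mozilla_plugin_t)` let the plugin domain run the dynamic loader directly, and in general `ld.so <file>` will map and run an ELF image regardless of whether the file's own label is executable for the domain, so these lines weaken the per-type exec restrictions the rest of this policy relies on; each should carry a why-comment naming the plugin that needs it. `+init_read_all_script_files(mozilla_plugin_t)` is likewise unexplained — a browser plugin reading init scripts reads like an AVC-chasing addition rather than a requirement. `+corenet_udp_bind_generic_node(mozilla_plugin_t)` lets the plugin listen on UDP; the adjacent `+corenet_dontaudit_udp_bind_ssdp_port` hints at UPnP discovery, so a comment such as `# UPnP/SSDP discovery used by media plugins` would record the intent.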
@@ -34977,40 +35629,55 @@ index d4fcb75..8cf0087 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) --sysnet_dns_name_resolve(mozilla_plugin_t) +-userdom_manage_user_tmp_dirs(mozilla_plugin_t) +-userdom_manage_user_tmp_files(mozilla_plugin_t) - - term_getattr_all_ttys(mozilla_plugin_t) - term_getattr_all_ptys(mozilla_plugin_t) +-userdom_manage_user_home_content_dirs(mozilla_plugin_t) +-userdom_manage_user_home_content_files(mozilla_plugin_t) +-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) +- +-userdom_write_user_tmp_sockets(mozilla_plugin_t) ++term_getattr_all_ttys(mozilla_plugin_t) ++term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) - userdom_rw_user_tmpfs_files(mozilla_plugin_t) ++userdom_rw_user_tmpfs_files(mozilla_plugin_t) +userdom_delete_user_tmpfs_files(mozilla_plugin_t) userdom_dontaudit_use_user_terminals(mozilla_plugin_t) - userdom_manage_user_tmp_sockets(mozilla_plugin_t) - userdom_manage_user_tmp_dirs(mozilla_plugin_t) --userdom_read_user_tmp_files(mozilla_plugin_t) ++userdom_manage_user_tmp_sockets(mozilla_plugin_t) ++userdom_manage_user_tmp_dirs(mozilla_plugin_t) +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) +userdom_delete_user_tmp_files(mozilla_plugin_t) +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) +userdom_manage_home_certs(mozilla_plugin_t) - userdom_read_user_tmp_symlinks(mozilla_plugin_t) ++userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) -+ - userdom_read_user_home_content_files(mozilla_plugin_t) - userdom_read_user_home_content_symlinks(mozilla_plugin_t) -+userdom_read_home_certs(mozilla_plugin_t) -+userdom_read_home_audio_files(mozilla_plugin_t) --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_t self:process { execmem 
execstack }; +-ifndef(`enable_mls',` +- fs_list_dos(mozilla_plugin_t) +- fs_read_dos_files(mozilla_plugin_t) +- +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) +- +- fs_read_iso9660_files(mozilla_plugin_t) -') - --tunable_policy(`allow_execstack',` -- allow mozilla_plugin_t self:process { execstack }; +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_t self:process execmem; -') - +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_t self:process { execmem execstack }; +-') ++userdom_read_user_home_content_files(mozilla_plugin_t) ++userdom_read_user_home_content_symlinks(mozilla_plugin_t) ++userdom_read_home_certs(mozilla_plugin_t) ++userdom_read_home_audio_files(mozilla_plugin_t) + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) 
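Review bot: `+userdom_manage_home_certs(mozilla_plugin_t)` gives the plugin domain create/write/delete on the user's certificate store (if, as the interface name suggests, that is what the home certs type covers), while `++userdom_read_home_certs(mozilla_plugin_t)` a few lines later already provides the read access a plugin plausibly needs; a compromised plugin with write access there could add or replace trust material that the browser itself consults. Unless a specific plugin is known to write its own certificates, keep only the read interface and drop the manage one, or add a comment naming the plugin and the reason, e.g. `# smartcard/Citrix plugins write client certs under $HOME`. `+userdom_stream_connect(mozilla_plugin_t)` and `+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)` are similarly uncommented.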
@@ -35027,35 +35694,39 @@ index d4fcb75..8cf0087 100644 ') optional_policy(` -@@ -422,24 +483,39 @@ optional_policy(` +@@ -523,36 +482,43 @@ optional_policy(` + ') + optional_policy(` - dbus_system_bus_client(mozilla_plugin_t) - dbus_session_bus_client(mozilla_plugin_t) +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) ++ dbus_system_bus_client(mozilla_plugin_t) ++ dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) - dbus_read_lib_files(mozilla_plugin_t) ++ dbus_read_lib_files(mozilla_plugin_t) ') optional_policy(` -+ git_dontaudit_read_session_content_files(mozilla_plugin_t) -+') -+ -+ -+optional_policy(` - gnome_manage_config(mozilla_plugin_t) +- dbus_all_session_bus_client(mozilla_plugin_t) +- dbus_connect_all_session_bus(mozilla_plugin_t) +- dbus_system_bus_client(mozilla_plugin_t) ++ gnome_manage_config(mozilla_plugin_t) + gnome_read_usr_config(mozilla_plugin_t) + gnome_filetrans_home_content(mozilla_plugin_t) + gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` -- java_exec(mozilla_plugin_t) +- gnome_manage_generic_home_content(mozilla_plugin_t) +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") +- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') optional_policy(` -- mplayer_exec(mozilla_plugin_t) -- mplayer_read_user_home_files(mozilla_plugin_t) -+ java_exec(mozilla_plugin_t) + java_exec(mozilla_plugin_t) +- java_manage_generic_home_content(mozilla_plugin_t) +- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") ') +#optional_policy(` 
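Review bot: The `+#optional_policy(`` stub at the end of this hunk is commented-out policy; delete it rather than leaving a dead block (its closing `#')` is in the next hunk, so the block straddles the hunk boundary). `+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)` adds another execute-from-home path for the plugin domain and, like the other home exec rules in this file, needs a comment such as `# gstreamer registry helpers are generated under $HOME`. `+ dbus_connect_session_bus(mozilla_plugin_t)` is granted to the plugin rather than the browser, which is a broader attack surface than the `dbus_session_bus_client` line above it and should be stated explicitly in a comment.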
@@ -35063,114 +35734,173 @@ index d4fcb75..8cf0087 100644 +#') + optional_policy(` -- pcscd_stream_connect(mozilla_plugin_t) -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_filetrans_home_content(mozilla_plugin_t) -+ mplayer_manage_user_home_dirs(mozilla_plugin_t) -+ mplayer_manage_user_home_files(mozilla_plugin_t) +- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_manage_generic_home_content(mozilla_plugin_t) ++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ') optional_policy(` -@@ -447,10 +523,116 @@ optional_policy(` - pulseaudio_stream_connect(mozilla_plugin_t) - pulseaudio_setattr_home_dir(mozilla_plugin_t) - pulseaudio_manage_home_files(mozilla_plugin_t) +- mplayer_exec(mozilla_plugin_t) +- mplayer_manage_generic_home_content(mozilla_plugin_t) +- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ++ pulseaudio_exec(mozilla_plugin_t) ++ pulseaudio_stream_connect(mozilla_plugin_t) ++ pulseaudio_setattr_home_dir(mozilla_plugin_t) ++ pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ pcscd_stream_connect(mozilla_plugin_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +@@ -560,7 +526,7 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) + rtkit_scheduled(mozilla_plugin_t) ') optional_policy(` -+ udev_read_db(mozilla_plugin_t) -+') -+ -+optional_policy(` +@@ -568,108 +534,100 @@ optional_policy(` + ') + + optional_policy(` +- xserver_read_user_xauth(mozilla_plugin_t) + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) +- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) + 
xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t) + xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Plugin config local policy +# mozilla_plugin_config local policy -+# -+ -+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; + # + + allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; +-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; +-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; +- +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; +-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; +allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; -+ + +-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) +-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+ + +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") 
+-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") +ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) -+ + +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") +-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") +dev_search_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) -+ + +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) -+ + +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+ + +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +- +-kernel_read_system_state(mozilla_plugin_config_t) +-kernel_request_load_module(mozilla_plugin_config_t) +manage_dirs_pattern(mozilla_plugin_config_t, 
mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -+ -+corecmd_exec_bin(mozilla_plugin_config_t) -+corecmd_exec_shell(mozilla_plugin_config_t) -+ + + corecmd_exec_bin(mozilla_plugin_config_t) + corecmd_exec_shell(mozilla_plugin_config_t) + +-dev_read_urand(mozilla_plugin_config_t) +-dev_rw_dri(mozilla_plugin_config_t) +-dev_search_sysfs(mozilla_plugin_config_t) +-dev_dontaudit_read_rand(mozilla_plugin_config_t) +kernel_read_system_state(mozilla_plugin_config_t) +kernel_request_load_module(mozilla_plugin_config_t) -+ -+domain_use_interactive_fds(mozilla_plugin_config_t) -+ -+files_read_usr_files(mozilla_plugin_config_t) -+files_dontaudit_search_home(mozilla_plugin_config_t) + + domain_use_interactive_fds(mozilla_plugin_config_t) + +-files_list_tmp(mozilla_plugin_config_t) + files_read_usr_files(mozilla_plugin_config_t) + files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(mozilla_plugin_config_t) -+ -+fs_getattr_all_fs(mozilla_plugin_config_t) -+ -+auth_use_nsswitch(mozilla_plugin_config_t) -+ -+miscfiles_read_fonts(mozilla_plugin_config_t) -+ + + fs_getattr_all_fs(mozilla_plugin_config_t) +-fs_search_auto_mountpoints(mozilla_plugin_config_t) +-fs_list_inotifyfs(mozilla_plugin_config_t) + + auth_use_nsswitch(mozilla_plugin_config_t) + +-miscfiles_read_localization(mozilla_plugin_config_t) + miscfiles_read_fonts(mozilla_plugin_config_t) + +userdom_search_user_home_content(mozilla_plugin_config_t) -+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) -+userdom_read_user_home_content_files(mozilla_plugin_config_t) + userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) + userdom_read_user_home_content_files(mozilla_plugin_config_t) +userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) 
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t) +userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t) +userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t) +userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t) -+ + +-userdom_use_user_ptys(mozilla_plugin_config_t) +- +-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) -+ + +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_config_t self:process execmem; +-') +- +-tunable_policy(`mozilla_execstack',` +- allow mozilla_plugin_config_t self:process { execmem execstack }; +optional_policy(` + gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) -+') -+ + ') + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(mozilla_plugin_config_t) +- fs_manage_nfs_files(mozilla_plugin_config_t) +- fs_manage_nfs_symlinks(mozilla_plugin_config_t) +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) -+') -+ + ') + +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; 
@@ -35179,68 +35909,53 @@ index d4fcb75..8cf0087 100644 + typealias mozilla_home_t alias nsplugin_home_t; + typealias mozilla_plugin_config_t alias nsplugin_config_t; + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; -+') -+ + ') + +-optional_policy(` +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_enable_homedirs',` + userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) -+') -+ + ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ') -diff --git a/mpd.fc b/mpd.fc -index ddc14d6..c74bf3d 100644 ---- a/mpd.fc -+++ b/mpd.fc -@@ -6,3 +6,5 @@ - /var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) - /var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) - /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -+ -+/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) diff --git a/mpd.if b/mpd.if -index d72276f..cb8c563 100644 +index 5fa77c7..a0e8661 100644 --- a/mpd.if +++ b/mpd.if -@@ -244,8 +244,11 @@ interface(`mpd_admin',` - type mpd_tmpfs_t; +@@ -344,9 +344,13 @@ interface(`mpd_admin',` + type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; ') - allow $1 mpd_t:process { ptrace signal_perms }; + allow $1 mpd_t:process signal_perms; ps_process_pattern($1, mpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 mpd_t:process ptrace; + ') - ++ mpd_initrc_domtrans($1) domain_system_change_exemption($1) + role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7f68872..d92aaa8 100644 +index 7c8afcc..bf055f0 100644 --- a/mpd.te 
+++ b/mpd.te -@@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow mpd_t self:tcp_socket create_stream_socket_perms; +@@ -74,6 +74,9 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; + allow mpd_t self:unix_dgram_socket sendto; + allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + +read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) - manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) - manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) -@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) - - read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) - -+manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t) -+manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t) -+logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file }) -+ - manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) - manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) - manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -@@ -72,7 +79,6 @@ kernel_read_kernel_sysctls(mpd_t) + allow mpd_t mpd_data_t:dir manage_dir_perms; + allow mpd_t mpd_data_t:file manage_file_perms; +@@ -110,7 +113,6 @@ kernel_read_kernel_sysctls(mpd_t) corecmd_exec_bin(mpd_t) @@ -35248,15 +35963,7 @@ index 7f68872..d92aaa8 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -87,6 +93,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t) - corenet_sendrecv_pulseaudio_client_packets(mpd_t) - corenet_sendrecv_soundd_client_packets(mpd_t) - -+dev_read_urand(mpd_t) - dev_read_sound(mpd_t) - dev_write_sound(mpd_t) - dev_read_sysfs(mpd_t) -@@ -101,7 +108,9 @@ auth_use_nsswitch(mpd_t) +@@ -150,7 +152,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) 
@@ -35265,9 +35972,9 @@ index 7f68872..d92aaa8 100644 +userdom_read_user_tmpfs_files(mpd_t) +userdom_home_reader(mpd_t) - optional_policy(` - alsa_read_rw_config(mpd_t) -@@ -122,5 +131,20 @@ optional_policy(` + tunable_policy(`mpd_enable_homedirs',` + userdom_search_user_home_dirs(mpd_t) +@@ -199,6 +203,16 @@ optional_policy(` ') optional_policy(` @@ -35283,260 +35990,48 @@ index 7f68872..d92aaa8 100644 +optional_policy(` udev_read_db(mpd_t) ') -+ -+optional_policy(` -+ xserver_dontaudit_stream_connect(mpd_t) -+ xserver_dontaudit_read_xdm_pid(mpd_t) -+') -diff --git a/mplayer.if b/mplayer.if -index d8ea41d..87c7046 100644 ---- a/mplayer.if -+++ b/mplayer.if -@@ -102,3 +102,96 @@ interface(`mplayer_read_user_home_files',` - read_files_pattern($1, mplayer_home_t, mplayer_home_t) - userdom_search_user_home_dirs($1) - ') -+ -+######################################## -+##
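Review bot: After this rebase the patch's unconditional `userdom_home_reader(mpd_t)` sits directly above upstream's `tunable_policy(`mpd_enable_homedirs',`` block, so if that interface grants read access to user home content the new boolean restricts nothing for mpd. Consider moving the call into the tunable's true branch next to `userdom_search_user_home_dirs(mpd_t)`, or adding a comment stating why mpd is meant to read home directories regardless of the boolean. The tunable body continues outside this hunk.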

    -+## Manage mplayer per user homedir -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mplayer_manage_user_home_dirs',` -+ gen_require(` -+ type mplayer_home_t; -+ ') -+ -+ manage_dirs_pattern($1, mplayer_home_t, mplayer_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## Manage mplayer per user homedir -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mplayer_manage_user_home_files',` -+ gen_require(` -+ type mplayer_home_t; -+ ') -+ -+ manage_files_pattern($1, mplayer_home_t, mplayer_home_t) -+ manage_lnk_files_pattern($1, mplayer_home_t, mplayer_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## Transition to mplayer named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mplayer_filetrans_home_content',` -+ gen_require(` -+ type mplayer_home_t; -+ ') -+ -+ userdom_user_home_dir_filetrans($1, mplayer_home_t, file, ".mplayer") -+') -+ -+######################################## -+## -+## Execute mplayer_exec_t -+## in the specified domain. -+## -+## -+##

    -+## Execute a mplayer_exec_t -+## in the specified domain. -+##

    -+##

    -+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`mplayer_exec_domtrans',` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ -+ allow $2 mplayer_exec_t:file entrypoint; -+ domtrans_pattern($1, mplayer_exec_t, $2) -+') + diff --git a/mplayer.te b/mplayer.te -index 0cdea57..321a21a 100644 +index 9aca704..e8e71cb 100644 --- a/mplayer.te -+++ b/mplayer.te -@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0) - ## Allow mplayer executable stack - ##

    - ##
    --gen_tunable(allow_mplayer_execstack, false) -+gen_tunable(mplayer_execstack, false) - - type mencoder_t; - type mencoder_exec_t; -@@ -71,15 +71,15 @@ fs_search_auto_mountpoints(mencoder_t) - # Access to DVD/CD/V4L - storage_raw_read_removable_device(mencoder_t) - --miscfiles_read_localization(mencoder_t) - --userdom_use_user_terminals(mencoder_t) -+userdom_use_inherited_user_terminals(mencoder_t) - # Handle removable media, /tmp, and /home - userdom_list_user_tmp(mencoder_t) - userdom_read_user_tmp_files(mencoder_t) - userdom_read_user_tmp_symlinks(mencoder_t) - userdom_read_user_home_content_files(mencoder_t) - userdom_read_user_home_content_symlinks(mencoder_t) -+userdom_home_manager(mencoder_t) - - # Read content to encode - ifndef(`enable_mls',` -@@ -88,58 +88,18 @@ ifndef(`enable_mls',` - fs_read_removable_symlinks(mencoder_t) - ') - --tunable_policy(`allow_execmem',` -+tunable_policy(`deny_execmem',`',` - allow mencoder_t self:process execmem; - ') - --tunable_policy(`allow_execmod',` -+tunable_policy(`selinuxuser_execmod',` - dev_execmod_zero(mencoder_t) - ') - --tunable_policy(`allow_mplayer_execstack',` -+tunable_policy(`mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; - ') - --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mencoder_t) -- fs_manage_nfs_files(mencoder_t) -- fs_manage_nfs_symlinks(mencoder_t) -- --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mencoder_t) -- fs_manage_cifs_files(mencoder_t) -- fs_manage_cifs_symlinks(mencoder_t) -- --') -- --# Read content to encode --tunable_policy(`use_nfs_home_dirs',` -- fs_list_auto_mountpoints(mencoder_t) -- files_list_home(mencoder_t) -- fs_read_nfs_files(mencoder_t) -- fs_read_nfs_symlinks(mencoder_t) -- --',` -- files_dontaudit_list_home(mencoder_t) -- fs_dontaudit_list_auto_mountpoints(mencoder_t) -- fs_dontaudit_read_nfs_files(mencoder_t) -- fs_dontaudit_list_nfs(mencoder_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- 
fs_list_auto_mountpoints(mencoder_t) -- files_list_home(mencoder_t) -- fs_read_cifs_files(mencoder_t) -- fs_read_cifs_symlinks(mencoder_t) --',` -- files_dontaudit_list_home(mencoder_t) -- fs_dontaudit_list_auto_mountpoints(mencoder_t) -- fs_dontaudit_read_cifs_files(mencoder_t) -- fs_dontaudit_list_cifs(mencoder_t) --') -- - ######################################## - # - # mplayer local policy -@@ -156,6 +116,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) - manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) - manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) - userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) -+userdom_search_user_home_dirs(mplayer_t) - - manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) - manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -177,7 +138,6 @@ kernel_read_system_state(mplayer_t) - kernel_read_kernel_sysctls(mplayer_t) - - corenet_all_recvfrom_netlabel(mplayer_t) --corenet_all_recvfrom_unlabeled(mplayer_t) - corenet_tcp_sendrecv_generic_if(mplayer_t) - corenet_tcp_sendrecv_generic_node(mplayer_t) - corenet_tcp_bind_generic_node(mplayer_t) -@@ -206,7 +166,6 @@ domain_use_interactive_fds(mplayer_t) - # Access to DVD/CD/V4L - storage_raw_read_removable_device(mplayer_t) ++++ b/mplayer.te +@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4) + ## its stack executable. + ##

    + ## +-gen_tunable(allow_mplayer_execstack, false) ++gen_tunable(mplayer_execstack, false) --files_read_etc_files(mplayer_t) - files_dontaudit_list_non_security(mplayer_t) - files_dontaudit_getattr_non_security_files(mplayer_t) - files_read_non_security_files(mplayer_t) -@@ -222,10 +181,13 @@ fs_dontaudit_getattr_all_fs(mplayer_t) - fs_search_auto_mountpoints(mplayer_t) - fs_list_inotifyfs(mplayer_t) + attribute_role mencoder_roles; + attribute_role mplayer_roles; +@@ -95,15 +95,15 @@ ifndef(`enable_mls',` + fs_read_iso9660_files(mencoder_t) + ') --miscfiles_read_localization(mplayer_t) -+auth_use_nsswitch(mplayer_t) -+ -+logging_send_syslog_msg(mplayer_t) -+ - miscfiles_read_fonts(mplayer_t) +-tunable_policy(`allow_execmem',` +- allow mencoder_t self:process execmem; ++tunable_policy(`deny_execmem',`',` ++ allow mencoder_t self:process execmem; + ') --userdom_use_user_terminals(mplayer_t) -+userdom_use_inherited_user_terminals(mplayer_t) - # Read media files - userdom_list_user_tmp(mplayer_t) - userdom_read_user_tmp_files(mplayer_t) -@@ -233,6 +195,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) - userdom_read_user_home_content_files(mplayer_t) - userdom_read_user_home_content_symlinks(mplayer_t) - userdom_write_user_tmp_sockets(mplayer_t) -+userdom_home_manager(mplayer_t) +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + dev_execmod_zero(mencoder_t) + ') - xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; + ') -@@ -243,62 +206,31 @@ ifdef(`enable_mls',`',` - fs_read_removable_symlinks(mplayer_t) +@@ -211,15 +211,15 @@ ifndef(`enable_mls',` + fs_read_iso9660_files(mplayer_t) ') -tunable_policy(`allow_execmem',` +- allow mplayer_t self:process execmem; +tunable_policy(`deny_execmem',`',` - allow mplayer_t self:process execmem; ++ allow mplayer_t self:process execmem; ') 
-tunable_policy(`allow_execmod',` 
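Review bot: `tunable_policy(`deny_execmem',`',` allow mencoder_t self:process execmem;` and the matching mplayer_t block replace upstream's `allow_execmem` with the grant in the tunable's false branch, so this is a semantic inversion (execmem is granted unless the boolean is set), not a drop-in rename, and the effective default now depends on how `deny_execmem` is declared, which this hunk does not show. A comment above each block, e.g. `# Fedora: execmem granted unless deny_execmem is set (inverts upstream allow_execmem)`, would keep a future rebase from treating it as a pure rename; `selinuxuser_execmod` replacing `allow_execmod` keeps the grant in the true branch and needs no such note. In mpd.te, the patch's `allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` now sits three lines below upstream's `allow mpd_t self:unix_dgram_socket sendto;`, so `sendto` is granted twice; trimming it to `create_socket_perms` would make the patch carry only the delta. The mpd.te and mplayer.te blocks this hunk touches continue outside it.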
@@ -35549,103 +36044,37 @@ index 0cdea57..321a21a 100644 allow mplayer_t self:process { execmem execstack }; ') --tunable_policy(`use_nfs_home_dirs',` -- fs_manage_nfs_dirs(mplayer_t) -- fs_manage_nfs_files(mplayer_t) -- fs_manage_nfs_symlinks(mplayer_t) --') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mplayer_t) -- fs_manage_cifs_files(mplayer_t) -- fs_manage_cifs_symlinks(mplayer_t) --') -- - # Legacy domain issues +@@ -235,7 +235,7 @@ tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_symlinks(mplayer_t) + ') + -tunable_policy(`allow_mplayer_execstack',` +tunable_policy(`mplayer_execstack',` allow mplayer_t mplayer_tmpfs_t:file execute; ') --# Read songs --tunable_policy(`use_nfs_home_dirs',` -- fs_list_auto_mountpoints(mplayer_t) -- files_list_home(mplayer_t) -- fs_read_nfs_files(mplayer_t) -- fs_read_nfs_symlinks(mplayer_t) -- --',` -- files_dontaudit_list_home(mplayer_t) -- fs_dontaudit_list_auto_mountpoints(mplayer_t) -- fs_dontaudit_read_nfs_files(mplayer_t) -- fs_dontaudit_list_nfs(mplayer_t) --') -+userdom_home_manager(mplayer_t) - --tunable_policy(`use_samba_home_dirs',` -- fs_list_auto_mountpoints(mplayer_t) -- files_list_home(mplayer_t) -- fs_read_cifs_files(mplayer_t) -- fs_read_cifs_symlinks(mplayer_t) --',` -- files_dontaudit_list_home(mplayer_t) -- fs_dontaudit_list_auto_mountpoints(mplayer_t) -- fs_dontaudit_read_cifs_files(mplayer_t) -- fs_dontaudit_list_cifs(mplayer_t) -+optional_policy(` -+ alsa_read_rw_config(mplayer_t) - ') - - optional_policy(` -- alsa_read_rw_config(mplayer_t) -+ gnome_setattr_config_dirs(mplayer_t) - ') - - optional_policy(` -diff --git a/mrtg.fc b/mrtg.fc -index 37fb953..7e9773a 100644 ---- a/mrtg.fc -+++ b/mrtg.fc -@@ -14,5 +14,6 @@ - # - /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) - /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) -+/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) - /var/log/mrtg(/.*)? 
gen_context(system_u:object_r:mrtg_log_t,s0) - /var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/mrtg.te b/mrtg.te -index 0e19d80..c203717 100644 +index c97c177..273b714 100644 --- a/mrtg.te +++ b/mrtg.te -@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) - dontaudit mrtg_t mrtg_etc_t:dir write; - dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; - -+manage_dirs_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) - manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) - manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) -+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file }) - -+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) - manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) - logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) - -@@ -62,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) +@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) corecmd_exec_bin(mrtg_t) corecmd_exec_shell(mrtg_t) -corenet_all_recvfrom_unlabeled(mrtg_t) corenet_all_recvfrom_netlabel(mrtg_t) corenet_tcp_sendrecv_generic_if(mrtg_t) - corenet_udp_sendrecv_generic_if(mrtg_t) -@@ -88,7 +90,6 @@ files_getattr_tmp_dirs(mrtg_t) - # for uptime - files_read_etc_runtime_files(mrtg_t) - # read config files --files_read_etc_files(mrtg_t) + corenet_tcp_sendrecv_generic_node(mrtg_t) +@@ -87,6 +86,8 @@ files_search_var(mrtg_t) + files_search_locks(mrtg_t) + files_search_var_lib(mrtg_t) + files_search_spool(mrtg_t) ++files_getattr_tmp_dirs(mrtg_t) ++files_read_etc_runtime_files(mrtg_t) fs_search_auto_mountpoints(mrtg_t) - fs_getattr_xattr_fs(mrtg_t) -@@ -108,13 +109,12 @@ libs_read_lib_files(mrtg_t) + fs_getattr_all_fs(mrtg_t) +@@ -105,13 +106,12 @@ libs_read_lib_files(mrtg_t) logging_send_syslog_msg(mrtg_t) @@ -35662,30 +36091,32 @@ index 0e19d80..c203717 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index afa18c8..2f102b2 100644 +index f42896c..2f102b2 100644 --- a/mta.fc 
+++ b/mta.fc -@@ -1,30 +1,41 @@ --HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -+HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) -+HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) -+HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) -+HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +@@ -2,33 +2,40 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) + HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) +-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) ++/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) - /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) --/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) --/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -+/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) - ifdef(`distro_redhat',` - /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) - ') +-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) ++/etc/mail(/.*)? 
gen_context(system_u:object_r:etc_mail_t,s0) + /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) +-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) ++ifdef(`distro_redhat',` ++/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ++') --/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) 
@@ -35693,191 +36124,317 @@ index afa18c8..2f102b2 100644 +/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) --/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) --/var/spool/(client)?mqueue(/.*)? 
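Review bot: The added `/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)` inside `ifdef(`distro_redhat',`` carries no `--` object-class restriction, whereas the `/etc/postfix/aliases.* -- gen_context(...)` line it stands in for is limited to regular files, so the label would now also apply to any other object matching the pattern; if that is unintended, add `--` back. Most of the remaining lines in this mta.fc hunk re-add existing entries with different column alignment, which inflates the patch without changing behavior; normalizing the whitespace to upstream would leave only the real additions (the `/root/...` mail_home_t and mail_home_rw_t entries). Which of the interleaved `-`/`++` lines is upstream context versus old-patch text is hard to tell from the nested markers here, so confirm against the base file before changing it.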
gen_context(system_u:object_r:mqueue_spool_t,s0) -+/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) -+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) +-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) ++/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..0005ac0 100644 +index ed81cac..0005ac0 100644 --- a/mta.if +++ b/mta.if -@@ -37,6 +37,7 @@ interface(`mta_stub',` - ## is the prefix for user_t). +@@ -1,4 +1,4 @@ +-## Common e-mail transfer agent policy. ++## Policy common to all email tranfer agents. + + ######################################## + ## +@@ -18,23 +18,37 @@ interface(`mta_stub',` + + ####################################### + ## +-## The template to define a mail domain. ++## Basic mail transfer agent domain template. + ## ++## ++##

    ++## This template creates a derived domain which is ++## a email transfer agent, which sends mail on ++## behalf of the user. ++##

    ++##

    ++## This is the basic types and rules, common ++## to the system agent and user agents. ++##

    ++##
    + ## + ## +-## Domain prefix to be used. ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). ## ## +## # template(`mta_base_mail_template',` ++ + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + +- ######################################## ++ ############################## + # +- # Declarations ++ # $1_mail_t declarations + # -@@ -56,92 +57,19 @@ template(`mta_base_mail_template',` + type $1_mail_t, user_mail_domain; +@@ -43,17 +57,16 @@ template(`mta_base_mail_template',` type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) -- ############################## +- ######################################## - # -- # $1_mail_t local policy +- # Declarations - # - -- allow $1_mail_t self:capability { setuid setgid chown }; -- allow $1_mail_t self:process { signal_perms setrlimit }; -- allow $1_mail_t self:tcp_socket create_socket_perms; -- -- # re-exec itself -- can_exec($1_mail_t, sendmail_exec_t) -- allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; -+ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) -+ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) -+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - - kernel_read_system_state($1_mail_t) -- kernel_read_kernel_sysctls($1_mail_t) -- -- corenet_all_recvfrom_unlabeled($1_mail_t) -- corenet_all_recvfrom_netlabel($1_mail_t) -- corenet_tcp_sendrecv_generic_if($1_mail_t) -- corenet_tcp_sendrecv_generic_node($1_mail_t) -- corenet_tcp_sendrecv_all_ports($1_mail_t) -- corenet_tcp_connect_all_ports($1_mail_t) -- corenet_tcp_connect_smtp_port($1_mail_t) -- corenet_sendrecv_smtp_client_packets($1_mail_t) -- -- corecmd_exec_bin($1_mail_t) -- -- files_read_etc_files($1_mail_t) -- files_search_spool($1_mail_t) -- # It wants to check for nscd -- files_dontaudit_search_pids($1_mail_t) + manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + files_tmp_filetrans($1_mail_t, 
$1_mail_tmp_t, { file dir }) ++ kernel_read_system_state($1_mail_t) ++ auth_use_nsswitch($1_mail_t) -- init_dontaudit_rw_utmp($1_mail_t) -- - logging_send_syslog_msg($1_mail_t) - -- miscfiles_read_localization($1_mail_t) -- -- optional_policy(` -- exim_read_log($1_mail_t) -- exim_append_log($1_mail_t) -- exim_manage_spool_files($1_mail_t) -- ') -- ++ logging_send_syslog_msg($1_mail_t) ++ optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) ') -- -- optional_policy(` -- procmail_exec($1_mail_t) -- ') -- -- optional_policy(` -- qmail_domtrans_inject($1_mail_t) -- ') -- -- optional_policy(` -- gen_require(` -- type etc_mail_t, mail_spool_t, mqueue_spool_t; -- ') -- -- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) -- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) -- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) -- -- allow $1_mail_t etc_mail_t:dir search_dir_perms; -- -- # Write to /var/spool/mail and /var/spool/mqueue. -- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) -- manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) -- -- # Check available space. -- fs_getattr_xattr_fs($1_mail_t) -- -- files_read_etc_runtime_files($1_mail_t) -- -- # Write to /var/log/sendmail.st -- sendmail_manage_log($1_mail_t) -- sendmail_create_log($1_mail_t) -- ') -- -- optional_policy(` -- uucp_manage_spool($1_mail_t) -- ') - ') +@@ -61,61 +74,41 @@ template(`mta_base_mail_template',` ######################################## -@@ -169,11 +97,19 @@ interface(`mta_role',` + ## +-## Role access for mta. ++## Role access for mta + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. 
++## User domain for the role + ## + ## + # + interface(`mta_role',` + gen_require(` + attribute mta_user_agent; +- attribute_role user_mail_roles; +- type user_mail_t, sendmail_exec_t, mail_home_t; +- type user_mail_tmp_t, mail_home_rw_t; ++ type user_mail_t, sendmail_exec_t; + ') - # Transition from the user domain to the derived domain. - domtrans_pattern($2, sendmail_exec_t, user_mail_t) -- allow $2 sendmail_exec_t:lnk_file { getattr read }; -+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; +- roleattribute $1 user_mail_roles; +- +- # this is something i need to fix +- # i dont know if and why it is needed +- # will role attribute work? +- role $1 types mta_user_agent; ++ role $1 types { user_mail_t mta_user_agent }; - allow mta_user_agent $2:fd use; - allow mta_user_agent $2:process sigchld; -- allow mta_user_agent $2:fifo_file { read write }; ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, sendmail_exec_t, user_mail_t) + allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; + +- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; +- ps_process_pattern($2, { user_mail_t mta_user_agent }) +- +- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms }; +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc") +- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter") +- +- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; +- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") +- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") +- +- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 
user_mail_tmp_t:file { manage_file_perms relabel_file_perms }; ++ allow mta_user_agent $2:fd use; ++ allow mta_user_agent $2:process sigchld; + allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; -+ -+ optional_policy(` -+ exim_run($2, $1) -+ ') -+ -+ optional_policy(` + + optional_policy(` + exim_run($2, $1) + ') + + optional_policy(` +- mailman_run($2, $1) + mailman_run(mta_user_agent, $1) -+ ') + ') ') - ######################################## -@@ -220,6 +156,25 @@ interface(`mta_agent_executable',` +@@ -163,125 +156,23 @@ interface(`mta_agent_executable',` application_executable_file($1) ') +-####################################### +-## +-## Read mta mail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mta_read_mail_home_files',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 mail_home_t:file read_file_perms; +-') +- +-####################################### +-## +-## Create, read, write, and delete +-## mta mail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`mta_manage_mail_home_files',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 mail_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in user home +-## directories with the generic mail +-## home type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`mta_home_filetrans_mail_home',` +- gen_require(` +- type mail_home_t; +- ') +- +- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3) +-') +- +-####################################### +-## +-## Create, read, write, and delete +-## mta mail home rw content. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`mta_manage_mail_home_rw_content',` +- gen_require(` +- type mail_home_rw_t; +- ') +- +- userdom_search_user_home_dirs($1) +- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) +- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) +- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) +-') +- +-######################################## +###################################### -+## + ## +-## Create specified objects in user home +-## directories with the generic mail +-## home rw type. +## Dontaudit read and write an leaked file descriptors -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`mta_home_filetrans_mail_home_rw',` +interface(`mta_dontaudit_leaks_system_mail',` -+ gen_require(` + gen_require(` +- type mail_home_rw_t; + type system_mail_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) + dontaudit $1 system_mail_t:fifo_file write; + dontaudit $1 system_mail_t:tcp_socket { read write }; -+') -+ + ') + ######################################## - ## - ## Make the specified type by a system MTA. -@@ -306,10 +261,15 @@ interface(`mta_mailserver_sender',` - interface(`mta_mailserver_delivery',` - gen_require(` - attribute mailserver_delivery; -- type mail_spool_t; +@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',` + ') + + init_system_domain($1, sendmail_exec_t) +- + typeattribute $1 mailserver_domain; + ') + +@@ -374,6 +264,12 @@ interface(`mta_mailserver_delivery',` ') typeattribute $1 mailserver_delivery; 
@@ -35890,17 +36447,42 @@ index 4e2a5ba..0005ac0 100644 ') ####################################### -@@ -361,8 +321,7 @@ interface(`mta_send_mail',` +@@ -394,6 +290,12 @@ interface(`mta_mailserver_user_agent',` + ') - allow mta_user_agent $1:fd use; - allow mta_user_agent $1:process sigchld; -- allow mta_user_agent $1:fifo_file rw_fifo_file_perms; -- + typeattribute $1 mta_user_agent; ++ ++ optional_policy(` ++ # apache should set close-on-exec ++ apache_dontaudit_rw_stream_sockets($1) ++ apache_dontaudit_rw_sys_script_stream_sockets($1) ++ ') + ') + + ######################################## +@@ -408,14 +310,19 @@ interface(`mta_mailserver_user_agent',` + # + interface(`mta_send_mail',` + gen_require(` ++ attribute mta_user_agent; + type system_mail_t; + attribute mta_exec_type; + ') + +- corecmd_search_bin($1) ++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ corecmd_read_bin_symlinks($1) + domtrans_pattern($1, mta_exec_type, system_mail_t) + +- allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ allow mta_user_agent $1:fd use; ++ allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; - dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; ++ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; ') -@@ -393,12 +352,19 @@ interface(`mta_send_mail',` + ######################################## +@@ -445,18 +352,24 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` 
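Review bot: The two apache dontaudit calls added to `mta_mailserver_user_agent` are unconditional even though the accompanying comment `# apache should set close-on-exec` says they only paper over a descriptor leak in another domain, so the leak is silenced for every user agent and only reappears under `semodule -DB`. Elsewhere in this same patch the arpwatch leak is gated with an ``ifdef(`hide_broken_symptoms', `…')`` block, and these two calls, together with the new `dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;` in `mta_send_mail`, would be more consistent inside the same guard so the symptom stays visible in development builds. Replacing `corecmd_search_bin($1)` by `corecmd_read_bin_symlinks($1)` in `mta_send_mail` looks intentional, but it is worth confirming that the latter still carries search on the bin directory, since `domtrans_pattern` needs that to reach the executable.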
@@ -35909,11 +36491,13 @@ index 4e2a5ba..0005ac0 100644 + attribute mta_user_agent; ') - files_search_usr($1) -+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - corecmd_read_bin_symlinks($1) +- corecmd_search_bin($1) - domain_auto_trans($1, sendmail_exec_t, $2) -+ ++ files_search_usr($1) ++ allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ corecmd_read_bin_symlinks($1) + +- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) + allow mta_user_agent $1:fd use; @@ -35922,7 +36506,13 @@ index 4e2a5ba..0005ac0 100644 ') ######################################## -@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',` + ## +-## Send signals to system mail. ++## Send system mail client a signal + ## + ## + ## +@@ -464,7 +377,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -35930,10 +36520,11 @@ index 4e2a5ba..0005ac0 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',` +@@ -475,7 +387,43 @@ interface(`mta_signal_system_mail',` ######################################## ## +-## Send kill signals to system mail. +## Send all user mail client a signal +## +## 
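Review bot: `mta_sendmail_domtrans` now grants `allow $2 mta_exec_type:file entrypoint;` and transitions on the whole `mta_exec_type` attribute instead of the single `sendmail_exec_t` the removed `domain_auto_trans($1, sendmail_exec_t, $2)` used, so every present and future executable tagged through `mta_agent_executable()` becomes an entry point into whatever `$2` the caller names. That widens the set of binaries able to land a caller in, for example, an MTA delivery domain, and existing callers of this interface were written against the narrower meaning. If the attribute is what is wanted, the interface summary should say so; otherwise `domtrans_pattern($1, sendmail_exec_t, $2)` with the extra entrypoint line dropped keeps the old contract. The added `allow mta_user_agent $1:fd use;` and sigchld lines mirror `mta_send_mail` and look fine.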
@@ -35971,30 +36562,20 @@ index 4e2a5ba..0005ac0 100644 +######################################## +## +## Send system mail client a kill signal -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mta_kill_system_mail',` -+ gen_require(` -+ type system_mail_t; -+ ') -+ -+ allow $1 system_mail_t:process sigkill; -+') -+ -+######################################## -+## - ## Execute sendmail in the caller domain. ## ## -@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',` + ## +@@ -506,13 +454,32 @@ interface(`mta_sendmail_exec',` + type sendmail_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, sendmail_exec_t) + ') ######################################## ## +-## Read mail server configuration content. +## Check whether sendmail executable +## files are executable. +## 
@@ -36015,83 +36596,187 @@ index 4e2a5ba..0005ac0 100644 + +######################################## +## - ## Read mail server configuration. ++## Read mail server configuration. + ## + ## + ## +@@ -528,13 +495,13 @@ interface(`mta_read_config',` + + files_search_etc($1) + allow $1 etc_mail_t:dir list_dir_perms; +- allow $1 etc_mail_t:file read_file_perms; +- allow $1 etc_mail_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, etc_mail_t, etc_mail_t) ++ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) + ') + + ######################################## + ## +-## Write mail server configuration files. ++## write mail server configuration. ## ## -@@ -481,6 +520,25 @@ interface(`mta_write_config',` + ## +@@ -548,33 +515,31 @@ interface(`mta_write_config',` + type etc_mail_t; + ') + +- files_search_etc($1) + write_files_pattern($1, etc_mail_t, etc_mail_t) + ') ######################################## ## +-## Read mail address alias files. +## Manage mail server configuration. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`mta_read_aliases',` +interface(`mta_manage_config',` -+ gen_require(` + gen_require(` +- type etc_aliases_t; + type etc_mail_t; -+ ') -+ + ') + +- files_search_etc($1) +- allow $1 etc_aliases_t:file read_file_perms; + manage_files_pattern($1, etc_mail_t, etc_mail_t) -+') -+ -+######################################## -+## - ## Read mail address aliases. + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mail address alias content. ++## Read mail address aliases. 
## ## -@@ -496,6 +554,7 @@ interface(`mta_read_aliases',` + ## +@@ -582,84 +547,66 @@ interface(`mta_read_aliases',` + ## + ## + # +-interface(`mta_manage_aliases',` ++interface(`mta_read_aliases',` + gen_require(` + type etc_aliases_t; + ') files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; +- manage_files_pattern($1, etc_aliases_t, etc_aliases_t) +- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) ++ allow $1 etc_aliases_t:file read_file_perms; + allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; ') ######################################## -@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',` - files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) + ## +-## Create specified object in generic +-## etc directories with the mail address +-## alias type. ++## Create, read, write, and delete mail address aliases. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`mta_etc_filetrans_aliases',` ++interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + +- files_etc_filetrans($1, etc_aliases_t, $2, $3) ++ files_search_etc($1) ++ manage_files_pattern($1, etc_aliases_t, etc_aliases_t) ++ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) + mta_etc_filetrans_aliases($1, "aliases") + mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp") ') ######################################## -@@ -528,13 +590,18 @@ interface(`mta_manage_aliases',` + ## +-## Create specified objects in specified +-## directories with a type transition to +-## the mail address alias type. ++## Type transition files created in /etc ++## to the mail address aliases type. + ## + ## + ## ## Domain allowed access. ## ## -+## -+## -+## The name of the object being created. 
-+## -+## +-## +-## +-## Directory to transition on. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## + ## + ## + ## The name of the object being created. + ## + ## # - interface(`mta_etc_filetrans_aliases',` +-interface(`mta_spec_filetrans_aliases',` ++interface(`mta_etc_filetrans_aliases',` gen_require(` type etc_aliases_t; ') -- files_etc_filetrans($1, etc_aliases_t, file) +- filetrans_pattern($1, $2, etc_aliases_t, $3, $4) + files_etc_filetrans($1, etc_aliases_t, file, $2) ') ######################################## -@@ -554,7 +621,7 @@ interface(`mta_rw_aliases',` + ## +-## Read and write mail alias files. ++## Read and write mail aliases. + ## + ## + ## +@@ -674,14 +621,13 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) -- allow $1 etc_aliases_t:file { rw_file_perms setattr }; +- allow $1 etc_aliases_t:file rw_file_perms; + allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; ') ####################################### -@@ -576,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` + ## +-## Do not audit attempts to read +-## and write TCP sockets of mail +-## delivery domains. ++## Do not audit attempts to read and write TCP ++## sockets of mail delivery domains. + ## + ## + ## +@@ -697,6 +643,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') 
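Review bot: `mta_write_config` loses its `files_search_etc($1)` line in this hunk (the patch now deletes it from the upstream body), and the new `mta_manage_config` never had one, while `mta_read_config`, `mta_read_aliases` and `mta_manage_aliases` in the same hunk keep it. `write_files_pattern` and `manage_files_pattern` only grant search on `etc_mail_t` itself, not on the generic /etc directory, so a caller that does not already hold etc_t search would be denied before it reaches /etc/mail; most daemons probably hold it through other interfaces, so this may only bite a minimal domain. Adding `files_search_etc($1)` back to both interfaces keeps them self-contained like their siblings.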
@@ -36117,78 +36802,227 @@ index 4e2a5ba..0005ac0 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -648,8 +734,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -713,8 +678,8 @@ interface(`mta_tcp_connect_all_mailservers',` - files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search_dir_perms; -- dontaudit $1 mail_spool_t:lnk_file read; -- dontaudit $1 mail_spool_t:file getattr; -+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 mail_spool_t:file getattr_file_perms; - ') + ####################################### + ## +-## Do not audit attempts to read +-## mail spool symlinks. ++## Do not audit attempts to read a symlink ++## in the mail spool. + ## + ## + ## +@@ -732,7 +697,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` + + ######################################## + ## +-## Get attributes of mail spool content. ++## Get the attributes of mail spool files. + ## + ## + ## +@@ -753,8 +718,8 @@ interface(`mta_getattr_spool',` + + ######################################## + ## +-## Do not audit attempts to get +-## attributes of mail spool files. ++## Do not audit attempts to get the attributes ++## of mail spool files. + ## + ## + ## +@@ -775,9 +740,8 @@ interface(`mta_dontaudit_getattr_spool_files',` ####################################### -@@ -672,6 +758,11 @@ interface(`mta_dontaudit_getattr_spool_files',` - ## The object class of the object being created. - ## - ## -+## -+## -+## The name of the object being created. -+## -+## - # - interface(`mta_spool_filetrans',` - gen_require(` -@@ -679,7 +770,26 @@ interface(`mta_spool_filetrans',` - ') + ## +-## Create specified objects in the +-## mail spool directory with a +-## private type. ++## Create private objects in the ++## mail spool directory. 
+ ## + ## + ## +@@ -811,7 +775,7 @@ interface(`mta_spool_filetrans',` - files_search_spool($1) -- filetrans_pattern($1, mail_spool_t, $2, $3) -+ filetrans_pattern($1, mail_spool_t, $2, $3, $4) -+') -+ -+####################################### -+## + ####################################### + ## +-## Read mail spool files. +## Read the mail spool. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -819,10 +783,10 @@ interface(`mta_spool_filetrans',` + ## + ## + # +-interface(`mta_read_spool_files',` +- gen_require(` +- type mail_spool_t; +- ') +interface(`mta_read_spool',` + gen_require(` + type mail_spool_t; + ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, mail_spool_t, mail_spool_t) - ') + + files_search_spool($1) + read_files_pattern($1, mail_spool_t, mail_spool_t) +@@ -830,7 +794,7 @@ interface(`mta_read_spool_files',` ######################################## -@@ -699,8 +809,8 @@ interface(`mta_rw_spool',` + ## +-## Read and write mail spool files. ++## Read and write the mail spool. + ## + ## + ## +@@ -845,13 +809,14 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; -- allow $1 mail_spool_t:file setattr; -- rw_files_pattern($1, mail_spool_t, mail_spool_t) +- allow $1 mail_spool_t:file rw_file_perms; +- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; + allow $1 mail_spool_t:file setattr_file_perms; + manage_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ####################################### + ## +-## Create, read, and write mail spool files. ++## Create, read, and write the mail spool. 
+ ## + ## + ## +@@ -866,13 +831,14 @@ interface(`mta_append_spool',` + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- manage_files_pattern($1, mail_spool_t, mail_spool_t) +- allow $1 mail_spool_t:lnk_file read_lnk_file_perms; ++ create_files_pattern($1, mail_spool_t, mail_spool_t) ++ write_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + + ####################################### + ## +-## Delete mail spool files. ++## Delete from the mail spool. + ## + ## + ## +@@ -891,8 +857,7 @@ interface(`mta_delete_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## mail spool content. ++## Create, read, write, and delete mail spool files. + ## + ## + ## +@@ -911,45 +876,9 @@ interface(`mta_manage_spool',` + manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + +-####################################### +-## +-## Create specified objects in the +-## mail queue spool directory with a +-## private type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`mta_queue_filetrans',` +- gen_require(` +- type mqueue_spool_t; +- ') +- +- files_search_spool($1) +- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) +-') +- + ######################################## + ## +-## Search mail queue directories. ++## Search mail queue dirs. + ## + ## + ## +@@ -968,7 +897,7 @@ interface(`mta_search_queue',` + + ####################################### + ## +-## List mail queue directories. ++## List the mail queue. 
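Review bot: `mta_rw_spool` now grants `manage_files_pattern($1, mail_spool_t, mail_spool_t)` plus `setattr_file_perms`, but its summary in the same hunk still reads `## Read and write the mail spool.` and the line it replaces was `rw_file_perms`, so every existing caller of the read/write interface silently gains create, unlink and rename on mailboxes under /var/spool/mail. A caller that needs that should move to `mta_manage_spool`, which exists for exactly this; otherwise the body should go back to `rw_files_pattern($1, mail_spool_t, mail_spool_t)`. The neighbouring `mta_append_spool` appears to have the opposite mismatch: its summary says `Create, read, and write` while the new body only has `create_files_pattern` and `write_files_pattern`, so either the doc or the body wants a `read_files_pattern`.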
+ ## + ## + ## +@@ -981,13 +910,13 @@ interface(`mta_list_queue',` + type mqueue_spool_t; + ') + +- files_search_spool($1) + allow $1 mqueue_spool_t:dir list_dir_perms; ++ files_search_spool($1) ') -@@ -840,7 +950,7 @@ interface(`mta_dontaudit_rw_queue',` + ####################################### + ## +-## Read mail queue files. ++## Read the mail queue. + ## + ## + ## +@@ -1000,14 +929,14 @@ interface(`mta_read_queue',` + type mqueue_spool_t; ') - dontaudit $1 mqueue_spool_t:dir search_dir_perms; -- dontaudit $1 mqueue_spool_t:file { getattr read write }; -+ dontaudit $1 mqueue_spool_t:file rw_file_perms; +- files_search_spool($1) + read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ++ files_search_spool($1) ') + ####################################### + ## + ## Do not audit attempts to read and +-## write mail queue content. ++## write the mail queue. + ## + ## + ## +@@ -1027,7 +956,7 @@ interface(`mta_dontaudit_rw_queue',` ######################################## -@@ -866,6 +976,41 @@ interface(`mta_manage_queue',` + ## + ## Create, read, write, and delete +-## mail queue content. ++## mail queue files. + ## + ## + ## +@@ -1047,6 +976,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -36230,7 +37064,26 @@ index 4e2a5ba..0005ac0 100644 ## Read sendmail binary. ## ## -@@ -901,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1055,6 +1019,7 @@ interface(`mta_manage_queue',` + ## + ## + # ++# cjp: added for postfix + interface(`mta_read_sendmail_bin',` + gen_require(` + type sendmail_exec_t; +@@ -1065,8 +1030,8 @@ interface(`mta_read_sendmail_bin',` + + ####################################### + ## +-## Read and write unix domain stream +-## sockets of all base mail domains. ++## Read and write unix domain stream sockets ++## of user mail domains. + ## + ## + ## +@@ -1081,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
@@ -36405,20 +37258,25 @@ index 4e2a5ba..0005ac0 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index 84a7d66..61f95e2 100644 +index afd2fad..ed44eaf 100644 --- a/mta.te +++ b/mta.te -@@ -20,14 +20,19 @@ files_type(etc_aliases_t) - type etc_mail_t; - files_config_file(etc_mail_t) +@@ -1,4 +1,4 @@ +-policy_module(mta, 2.6.5) ++policy_module(mta, 2.5.0) --type mail_forward_t; --files_type(mail_forward_t) -+type mail_home_t alias mail_forward_t; -+userdom_user_home_content(mail_home_t) -+ -+type mail_home_rw_t; -+userdom_user_home_content(mail_home_rw_t) + ######################################## + # +@@ -14,8 +14,6 @@ attribute mailserver_sender; + + attribute user_mail_domain; + +-attribute_role user_mail_roles; +- + type etc_aliases_t; + files_type(etc_aliases_t) + +@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t) type mqueue_spool_t; files_mountpoint(mqueue_spool_t) 
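Review bot: The patch now rewrites the module header from `policy_module(mta, 2.6.5)` to `policy_module(mta, 2.5.0)`, lowering the version below the upstream release it is based on, so `semodule -l` reports a module that carries more policy than upstream 2.6.5 as older than it, and a later sync to a newer upstream will read as a downgrade in package diffs. Distribution changes normally bump the minor version past upstream, e.g. `policy_module(mta, 2.6.6)`, or leave upstream's number untouched. Dropping `attribute_role user_mail_roles;` here is consistent with `mta_role` no longer referencing it.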
@@ -36430,44 +37288,176 @@ index 84a7d66..61f95e2 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -50,21 +55,12 @@ userdom_user_tmp_file(user_mail_tmp_t) +@@ -43,178 +43,79 @@ role system_r types system_mail_t; + mta_base_mail_template(user) + typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; + typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; +-userdom_user_application_type(user_mail_t) +-role user_mail_roles types user_mail_t; +- + typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; + typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; ++userdom_user_application_type(user_mail_t) + userdom_user_tmp_file(user_mail_tmp_t) + + ######################################## + # +-# Common base mail policy +-# +- +-allow user_mail_domain self:capability { setuid setgid chown }; +-allow user_mail_domain self:process { signal_perms setrlimit }; +-allow user_mail_domain self:fifo_file rw_fifo_file_perms; +- +-allow user_mail_domain mta_exec_type:file entrypoint; +- +-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; +- +-manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir") +-userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir") +- +-read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t }) +- +-manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) +-read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t }) +- +-allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; +- +-can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) +- 
+-kernel_read_system_state(user_mail_domain) +-kernel_read_kernel_sysctls(user_mail_domain) +-kernel_read_network_state(user_mail_domain) +-kernel_request_load_module(user_mail_domain) +- +-corenet_all_recvfrom_netlabel(user_mail_domain) +-corenet_tcp_sendrecv_generic_if(user_mail_domain) +-corenet_tcp_sendrecv_generic_node(user_mail_domain) +- +-corenet_sendrecv_all_client_packets(user_mail_domain) +-corenet_tcp_connect_all_ports(user_mail_domain) +-corenet_tcp_sendrecv_all_ports(user_mail_domain) +- +-corecmd_exec_bin(user_mail_domain) +- +-dev_read_urand(user_mail_domain) +- +-domain_use_interactive_fds(user_mail_domain) +- +-files_read_etc_runtime_files(user_mail_domain) +-files_read_usr_files(user_mail_domain) +-files_search_spool(user_mail_domain) +-files_dontaudit_search_pids(user_mail_domain) +- +-fs_getattr_all_fs(user_mail_domain) +- +-init_dontaudit_rw_utmp(user_mail_domain) +- +-logging_send_syslog_msg(user_mail_domain) +- +-miscfiles_read_localization(user_mail_domain) +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(user_mail_domain) +- fs_manage_cifs_files(user_mail_domain) +- fs_read_cifs_symlinks(user_mail_domain) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(user_mail_domain) +- fs_manage_nfs_files(user_mail_domain) +- fs_read_nfs_symlinks(user_mail_domain) +-') +- +-optional_policy(` +- courier_manage_spool_dirs(user_mail_domain) +- courier_manage_spool_files(user_mail_domain) +- courier_rw_spool_pipes(user_mail_domain) +-') +- +-optional_policy(` +- exim_domtrans(user_mail_domain) +- exim_manage_log(user_mail_domain) +- exim_manage_spool_files(user_mail_domain) +-') +- +-optional_policy(` +- files_getattr_tmp_dirs(user_mail_domain) +- +- postfix_exec_master(user_mail_domain) +- postfix_read_config(user_mail_domain) +- postfix_search_spool(user_mail_domain) +- postfix_rw_inherited_master_pipes(user_mail_domain) +- +- ifdef(`distro_redhat',` +- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir 
file lnk_file sock_file fifo_file }) +- ') +-') +- +-optional_policy(` +- procmail_exec(user_mail_domain) +-') +- +-optional_policy(` +- qmail_domtrans_inject(user_mail_domain) +-') +- +-optional_policy(` +- sendmail_manage_log(user_mail_domain) +- sendmail_log_filetrans_sendmail_log(user_mail_domain, file) +-') +- +-optional_policy(` +- uucp_manage_spool(user_mail_domain) +-') +- +-######################################## +-# +-# System local policy ++# System mail local policy + # - # newalias required this, not sure if it is needed in 'if' file ++# newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; --allow system_mail_t self:fifo_file rw_fifo_file_perms; -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -+allow system_mail_t mail_home_t:file manage_file_perms; - - read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - --allow system_mail_t mail_forward_t:file read_file_perms; - --allow system_mail_t mta_exec_type:file entrypoint; +-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - --can_exec(system_mail_t, mta_exec_type) -- --kernel_read_system_state(system_mail_t) --kernel_read_network_state(system_mail_t) --kernel_request_load_module(system_mail_t) -+corecmd_exec_shell(system_mail_t) + allow system_mail_t mail_home_t:file manage_file_perms; +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc") +-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter") + +-allow system_mail_t user_mail_domain:dir list_dir_perms; +-allow system_mail_t user_mail_domain:file read_file_perms; +-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms; ++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + 
corecmd_exec_shell(system_mail_t) + +-dev_read_rand(system_mail_t) dev_read_sysfs(system_mail_t) - dev_read_rand(system_mail_t) -@@ -74,14 +70,25 @@ files_read_usr_files(system_mail_t) ++dev_read_rand(system_mail_t) ++dev_read_urand(system_mail_t) - fs_rw_anon_inodefs_files(system_mail_t) +-fs_rw_anon_inodefs_files(system_mail_t) ++files_read_usr_files(system_mail_t) -selinux_getattr_fs(system_mail_t) -- ++fs_rw_anon_inodefs_files(system_mail_t) + term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +userdom_use_inherited_user_terminals(system_mail_t) - userdom_dontaudit_search_user_home_dirs(system_mail_t) ++userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) @@ -36475,7 +37465,8 @@ index 84a7d66..61f95e2 100644 + +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) -+ + +-userdom_use_user_terminals(system_mail_t) + +logging_append_all_logs(system_mail_t) + @@ -36483,7 +37474,10 @@ index 84a7d66..61f95e2 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,25 +99,40 @@ optional_policy(` + apache_append_squirrelmail_data(system_mail_t) ++ ++ # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -36500,7 +37494,7 @@ index 84a7d66..61f95e2 100644 optional_policy(` arpwatch_manage_tmp_files(system_mail_t) -- ifdef(`hide_broken_symptoms', ` +- ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') + ifdef(`hide_broken_symptoms', ` 
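Review bot: After this hunk `allow system_mail_t mail_home_t:file manage_file_perms;` is present twice in the patched mta.te, once as the upstream line kept in the new system-mail section and again in the patch-added block next to `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)`; the duplicate is harmless to checkpolicy but is noise, and the patch-added copy can go. More substantively, the patch now deletes upstream's four name-based transitions (`.esmtp_queue`, `.forward`, `.mailrc`, `dead.letter`) for system_mail_t in user home directories while keeping the manage rule on `mail_home_t`, so a `dead.letter` written by system_mail_t into a user home would take the parent directory's type and never match that rule. If system_mail_t is deliberately kept out of user homes, which the retained `userdom_dontaudit_search_user_home_dirs(system_mail_t)` suggests, a one-line comment to that effect next to the manage rule would stop the next rebase from reintroducing them.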
@@ -36510,13 +37504,12 @@ index 84a7d66..61f95e2 100644 ') optional_policy(` +@@ -223,18 +124,18 @@ optional_policy(` + ') + + optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) -+ bugzilla_search_content(system_mail_t) -+ bugzilla_dontaudit_rw_stream_sockets(system_mail_t) -+') -+ -+optional_policy(` + courier_stream_connect_authdaemon(system_mail_t) ') @@ -36529,7 +37522,11 @@ index 84a7d66..61f95e2 100644 ') optional_policy(` -@@ -124,12 +146,9 @@ optional_policy(` +- courier_stream_connect_authdaemon(system_mail_t) + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) +@@ -245,13 +146,8 @@ optional_policy(` ') optional_policy(` @@ -36538,13 +37535,18 @@ index 84a7d66..61f95e2 100644 -') - -optional_policy(` +- fail2ban_dontaudit_rw_stream_sockets(system_mail_t) fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) -+ fail2ban_rw_inherited_tmp_files(system_mail_t) + fail2ban_rw_inherited_tmp_files(system_mail_t) + ') + +@@ -264,10 +160,15 @@ optional_policy(` ') optional_policy(` -@@ -146,6 +165,10 @@ optional_policy(` ++ # newaliases runs as system_mail_t when the sendmail initscript does a restart + milter_getattr_all_sockets(system_mail_t) ') optional_policy(` 
@@ -36555,48 +37557,52 @@ index 84a7d66..61f95e2 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +181,13 @@ optional_policy(` +@@ -278,6 +179,15 @@ optional_policy(` + manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) - - domain_use_interactive_fds(system_mail_t) -- -- # postfix needs this for newaliases -- files_getattr_tmp_dirs(system_mail_t) -- -- postfix_exec_master(system_mail_t) -- postfix_read_config(system_mail_t) -- postfix_search_spool(system_mail_t) -- -- ifdef(`distro_redhat',` -- # compatability for old default main.cf -- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) -- ') - ') - - optional_policy(` - qmail_domtrans_inject(system_mail_t) ++ ++ domain_use_interactive_fds(system_mail_t) ++') ++ ++optional_policy(` ++ qmail_domtrans_inject(system_mail_t) + qmail_manage_spool_dirs(system_mail_t) + qmail_manage_spool_files(system_mail_t) + qmail_rw_spool_pipes(system_mail_t) ') optional_policy(` -@@ -189,6 +203,10 @@ optional_policy(` +@@ -293,42 +203,36 @@ optional_policy(` ') optional_policy(` +- spamassassin_stream_connect_spamd(system_mail_t) + spamd_stream_connect(system_mail_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` smartmon_read_tmp_files(system_mail_t) ') -@@ -199,20 +217,23 @@ optional_policy(` - arpwatch_search_data(mailserver_delivery) +-######################################## +-# +-# MTA user agent local policy +-# +- +-userdom_use_user_terminals(mta_user_agent) +- +-optional_policy(` +- apache_append_log(mta_user_agent) +-') ++# should break this up among sections: + + optional_policy(` ++ # why is mail delivered to a directory of type arpwatch_data_t? 
++ arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) -- ifdef(`hide_broken_symptoms', ` +- ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') - 
@@ -36615,96 +37621,113 @@ index 84a7d66..61f95e2 100644 # Mailserver delivery local policy # +-allow mailserver_delivery self:fifo_file rw_fifo_file_perms; +allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms; -+ + allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) - read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -220,21 +241,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) --read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) ++ + manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) +-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t }) ++manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) + manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir") +-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir") + + read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) --read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -- 
-tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) -- fs_manage_cifs_symlinks(mailserver_delivery) +- fs_read_cifs_symlinks(mailserver_delivery) -') -+manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) -+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) -+manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t) - +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mailserver_delivery) - fs_manage_nfs_files(mailserver_delivery) -- fs_manage_nfs_symlinks(mailserver_delivery) +- fs_read_nfs_symlinks(mailserver_delivery) -') -+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - +- optional_policy(` - dovecot_manage_spool(mailserver_delivery) -@@ -242,6 +256,10 @@ optional_policy(` +- arpwatch_search_data(mailserver_delivery) ++ dovecot_manage_spool(mailserver_delivery) ++ dovecot_domtrans_deliver(mailserver_delivery) ') optional_policy(` +- dovecot_manage_spool(mailserver_delivery) +- dovecot_domtrans_deliver(mailserver_delivery) + logwatch_search_cache_dir(mailserver_delivery) -+') -+ -+optional_policy(` - # so MTA can access /var/lib/mailman/mail/wrapper + ') + + optional_policy(` ++ # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,6 +267,14 @@ optional_policy(` - mailman_read_data_symlinks(mailserver_delivery) - ') + mailman_domtrans(mailserver_delivery) +@@ -387,24 +277,168 @@ optional_policy(` -+optional_policy(` -+ postfix_rw_master_pipes(mailserver_delivery) -+') -+ -+optional_policy(` -+ uucp_domtrans_uux(mailserver_delivery) -+') -+ ######################################## # - # User send mail local policy -@@ -256,9 +282,9 @@ optional_policy(` - - domain_use_interactive_fds(user_mail_t) +-# User local policy ++# User send mail local policy + # --userdom_use_user_terminals(user_mail_t) +-manage_files_pattern(user_mail_t, 
mail_home_t, mail_home_t) +-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue") +-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward") +-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc") +-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter") ++domain_use_interactive_fds(user_mail_t) ++ +userdom_use_inherited_user_terminals(user_mail_t) - # Write to the user domain tty. cjp: why? --userdom_use_user_terminals(mta_user_agent) ++# Write to the user domain tty. cjp: why? +userdom_use_inherited_user_terminals(mta_user_agent) - # Create dead.letter in user home directories. - userdom_manage_user_home_content_files(user_mail_t) - userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -270,6 +296,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery) - userdom_manage_user_home_content_pipes(mailserver_delivery) - userdom_manage_user_home_content_sockets(mailserver_delivery) - userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) ++# Create dead.letter in user home directories. ++userdom_manage_user_home_content_files(user_mail_t) ++userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) ++# for reading .forward - maybe we need a new type for it? ++# also for delivering mail to maildir ++userdom_manage_user_home_content_dirs(mailserver_delivery) ++userdom_manage_user_home_content_files(mailserver_delivery) ++userdom_manage_user_home_content_symlinks(mailserver_delivery) ++userdom_manage_user_home_content_pipes(mailserver_delivery) ++userdom_manage_user_home_content_sockets(mailserver_delivery) ++userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) +allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms; + - # Read user temporary files. 
- userdom_read_user_tmp_files(user_mail_t) - userdom_dontaudit_append_user_tmp_files(user_mail_t) -@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) - # files in an appropriate place for mta_user_agent - userdom_read_user_tmp_files(mta_user_agent) ++# Read user temporary files. ++userdom_read_user_tmp_files(user_mail_t) ++userdom_dontaudit_append_user_tmp_files(user_mail_t) ++# cjp: this should probably be read all user tmp ++# files in an appropriate place for mta_user_agent ++userdom_read_user_tmp_files(mta_user_agent) + + dev_read_sysfs(user_mail_t) + +-userdom_use_user_terminals(user_mail_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(user_mail_t) ++ fs_manage_cifs_symlinks(user_mail_t) ++') + + optional_policy(` + allow user_mail_t self:capability dac_override; + ++ # Read user temporary files. ++ # postfix seems to need write access if the file handle is opened read/write + userdom_rw_user_tmp_files(user_mail_t) -+dev_read_sysfs(user_mail_t) -+ - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(user_mail_t) - fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +322,123 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -36794,7 +37817,7 @@ index 84a7d66..61f95e2 100644 + postfix_exec_master(user_mail_domain) + postfix_read_config(user_mail_domain) + postfix_search_spool(user_mail_domain) -+ postfix_rw_master_pipes(user_mail_domain) ++ postfix_rw_inherited_master_pipes(user_mail_domain) + + ifdef(`distro_redhat',` + # compatability for old default main.cf @@ -36829,113 +37852,219 @@ index 84a7d66..61f95e2 100644 + clamav_stream_connect(mta_user_agent) +') diff --git a/munin.fc b/munin.fc -index fd71d69..123ee4c 100644 +index eb4b72a..123ee4c 100644 --- a/munin.fc 
+++ b/munin.fc -@@ -4,7 +4,9 @@ - /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +@@ -1,77 +1,78 @@ +-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +- ++/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) + /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) + +-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +- +-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +- ++/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) ++/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) --/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) -+ -+# label all plugins as unconfined_munin_plugin_exec_t -+/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) - # disk plugins - /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) -@@ -41,6 +43,9 @@ - /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) - /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++# label all plugins as unconfined_munin_plugin_exec_t + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++# disk plugins ++/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/smart_.* -- 
gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++# mail plugins ++/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) + +-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/http_loadtime -- 
gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++# services plugins ++/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/slapd_.* -- 
gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +# selinux plugins -+/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) -+ - # system plugins + /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) + ++# system plugins /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -51,6 +56,7 @@ - /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
+-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -58,12 +64,15 @@ - /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/processes -- 
gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -+/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) - /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) - /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) - /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) + /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) +- +-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) +- +-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0) +- +-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +-/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) ++/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if -index c358d8f..1cc176c 100644 +index b744fe3..4c1b6a8 100644 --- a/munin.if 
+++ b/munin.if -@@ -13,10 +13,11 @@ +@@ -1,12 +1,13 @@ +-## Munin network-wide load graphing. ++## Munin network-wide load graphing (formerly LRRD) + +-####################################### ++######################################## + ## +-## The template to define a munin plugin domain. ++## Create a set of derived types for various ++## munin plugins, + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. + ## + ## # - template(`munin_plugin_template',` +@@ -14,12 +15,8 @@ template(`munin_plugin_template',` gen_require(` -- type munin_t, munin_exec_t, munin_etc_t; -+ type munin_t; -+ attribute munin_plugin_domain; - ') + attribute munin_plugin_domain, munin_plugin_tmp_content; + type munin_t; +- ') + +- ######################################## +- # +- # Declarations +- # ++ ') -- type $1_munin_plugin_t; -+ type $1_munin_plugin_t, munin_plugin_domain; + type $1_munin_plugin_t, munin_plugin_domain; type $1_munin_plugin_exec_t; - typealias $1_munin_plugin_t alias munin_$1_plugin_t; - typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; -@@ -36,17 +37,9 @@ template(`munin_plugin_template',` - # automatic transition rules from munin domain - # to specific munin plugin domain +@@ -33,15 +30,22 @@ template(`munin_plugin_template',` + files_tmp_file($1_munin_plugin_tmp_t) + + ######################################## +- # +- # Policy +- # ++ # ++ # Policy ++ # + ++ # automatic transition rules from munin domain ++ # to specific munin plugin domain domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) -- -- allow $1_munin_plugin_t munin_exec_t:file read_file_perms; -- allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms; -- -- read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t) -+ allow munin_t $1_munin_plugin_t:process signal_perms; - kernel_read_system_state($1_munin_plugin_t) -- -- corecmd_exec_bin($1_munin_plugin_t) -- -- miscfiles_read_localization($1_munin_plugin_t) + 
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) ++ ++ kernel_read_system_state($1_munin_plugin_t) ++ ++ corenet_all_recvfrom_unlabeled($1_munin_plugin_t) ++ corenet_all_recvfrom_netlabel($1_munin_plugin_t) ') ######################################## -@@ -65,9 +58,8 @@ interface(`munin_stream_connect',` - type munin_var_run_t, munin_t; - ') - -- allow $1 munin_t:unix_stream_socket connectto; -- allow $1 munin_var_run_t:sock_file { getattr write }; - files_search_pids($1) -+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) - ') +@@ -66,7 +70,7 @@ interface(`munin_stream_connect',` ####################################### -@@ -88,12 +80,50 @@ interface(`munin_read_config',` + ## +-## Read munin configuration content. ++## Read munin configuration files. + ## + ## + ## +@@ -80,15 +84,53 @@ interface(`munin_read_config',` + type munin_etc_t; + ') +- files_search_etc($1) allow $1 munin_etc_t:dir list_dir_perms; allow $1 munin_etc_t:file read_file_perms; -- allow $1 munin_etc_t:lnk_file { getattr read }; -+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms; - files_search_etc($1) + allow $1 munin_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) ') ####################################### ## +-## Append munin log files. +## Read munin library files. +## +## 
@@ -36974,21 +38103,39 @@ index c358d8f..1cc176c 100644 + +####################################### +## - ## Append to the munin log. ++## Append to the munin log. ## ## -@@ -172,12 +202,14 @@ interface(`munin_admin',` - gen_require(` - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; -- type httpd_munin_content_t; -- type munin_initrc_exec_t; -+ type httpd_munin_content_t, munin_initrc_exec_t; + ## +@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',` + + ######################################## + ## +-## All of the rules required to +-## administrate an munin environment. ++## All of the rules required to administrate ++## an munin environment + ## + ## + ## +@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the munin domain. + ## + ## + ## +@@ -170,8 +212,12 @@ interface(`munin_admin',` + type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; ') -- allow $1 munin_t:process { ptrace signal_perms }; +- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { munin_plugin_domain munin_t }) + allow $1 munin_t:process signal_perms; - ps_process_pattern($1, munin_t) ++ ps_process_pattern($1, munin_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 munin_t:process ptrace; + ') @@ -36996,90 +38143,77 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..addfbf2 100644 +index 97370e4..be752a6 100644 --- a/munin.te 
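Review bot: In the munin.if part of this hunk the rebased patch now drops `munin_plugin_domain` from `munin_admin`: the upstream lines `allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };` and `ps_process_pattern($1, { munin_plugin_domain munin_t })` are removed and replaced by `allow $1 munin_t:process signal_perms;` plus `ps_process_pattern($1, munin_t)`, with ptrace only on `munin_t` inside the `deny_ptrace` tunable. The effect is that a role given `munin_admin` can no longer list, signal or (with `deny_ptrace` off) ptrace the derived plugin domains created by `munin_plugin_template`, which looks like an unintended narrowing introduced while rebasing rather than a deliberate policy change. If keeping the plugin domains out is intended, a one-line comment above the allow rule should say so; otherwise the three rules should keep the attribute, e.g. `allow $1 { munin_plugin_domain munin_t }:process signal_perms;`, `ps_process_pattern($1, { munin_plugin_domain munin_t })` and, inside the tunable, `allow $1 { munin_plugin_domain munin_t }:process ptrace;`. The body of `munin_admin` continues past this hunk, so any further plugin-domain rules it may carry are not visible here.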
+++ b/munin.te -@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) - # Declarations +@@ -45,7 +45,7 @@ munin_plugin_template(unconfined) + # Common munin plugin local policy # -+attribute munin_plugin_domain; -+ - type munin_t alias lrrd_t; - type munin_exec_t alias lrrd_exec_t; - init_daemon_domain(munin_t, munin_exec_t) -@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t) - type munin_var_lib_t alias lrrd_var_lib_t; - files_type(munin_var_lib_t) +-allow munin_plugin_domain self:process signal; ++allow munin_plugin_domain self:process signal_perms; + allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; -+type munin_plugin_state_t; -+files_type(munin_plugin_state_t) -+ - type munin_var_run_t alias lrrd_var_run_t; - files_pid_file(munin_var_run_t) + allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; +@@ -58,24 +58,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; -@@ -31,16 +36,20 @@ munin_plugin_template(disk) + manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) - munin_plugin_template(mail) +-kernel_read_system_state(munin_plugin_domain) +- +-corenet_all_recvfrom_unlabeled(munin_plugin_domain) +-corenet_all_recvfrom_netlabel(munin_plugin_domain) + corenet_tcp_sendrecv_generic_if(munin_plugin_domain) + corenet_tcp_sendrecv_generic_node(munin_plugin_domain) -+munin_plugin_template(selinux) -+ - munin_plugin_template(services) + corecmd_exec_bin(munin_plugin_domain) + corecmd_exec_shell(munin_plugin_domain) - munin_plugin_template(system) +-files_read_etc_files(munin_plugin_domain) +-files_read_usr_files(munin_plugin_domain) + files_search_var_lib(munin_plugin_domain) -+munin_plugin_template(unconfined) -+ - ######################################## - # - # Local policy - # + fs_getattr_all_fs(munin_plugin_domain) --allow munin_t self:capability { chown dac_override setgid setuid }; -+allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; - dontaudit munin_t self:capability 
sys_tty_config; - allow munin_t self:process { getsched setsched signal_perms }; - allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -71,9 +80,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +-miscfiles_read_localization(munin_plugin_domain) +- + optional_policy(` + nscd_use(munin_plugin_domain) + ') +@@ -114,7 +106,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) + manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) - files_search_var_lib(munin_t) -+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) - manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) - manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) --files_pid_filetrans(munin_t, munin_var_run_t, file) -+files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) -+ +-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) +rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) - kernel_read_system_state(munin_t) - kernel_read_network_state(munin_t) -@@ -82,7 +94,6 @@ kernel_read_all_sysctls(munin_t) + manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) + manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) +@@ -130,7 +122,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) -corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) - corenet_udp_sendrecv_generic_if(munin_t) -@@ -101,7 +112,6 @@ dev_read_urand(munin_t) - domain_use_interactive_fds(munin_t) + corenet_tcp_sendrecv_generic_node(munin_t) +@@ -153,7 +144,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) --files_read_etc_files(munin_t) files_read_etc_runtime_files(munin_t) - files_read_usr_files(munin_t) +-files_read_usr_files(munin_t) files_list_spool(munin_t) -@@ -115,7 
+125,7 @@ logging_send_syslog_msg(munin_t) + + fs_getattr_all_fs(munin_t) +@@ -165,7 +155,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) -miscfiles_read_localization(munin_t) -+miscfiles_setattr_fonts_cache_dirs(munin_t) + miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) - -@@ -128,6 +138,11 @@ optional_policy(` +@@ -179,6 +168,11 @@ optional_policy(` manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) apache_search_sys_content(munin_t) 
@@ -37091,275 +38225,227 @@ index f17583b..addfbf2 100644 ') optional_policy(` -@@ -145,6 +160,7 @@ optional_policy(` - optional_policy(` - mta_read_config(munin_t) - mta_send_mail(munin_t) -+ mta_list_queue(munin_t) - mta_read_queue(munin_t) - ') - -@@ -155,10 +171,13 @@ optional_policy(` - - optional_policy(` - netutils_domtrans_ping(munin_t) -+ netutils_signal_ping(munin_t) -+ netutils_kill_ping(munin_t) - ') +@@ -213,7 +207,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) -+ postfix_getattr_spool_files(munin_t) +- postfix_getattr_all_spool_files(munin_t) ') optional_policy(` -@@ -182,6 +201,7 @@ optional_policy(` - # local policy for disk plugins - # - -+allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; - allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - - rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t) - - corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) +@@ -252,11 +245,17 @@ dev_read_sysfs(disk_munin_plugin_t) + dev_read_urand(disk_munin_plugin_t) --files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) +files_read_usr_files(disk_munin_plugin_t) - --fs_getattr_all_fs(disk_munin_plugin_t) -- ++ +dev_getattr_lvm_control(disk_munin_plugin_t) - dev_read_sysfs(disk_munin_plugin_t) - dev_read_urand(disk_munin_plugin_t) ++dev_read_sysfs(disk_munin_plugin_t) ++dev_read_urand(disk_munin_plugin_t) +dev_read_all_blk_files(munin_disk_plugin_t) + fs_getattr_all_fs(disk_munin_plugin_t) + fs_getattr_all_dirs(disk_munin_plugin_t) + -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) -+fs_getattr_all_fs(disk_munin_plugin_t) -+fs_getattr_all_dirs(disk_munin_plugin_t) -+ +storage_raw_read_fixed_disk(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -275,27 +274,36 @@ 
optional_policy(` + + allow mail_munin_plugin_t self:capability dac_override; + ++allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; ++allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++ + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) --files_read_etc_files(mail_munin_plugin_t) -+logging_read_generic_logs(mail_munin_plugin_t) + logging_read_generic_logs(mail_munin_plugin_t) --fs_getattr_all_fs(mail_munin_plugin_t) ++sysnet_read_config(mail_munin_plugin_t) ++ +optional_policy(` + exim_read_log(mail_munin_plugin_t) +') - --logging_read_generic_logs(mail_munin_plugin_t) -+optional_policy(` -+ mta_read_config(mail_munin_plugin_t) -+ mta_send_mail(mail_munin_plugin_t) ++ + optional_policy(` +- mta_list_queue(mail_munin_plugin_t) + mta_read_config(mail_munin_plugin_t) +- mta_read_queue(mail_munin_plugin_t) + mta_send_mail(mail_munin_plugin_t) + mta_list_queue(mail_munin_plugin_t) + mta_read_queue(mail_munin_plugin_t) -+') + ') --mta_read_config(mail_munin_plugin_t) --mta_send_mail(mail_munin_plugin_t) --mta_read_queue(mail_munin_plugin_t) -+optional_policy(` + optional_policy(` +- nscd_use(mail_munin_plugin_t) + nscd_socket_use(mail_munin_plugin_t) -+') + ') optional_policy(` +- postfix_getattr_all_spool_files(mail_munin_plugin_t) postfix_read_config(mail_munin_plugin_t) postfix_list_spool(mail_munin_plugin_t) + postfix_getattr_spool_files(mail_munin_plugin_t) ') optional_policy(` - sendmail_read_log(mail_munin_plugin_t) - ') - -+################################## -+# -+# local policy for selinux plugins -+# -+ -+selinux_get_enforce_mode(selinux_munin_plugin_t) -+ - ################################### - # - # local policy for service plugins - # - -+allow services_munin_plugin_t self:shm create_sem_perms; -+allow services_munin_plugin_t self:sem create_sem_perms; - allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; - allow 
services_munin_plugin_t self:udp_socket create_socket_perms; - allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) - dev_read_urand(services_munin_plugin_t) - dev_read_rand(services_munin_plugin_t) - --fs_getattr_all_fs(services_munin_plugin_t) -- --files_read_etc_files(services_munin_plugin_t) -- - sysnet_read_config(services_munin_plugin_t) - - optional_policy(` -+ cups_read_config(services_munin_plugin_t) - cups_stream_connect(services_munin_plugin_t) - ') - -@@ -279,6 +316,14 @@ optional_policy(` +@@ -353,7 +361,11 @@ optional_policy(` ') optional_policy(` +- nscd_use(services_munin_plugin_t) + nscd_socket_use(services_munin_plugin_t) +') + +optional_policy(` + ntp_exec(services_munin_plugin_t) -+') -+ -+optional_policy(` - postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +331,18 @@ optional_policy(` - snmp_read_snmp_var_lib_files(services_munin_plugin_t) + optional_policy(` +@@ -413,3 +425,4 @@ optional_policy(` + optional_policy(` + unconfined_domain(unconfined_munin_plugin_t) ') - -+optional_policy(` -+ sssd_stream_connect(services_munin_plugin_t) -+') -+ -+optional_policy(` -+ varnishd_read_lib_files(services_munin_plugin_t) -+') -+ -+optional_policy(` -+ bind_read_config(munin_services_plugin_t) -+') + - ################################## - # - # local policy for system plugins -@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; - - rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - --kernel_read_network_state(system_munin_plugin_t) --kernel_read_all_sysctls(system_munin_plugin_t) +diff --git a/mysql.fc b/mysql.fc +index c48dc17..43f60de 100644 +--- a/mysql.fc ++++ b/mysql.fc +@@ -1,11 +1,24 @@ +-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - --corecmd_exec_shell(system_munin_plugin_t) -+# needed by munin_* plugins 
-+read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) - --fs_getattr_all_fs(system_munin_plugin_t) -+kernel_read_network_state(system_munin_plugin_t) - - dev_read_sysfs(system_munin_plugin_t) - dev_read_urand(system_munin_plugin_t) -@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t) - sysnet_exec_ifconfig(system_munin_plugin_t) - - term_getattr_unallocated_ttys(system_munin_plugin_t) -+term_getattr_all_ttys(system_munin_plugin_t) -+term_getattr_all_ptys(system_munin_plugin_t) -+ -+optional_policy(` -+ bind_read_config(system_munin_plugin_t) -+') +-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) +-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) +- +-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) +- ++# mysql database server + -+####################################### +# -+# Unconfined plugin policy ++# /HOME +# ++HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) ++/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) + -+optional_policy(` -+ unconfined_domain(unconfined_munin_plugin_t) -+') ++/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) + -+################################ +# -+# local policy for munin plugin domains ++# /etc +# ++/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) ++/etc/mysql(/.*)? 
gen_context(system_u:object_r:mysqld_etc_t,s0) ++/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) + -+allow munin_plugin_domain self:process signal; -+ -+allow munin_plugin_domain munin_exec_t:file read_file_perms; -+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -+ -+# creates plugin state files -+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) -+ -+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) -+ -+corecmd_exec_bin(munin_plugin_domain) -+corecmd_exec_shell(munin_plugin_domain) -+ -+files_search_var_lib(munin_plugin_domain) -+files_read_usr_files(munin_plugin_domain) -+ -+fs_getattr_all_fs(munin_plugin_domain) -+ -+auth_read_passwd(munin_plugin_domain) -+ -+optional_policy(` -+ nscd_socket_use(munin_plugin_domain) -+') -diff --git a/mysql.fc b/mysql.fc -index 716d666..43f60de 100644 ---- a/mysql.fc -+++ b/mysql.fc -@@ -1,6 +1,14 @@ - # mysql database server ++# ++# /usr ++# + /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) - # -+# /HOME +@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) + + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) + /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) +-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) ++/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +-/var/lib/mysql(/.*)? 
gen_context(system_u:object_r:mysqld_db_t,s0) +-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) +# -+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) -+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) -+ -+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) -+ ++# /var +# - # /etc - # - /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) ++/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) ++/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) + + /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) + +-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) +-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) ++/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) ++/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/mysql.if b/mysql.if -index e9c0982..404ed6d 100644 +index 687af38..404ed6d 100644 --- a/mysql.if 
+++ b/mysql.if -@@ -18,6 +18,24 @@ interface(`mysql_domtrans',` +@@ -1,23 +1,4 @@ +-## Open source database. +- +-######################################## +-## +-## Role access for mysql. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`mysql_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') ++## Policy for MySQL + + ###################################### + ## +@@ -34,38 +15,30 @@ interface(`mysql_domtrans',` + type mysqld_t, mysqld_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, mysqld_exec_t, mysqld_t) ') +-######################################## +###################################### -+## + ## +-## Execute mysqld in the mysqld domain, and +-## allow the specified role the mysqld domain. +## Execute MySQL in the caller domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`mysql_run_mysqld',` +interface(`mysql_exec',` -+ gen_require(` + gen_require(` +- attribute_role mysqld_roles; + type mysqld_exec_t; -+ ') -+ + ') + +- mysql_domtrans($1) +- roleattribute $2 mysqld_roles; + can_exec($1, mysqld_exec_t) -+') -+ + ') + ######################################## ## - ## Send a generic signal to MySQL. -@@ -36,6 +54,24 @@ interface(`mysql_signal',` +-## Send generic signals to mysqld. ++## Send a generic signal to MySQL. + ## + ## + ## +@@ -81,9 +54,27 @@ interface(`mysql_signal',` allow $1 mysqld_t:process signal; ') 
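Review bot: In the munin disk-plugin part of this hunk the type in `dev_read_all_blk_files(munin_disk_plugin_t)` does not match `disk_munin_plugin_t` used on every neighbouring line (`dev_getattr_lvm_control`, `storage_raw_read_fixed_disk`, `fs_getattr_all_fs`), and no such type or alias is declared in view; unless one exists elsewhere in munin.te the module will fail to build, and if it is a typo the rule should read `dev_read_all_blk_files(disk_munin_plugin_t)`. The same block also lets the disk plugin read raw fixed-disk devices (`storage_raw_read_fixed_disk` plus all block files), which bypasses file-level labeling entirely, yet nothing in the hunk says which plugin needs it (the hddtemp port rule is the only hint). A one-line why-comment above those rules, e.g. `# raw device reads needed by the disk/SMART plugins -- confirm`, would let the next reviewer judge whether this belongs behind a tunable. The munin.te section these lines sit in starts outside the hunk.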
@@ -37383,19 +38469,69 @@ index e9c0982..404ed6d 100644 + ######################################## ## - ## Allow the specified domain to connect to postgresql with a tcp socket. -@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',` - type mysqld_t, mysqld_var_run_t, mysqld_db_t; +-## Connect to mysqld with a tcp socket. ++## Allow the specified domain to connect to postgresql with a tcp socket. + ## + ## + ## +@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',` + + ######################################## + ## +-## Connect to mysqld with a unix +-# domain stream socket. ++## Connect to MySQL using a unix domain stream socket. + ## + ## + ## +@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',` ') -+ files_search_pids($1) - stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) - stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) + files_search_pids($1) +- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) ++ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) ++ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') -@@ -122,6 +159,26 @@ interface(`mysql_search_db',` ######################################## ## +-## Read mysqld configuration content. ++## Read MySQL configuration files. + ## + ## + ## +@@ -139,7 +130,6 @@ interface(`mysql_read_config',` + type mysqld_etc_t; + ') + +- files_search_etc($1) + allow $1 mysqld_etc_t:dir list_dir_perms; + allow $1 mysqld_etc_t:file read_file_perms; + allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; +@@ -147,7 +137,8 @@ interface(`mysql_read_config',` + + ######################################## + ## +-## Search mysqld db directories. ++## Search the directories that contain MySQL ++## database storage. + ## + ## + ## +@@ -155,6 +146,8 @@ interface(`mysql_read_config',` + ## + ## + # ++# cjp: "_dir" in the name is added to clarify that this ++# is not searching the database itself. 
+ interface(`mysql_search_db',` + gen_require(` + type mysqld_db_t; +@@ -166,7 +159,27 @@ interface(`mysql_search_db',` + + ######################################## + ## +-## Read and write mysqld database directories. +## List the directories that contain MySQL +## database storage. +## 
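Review bot: The rewritten description of `mysql_tcp_connect` on the new side says "connect to postgresql with a tcp socket", which is a copy-paste error in a MySQL interface and would presumably be carried into any generated interface documentation; it should read `## Allow the specified domain to connect to MySQL with a tcp socket.`. Separately, `mysql_read_config` drops `files_search_etc($1)` while keeping the `mysqld_etc_t` dir/file/lnk_file rules, so a caller that does not already hold search on `/etc` will no longer be able to reach `/etc/my.cnf` through this interface. If that is intentional, a short comment such as `# callers are expected to already search etc_t` would stop it being re-added.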
@@ -37416,37 +38552,139 @@ index e9c0982..404ed6d 100644 + +######################################## +## - ## Read and write to the MySQL database directory. ++## Read and write to the MySQL database directory. + ## + ## + ## +@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',` + + ######################################## + ## +-## Create, read, write, and delete +-## mysqld database directories. ++## Create, read, write, and delete MySQL database directories. + ## + ## + ## +@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',` + + ####################################### + ## +-## Append mysqld database files. ++## Append to the MySQL database directory. + ## + ## + ## +@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',` + + ####################################### + ## +-## Read and write mysqld database files. ++## Read and write to the MySQL database directory. + ## + ## + ## +@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',` + + ####################################### + ## +-## Create, read, write, and delete +-## mysqld database files. ++## Create, read, write, and delete MySQL database files. + ## + ## + ## +@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',` + + ######################################## + ## +-## Read and write mysqld database sockets. ++## Read and write to the MySQL database + ## named socket. + ## + ## +@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',` + ## + # + interface(`mysql_rw_db_sockets',` +- refpolicywarn(`$0($*) has been deprecated.') ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 mysqld_db_t:dir search_dir_perms; ++ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## mysqld home files. ++## Write to the MySQL log. 
## ## -@@ -252,12 +309,12 @@ interface(`mysql_write_log',` + ## +@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',` + ## + ## + # +-interface(`mysql_manage_mysqld_home_files',` ++interface(`mysql_write_log',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_log_t; ') - logging_search_logs($1) -- allow $1 mysqld_log_t:file { write_file_perms setattr }; +- userdom_search_user_home_dirs($1) +- allow $1 mysqld_home_t:file manage_file_perms; ++ logging_search_logs($1) + allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; ') - ###################################### +-######################################## ++###################################### ## --## Execute MySQL server in the mysql domain. +-## Relabel mysqld home files. +## Execute MySQL safe script in the mysql safe domain. ## ## ## -@@ -273,6 +330,24 @@ interface(`mysql_domtrans_mysql_safe',` - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`mysql_relabel_mysqld_home_files',` ++interface(`mysql_domtrans_mysql_safe',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_safe_t, mysqld_safe_exec_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 mysqld_home_t:file relabel_file_perms; ++ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) ') +-######################################## +###################################### -+## + ## +-## Create objects in user home +-## directories with the mysqld home type. +## Execute MySQL_safe in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +# +interface(`mysql_safe_exec',` + gen_require(` 
@@ -37456,118 +38694,203 @@ index e9c0982..404ed6d 100644 + can_exec($1, mysqld_safe_exec_t) +') + - ##################################### ++##################################### ++## ++## Read MySQL PID files. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`mysql_home_filetrans_mysqld_home',` ++interface(`mysql_read_pid_files',` + gen_require(` +- type mysqld_home_t; ++ type mysqld_var_run_t; + ') + +- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) ++ mysql_search_pid_files($1) ++ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + ') + +-######################################## ++##################################### ## - ## Read MySQL PID files. -@@ -313,6 +388,67 @@ interface(`mysql_search_pid_files',` +-## Write mysqld log files. ++## Search MySQL PID files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`mysql_write_log',` ++interface(`mysql_search_pid_files',` + gen_require(` +- type mysqld_log_t; ++ type mysqld_var_run_t; + ') - ######################################## +- logging_search_logs($1) +- allow $1 mysqld_log_t:file write_file_perms; ++ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + ') + +-###################################### ++######################################## ## +-## Execute mysqld safe in the +-## mysqld safe domain. +## Execute mysqld server in the mysqld domain. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# + ## + ## + ## +@@ -374,18 +396,22 @@ interface(`mysql_write_log',` + ## + ## + # +-interface(`mysql_domtrans_mysql_safe',` +interface(`mysql_systemctl',` -+ gen_require(` + gen_require(` +- type mysqld_safe_t, mysqld_safe_exec_t; + type mysqld_unit_file_t; + type mysqld_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) + systemd_exec_systemctl($1) + allow $1 mysqld_unit_file_t:file read_file_perms; + allow $1 mysqld_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, mysqld_t) -+') -+ + ') + +-##################################### +######################################## -+## + ## +-## Read mysqld pid files. +## read mysqld homedir content (.k5login) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',` + ## + ## + # +-interface(`mysql_read_pid_files',` +interface(`mysql_read_home_content',` -+ gen_require(` + gen_require(` +- type mysqld_var_run_t; + type mysqld_home_t; -+ ') -+ + ') + +- files_search_pids($1) +- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + userdom_search_user_home_dirs($1) + read_files_pattern($1, mysqld_home_t, mysqld_home_t) -+') -+ + ') + +-##################################### +######################################## -+## + ## +-## Search mysqld pid files. +## Transition to mysqld named content -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. 
-+## -+## -+# + ## + ## +-## + # +-interface(`mysql_search_pid_files',` +interface(`mysql_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type mysqld_var_run_t; + type mysqld_home_t; -+ ') -+ + ') + +- files_search_pids($1) +- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") + userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") -+') -+ -+######################################## -+## - ## All of the rules required to administrate an mysql environment + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mysqld environment. ++## All of the rules required to administrate an mysql environment ## ## -@@ -329,27 +465,45 @@ interface(`mysql_search_pid_files',` + ## +@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the mysql domain. + ## + ## + ## # interface(`mysql_admin',` gen_require(` -- type mysqld_t, mysqld_var_run_t; -- type mysqld_tmp_t, mysqld_db_t; -- type mysqld_etc_t, mysqld_log_t; -- type mysqld_initrc_exec_t; +- type mysqld_t, mysqld_var_run_t, mysqld_etc_t; + type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; -+ type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; +- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; +- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; + type mysqld_etc_t; + type mysqld_home_t; + type mysqld_unit_file_t; ') -- allow $1 mysqld_t:process { ptrace signal_perms }; +- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) + allow $1 mysqld_t:process signal_perms; - ps_process_pattern($1, mysqld_t) ++ ps_process_pattern($1, mysqld_t) + tunable_policy(`deny_ptrace',`',` + allow $1 mysqld_t:process ptrace; 
+ ') - init_labeled_script_domtrans($1, mysqld_initrc_exec_t) +- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) ++ init_labeled_script_domtrans($1, mysqld_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 mysqld_initrc_exec_t system_r; +- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; ++ role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; +- files_search_pids($1) +- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) + files_list_pids($1) - admin_pattern($1, mysqld_var_run_t) ++ admin_pattern($1, mysqld_var_run_t) +- files_search_var_lib($1) admin_pattern($1, mysqld_db_t) +- files_search_etc($1) +- admin_pattern($1, { mysqld_etc_t mysqld_home_t }) + files_list_etc($1) - admin_pattern($1, mysqld_etc_t) ++ admin_pattern($1, mysqld_etc_t) +- logging_search_logs($1) + logging_list_logs($1) admin_pattern($1, mysqld_log_t) +- files_search_tmp($1) + files_list_tmp($1) admin_pattern($1, mysqld_tmp_t) -+ + +- mysql_run_mysqld($1, $2) + userdom_search_user_home_dirs($1) + files_list_root($1) + admin_pattern($1, mysqld_home_t) @@ -37579,23 +38902,72 @@ index e9c0982..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 1cf05a3..8855ea2 100644 +index 9f6179e..8855ea2 100644 --- a/mysql.te +++ b/mysql.te -@@ -29,6 +29,12 @@ files_type(mysqld_db_t) - type mysqld_etc_t alias etc_mysqld_t; - files_config_file(mysqld_etc_t) +@@ -1,4 +1,4 @@ +-policy_module(mysql, 1.13.5) ++policy_module(mysql, 1.13.0) + + ######################################## + # +@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5) + # + + ## +-##

    +-## Determine whether mysqld can +-## connect to all TCP ports. +-##

    ++##

    ++## Allow mysqld to connect to all ports ++##

    + ##
    + gen_tunable(mysql_connect_any, false) + +-attribute_role mysqld_roles; +- + type mysqld_t; + type mysqld_exec_t; + init_daemon_domain(mysqld_t, mysqld_exec_t) +-application_domain(mysqld_t, mysqld_exec_t) +-role mysqld_roles types mysqld_t; + + type mysqld_safe_t; + type mysqld_safe_exec_t; +@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) + + type mysqld_var_run_t; + files_pid_file(mysqld_var_run_t) +-init_daemon_run_dir(mysqld_var_run_t, "mysqld") + + type mysqld_db_t; + files_type(mysqld_db_t) +@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t) + type mysqld_home_t; + userdom_user_home_content(mysqld_home_t) -+type mysqld_home_t; -+userdom_user_home_content(mysqld_home_t) -+ +type mysqld_unit_file_t; +systemd_unit_file(mysqld_unit_file_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -64,11 +70,12 @@ allow mysqld_t self:udp_socket create_socket_perms; +@@ -62,26 +59,26 @@ files_pid_file(mysqlmanagerd_var_run_t) + # Local policy + # + +-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; ++allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; + allow mysqld_t self:fifo_file rw_fifo_file_perms; + allow mysqld_t self:shm create_shm_perms; +-allow mysqld_t self:unix_stream_socket { accept listen }; +-allow mysqld_t self:tcp_socket { accept listen }; ++allow mysqld_t self:unix_stream_socket create_stream_socket_perms; ++allow mysqld_t self:tcp_socket create_stream_socket_perms; ++allow mysqld_t self:udp_socket create_socket_perms; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) 
@@ -37603,114 +38975,189 @@ index 1cf05a3..8855ea2 100644 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) - allow mysqld_t mysqld_etc_t:file read_file_perms; --allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; -+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; - allow mysqld_t mysqld_etc_t:dir list_dir_perms; +-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +- +-allow mysqld_t mysqld_etc_t:dir list_dir_perms; +-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; ++allow mysqld_t mysqld_etc_t:file read_file_perms; + allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++allow mysqld_t mysqld_etc_t:dir list_dir_perms; - allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,14 +85,21 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) - manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) - files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) +-allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow mysqld_t mysqld_log_t:file manage_file_perms; + logging_log_filetrans(mysqld_t, mysqld_log_t, file) -+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) - manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -93,50 +90,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) --files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file }) -+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) -+ -+userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) -+kernel_read_network_state(mysqld_t) +-kernel_read_kernel_sysctls(mysqld_t) ++userdom_dontaudit_use_unpriv_user_fds(mysqld_t) ++ + 
kernel_read_network_state(mysqld_t) kernel_read_system_state(mysqld_t) +kernel_read_network_state(mysqld_t) - kernel_read_kernel_sysctls(mysqld_t) - --corenet_all_recvfrom_unlabeled(mysqld_t) ++kernel_read_kernel_sysctls(mysqld_t) ++ +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) -+ + +-corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) - corenet_udp_sendrecv_generic_if(mysqld_t) -@@ -110,7 +124,6 @@ domain_use_interactive_fds(mysqld_t) ++corenet_udp_sendrecv_generic_if(mysqld_t) + corenet_tcp_sendrecv_generic_node(mysqld_t) ++corenet_udp_sendrecv_generic_node(mysqld_t) ++corenet_tcp_sendrecv_all_ports(mysqld_t) ++corenet_udp_sendrecv_all_ports(mysqld_t) + corenet_tcp_bind_generic_node(mysqld_t) +- +-corenet_sendrecv_mysqld_server_packets(mysqld_t) + corenet_tcp_bind_mysqld_port(mysqld_t) +-corenet_sendrecv_mysqld_client_packets(mysqld_t) + corenet_tcp_connect_mysqld_port(mysqld_t) +-corenet_tcp_sendrecv_mysqld_port(mysqld_t) +- +-corecmd_exec_bin(mysqld_t) +-corecmd_exec_shell(mysqld_t) ++corenet_sendrecv_mysqld_client_packets(mysqld_t) ++corenet_sendrecv_mysqld_server_packets(mysqld_t) + + dev_read_sysfs(mysqld_t) + dev_read_urand(mysqld_t) + +-domain_use_interactive_fds(mysqld_t) +- + fs_getattr_all_fs(mysqld_t) + fs_search_auto_mountpoints(mysqld_t) + fs_rw_hugetlbfs_files(mysqld_t) - files_getattr_var_lib_dirs(mysqld_t) ++domain_use_interactive_fds(mysqld_t) ++ ++files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) --files_read_etc_files(mysqld_t) files_read_usr_files(mysqld_t) - files_search_var_lib(mysqld_t) ++files_search_var_lib(mysqld_t) -@@ -118,17 +131,10 @@ auth_use_nsswitch(mysqld_t) + auth_use_nsswitch(mysqld_t) logging_send_syslog_msg(mysqld_t) -miscfiles_read_localization(mysqld_t) -- - sysnet_read_config(mysqld_t) ++sysnet_read_config(mysqld_t) +-userdom_search_user_home_dirs(mysqld_t) -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) --# for 
/root/.my.cnf - should not be needed: --userdom_read_user_home_content_files(mysqld_t) -- - ifdef(`distro_redhat',` -- # because Fedora has the sock_file in the database directory -- type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; ++ifdef(`distro_redhat',` + filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) - ') ++') tunable_policy(`mysql_connect_any',` -@@ -154,10 +160,11 @@ optional_policy(` +- corenet_sendrecv_all_client_packets(mysqld_t) + corenet_tcp_connect_all_ports(mysqld_t) +- corenet_tcp_sendrecv_all_ports(mysqld_t) ++ corenet_sendrecv_all_client_packets(mysqld_t) + ') + + optional_policy(` +@@ -153,29 +156,22 @@ optional_policy(` + + ####################################### + # +-# Safe local policy ++# Local mysqld_safe policy # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; --dontaudit mysqld_safe_t self:capability sys_ptrace; -+allow mysqld_safe_t self:process { setsched getsched setrlimit }; + allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +-allow mysqld_safe_t mysqld_t:process signull; +- read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) +-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms; +-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +177,33 @@ kernel_read_system_state(mysqld_safe_t) - kernel_read_kernel_sysctls(mysqld_safe_t) +-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++allow mysqld_safe_t mysqld_log_t:file manage_file_perms; - 
corecmd_exec_bin(mysqld_safe_t) -+corecmd_exec_shell(mysqld_safe_t) + manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) +- +-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) ++delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) - dev_list_sysfs(mysqld_safe_t) + kernel_read_system_state(mysqld_safe_t) + kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,17 +183,22 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) -files_read_etc_files(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) +-files_search_pids(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) +-files_dontaudit_search_all_mountpoints(mysqld_safe_t) - logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -+logging_send_syslog_msg(mysqld_safe_t) ++logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + logging_send_syslog_msg(mysqld_safe_t) --hostname_exec(mysqld_safe_t) +-miscfiles_read_localization(mysqld_safe_t) +auth_read_passwd(mysqld_safe_t) --miscfiles_read_localization(mysqld_safe_t) +-userdom_search_user_home_dirs(mysqld_safe_t) +domain_dontaudit_signull_all_domains(mysqld_safe_t) - - mysql_manage_db_files(mysqld_safe_t) - mysql_read_config(mysqld_safe_t) - mysql_search_pid_files(mysqld_safe_t) ++ ++mysql_manage_db_files(mysqld_safe_t) ++mysql_read_config(mysqld_safe_t) ++mysql_search_pid_files(mysqld_safe_t) +mysql_signull(mysqld_safe_t) - mysql_write_log(mysqld_safe_t) ++mysql_write_log(mysqld_safe_t) + + optional_policy(` + hostname_exec(mysqld_safe_t) +@@ -205,7 +206,7 @@ optional_policy(` -+optional_policy(` -+ hostname_exec(mysqld_safe_t) -+') -+ ######################################## # - # MySQL Manager Policy -@@ -218,7 +232,6 @@ kernel_read_system_state(mysqlmanagerd_t) +-# Manager local policy ++# MySQL Manager Policy + # + + allow 
mysqlmanagerd_t self:capability { dac_override kill }; +@@ -214,11 +215,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; + allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; + allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; + +-allow mysqlmanagerd_t mysqld_t:process signal; +- +-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; +-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; +-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms; ++mysql_read_config(initrc_t) ++mysql_read_config(mysqlmanagerd_t) ++mysql_read_pid_files(mysqlmanagerd_t) ++mysql_search_db(mysqlmanagerd_t) ++mysql_signal(mysqlmanagerd_t) ++mysql_stream_connect(mysqlmanagerd_t) + + domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) + +@@ -226,31 +228,23 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) + manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) + filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) + +-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) +- + kernel_read_system_state(mysqlmanagerd_t) corecmd_exec_shell(mysqlmanagerd_t) 
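Review bot: On the new side `allow mysqld_t mysqld_log_t:file manage_file_perms;` (and the matching `mysqld_safe_t` rule further down the hunk) replaces the append-only set `{ append_file_perms create_file_perms setattr_file_perms }`, so a compromised server or wrapper could now truncate, overwrite or unlink its own logs instead of only appending to them, which is a forensics regression with no visible justification. Unless mysqld really needs write/unlink on `mysqld_log_t`, keep the narrower rule: `allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };`. Also, `mysql_read_config(initrc_t)` now sits inside the MySQL Manager section and references `initrc_t` with no gen_require in view; if the type is not required elsewhere in mysql.te the module will not build, and even if it is, the line reads as misplaced among the mysqlmanagerd rules. The MySQL Manager section continues past the end of this hunk.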
@@ -37718,172 +39165,237 @@ index 1cf05a3..8855ea2 100644 corenet_all_recvfrom_netlabel(mysqlmanagerd_t) corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) -@@ -231,9 +244,7 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) ++corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) + corenet_tcp_bind_generic_node(mysqlmanagerd_t) +- +-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) + corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) +-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) + corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) +-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) ++corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) ++corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) dev_read_urand(mysqlmanagerd_t) -files_read_etc_files(mysqlmanagerd_t) files_read_usr_files(mysqlmanagerd_t) +-files_search_pids(mysqlmanagerd_t) +-files_search_var_lib(mysqlmanagerd_t) -miscfiles_read_localization(mysqlmanagerd_t) - userdom_getattr_user_home_dirs(mysqlmanagerd_t) +-userdom_search_user_home_dirs(mysqlmanagerd_t) ++userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/nagios.fc b/nagios.fc -index 1238f2e..d80b4db 100644 +index d78dfc3..d80b4db 100644 --- a/nagios.fc 
+++ b/nagios.fc -@@ -6,7 +6,7 @@ - /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - --/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +@@ -1,88 +1,93 @@ +-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) ++/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + +-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) +/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - /usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -@@ -19,70 +19,75 @@ - ifdef(`distro_debian',` - /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - ') --/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) --/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) ++/var/log/nagios(/.*)? 
gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + +-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) + +-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) + +-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++ifdef(`distro_debian',` ++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++') +/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - # admin plugins --/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) ++# admin plugins + /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - # check disk plugins - /usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_disk -- 
gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++# check disk plugins ++/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - # mail plugins -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++# mail plugins +/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) + +/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) - # system plugins --/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++# system plugins + /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ifstatus -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_users -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - - # services plugins --/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - 
/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) --/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - 
/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - - # unconfined plugins --/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+ + /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) 
+-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + ++# services plugins + /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 
++/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 
+-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + ++# unconfined plugins + /usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + +-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) +- +-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +- +-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) +-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) +- +-/var/spool/nagios(/.*)? 
gen_context(system_u:object_r:nagios_spool_t,s0) +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) diff --git a/nagios.if b/nagios.if -index 8581040..d7d9a79 100644 +index 0641e97..d7d9a79 100644 --- a/nagios.if 
+++ b/nagios.if -@@ -12,31 +12,24 @@ +@@ -1,12 +1,13 @@ +-## Network monitoring server. ++## Net Saint / NAGIOS - network monitoring server + +-####################################### ++######################################## + ## +-## The template to define a nagios plugin domain. ++## Create a set of derived types for various ++## nagios plugins, + ## +-## ++## + ## +-## Domain prefix to be used. ++## The name to be used for deriving type names. + ## ## # - template(`nagios_plugin_template',` -- - gen_require(` -+ attribute nagios_plugin_domain; +@@ -16,38 +17,31 @@ template(`nagios_plugin_template',` type nagios_t, nrpe_t; -- type nagios_log_t; ') -- type nagios_$1_plugin_t; -+ type nagios_$1_plugin_t, nagios_plugin_domain; +- ######################################## +- # +- # Declarations +- # +- + type nagios_$1_plugin_t, nagios_plugin_domain; type nagios_$1_plugin_exec_t; application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) role system_r types nagios_$1_plugin_t; -- allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; +- ######################################## +- # +- # Policy +- # - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) -+ allow nagios_t nagios_$1_plugin_exec_t:file ioctl; + allow nagios_t nagios_$1_plugin_exec_t:file ioctl; - # needed by command.cfg ++ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - -- allow nagios_t nagios_$1_plugin_t:process signal_perms; -- -- # cjp: leaked file descriptor -- dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; -- dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; ++ + kernel_read_system_state(nagios_$1_plugin_t) - -- miscfiles_read_localization(nagios_$1_plugin_t) ++ ') ######################################## -@@ -49,7 +42,6 @@ template(`nagios_plugin_template',` + ## +-## Do not audit attempts to read or +-## write nagios unnamed pipes. 
++## Do not audit attempts to read or write nagios ++## unnamed pipes. + ## + ## + ## ## Domain to not audit. ## ## @@ -37891,10 +39403,72 @@ index 8581040..d7d9a79 100644 # interface(`nagios_dontaudit_rw_pipes',` gen_require(` -@@ -159,6 +151,26 @@ interface(`nagios_read_tmp_files',` +@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',` + + ######################################## + ## +-## Read nagios configuration content. ++## Allow the specified domain to read ++## nagios configuration files. + ## + ## + ## +@@ -73,15 +68,14 @@ interface(`nagios_read_config',` + type nagios_etc_t; + ') + +- files_search_etc($1) + allow $1 nagios_etc_t:dir list_dir_perms; + allow $1 nagios_etc_t:file read_file_perms; +- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ###################################### + ## +-## Read nagios log files. ++## Read nagios logs. + ## + ## + ## +@@ -100,8 +94,7 @@ interface(`nagios_read_log',` + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios log files. ++## Do not audit attempts to read or write nagios logs. + ## + ## + ## +@@ -132,13 +125,14 @@ interface(`nagios_search_spool',` + type nagios_spool_t; + ') + +- files_search_spool($1) + allow $1 nagios_spool_t:dir search_dir_perms; ++ files_search_spool($1) + ') ######################################## ## +-## Read nagios temporary files. ++## Allow the specified domain to read ++## nagios temporary files. + ## + ## + ## +@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',` + type nagios_tmp_t; + ') + +- files_search_tmp($1) + allow $1 nagios_tmp_t:file read_file_perms; ++ files_search_tmp($1) ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. +## 
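Review bot: The mysqlmanagerd policy on the new side of this hunk swaps the single-port rule `corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)` for `corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)`, which lets the manager domain exchange TCP traffic with every labeled port instead of only its own; the bind/connect lines kept in context (`corenet_tcp_bind_mysqlmanagerd_port`, `corenet_tcp_connect_mysqlmanagerd_port`) already cover the manager port, so either keep the port-specific sendrecv interface or add a comment naming the denial that forced the widening. The same block gains `mysql_read_config(initrc_t)`, which grants every init script read access to mysqld_etc_t and is filed under the mysqlmanagerd section where nobody looking for initrc_t rules will find it; move it to the mysqld/init section with a one-line why-comment. In the nagios.fc rewrite the `/var/run/nrpe.* -- ...nrpe_var_run_t` entry is removed and never re-added, while nagios.te still does `files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)`, so a restorecon would reset nrpe's pid file to the generic pid type; the index line shows the resulting blob d80b4db is unchanged, so this gap likely predates the commit, but a line next to the new `/var/run/nagios.*` entry would close it. The mysqlmanagerd section begins before this hunk.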
@@ -37911,289 +39485,256 @@ index 8581040..d7d9a79 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## - ## Execute the nagios NRPE with - ## a domain transition. + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. ++## Execute the nagios NRPE with ++## a domain transition. + ## + ## + ## +@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',` + type nrpe_t, nrpe_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, nrpe_exec_t, nrpe_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nagios environment. ++## All of the rules required to administrate ++## an nagios environment ## -@@ -195,15 +207,16 @@ interface(`nagios_domtrans_nrpe',` + ## + ## +@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the nagios domain. 
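Review bot: The patched `nagios_read_config` in this hunk drops `allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;` while keeping the dir and file rules, so a caller whose /etc/nagios configuration is reached through a symlink is denied at the link; that is a silent functional regression rather than a hardening, and the lnk_file rule should be kept beside the file rule. The new interface whose header closes this hunk is summarised as `Allow the specified domain to read nagios temporary files`, identical to the summary of `nagios_read_tmp_files` just above it, while its body in the following hunk grants `rw_inherited_file_perms`; the summary should read `Read and write inherited nagios temporary files` so policy authors do not pick the wrong interface. The index line in the previous hunk shows nagios.if's result blob (d7d9a79) unchanged, so both points appear to be pre-existing properties of the Fedora patch being re-based rather than new in this commit. That interface's body lies outside this hunk.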
+ ## + ## + ## # interface(`nagios_admin',` gen_require(` -- type nagios_t, nrpe_t; -- type nagios_tmp_t, nagios_log_t; -- type nagios_etc_t, nrpe_etc_t; -- type nagios_spool_t, nagios_var_run_t; -- type nagios_initrc_exec_t; -+ type nagios_t, nrpe_t, nagios_initrc_exec_t; +- attribute nagios_plugin_domain; + type nagios_t, nrpe_t, nagios_initrc_exec_t; +- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; +- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t; +- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t; +- type nagios_eventhandler_plugin_tmp_t; + type nagios_tmp_t, nagios_log_t, nagios_var_run_t; + type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') -- allow $1 nagios_t:process { ptrace signal_perms }; +- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) + allow $1 nagios_t:process signal_perms; - ps_process_pattern($1, nagios_t) ++ ps_process_pattern($1, nagios_t) + tunable_policy(`deny_ptrace',`',` + allow $1 nagios_t:process ptrace; + ') init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_tmp($1) +- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) ++ files_list_tmp($1) ++ admin_pattern($1, nagios_tmp_t) + +- logging_search_logs($1) ++ logging_list_logs($1) + admin_pattern($1, nagios_log_t) + +- files_search_etc($1) +- admin_pattern($1, { nrpe_etc_t nagios_etc_t }) ++ files_list_etc($1) ++ admin_pattern($1, nagios_etc_t) + +- files_search_spool($1) ++ files_list_spool($1) + admin_pattern($1, nagios_spool_t) + +- files_search_pids($1) +- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t }) ++ files_list_pids($1) ++ admin_pattern($1, nagios_var_run_t) + +- files_search_var_lib($1) +- admin_pattern($1, nagios_var_lib_t) ++ admin_pattern($1, nrpe_etc_t) + ') 
diff --git a/nagios.te b/nagios.te -index c3e2a2d..f4cbdff 100644 +index 44ad3b7..fd0b6d3 100644 --- a/nagios.te 
+++ b/nagios.te -@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0) - # Declarations - # - -+attribute nagios_plugin_domain; -+ - type nagios_t; - type nagios_exec_t; - init_daemon_domain(nagios_t, nagios_exec_t) -@@ -25,7 +27,10 @@ type nagios_var_run_t; +@@ -27,7 +27,7 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) type nagios_spool_t; -files_type(nagios_spool_t) +files_spool_file(nagios_spool_t) -+ -+type nagios_var_lib_t; -+files_type(nagios_var_lib_t) - nagios_plugin_template(admin) - nagios_plugin_template(checkdisk) -@@ -33,6 +38,10 @@ nagios_plugin_template(mail) - nagios_plugin_template(services) - nagios_plugin_template(system) - nagios_plugin_template(unconfined) -+nagios_plugin_template(eventhandler) -+ -+type nagios_eventhandler_plugin_tmp_t; -+files_tmp_file(nagios_eventhandler_plugin_tmp_t) + type nagios_var_lib_t; + files_type(nagios_var_lib_t) +@@ -63,19 +63,21 @@ files_pid_file(nrpe_var_run_t) - type nagios_system_plugin_tmp_t; - files_tmp_file(nagios_system_plugin_tmp_t) -@@ -77,13 +86,17 @@ files_pid_filetrans(nagios_t, nagios_var_run_t, file) - manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) - files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) + allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; -+manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -+manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir }) ++allow nrpe_t nagios_plugin_domain:process { signal sigkill }; ++ ++allow nagios_t nagios_plugin_domain:process signal_perms; + - kernel_read_system_state(nagios_t) - kernel_read_kernel_sysctls(nagios_t) -+kernel_read_software_raid_state(nagios_t) ++# cjp: leaked file descriptor + dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; + dontaudit nagios_plugin_domain nagios_log_t:file { read write }; + +-kernel_read_system_state(nagios_plugin_domain) +- + 
dev_read_urand(nagios_plugin_domain) + dev_read_rand(nagios_plugin_domain) + + files_read_usr_files(nagios_plugin_domain) + +-miscfiles_read_localization(nagios_plugin_domain) +- +-userdom_use_user_terminals(nagios_plugin_domain) ++userdom_use_inherited_user_ptys(nagios_plugin_domain) ++userdom_use_inherited_user_ttys(nagios_plugin_domain) + ######################################## + # +@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) -corenet_all_recvfrom_unlabeled(nagios_t) corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) - corenet_udp_sendrecv_generic_if(nagios_t) -@@ -103,31 +116,27 @@ domain_use_interactive_fds(nagios_t) - # for ps - domain_read_all_domains_state(nagios_t) + corenet_tcp_sendrecv_generic_node(nagios_t) +@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t) --files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) +-files_read_usr_files(nagios_t) files_search_spool(nagios_t) -+files_read_usr_files(nagios_t) fs_getattr_all_fs(nagios_t) - fs_search_auto_mountpoints(nagios_t) - --# for who --init_read_utmp(nagios_t) -- - auth_use_nsswitch(nagios_t) +@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -miscfiles_read_localization(nagios_t) - +- userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) - mta_send_mail(nagios_t) -+mta_signal_system_mail(nagios_t) -+mta_kill_system_mail(nagios_t) - - optional_policy(` -- netutils_domtrans_ping(nagios_t) -- netutils_signal_ping(nagios_t) - netutils_kill_ping(nagios_t) - ') - -@@ -143,6 +152,7 @@ optional_policy(` +@@ -178,6 +176,7 @@ optional_policy(` # - # Nagios CGI local policy + # CGI local policy # + optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,29 +190,31 @@ optional_policy(` - # - - allow nrpe_t 
self:capability { setuid setgid }; --dontaudit nrpe_t self:capability {sys_tty_config sys_resource}; -+dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; - allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; - allow nrpe_t self:fifo_file rw_fifo_file_perms; - allow nrpe_t self:tcp_socket create_stream_socket_perms; - -+read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t) -+ - domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - --read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) -+read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) - files_search_etc(nrpe_t) +@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin - manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) - files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - -+kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) -kernel_read_system_state(nrpe_t) corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) - - corenet_tcp_bind_generic_node(nrpe_t) - corenet_tcp_bind_inetd_child_port(nrpe_t) --corenet_sendrecv_unlabeled_packets(nrpe_t) -+corenet_all_recvfrom_netlabel(nrpe_t) - - dev_read_sysfs(nrpe_t) - dev_read_urand(nrpe_t) -@@ -211,7 +223,7 @@ domain_use_interactive_fds(nrpe_t) +@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) --files_read_etc_files(nrpe_t) -+files_read_usr_files(nrpe_t) +-files_read_usr_files(nrpe_t) fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -220,7 +232,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) -miscfiles_read_localization(nrpe_t) - +- userdom_dontaudit_use_unpriv_user_fds(nrpe_t) -@@ -252,11 +263,9 @@ optional_policy(` - corecmd_read_bin_files(nagios_admin_plugin_t) - corecmd_read_bin_symlinks(nagios_admin_plugin_t) - 
--dev_read_urand(nagios_admin_plugin_t) - dev_getattr_all_chr_files(nagios_admin_plugin_t) - dev_getattr_all_blk_files(nagios_admin_plugin_t) - --files_read_etc_files(nagios_admin_plugin_t) - # for check_file_age plugin - files_getattr_all_dirs(nagios_admin_plugin_t) - files_getattr_all_files(nagios_admin_plugin_t) -@@ -271,20 +280,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) + optional_policy(` +@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -- - allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; - allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; - allow nagios_mail_plugin_t self:udp_socket create_socket_perms; +-allow nagios_mail_plugin_t self:tcp_socket { accept listen }; ++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_mail_plugin_t self:udp_socket create_socket_perms; --kernel_read_system_state(nagios_mail_plugin_t) kernel_read_kernel_sysctls(nagios_mail_plugin_t) corecmd_read_bin_files(nagios_mail_plugin_t) corecmd_read_bin_symlinks(nagios_mail_plugin_t) --dev_read_urand(nagios_mail_plugin_t) -- -files_read_etc_files(nagios_mail_plugin_t) - +- logging_send_syslog_msg(nagios_mail_plugin_t) -@@ -300,7 +304,7 @@ optional_policy(` - - optional_policy(` - postfix_stream_connect_master(nagios_mail_plugin_t) -- posftix_exec_postqueue(nagios_mail_plugin_t) -+ postfix_exec_postqueue(nagios_mail_plugin_t) - ') + sysnet_dns_name_resolve(nagios_mail_plugin_t) +@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - ###################################### -@@ -311,7 +315,9 @@ optional_policy(` - # needed by ioctl() - allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + kernel_read_software_raid_state(nagios_checkdisk_plugin_t) 
--files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) -+kernel_read_software_raid_state(nagios_checkdisk_plugin_t) -+ +files_getattr_all_dirs(nagios_checkdisk_plugin_t) + files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,11 +329,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) - # local policy for service check plugins +@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + # Services local policy # --allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; +-allow nagios_services_plugin_t self:capability net_raw; +allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; -- - allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; - allow nagios_services_plugin_t self:udp_socket create_socket_perms; +-allow nagios_services_plugin_t self:tcp_socket { accept listen }; ++allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_services_plugin_t self:udp_socket create_socket_perms; +allow nagios_services_plugin_t self:rawip_socket create_socket_perms; corecmd_exec_bin(nagios_services_plugin_t) -@@ -342,6 +348,8 @@ files_read_usr_files(nagios_services_plugin_t) - - optional_policy(` - netutils_domtrans_ping(nagios_services_plugin_t) -+ netutils_signal_ping(nagios_services_plugin_t) -+ netutils_kill_ping(nagios_services_plugin_t) - ') - - optional_policy(` -@@ -365,6 +373,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) 
-+read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) -+ - kernel_read_system_state(nagios_system_plugin_t) ++kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) -@@ -372,11 +382,13 @@ corecmd_exec_bin(nagios_system_plugin_t) - corecmd_exec_shell(nagios_system_plugin_t) - - dev_read_sysfs(nagios_system_plugin_t) --dev_read_urand(nagios_system_plugin_t) + corecmd_exec_bin(nagios_system_plugin_t) +@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) -files_read_etc_files(nagios_system_plugin_t) -+ -+fs_getattr_all_fs(nagios_system_plugin_t) -+ -+auth_read_passwd(nagios_system_plugin_t) +- + fs_getattr_all_fs(nagios_system_plugin_t) - # needed by check_users plugin ++auth_read_passwd(nagios_system_plugin_t) ++ optional_policy(` -@@ -391,3 +403,48 @@ optional_policy(` + init_read_utmp(nagios_system_plugin_t) + ') +@@ -450,3 +449,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t) optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -38220,28 +39761,6 @@ index c3e2a2d..f4cbdff 100644 + unconfined_domain(nagios_eventhandler_plugin_t) +') + -+###################################### -+# -+# nagios plugin domain policy -+# -+ -+allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; -+ -+allow nrpe_t nagios_plugin_domain:process { signal sigkill }; -+ -+allow nagios_t nagios_plugin_domain:process signal_perms; -+ -+# cjp: leaked file descriptor -+dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; -+dontaudit nagios_plugin_domain nagios_log_t:file { read write }; -+ -+dev_read_urand(nagios_plugin_domain) -+dev_read_rand(nagios_plugin_domain) -+ -+files_read_usr_files(nagios_plugin_domain) -+ -+userdom_use_inherited_user_ptys(nagios_plugin_domain) -+userdom_use_inherited_user_ttys(nagios_plugin_domain) diff --git a/namespace.fc b/namespace.fc new file mode 100644 index 0000000..ce51c8d 
@@ -38355,10 +39874,10 @@ index 0000000..ef7b846 +userdom_relabelto_user_home_files(namespace_init_t) +userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file }) diff --git a/ncftool.if b/ncftool.if -index a648982..59f096b 100644 +index db9578f..96e5824 100644 --- a/ncftool.if +++ b/ncftool.if -@@ -36,9 +36,19 @@ interface(`ncftool_domtrans',` +@@ -38,9 +38,19 @@ interface(`ncftool_domtrans',` # interface(`ncftool_run',` gen_require(` @@ -38382,10 +39901,10 @@ index a648982..59f096b 100644 ') + diff --git a/ncftool.te b/ncftool.te -index f19ca0b..3eadfbb 100644 +index b13c0b1..1161ce1 100644 --- a/ncftool.te +++ b/ncftool.te -@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0) +@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.2) # Declarations # @@ -38405,21 +39924,15 @@ index f19ca0b..3eadfbb 100644 ######################################## # - # ncftool local policy - # +@@ -22,6 +23,7 @@ role ncftool_roles types ncftool_t; --allow ncftool_t self:capability { net_admin sys_ptrace }; -+allow ncftool_t self:capability net_admin; + allow ncftool_t self:capability net_admin; allow ncftool_t self:process signal; + allow ncftool_t self:fifo_file manage_fifo_file_perms; allow ncftool_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; - allow ncftool_t self:tcp_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; - -@@ -41,24 +45,33 @@ domain_read_all_domains_state(ncftool_t) +@@ -41,27 +43,32 @@ domain_read_all_domains_state(ncftool_t) dev_read_sysfs(ncftool_t) 
@@ -38450,14 +39963,16 @@ index f19ca0b..3eadfbb 100644 userdom_use_user_terminals(ncftool_t) userdom_read_user_tmp_files(ncftool_t) +-optional_policy(` +- brctl_run(ncftool_t, ncftool_roles) +-') +#optional_policy(` +# brctl_run(ncftool_t, ncftool_roles) +#') -+ + optional_policy(` consoletype_exec(ncftool_t) - ') -@@ -69,13 +82,18 @@ optional_policy(` +@@ -73,13 +80,18 @@ optional_policy(` optional_policy(` iptables_initrc_domtrans(ncftool_t) @@ -38479,77 +39994,149 @@ index f19ca0b..3eadfbb 100644 + #netutils_run(ncftool_t, ncftool_roles) ') diff --git a/nessus.te b/nessus.te -index abf25da..bad6973 100644 +index 56c0fbd..173a2c0 100644 --- a/nessus.te +++ b/nessus.te -@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t) - # for nmap etc +@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t) + corecmd_exec_bin(nessusd_t) -corenet_all_recvfrom_unlabeled(nessusd_t) corenet_all_recvfrom_netlabel(nessusd_t) corenet_tcp_sendrecv_generic_if(nessusd_t) corenet_udp_sendrecv_generic_if(nessusd_t) -@@ -85,7 +84,6 @@ fs_search_auto_mountpoints(nessusd_t) +@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t) + domain_use_interactive_fds(nessusd_t) + + files_list_var_lib(nessusd_t) +-files_read_etc_files(nessusd_t) + files_read_etc_runtime_files(nessusd_t) + + fs_getattr_all_fs(nessusd_t) +@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t) logging_send_syslog_msg(nessusd_t) -miscfiles_read_localization(nessusd_t) - +- sysnet_read_config(nessusd_t) + userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index 386543b..8fe1d63 100644 +index a1fb3c3..8fe1d63 100644 --- a/networkmanager.fc 
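Review bot: The ncftool.te hunk replaces the `brctl_run(ncftool_t, ncftool_roles)` optional_policy block with a commented-out copy (`#optional_policy(` / `# brctl_run(ncftool_t, ncftool_roles)` / `#')`) and gives no reason, so the next rebase cannot tell whether the role transition was dropped deliberately or is waiting on something. Either delete the three commented lines or keep them with a one-line reason such as `# brctl_run disabled: <reason — TODO fill in>`. The same pattern appears in the following hunk with `#netutils_run(ncftool_t, ncftool_roles)`. The enclosing ncftool.te section continues past this hunk.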
+++ b/networkmanager.fc -@@ -1,6 +1,19 @@ - /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - --/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) -+/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) -+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) -+/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+ +@@ -1,43 +1,43 @@ +-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + + /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) + /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) + /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) + /etc/NetworkManager/dispatcher\.d(/.*)? 
gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+ + +-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+ + +-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) - /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -12,15 +25,19 @@ - /usr/sbin/NetworkManagerDispatcher -- 
gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +-/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -+/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - - /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) - /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) --/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) -+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) +-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) ++/var/lib/wicd(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) ++/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + ++/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + +-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 2324d9e..96dbf6f 100644 +index 0e8508c..96dbf6f 100644 --- a/networkmanager.if 
+++ b/networkmanager.if -@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` - ## Allow caller to relabel tun_socket +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Read and write networkmanager udp sockets. ++## Read and write NetworkManager UDP sockets. + ## + ## + ## +@@ -10,6 +10,7 @@ + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_udp_sockets',` + gen_require(` + type NetworkManager_t; +@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',` + + ######################################## + ## +-## Read and write networkmanager packet sockets. ++## Read and write NetworkManager packet sockets. + ## + ## + ## +@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',` + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_packet_sockets',` + gen_require(` + type NetworkManager_t; +@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',` + + ####################################### + ## +-## Relabel networkmanager tun socket. ++## Allow caller to relabel tun_socket ## ## -## 
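Review bot: In the rewritten networkmanager.fc block, the inner patch's own entries leave the dot unescaped — `/etc/dhcp/manager-settings.conf`, the `/etc/wicd/...-settings.conf` lines, `/usr/lib/systemd/system/NetworkManager.*`, `/usr/libexec/nm-dispatcher.action` — while the upstream lines it deletes use `\.`. File-context paths are regular expressions, so an unescaped `.` matches any character and these entries are looser than intended; `/etc/dhcp/manager-settings\.conf` is the form to carry. The lines predate this commit (they appear as context), but the hunk now rewrites the whole file around them, so this is the place to fix them. Separately, relabelling the `/etc/dhcp` and `/etc/wicd` settings files from NetworkManager_etc_rw_t to NetworkManager_var_lib_t is presumably deliberate; a one-line comment above those entries saying why a var_lib type is used for files under /etc would help the next reviewer.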
@@ -38561,7 +40148,43 @@ index 2324d9e..96dbf6f 100644 ## # interface(`networkmanager_attach_tun_iface',` -@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',` +@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',` + + ######################################## + ## +-## Read and write networkmanager netlink ++## Read and write NetworkManager netlink + ## routing sockets. + ## + ## +@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',` + ## + ## + # ++# cjp: added for named. + interface(`networkmanager_rw_routing_sockets',` + gen_require(` + type NetworkManager_t; +@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',` + + ######################################## + ## +-## Execute networkmanager with a domain transition. ++## Execute NetworkManager with a domain transition. + ## + ## + ## +@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',` + + ######################################## + ## +-## Execute networkmanager scripts with +-## an automatic domain transition to initrc. ++## Execute NetworkManager scripts with an automatic domain transition to initrc. + ## + ## + ## +@@ -114,8 +116,31 @@ interface(`networkmanager_initrc_domtrans',` ######################################## ## @@ -38589,12 +40212,16 @@ index 2324d9e..96dbf6f 100644 +######################################## +## ## Send and receive messages from - ## NetworkManager over dbus. +-## networkmanager over dbus. ++## NetworkManager over dbus. ## -@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',` + ## + ## +@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',` ######################################## ## +-## Send generic signals to networkmanager. +## Do not audit attempts to send and +## receive messages from NetworkManager +## over dbus. 
@@ -38617,66 +40244,103 @@ index 2324d9e..96dbf6f 100644 + +######################################## +## - ## Send a generic signal to NetworkManager ++## Send a generic signal to NetworkManager ## ## -@@ -173,6 +218,25 @@ interface(`networkmanager_read_lib_files',` + ## +@@ -153,7 +200,7 @@ interface(`networkmanager_signal',` + + ######################################## + ## +-## Read networkmanager lib files. ++## Read NetworkManager lib files. + ## + ## + ## +@@ -171,29 +218,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') +-######################################## +####################################### -+## + ## +-## Append networkmanager log files. +## Read NetworkManager conf files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`networkmanager_append_log_files',` +- gen_require(` +- type NetworkManager_log_t; +- ') +interface(`networkmanager_read_conf',` + gen_require(` + type NetworkManager_etc_t; + ') -+ + +- logging_search_logs($1) +- allow $1 NetworkManager_log_t:dir list_dir_perms; +- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) + allow $1 NetworkManager_etc_t:dir list_dir_perms; + read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) -+') -+ + ') + ######################################## ## - ## Read NetworkManager PID files. -@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',` - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; - ') -+ -+######################################## -+## +-## Read networkmanager pid files. ++## Read NetworkManager PID files. + ## + ## + ## +@@ -212,12 +258,12 @@ interface(`networkmanager_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an networkmanager environment. 
+## Execute NetworkManager in the NetworkManager domain, and +## allow the specified role the NetworkManager domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# + ## + ## + ## +@@ -227,33 +273,92 @@ interface(`networkmanager_read_pid_files',` + ## + ## + # +-interface(`networkmanager_admin',` +interface(`networkmanager_run',` -+ gen_require(` + gen_require(` +- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; +- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; +- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; + type NetworkManager_t, NetworkManager_exec_t; -+ ') -+ + ') + +- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) +- +- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 NetworkManager_initrc_exec_t system_r; +- allow $2 system_r; + networkmanager_domtrans($1) + role $2 types NetworkManager_t; +') -+ + +- logging_search_etc($1) +- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) +######################################## +## +## Allow the specified domain to append @@ -38692,12 +40356,15 @@ index 2324d9e..96dbf6f 100644 + gen_require(` + type NetworkManager_log_t; + ') -+ -+ logging_search_logs($1) + + logging_search_logs($1) +- admin_pattern($1, NetworkManager_log_t) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') -+ + +- files_search_var_lib($1) +- admin_pattern($1, NetworkManager_var_lib_t) +####################################### +## +## Allow the specified domain to manage 
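Review bot: `read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)` in the new `networkmanager_read_conf` interface drops the spaces after the commas that every other pattern call in this file uses; `read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)` keeps the style consistent. The new side also appears to replace upstream's `networkmanager_admin` interface with `networkmanager_run` rather than adding it alongside; if that reading is right, any module that calls `networkmanager_admin` will no longer build, so keeping the admin interface (or a comment saying why it is removed) would be safer. The interface definitions started in this hunk continue into the next one.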
@@ -38713,7 +40380,9 @@ index 2324d9e..96dbf6f 100644 + gen_require(` + type NetworkManager_var_lib_t; + ') -+ + +- files_search_pids($1) +- admin_pattern($1, NetworkManager_var_run_t) + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + @@ -38733,7 +40402,9 @@ index 2324d9e..96dbf6f 100644 + type NetworkManager_var_run_t; + type NetworkManager_var_lib_t; + ') -+ + +- files_search_tmp($1) +- admin_pattern($1, NetworkManager_tmp_t) + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf") + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf") @@ -38756,34 +40427,48 @@ index 2324d9e..96dbf6f 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") -+') + ') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..a953cf1 100644 +index 0b48a30..c0e8f13 100644 --- a/networkmanager.te 
+++ b/networkmanager.te -@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) - type NetworkManager_initrc_exec_t; - init_script_file(NetworkManager_initrc_exec_t) +@@ -1,4 +1,4 @@ +-policy_module(networkmanager, 1.14.7) ++policy_module(networkmanager, 1.14.0) + ######################################## + # +@@ -9,15 +9,18 @@ type NetworkManager_t; + type NetworkManager_exec_t; + init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) + ++type NetworkManager_initrc_exec_t; ++init_script_file(NetworkManager_initrc_exec_t) ++ +type NetworkManager_unit_file_t; +systemd_unit_file(NetworkManager_unit_file_t) + -+type NetworkManager_etc_t; -+files_config_file(NetworkManager_etc_t) -+ -+type NetworkManager_etc_rw_t; -+files_config_file(NetworkManager_etc_rw_t) -+ + type NetworkManager_etc_t; + files_config_file(NetworkManager_etc_t) + + type NetworkManager_etc_rw_t; + files_config_file(NetworkManager_etc_rw_t) + +-type NetworkManager_initrc_exec_t; +-init_script_file(NetworkManager_initrc_exec_t) +- type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,35 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) + # Local policy + # - # networkmanager will ptrace itself if gdb is installed - # and it receives a unexpected signal (rh bug #204161) --allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; --dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; +-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; ++# networkmanager will ptrace itself if gdb is installed ++# and it receives a 
unexpected signal (rh bug #204161) +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; +dontaudit NetworkManager_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms',` 
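Review bot: The new side of this hunk changes the networkmanager.te module header from `policy_module(networkmanager, 1.14.7)` to `policy_module(networkmanager, 1.14.0)`, i.e. the patch now lowers a module version upstream already bumped, which looks like a merge artifact rather than an intended change; the replacement line should carry a version at or above 1.14.7. Two more things on this hunk's new side: the filetrans name `"wireed-settings.conf"` does not match the `wired-settings.conf` entry in networkmanager.fc, so that name transition can never fire, and `allow NetworkManager_t self:capability { ... sys_admin ... }` grants sys_admin, which the upstream line it replaces (`sys_nice dac_override net_admin net_raw ipc_lock`) does not. sys_admin is the broadest capability available; a comment naming the operation that needs it (or a `dontaudit` if it is only noise) would let a reviewer judge the grant. The `nm-dhclient.-eth0.conf` style filetrans names look unusual too and are worth checking against the file names the daemon actually creates.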
@@ -38797,41 +40482,60 @@ index 0619395..a953cf1 100644 +') + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; - allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; - allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +-allow NetworkManager_t self:unix_dgram_socket sendto; +-allow NetworkManager_t self:unix_stream_socket { accept listen }; ++allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; ++allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; -+allow NetworkManager_t self:netlink_socket create_socket_perms; + allow NetworkManager_t self:netlink_socket create_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; - allow NetworkManager_t self:tcp_socket create_stream_socket_perms; --allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom }; -+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; - allow NetworkManager_t self:udp_socket create_socket_perms; +-allow NetworkManager_t self:tcp_socket { accept listen }; ++allow NetworkManager_t self:tcp_socket create_stream_socket_perms; + allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; ++allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; - can_exec(NetworkManager_t, NetworkManager_exec_t) +-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms; +-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms; +-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms; ++can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) 
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) -+ -+manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -+manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -+ -+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) + manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) + manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) + filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) + +-allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms; +-append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) +-create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) +-setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) ++manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) ++ +can_exec(NetworkManager_t, NetworkManager_tmp_t) manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -75,7 +107,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -81,9 +100,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ + manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, 
NetworkManager_var_run_t) + files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) + +-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) +- +-kernel_read_crypto_sysctls(NetworkManager_t) + kernel_read_system_state(NetworkManager_t) + kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) +@@ -91,7 +107,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) 
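Review bot: On the new side, the inner patch replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on NetworkManager_log_t with `manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)`, which additionally lets the daemon unlink, rename and rewrite its own log files. Upstream's narrower set is the one that preserves log integrity; if NetworkManager really needs more than append/create/setattr, a comment stating which operation fails would justify the wider grant. Likewise `unix_stream_socket create_stream_socket_perms` and `tcp_socket create_stream_socket_perms` replace upstream's `{ accept listen }`; that may be intended (the earlier version of the patch carried the same lines as context), but a comment would make it explicit. The NetworkManager_t local-policy section continues past this hunk.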
@@ -38839,34 +40543,65 @@ index 0619395..a953cf1 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -95,11 +126,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) +@@ -102,22 +117,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) + corenet_tcp_sendrecv_all_ports(NetworkManager_t) + corenet_udp_sendrecv_all_ports(NetworkManager_t) + corenet_udp_bind_generic_node(NetworkManager_t) +- +-corenet_sendrecv_isakmp_server_packets(NetworkManager_t) + corenet_udp_bind_isakmp_port(NetworkManager_t) +- +-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) + corenet_udp_bind_dhcpc_port(NetworkManager_t) +- +-corenet_sendrecv_all_client_packets(NetworkManager_t) + corenet_tcp_connect_all_ports(NetworkManager_t) +- ++corenet_sendrecv_isakmp_server_packets(NetworkManager_t) ++corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) ++corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) --dev_read_sysfs(NetworkManager_t) -+dev_rw_sysfs(NetworkManager_t) +-corecmd_exec_shell(NetworkManager_t) +-corecmd_exec_bin(NetworkManager_t) +- + dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) - dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +133,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) -+dev_rw_wireless(NetworkManager_t) + dev_rw_wireless(NetworkManager_t) +-domain_use_interactive_fds(NetworkManager_t) +-domain_read_all_domains_state(NetworkManager_t) +- +-files_read_etc_runtime_files(NetworkManager_t) +-files_read_usr_files(NetworkManager_t) +-files_read_usr_src_files(NetworkManager_t) +- fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +145,10 @@ corecmd_exec_shell(NetworkManager_t) - 
corecmd_exec_bin(NetworkManager_t) + fs_list_inotifyfs(NetworkManager_t) +@@ -140,6 +141,17 @@ mls_file_read_all_levels(NetworkManager_t) - domain_use_interactive_fds(NetworkManager_t) --domain_read_confined_domains_state(NetworkManager_t) -+domain_read_all_domains_state(NetworkManager_t) + selinux_dontaudit_search_fs(NetworkManager_t) --files_read_etc_files(NetworkManager_t) - files_read_etc_runtime_files(NetworkManager_t) ++corecmd_exec_shell(NetworkManager_t) ++corecmd_exec_bin(NetworkManager_t) ++ ++domain_use_interactive_fds(NetworkManager_t) ++domain_read_all_domains_state(NetworkManager_t) ++ ++files_read_etc_runtime_files(NetworkManager_t) +files_read_system_conf_files(NetworkManager_t) - files_read_usr_files(NetworkManager_t) - files_read_usr_src_files(NetworkManager_t) ++files_read_usr_files(NetworkManager_t) ++files_read_usr_src_files(NetworkManager_t) ++ + storage_getattr_fixed_disk_dev(NetworkManager_t) -@@ -128,35 +160,51 @@ init_domtrans_script(NetworkManager_t) + init_read_utmp(NetworkManager_t) +@@ -148,10 +160,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) 
@@ -38874,34 +40609,29 @@ index 0619395..a953cf1 100644 + logging_send_syslog_msg(NetworkManager_t) --miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) +-miscfiles_read_localization(NetworkManager_t) --modutils_domtrans_insmod(NetworkManager_t) -- seutil_read_config(NetworkManager_t) - sysnet_domtrans_ifconfig(NetworkManager_t) - sysnet_domtrans_dhcpc(NetworkManager_t) - sysnet_signal_dhcpc(NetworkManager_t) -+sysnet_signull_dhcpc(NetworkManager_t) - sysnet_read_dhcpc_pid(NetworkManager_t) -+sysnet_read_dhcp_config(NetworkManager_t) - sysnet_delete_dhcpc_pid(NetworkManager_t) -+sysnet_kill_dhcpc(NetworkManager_t) -+sysnet_read_dhcpc_state(NetworkManager_t) -+sysnet_delete_dhcpc_state(NetworkManager_t) +@@ -166,21 +179,32 @@ sysnet_kill_dhcpc(NetworkManager_t) + sysnet_read_dhcpc_state(NetworkManager_t) + sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) - # in /etc created by NetworkManager will be labelled net_conf_t. ++# in /etc created by NetworkManager will be labelled net_conf_t. sysnet_manage_config(NetworkManager_t) sysnet_etc_filetrans_config(NetworkManager_t) +-# certificates in user home directories (cert_home_t in ~/\.pki) +-userdom_read_user_home_content_files(NetworkManager_t) +- +-userdom_write_user_tmp_sockets(NetworkManager_t) +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) - # Read gnome-keyring ++# Read gnome-keyring +userdom_read_home_certs(NetworkManager_t) - userdom_read_user_home_content_files(NetworkManager_t) ++userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) + +tunable_policy(`use_nfs_home_dirs',` 
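Review bot: The comment `# Read gnome-keyring` in the NetworkManager.te hunk now heads `userdom_read_home_certs(NetworkManager_t)` and `userdom_read_user_home_content_files(NetworkManager_t)`, neither of which concerns gnome-keyring; the upstream line this hunk removes, `# certificates in user home directories (cert_home_t in ~/\.pki)`, describes the first call and could be kept in its place. The second call grants read access to all user home content rather than only certificates, so a one-line comment stating why NetworkManager needs the broader access would help the next rebase decide whether it is still required. The fragment `# in /etc created by NetworkManager will be labelled net_conf_t.` has also lost its subject; `# Files created in /etc by NetworkManager will be labelled net_conf_t.` reads cleanly. The `tunable_policy(`use_nfs_home_dirs',` block opened at the end of this hunk closes outside it.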
@@ -38921,25 +40651,37 @@ index 0619395..a953cf1 100644 ') optional_policy(` -@@ -176,10 +224,17 @@ optional_policy(` +@@ -196,10 +220,6 @@ optional_policy(` ') optional_policy(` -+ cron_read_system_job_lib_files(NetworkManager_t) -+') -+ -+optional_policy(` +- consolekit_read_pid_files(NetworkManager_t) +-') +- +-optional_policy(` + consoletype_exec(NetworkManager_t) + ') + +@@ -210,16 +230,11 @@ optional_policy(` + optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) +- optional_policy(` +- avahi_dbus_chat(NetworkManager_t) +- ') + init_dbus_chat(NetworkManager_t) -+ + optional_policy(` consolekit_dbus_chat(NetworkManager_t) +- ') +- +- optional_policy(` +- policykit_dbus_chat(NetworkManager_t) + consolekit_read_pid_files(NetworkManager_t) ') ') -@@ -191,6 +246,7 @@ optional_policy(` +@@ -231,18 +246,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -38947,31 +40689,35 @@ index 0619395..a953cf1 100644 ') optional_policy(` -@@ -202,23 +258,45 @@ optional_policy(` +- gnome_stream_connect_all_gkeyringd(NetworkManager_t) ++ hal_write_log(NetworkManager_t) + ') + + optional_policy(` +- hal_write_log(NetworkManager_t) ++ howl_signal(NetworkManager_t) ') optional_policy(` +- howl_signal(NetworkManager_t) + gnome_dontaudit_search_config(NetworkManager_t) -+') -+ -+optional_policy(` -+ ipsec_domtrans_mgmt(NetworkManager_t) -+ ipsec_kill_mgmt(NetworkManager_t) -+ ipsec_signal_mgmt(NetworkManager_t) -+ ipsec_signull_mgmt(NetworkManager_t) -+') -+ -+optional_policy(` - iptables_domtrans(NetworkManager_t) ') optional_policy(` -+ netutils_exec_ping(NetworkManager_t) -+') -+ -+optional_policy(` - nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) +@@ -257,11 +273,7 @@ optional_policy(` + ') + + optional_policy(` +- libs_exec_ldconfig(NetworkManager_t) +-') +- +-optional_policy(` +- modutils_domtrans_insmod(NetworkManager_t) ++ l2tpd_domtrans(NetworkManager_t) + ') + + optional_policy(` +@@ -274,10 +286,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) 
@@ -38979,32 +40725,34 @@ index 0619395..a953cf1 100644 ') optional_policy(` - # Dispatcher starting and stoping ntp ++ # Dispatcher starting and stoping ntp ntp_initrc_domtrans(NetworkManager_t) + ntp_systemctl(NetworkManager_t) - ') - - optional_policy(` -+ modutils_domtrans_insmod(NetworkManager_t) +') + +optional_policy(` -+ openvpn_read_config(NetworkManager_t) - openvpn_domtrans(NetworkManager_t) - openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) -@@ -234,6 +312,10 @@ optional_policy(` ++ modutils_domtrans_insmod(NetworkManager_t) + ') + + optional_policy(` +@@ -289,6 +308,7 @@ optional_policy(` ') optional_policy(` ++ policykit_dbus_chat(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) +@@ -296,7 +316,7 @@ optional_policy(` + ') + + optional_policy(` +- polipo_initrc_domtrans(NetworkManager_t) + polipo_systemctl(NetworkManager_t) -+') -+ -+optional_policy(` - ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +323,7 @@ optional_policy(` + ') + + optional_policy(` +@@ -307,6 +327,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) 
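Review bot: The comment `# Dispatcher starting and stoping ntp` carried onto the new side of the NetworkManager.te hunk has a typo; `# Dispatcher starting and stopping ntp` is the intended wording. Since the same optional_policy block now holds `ntp_systemctl(NetworkManager_t)` next to `ntp_initrc_domtrans(NetworkManager_t)`, the comment could also say that the dispatcher drives ntp through systemctl as well as the init script, which is the reason for the second interface call.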
@@ -39012,28 +40760,26 @@ index 0619395..a953cf1 100644 ') optional_policy(` -@@ -254,6 +337,12 @@ optional_policy(` +@@ -320,13 +341,14 @@ optional_policy(` ') optional_policy(` +- udev_exec(NetworkManager_t) +- udev_read_db(NetworkManager_t) + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) -+') -+ -+optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) ') -@@ -263,6 +352,7 @@ optional_policy(` - vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) - vpn_signull(NetworkManager_t) -+ vpn_relabelfrom_tun_socket(NetworkManager_t) + + optional_policy(` +- # unconfined_dgram_send(NetworkManager_t) +- unconfined_stream_connect(NetworkManager_t) ++ udev_exec(NetworkManager_t) ++ udev_read_db(NetworkManager_t) ') - ######################################## -@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru + optional_policy(` +@@ -356,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -39041,20 +40787,32 @@ index 0619395..a953cf1 100644 term_dontaudit_use_console(wpa_cli_t) diff --git a/nis.fc b/nis.fc -index 632a565..cd0e015 100644 +index 8aa1bfa..cd0e015 100644 --- a/nis.fc 
+++ b/nis.fc -@@ -9,7 +9,9 @@ +@@ -2,21 +2,26 @@ + /etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +- + /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) + +-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) ++/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) ++/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -+/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + /usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) - /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) -@@ -18,3 +20,8 @@ +-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) ++/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) + + /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) @@ -39064,9 +40822,15 @@ index 632a565..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index abe3f7f..1112fae 100644 +index 46e55c3..1112fae 100644 
--- a/nis.if +++ b/nis.if +@@ -1,4 +1,4 @@ +-## Policy for NIS (YP) servers and clients. ++## Policy for NIS (YP) servers and clients + + ######################################## + ## @@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',` gen_require(` type var_yp_t; @@ -39078,9 +40842,9 @@ index abe3f7f..1112fae 100644 allow $1 self:udp_socket create_socket_perms; allow $1 var_yp_t:dir list_dir_perms; -- allow $1 var_yp_t:lnk_file { getattr read }; -+ allow $1 var_yp_t:lnk_file read_lnk_file_perms; - allow $1 var_yp_t:file read_file_perms; +- allow $1 var_yp_t:file read_file_perms; + allow $1 var_yp_t:lnk_file read_lnk_file_perms; ++ allow $1 var_yp_t:file read_file_perms; - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) @@ -39105,7 +40869,7 @@ index abe3f7f..1112fae 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) -@@ -88,7 +82,7 @@ interface(`nis_use_ypbind_uncond',` +@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` @@ -39114,6 +40878,14 @@ index abe3f7f..1112fae 100644 nis_use_ypbind_uncond($1) ') ') + + ######################################## + ## +-## Use nis to authenticate passwords. ++## Use the nis to authenticate passwords + ## + ## + ## @@ -105,7 +99,7 @@ interface(`nis_use_ypbind',` ## # 
@@ -39123,35 +40895,77 @@ index abe3f7f..1112fae 100644 nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) -@@ -131,6 +125,24 @@ interface(`nis_domtrans_ypbind',` - domtrans_pattern($1, ypbind_exec_t, ypbind_t) - ') +@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` -+####################################### -+## + ####################################### + ## +-## Execute ypbind in the caller domain. +## Execute ypbind in the caller domain. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed to transition. +## -+## -+# -+interface(`nis_exec_ypbind',` + ## + # + interface(`nis_exec_ypbind',` +- gen_require(` +- type ypbind_exec_t; +- ') + gen_require(` + type ypbind_t, ypbind_exec_t; + ') -+ -+ can_exec($1, ypbind_exec_t) -+') -+ + +- corecmd_search_bin($1) + can_exec($1, ypbind_exec_t) + ') + +@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` + # + interface(`nis_run_ypbind',` + gen_require(` +- attribute_role ypbind_roles; ++ type ypbind_t; + ') + + nis_domtrans_ypbind($1) +- roleattribute $2 ypbind_roles; ++ role $2 types ypbind_t; + ') + + ######################################## +@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` + ######################################## ## - ## Execute ypbind in the ypbind domain, and -@@ -337,6 +349,55 @@ interface(`nis_initrc_domtrans_ypbind',` +-## List nis data directories. ++## List the contents of the NIS data directory. 
+ ## + ## + ## +@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` + # + interface(`nis_delete_ypbind_pid',` + gen_require(` +- type ypbind_var_run_t; ++ type ypbind_t; + ') + +- allow $1 ypbind_var_run_t:file delete_file_perms; ++ # TODO: add delete pid from dir call to files ++ allow $1 ypbind_t:file unlink; + ') + + ######################################## +@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## +-## All of the rules required to +-## administrate an nis environment. +## Execute ypbind server in the ypbind domain. +## +## @@ -39201,10 +41015,12 @@ index abe3f7f..1112fae 100644 + +######################################## +## - ## All of the rules required to administrate - ## an nis environment ++## All of the rules required to administrate ++## an nis environment ## -@@ -354,22 +415,31 @@ interface(`nis_initrc_domtrans_ypbind',` + ## + ## +@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` 
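Review bot: In the nis.if hunk for `nis_delete_ypbind_pid`, the new rule `allow $1 ypbind_t:file unlink;` targets the ypbind process domain rather than its pid file type, so a caller still gets no permission to remove `/var/run/ypbind.*`, which the nis.fc hunk in this same patch labels ypbind_var_run_t; the `# TODO` placed above it suggests the rule was known to be incomplete. The line that matches the interface name is `allow $1 ypbind_var_run_t:file delete_file_perms;` with `type ypbind_var_run_t;` in the gen_require, plus `files_search_pids($1)` so the caller can reach the directory. In the same hunk, `nis_exec_ypbind` requires `type ypbind_t` but never uses it, and its summary says `Domain allowed to transition.` although the body only grants `can_exec($1, ypbind_exec_t)`; `Domain allowed access.` describes what the rule does.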
@@ -39213,68 +41029,91 @@ index abe3f7f..1112fae 100644 + type ypbind_t, yppasswdd_t, ypserv_t; + type ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -- type ypbind_initrc_exec_t, nis_initrc_exec_t; +- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; + type ypserv_tmp_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; + type nis_unit_file_t; + type ypbind_unit_file_t; - ') - -- allow $1 ypbind_t:process { ptrace signal_perms }; ++ ') ++ + allow $1 ypbind_t:process signal_perms; - ps_process_pattern($1, ypbind_t) ++ ps_process_pattern($1, ypbind_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ypbind_t:process ptrace; + allow $1 yppasswdd_t:process ptrace; + allow $1 ypserv_t:process ptrace; + allow $1 ypxfr_t:process ptrace; -+ ') + ') -- allow $1 yppasswdd_t:process { ptrace signal_perms }; +- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t }) + allow $1 yppasswdd_t:process signal_perms; - ps_process_pattern($1, yppasswdd_t) - -- allow $1 ypserv_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, yppasswdd_t) ++ + allow $1 ypserv_t:process signal_perms; - ps_process_pattern($1, ypserv_t) - -- allow $1 ypxfr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypserv_t) ++ + allow $1 ypxfr_t:process signal_perms; - ps_process_pattern($1, ypxfr_t) ++ ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) -@@ -379,18 +449,22 @@ interface(`nis_admin',` - role_transition $2 ypbind_initrc_exec_t system_r; + nis_initrc_domtrans_ypbind($1) + domain_system_change_exemption($1) +- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r; ++ role_transition $2 nis_initrc_exec_t system_r; ++ role_transition $2 ypbind_initrc_exec_t system_r; allow $2 system_r; - files_list_tmp($1) -- admin_pattern($1, ypbind_tmp_t) +- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) - files_list_pids($1) - 
admin_pattern($1, ypbind_var_run_t) +- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t }) ++ admin_pattern($1, ypbind_var_run_t) + nis_systemctl_ypbind($1) + admin_pattern($1, ypbind_unit_file_t) + allow $1 ypbind_unit_file_t:service all_service_perms; - - admin_pattern($1, yppasswdd_var_run_t) ++ ++ admin_pattern($1, yppasswdd_var_run_t) files_list_etc($1) admin_pattern($1, ypserv_conf_t) +- files_search_var($1) +- admin_pattern($1, var_yp_t) + admin_pattern($1, ypserv_var_run_t) + - admin_pattern($1, ypserv_tmp_t) ++ admin_pattern($1, ypserv_tmp_t) -- admin_pattern($1, ypserv_var_run_t) +- nis_run_ypbind($1, $2) + nis_systemctl($1) + admin_pattern($1, nis_unit_file_t) + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index f27899c..f1dd1fa 100644 +index 3e4a31c..f1dd1fa 100644 --- a/nis.te +++ b/nis.te -@@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) +@@ -1,12 +1,10 @@ +-policy_module(nis, 1.11.1) ++policy_module(nis, 1.11.0) + + ######################################## + # + # Declarations + # + +-attribute_role ypbind_roles; +- + type nis_initrc_exec_t; + init_script_file(nis_initrc_exec_t) + +@@ -16,16 +14,18 @@ files_type(var_yp_t) + type ypbind_t; + type ypbind_exec_t; + init_daemon_domain(ypbind_t, ypbind_exec_t) +-role ypbind_roles types ypbind_t; + type ypbind_initrc_exec_t; init_script_file(ypbind_initrc_exec_t) @@ -39291,7 +41130,7 @@ index f27899c..f1dd1fa 100644 type yppasswdd_t; type yppasswdd_exec_t; -@@ -37,7 +40,7 @@ type ypserv_exec_t; +@@ -40,7 +40,7 @@ type ypserv_exec_t; init_daemon_domain(ypserv_t, ypserv_exec_t) type ypserv_conf_t; @@ -39300,7 +41139,7 @@ index f27899c..f1dd1fa 100644 type ypserv_tmp_t; files_tmp_file(ypserv_tmp_t) -@@ -52,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) +@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) 
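Review bot: The rebased `nis_admin` body in the nis.if hunk removes upstream's `files_search_var($1)` and `admin_pattern($1, var_yp_t)` lines and the `nis_run_ypbind($1, $2)` call, while keeping the admin_pattern lines for the pid, tmp and unit-file types. As far as the hunk shows, an administrator of this module therefore appears to lose the ability to manage the NIS maps under /var/yp and to run ypbind in the ypbind domain from role $2. If that is not intended, adding `files_search_var($1)` and `admin_pattern($1, var_yp_t)` back (with `type var_yp_t;` in the gen_require) keeps the interface complete; the role handling already covers ypbind_initrc_exec_t via the two `role_transition` lines.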
@@ -39310,7 +41149,15 @@ index f27899c..f1dd1fa 100644 ######################################## # # ypbind local policy -@@ -76,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) +@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t) + dontaudit ypbind_t self:capability { net_admin sys_tty_config }; + allow ypbind_t self:fifo_file rw_fifo_file_perms; + allow ypbind_t self:process signal_perms; ++allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; + allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; + allow ypbind_t self:tcp_socket create_stream_socket_perms; + allow ypbind_t self:udp_socket create_socket_perms; +@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) kernel_read_system_state(ypbind_t) kernel_read_kernel_sysctls(ypbind_t) 
@@ -39318,7 +41165,29 @@ index f27899c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(ypbind_t) corenet_tcp_sendrecv_generic_if(ypbind_t) corenet_udp_sendrecv_generic_if(ypbind_t) -@@ -108,9 +113,9 @@ domain_use_interactive_fds(ypbind_t) +@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t) + corenet_udp_sendrecv_all_ports(ypbind_t) + corenet_tcp_bind_generic_node(ypbind_t) + corenet_udp_bind_generic_node(ypbind_t) +- + corenet_tcp_bind_generic_port(ypbind_t) + corenet_udp_bind_generic_port(ypbind_t) + corenet_tcp_bind_reserved_port(ypbind_t) +@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t) + corenet_tcp_bind_all_rpc_ports(ypbind_t) + corenet_udp_bind_all_rpc_ports(ypbind_t) + corenet_tcp_connect_all_ports(ypbind_t) +-corenet_sendrecv_all_client_packets(ypbind_t) +-corenet_sendrecv_generic_server_packets(ypbind_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) ++corenet_sendrecv_all_client_packets(ypbind_t) ++corenet_sendrecv_generic_server_packets(ypbind_t) + + dev_read_sysfs(ypbind_t) + +@@ -112,9 +113,9 @@ domain_use_interactive_fds(ypbind_t) files_read_etc_files(ypbind_t) files_list_var(ypbind_t) 
@@ -39330,12 +41199,31 @@ index f27899c..f1dd1fa 100644 sysnet_read_config(ypbind_t) -@@ -156,12 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -124,7 +125,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) + optional_policy(` + dbus_system_bus_client(ypbind_t) + dbus_connect_system_bus(ypbind_t) +- + init_dbus_chat_script(ypbind_t) + + optional_policy(` +@@ -149,7 +149,8 @@ allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { getsched setfscreate signal_perms }; +-allow yppasswdd_t self:unix_stream_socket { accept listen }; ++allow yppasswdd_t self:unix_dgram_socket create_socket_perms; ++allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; + allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; + allow yppasswdd_t self:tcp_socket create_stream_socket_perms; + allow yppasswdd_t self:udp_socket create_socket_perms; +@@ -160,14 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) +-can_exec(yppasswdd_t, yppasswdd_exec_t) +can_exec(yppasswdd_t,yppasswdd_exec_t) -+ + kernel_list_proc(yppasswdd_t) kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) 
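Review bot: `can_exec(yppasswdd_t,yppasswdd_exec_t)` in the nis.te hunk drops the space after the comma that the surrounding interface calls use, and it replaces the upstream line `can_exec(yppasswdd_t, yppasswdd_exec_t)` whose only difference is that space, so the rebased patch now carries a hunk with no semantic effect. Keeping the spaced form removes that churn from the patch and keeps the file's style uniform.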
@@ -39345,23 +41233,53 @@ index f27899c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -186,6 +192,7 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -177,22 +177,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) + corenet_udp_sendrecv_all_ports(yppasswdd_t) + corenet_tcp_bind_generic_node(yppasswdd_t) + corenet_udp_bind_generic_node(yppasswdd_t) +- + corenet_tcp_bind_all_rpc_ports(yppasswdd_t) + corenet_udp_bind_all_rpc_ports(yppasswdd_t) +-corenet_sendrecv_generic_server_packets(yppasswdd_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) + corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) +- +-corecmd_exec_bin(yppasswdd_t) +-corecmd_exec_shell(yppasswdd_t) +- +-domain_use_interactive_fds(yppasswdd_t) +- +-files_read_etc_files(yppasswdd_t) +-files_read_etc_runtime_files(yppasswdd_t) +-files_relabel_etc_files(yppasswdd_t) ++corenet_sendrecv_generic_server_packets(yppasswdd_t) + + dev_read_sysfs(yppasswdd_t) + +@@ -203,11 +192,20 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) +auth_read_passwd(yppasswdd_t) auth_etc_filetrans_shadow(yppasswdd_t) - corecmd_exec_bin(yppasswdd_t) -@@ -199,7 +206,6 @@ files_relabel_etc_files(yppasswdd_t) - ++corecmd_exec_bin(yppasswdd_t) ++corecmd_exec_shell(yppasswdd_t) ++ ++domain_use_interactive_fds(yppasswdd_t) ++ ++files_read_etc_files(yppasswdd_t) ++files_read_etc_runtime_files(yppasswdd_t) ++files_relabel_etc_files(yppasswdd_t) ++ logging_send_syslog_msg(yppasswdd_t) -miscfiles_read_localization(yppasswdd_t) sysnet_read_config(yppasswdd_t) -@@ -211,6 +217,10 @@ optional_policy(` +@@ -219,6 +217,10 @@ optional_policy(` ') optional_policy(` 
@@ -39372,7 +41290,17 @@ index f27899c..f1dd1fa 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -234,7 +236,8 @@ optional_policy(` + dontaudit ypserv_t self:capability sys_tty_config; + allow ypserv_t self:fifo_file rw_fifo_file_perms; + allow ypserv_t self:process signal_perms; +-allow ypserv_t self:unix_stream_socket { accept listen }; ++allow ypserv_t self:unix_dgram_socket create_socket_perms; ++allow ypserv_t self:unix_stream_socket create_stream_socket_perms; + allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; + allow ypserv_t self:tcp_socket connected_stream_socket_perms; + allow ypserv_t self:udp_socket create_socket_perms; +@@ -254,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) 
@@ -39380,7 +41308,38 @@ index f27899c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t) +@@ -264,31 +266,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) + corenet_udp_sendrecv_all_ports(ypserv_t) + corenet_tcp_bind_generic_node(ypserv_t) + corenet_udp_bind_generic_node(ypserv_t) +- + corenet_tcp_bind_reserved_port(ypserv_t) + corenet_udp_bind_reserved_port(ypserv_t) + corenet_tcp_bind_all_rpc_ports(ypserv_t) + corenet_udp_bind_all_rpc_ports(ypserv_t) +-corenet_sendrecv_generic_server_packets(ypserv_t) +- + corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) ++corenet_sendrecv_generic_server_packets(ypserv_t) + +-corecmd_exec_bin(ypserv_t) ++dev_read_sysfs(ypserv_t) + +-files_read_etc_files(ypserv_t) +-files_read_var_files(ypserv_t) ++fs_getattr_all_fs(ypserv_t) ++fs_search_auto_mountpoints(ypserv_t) + +-dev_read_sysfs(ypserv_t) ++corecmd_exec_bin(ypserv_t) + + domain_use_interactive_fds(ypserv_t) + +-fs_getattr_all_fs(ypserv_t) +-fs_search_auto_mountpoints(ypserv_t) ++files_read_var_files(ypserv_t) ++files_read_etc_files(ypserv_t) logging_send_syslog_msg(ypserv_t) 
@@ -39388,7 +41347,18 @@ index f27899c..f1dd1fa 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -310,8 +309,8 @@ optional_policy(` + # ypxfr local policy + # + +-allow ypxfr_t self:unix_stream_socket { accept listen }; +-allow ypxfr_t self:unix_dgram_socket { accept listen }; ++allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; ++allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms; + allow ypxfr_t self:tcp_socket create_stream_socket_perms; + allow ypxfr_t self:udp_socket create_socket_perms; + allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; +@@ -326,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -39396,7 +41366,26 @@ index f27899c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t) +@@ -336,23 +334,20 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) + corenet_udp_sendrecv_all_ports(ypxfr_t) + corenet_tcp_bind_generic_node(ypxfr_t) + corenet_udp_bind_generic_node(ypxfr_t) +- + corenet_tcp_bind_reserved_port(ypxfr_t) + corenet_udp_bind_reserved_port(ypxfr_t) + corenet_tcp_bind_all_rpc_ports(ypxfr_t) + corenet_udp_bind_all_rpc_ports(ypxfr_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) + corenet_tcp_connect_all_ports(ypxfr_t) + corenet_sendrecv_generic_server_packets(ypxfr_t) + corenet_sendrecv_all_client_packets(ypxfr_t) + +-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) +-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) +- + files_read_etc_files(ypxfr_t) + files_search_usr(ypxfr_t) logging_send_syslog_msg(ypxfr_t) @@ -39814,75 +41803,237 @@ index 0000000..f0aaecf +') + 
diff --git a/nscd.fc b/nscd.fc -index 623b731..429bd79 100644 +index ba64485..429bd79 100644 --- a/nscd.fc +++ b/nscd.fc -@@ -11,3 +11,5 @@ - /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) +@@ -1,13 +1,15 @@ + /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + +-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) ++/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + +-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +- +-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + + /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) - /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) + /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) ++ ++/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 85188dc..2b37836 100644 +index 8f2ab09..685270c 100644 --- a/nscd.if 
+++ b/nscd.if -@@ -116,7 +116,26 @@ interface(`nscd_socket_use',` +@@ -1,8 +1,8 @@ +-## Name service cache daemon. ++## Name service cache daemon + + ######################################## + ## +-## Send generic signals to nscd. ++## Send generic signals to NSCD. + ## + ## + ## +@@ -20,7 +20,7 @@ interface(`nscd_signal',` + + ######################################## + ## +-## Send kill signals to nscd. ++## Send NSCD the kill signal. + ## + ## + ## +@@ -38,7 +38,7 @@ interface(`nscd_kill',` + + ######################################## + ## +-## Send null signals to nscd. ++## Send signulls to NSCD. + ## + ## + ## +@@ -56,7 +56,7 @@ interface(`nscd_signull',` + + ######################################## + ## +-## Execute nscd in the nscd domain. ++## Execute NSCD in the nscd domain. + ## + ## + ## +@@ -75,7 +75,8 @@ interface(`nscd_domtrans',` + + ######################################## + ## +-## Execute nscd in the caller domain. ++## Allow the specified domain to execute nscd ++## in the caller domain. + ## + ## + ## +@@ -88,14 +89,13 @@ interface(`nscd_exec',` + type nscd_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, nscd_exec_t) + ') + + ######################################## + ## +-## Use nscd services by connecting using +-## a unix domain stream socket. ++## Use NSCD services by connecting using ++## a unix stream socket. 
+ ## + ## + ## +@@ -112,22 +112,17 @@ interface(`nscd_socket_use',` + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; +- + dontaudit $1 nscd_t:fd use; dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; +- files_search_pids($1) stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) -- dontaudit $1 nscd_var_run_t:file { getattr read }; -+ dontaudit $1 nscd_var_run_t:file read_file_perms; -+ ps_process_pattern(nscd_t, $1) + dontaudit $1 nscd_var_run_t:file read_file_perms; +- + ps_process_pattern(nscd_t, $1) + ') + + ######################################## + ## +-## Use nscd services by mapping the +-## database from an inherited nscd +-## file descriptor. ++## Use nscd services + ## + ## + ## +@@ -135,28 +130,36 @@ interface(`nscd_socket_use',` + ## + ## + # +-interface(`nscd_shm_use',` +- gen_require(` +- type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++interface(`nscd_use',` ++ tunable_policy(`nscd_use_shm',` ++ nscd_shm_use($1) ++ ',` ++ nscd_socket_use($1) + ') +') -+ + +- allow $1 self:unix_stream_socket create_stream_socket_perms; +- +- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; +- allow $1 nscd_t:fd use; +- +- files_search_pids($1) +- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) +- dontaudit $1 nscd_var_run_t:file read_file_perms; +######################################## +## -+## Use nscd services ++## Do not audit attempts to write nscd sock files +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`nscd_use',` -+ tunable_policy(`nscd_use_shm',` -+ nscd_shm_use($1) -+ ',` -+ nscd_socket_use($1) ++interface(`nscd_dontaudit_write_sock_file',` ++ gen_require(` ++ type nscd_t; + ') + +- allow $1 nscd_var_run_t:dir list_dir_perms; +- allow $1 nscd_var_run_t:sock_file read_sock_file_perms; ++ dontaudit $1 nscd_t:sock_file write; ') ######################################## -@@ -146,11 +165,14 @@ interface(`nscd_shm_use',` - # nscd_socket_domain macro. need to investigate - # if they are all actually required - allow $1 self:unix_stream_socket create_stream_socket_perms; -- allow $1 nscd_t:unix_stream_socket connectto; -- allow $1 nscd_var_run_t:sock_file rw_file_perms; + ## +-## Use nscd services. ++## Use NSCD services by mapping the database from ++## an inherited NSCD file descriptor. + ## + ## + ## +@@ -164,18 +167,35 @@ interface(`nscd_shm_use',` + ## + ## + # +-interface(`nscd_use',` +- tunable_policy(`nscd_use_shm',` +- nscd_shm_use($1) +- ',` +- nscd_socket_use($1) ++interface(`nscd_shm_use',` ++ gen_require(` ++ type nscd_t, nscd_var_run_t; ++ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + ') ++ ++ allow $1 nscd_var_run_t:dir list_dir_perms; ++ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; ++ ++ # Receive fd from nscd and map the backing file with read access. ++ allow $1 nscd_t:fd use; ++ ++ # cjp: these were originally inherited from the ++ # nscd_socket_domain macro. need to investigate ++ # if they are all actually required ++ allow $1 self:unix_stream_socket create_stream_socket_perms; + + # dg: This may not be required. 
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms; + + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - files_search_pids($1) - allow $1 nscd_t:nscd { getpwd getgrp gethost }; -- dontaudit $1 nscd_var_run_t:file { getattr read }; ++ files_search_pids($1) ++ allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_var_run_t:file read_file_perms; ') ######################################## -@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',` - type nscd_var_run_t; - ') + ## +-## Do not audit attempts to search +-## nscd pid directories. ++## Do not audit attempts to search the NSCD pid directory. + ## + ## + ## +@@ -193,7 +213,7 @@ interface(`nscd_dontaudit_search_pid',` -- dontaudit $1 nscd_var_run_t:dir search; -+ dontaudit $1 nscd_var_run_t:dir search_dir_perms; - ') + ######################################## + ## +-## Read nscd pid files. ++## Read NSCD pid file. + ## + ## + ## +@@ -212,7 +232,7 @@ interface(`nscd_read_pid',` ######################################## -@@ -224,6 +246,7 @@ interface(`nscd_unconfined',` + ## +-## Unconfined access to nscd services. ++## Unconfined access to NSCD services. + ## + ## + ## +@@ -244,20 +264,20 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -39890,10 +42041,29 @@ index 85188dc..2b37836 100644 # interface(`nscd_run',` gen_require(` -@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',` +- attribute_role nscd_roles; ++ type nscd_t; + ') + + nscd_domtrans($1) +- roleattribute $2 nscd_roles; ++ role $2 types nscd_t; + ') + + ######################################## + ## +-## Execute the nscd server init +-## script in the initrc domain. ++## Execute the nscd server init script. + ## + ## + ## +@@ -275,8 +295,31 @@ interface(`nscd_initrc_domtrans',` ######################################## ## +-## All of the rules required to +-## administrate an nscd environment. +## Execute nscd server in the nscd domain. +## +## 
@@ -39917,10 +42087,21 @@ index 85188dc..2b37836 100644 + +######################################## +## - ## All of the rules required to administrate - ## an nscd environment ++## All of the rules required to administrate ++## an nscd environment ## -@@ -273,10 +319,14 @@ interface(`nscd_admin',` + ## + ## +@@ -285,7 +328,7 @@ interface(`nscd_initrc_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the nscd domain. + ## + ## + ## +@@ -294,10 +337,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; @@ -39936,34 +42117,59 @@ index 85188dc..2b37836 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -288,4 +338,8 @@ interface(`nscd_admin',` - +@@ -310,5 +357,7 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) -+ + +- nscd_run($1, $2) + nscd_systemctl($1) + admin_pattern($1, nscd_unit_file_t) + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index 7936e09..2814186 100644 +index df4c10f..2814186 100644 --- a/nscd.te +++ b/nscd.te -@@ -4,6 +4,13 @@ gen_require(` +@@ -1,36 +1,37 @@ +-policy_module(nscd, 1.10.3) ++policy_module(nscd, 1.10.0) + + gen_require(` class nscd all_nscd_perms; ') -+## -+##
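Review bot: The summary added at the end of this hunk, `+## Execute nscd server in the nscd domain.`, belongs to the interface inserted between nscd_initrc_domtrans and nscd_admin, whose body lies outside the hunk; if that interface is nscd_systemctl, as the `nscd_systemctl($1)` call in the nscd_admin hunk further down suggests, the wording duplicates nscd_domtrans's summary and does not describe what is granted. Something like `## Allow the specified domain to manage the nscd service through systemctl (nscd_unit_file_t).` would match the unit-file permissions nscd_admin adds. The `role $2 types nscd_t` replacement for `roleattribute $2 nscd_roles` in nscd_run is consistent with the removal of `attribute_role nscd_roles` in the nscd.te hunk of this diff, so that part needs no change.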
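Review bot: Most of this hunk is wording churn rather than a policy change: upstream's `## All of the rules required to / ## administrate an nscd environment.` is deleted and re-added as `## All of the rules required to administrate / ## an nscd environment` (different wrap, no period), and `## Role allowed access.` becomes `## The role to be allowed to manage the nscd domain.`. Keeping upstream's text would drop these lines from the patch and leave only the real change in nscd_admin; the ntp.if hunk later in this diff carries the same re-wrap for `an ntp environment`. If the reworded role description is wanted it is better sent upstream than carried in the rebase patch.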

    +-######################################## +-# +-# Declarations +-# +- + ## + ##

    +-## Determine whether confined applications +-## can use nscd shared memory. +## Allow confined applications to use nscd shared memory. -+##

    -+##
    -+gen_tunable(nscd_use_shm, false) -+ - ######################################## - # - # Declarations -@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t) + ##

    + ## + gen_tunable(nscd_use_shm, false) + +-attribute_role nscd_roles; ++######################################## ++# ++# Declarations ++# + ++# cjp: this is out of order because of an ++# ordering problem with loadable modules + type nscd_var_run_t; + files_pid_file(nscd_var_run_t) +-init_daemon_run_dir(nscd_var_run_t, "nscd") + ++# nscd is both the client program and the daemon. + type nscd_t; + type nscd_exec_t; + init_daemon_domain(nscd_t, nscd_exec_t) +-role nscd_roles types nscd_t; + type nscd_initrc_exec_t; init_script_file(nscd_initrc_exec_t) @@ -39973,8 +42179,23 @@ index 7936e09..2814186 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat }; - allow nscd_t nscd_log_t:file manage_file_perms; +@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid }; + dontaudit nscd_t self:capability sys_tty_config; + allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; + allow nscd_t self:fifo_file read_fifo_file_perms; +-allow nscd_t self:unix_stream_socket { accept listen }; ++allow nscd_t self:unix_stream_socket create_stream_socket_perms; ++allow nscd_t self:unix_dgram_socket create_socket_perms; + allow nscd_t self:netlink_selinux_socket create_socket_perms; ++allow nscd_t self:tcp_socket create_socket_perms; ++allow nscd_t self:udp_socket create_socket_perms; + ++# For client program operation, invoked from sysadm_t. ++# Transition occurs to nscd_t due to direct_sysadm_daemon. + allow nscd_t self:nscd { admin getstat }; + +-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) +manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) 
@@ -39983,32 +42204,65 @@ index 7936e09..2814186 100644 -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) +files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) - corecmd_search_bin(nscd_t) ++corecmd_search_bin(nscd_t) can_exec(nscd_t, nscd_exec_t) -+kernel_read_network_state(nscd_t) - kernel_read_kernel_sysctls(nscd_t) - kernel_list_proc(nscd_t) +-kernel_list_proc(nscd_t) +-kernel_read_kernel_sysctls(nscd_t) + kernel_read_network_state(nscd_t) ++kernel_read_kernel_sysctls(nscd_t) ++kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) -@@ -70,7 +82,6 @@ fs_list_inotifyfs(nscd_t) + +-corecmd_search_bin(nscd_t) +- + dev_read_sysfs(nscd_t) + dev_read_rand(nscd_t) + dev_read_urand(nscd_t) + +-domain_search_all_domains_state(nscd_t) +-domain_use_interactive_fds(nscd_t) +- +-files_read_generic_tmp_symlinks(nscd_t) +-files_read_etc_runtime_files(nscd_t) +- + fs_getattr_all_fs(nscd_t) + fs_search_auto_mountpoints(nscd_t) + fs_list_inotifyfs(nscd_t) + ++# for when /etc/passwd has just been updated and has the wrong type auth_getattr_shadow(nscd_t) auth_use_nsswitch(nscd_t) -corenet_all_recvfrom_unlabeled(nscd_t) corenet_all_recvfrom_netlabel(nscd_t) corenet_tcp_sendrecv_generic_if(nscd_t) - corenet_udp_sendrecv_generic_if(nscd_t) -@@ -90,8 +101,8 @@ selinux_compute_create_context(nscd_t) ++corenet_udp_sendrecv_generic_if(nscd_t) + corenet_tcp_sendrecv_generic_node(nscd_t) +- +-corenet_sendrecv_all_client_packets(nscd_t) +-corenet_tcp_connect_all_ports(nscd_t) ++corenet_udp_sendrecv_generic_node(nscd_t) + corenet_tcp_sendrecv_all_ports(nscd_t) +- ++corenet_udp_sendrecv_all_ports(nscd_t) ++corenet_udp_bind_generic_node(nscd_t) ++corenet_tcp_connect_all_ports(nscd_t) ++corenet_sendrecv_all_client_packets(nscd_t) + corenet_rw_tun_tap_dev(nscd_t) + + selinux_get_fs_mount(nscd_t) +@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t) + selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) 
selinux_compute_user_contexts(nscd_t) - domain_use_interactive_fds(nscd_t) ++domain_use_interactive_fds(nscd_t) +domain_search_all_domains_state(nscd_t) ++ ++files_read_generic_tmp_symlinks(nscd_t) ++# Needed to read files created by firstboot "/etc/hesiod.conf" ++files_read_etc_runtime_files(nscd_t) --files_read_etc_files(nscd_t) - files_read_generic_tmp_symlinks(nscd_t) - # Needed to read files created by firstboot "/etc/hesiod.conf" - files_read_etc_runtime_files(nscd_t) -@@ -99,7 +110,6 @@ files_read_etc_runtime_files(nscd_t) logging_send_audit_msgs(nscd_t) logging_send_syslog_msg(nscd_t) 
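Review bot: Almost every line in the nscd.te part of this hunk is a reorder rather than a policy change: `kernel_read_kernel_sysctls`, `kernel_list_proc`, `corecmd_search_bin`, `domain_use_interactive_fds`, `files_read_generic_tmp_symlinks`, `files_read_etc_runtime_files`, `corenet_tcp_connect_all_ports` and `corenet_sendrecv_all_client_packets` are each removed at upstream's position and re-added at the old Fedora position. Keeping upstream's ordering would shrink the hunk to the lines that actually extend nscd_t, which as far as I can tell are the `self:tcp_socket` / `self:udp_socket` / `self:unix_dgram_socket` rules and the UDP corenet rules (`corenet_udp_sendrecv_*`, `corenet_udp_bind_generic_node(nscd_t)`). Those additions deserve a why-comment, e.g. `# nscd opens its own UDP sockets for resolver queries` above the bind rule, if that is the reason; I cannot confirm the motivation from the hunk itself.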
@@ -40016,71 +42270,99 @@ index 7936e09..2814186 100644 seutil_read_config(nscd_t) seutil_read_default_contexts(nscd_t) -@@ -112,6 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) + seutil_sigchld_newrole(nscd_t) + ++sysnet_read_config(nscd_t) ++ + userdom_dontaudit_use_user_terminals(nscd_t) + userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) +@@ -121,20 +130,30 @@ optional_policy(` + ') optional_policy(` -+ accountsd_dontaudit_rw_fifo_file(nscd_t) ++ kerberos_use(nscd_t) +') + +optional_policy(` - cron_read_system_job_tmp_files(nscd_t) - ') - -@@ -127,3 +141,19 @@ optional_policy(` - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) - ') ++ udev_read_db(nscd_t) ++') + +optional_policy(` -+ tunable_policy(`samba_domain_controller',` -+ samba_append_log(nscd_t) -+ samba_dontaudit_use_fds(nscd_t) -+ ') ++ xen_dontaudit_rw_unix_stream_sockets(nscd_t) ++ xen_append_log(nscd_t) +') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') +- +- samba_read_config(nscd_t) +- samba_read_var_files(nscd_t) + ') + + optional_policy(` +- udev_read_db(nscd_t) + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- xen_dontaudit_rw_unix_stream_sockets(nscd_t) +- xen_append_log(nscd_t) + unconfined_dontaudit_rw_packet_sockets(nscd_t) -+') + ') diff --git a/nsd.fc b/nsd.fc -index 53cc800..5348e92 100644 +index 4f2b1b6..5348e92 100644 --- a/nsd.fc 
+++ b/nsd.fc -@@ -1,6 +1,6 @@ +@@ -1,16 +1,13 @@ +-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) - /etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) +-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) -/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) ++/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) +/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0) - /etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) ++/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -@@ -10,5 +10,4 @@ - /usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) - - /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) +-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) +-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) ++/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) + /usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) +-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) +- +-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) ++/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) + ++/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/nsd.if b/nsd.if -index a1371d5..ad4f14a 100644 +index a9c60ff..ad4f14a 100644 --- a/nsd.if 
+++ b/nsd.if -@@ -2,6 +2,25 @@ +@@ -1,8 +1,8 @@ +-## Authoritative only name server. ++## Authoritative only name server ######################################## ## +-## Send and receive datagrams from NSD. (Deprecated) +## Read NSD pid file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ##
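Review bot: The nsd.fc part of this hunk deletes and re-adds `/etc/nsd(/.*)?`, `/etc/nsd/primary(/.*)?`, `/usr/sbin/nsd`, `/usr/sbin/nsdc`, `/usr/sbin/zonec` and `/var/lib/nsd(/.*)?` with identical contexts, so the only line that changes labeling relative to upstream in this rebase is the removed `/etc/rc\.d/init\.d/nsd` entry (the `nsd\.db` relabel to nsd_zone_t was already carried by the previous version of the patch). Keeping upstream's line order would leave just that removal, which only makes sense together with the `nsd_initrc_exec_t` type removal in the next hunk; a one-line comment in the commit message on why Fedora drops init-script labeling for nsd would help the next rebase. The nscd.te optional_policy blocks at the top of this hunk show the same reorder-only churn (udev_read_db, xen_*, samba_read_config moved between blocks), and `kerberos_use(nscd_t)` appears to be the one genuinely new line there; it should carry a comment saying what nscd needs from Kerberos config, if that is the reason.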
    + ## + ## +@@ -10,13 +10,18 @@ + ## + ## + # +-interface(`nsd_udp_chat',` +- refpolicywarn(`$0($*) has been deprecated.') +interface(`nsd_read_pid',` + gen_require(` + type nsd_var_run_t; @@ -40088,67 +42370,129 @@ index a1371d5..ad4f14a 100644 + + files_search_pids($1) + read_files_pattern($1, nsd_var_run_t, nsd_var_run_t) -+') -+ -+######################################## -+## - ## Send and receive datagrams from NSD. (Deprecated) + ') + + ######################################## + ## +-## Connect to NSD over a TCP socket (Deprecated) ++## Send and receive datagrams from NSD. (Deprecated) + ## + ## + ## +@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',` + ## + ## + # +-interface(`nsd_tcp_connect',` ++interface(`nsd_udp_chat',` + refpolicywarn(`$0($*) has been deprecated.') + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nsd environment. ++## Connect to NSD over a TCP socket (Deprecated) ## ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`nsd_admin',` +- gen_require(` +- type nsd_t, nsd_conf_t, nsd_var_run_t; +- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t; +- ') +- +- allow $1 nsd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, nsd_t) +- +- init_labeled_script_domtrans($1, nsd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 nsd_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, { nsd_conf_t nsd_db_t }) +- +- files_search_var_lib($1) +- admin_pattern($1, nsd_zone_t) +- +- files_list_pids($1) +- admin_pattern($1, nsd_var_run_t) ++interface(`nsd_tcp_connect',` ++ refpolicywarn(`$0($*) has been deprecated.') + ') diff --git a/nsd.te b/nsd.te -index 4b15536..82e97aa 100644 +index dde7f42..82e97aa 100644 --- a/nsd.te 
+++ b/nsd.te -@@ -18,15 +18,11 @@ domain_type(nsd_crond_t) +@@ -1,4 +1,4 @@ +-policy_module(nsd, 1.7.1) ++policy_module(nsd, 1.7.0) + + ######################################## + # +@@ -9,9 +9,7 @@ type nsd_t; + type nsd_exec_t; + init_daemon_domain(nsd_t, nsd_exec_t) + +-type nsd_initrc_exec_t; +-init_script_file(nsd_initrc_exec_t) +- ++# A type for configuration files of nsd + type nsd_conf_t; + files_type(nsd_conf_t) + +@@ -20,32 +18,28 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; --# a type for nsd.db -type nsd_db_t; -files_type(nsd_db_t) - type nsd_var_run_t; files_pid_file(nsd_var_run_t) - # A type for zone files -type nsd_zone_t; ++# A type for zone files +type nsd_zone_t alias nsd_db_t; files_type(nsd_zone_t) ######################################## -@@ -34,25 +30,24 @@ files_type(nsd_zone_t) - # NSD Local policy + # +-# Local policy ++# NSD Local policy # --allow nsd_t self:capability { dac_override chown setuid setgid }; -+allow nsd_t self:capability { chown dac_override kill setgid setuid }; + allow nsd_t self:capability { chown dac_override kill setgid setuid }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; - allow nsd_t self:tcp_socket create_stream_socket_perms; - allow nsd_t self:udp_socket create_socket_perms; -+allow nsd_t self:fifo_file rw_fifo_file_perms; ++allow nsd_t self:tcp_socket create_stream_socket_perms; ++allow nsd_t self:udp_socket create_socket_perms; + allow nsd_t self:fifo_file rw_fifo_file_perms; +-allow nsd_t self:tcp_socket { accept listen }; allow nsd_t nsd_conf_t:dir list_dir_perms; - read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) - read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) - +-allow nsd_t nsd_conf_t:file read_file_perms; +-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; +- -allow nsd_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) -- ++read_files_pattern(nsd_t, 
nsd_conf_t, nsd_conf_t) ++read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) + manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) - --allow nsd_t nsd_zone_t:dir list_dir_perms; --read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) --read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -+manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -+manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -+manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) -+files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) - - can_exec(nsd_t, nsd_exec_t) - -@@ -61,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) 
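Review bot: The nsd.if part of this hunk deletes upstream's `nsd_admin` interface outright, and the nsd.te part drops `type nsd_initrc_exec_t; init_script_file(nsd_initrc_exec_t)` that it depends on, so any policy calling `nsd_admin` against this tree stops building and nothing in the hunk says why. If the intent is only to avoid the init-script type, `nsd_admin` could stay with its `init_labeled_script_domtrans` / `role_transition` lines and the `nsd_initrc_exec_t` require removed, keeping the ptrace, config, zone and pid management for the admin role. The hunk also rewrites `policy_module(nsd, 1.7.1)` to `1.7.0` (the same version regression as in the nscd.te hunk above) and re-adds `self:tcp_socket create_stream_socket_perms` / `self:udp_socket create_socket_perms` where upstream now has `self:tcp_socket { accept listen }`; whether that re-add is redundant depends on what the base policy grants, but both changes read like the old Fedora copy overwriting upstream rather than deliberate edits.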
@@ -40156,141 +42500,276 @@ index 4b15536..82e97aa 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -79,17 +73,17 @@ dev_read_sysfs(nsd_t) +@@ -72,16 +65,16 @@ corenet_tcp_sendrecv_all_ports(nsd_t) + corenet_udp_sendrecv_all_ports(nsd_t) + corenet_tcp_bind_generic_node(nsd_t) + corenet_udp_bind_generic_node(nsd_t) +- +-corenet_sendrecv_dns_server_packets(nsd_t) + corenet_tcp_bind_dns_port(nsd_t) + corenet_udp_bind_dns_port(nsd_t) ++corenet_sendrecv_dns_server_packets(nsd_t) + + dev_read_sysfs(nsd_t) domain_use_interactive_fds(nsd_t) --files_read_etc_files(nsd_t) files_read_etc_runtime_files(nsd_t) +files_search_var_lib(nsd_t) fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) +@@ -90,12 +83,16 @@ auth_use_nsswitch(nsd_t) --logging_send_syslog_msg(nsd_t) -+auth_use_nsswitch(nsd_t) + logging_send_syslog_msg(nsd_t) -miscfiles_read_localization(nsd_t) -+logging_send_syslog_msg(nsd_t) - --sysnet_read_config(nsd_t) +sysnet_dns_name_resolve(nsd_t) userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -121,8 +115,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms; + optional_policy(` ++ nis_use_ypbind(nsd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(nsd_t) + ') + +@@ -105,23 +102,24 @@ optional_policy(` + + ######################################## + # +-# Cron local policy ++# Zone update cron job local policy + # + ++# kill capability for root cron job and non-root daemon + allow nsd_crond_t self:capability { dac_override kill }; + dontaudit nsd_crond_t self:capability sys_nice; + allow nsd_crond_t self:process { setsched signal_perms }; + allow nsd_crond_t self:fifo_file rw_fifo_file_perms; ++allow nsd_crond_t self:tcp_socket create_socket_perms; ++allow nsd_crond_t self:udp_socket create_socket_perms; + +-allow nsd_crond_t nsd_t:process signal; +-ps_process_pattern(nsd_crond_t, nsd_t) +- +-allow nsd_crond_t nsd_conf_t:dir 
list_dir_perms; allow nsd_crond_t nsd_conf_t:file read_file_perms; +-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms; -allow nsd_crond_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) - files_search_var_lib(nsd_crond_t) ++files_search_var_lib(nsd_crond_t) ++ ++allow nsd_crond_t nsd_t:process signal; ++ ++ps_process_pattern(nsd_crond_t, nsd_t) - allow nsd_crond_t nsd_t:process signal; -@@ -139,7 +131,6 @@ kernel_read_system_state(nsd_crond_t) + manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) + filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) +@@ -133,29 +131,41 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) -corenet_all_recvfrom_unlabeled(nsd_crond_t) corenet_all_recvfrom_netlabel(nsd_crond_t) corenet_tcp_sendrecv_generic_if(nsd_crond_t) - corenet_udp_sendrecv_generic_if(nsd_crond_t) -@@ -155,13 +146,13 @@ dev_read_urand(nsd_crond_t) ++corenet_udp_sendrecv_generic_if(nsd_crond_t) + corenet_tcp_sendrecv_generic_node(nsd_crond_t) +- +-corenet_sendrecv_all_client_packets(nsd_crond_t) +-corenet_tcp_connect_all_ports(nsd_crond_t) ++corenet_udp_sendrecv_generic_node(nsd_crond_t) + corenet_tcp_sendrecv_all_ports(nsd_crond_t) ++corenet_udp_sendrecv_all_ports(nsd_crond_t) ++corenet_tcp_connect_all_ports(nsd_crond_t) ++corenet_sendrecv_all_client_packets(nsd_crond_t) + ++# for SSP + dev_read_urand(nsd_crond_t) domain_dontaudit_read_all_domains_state(nsd_crond_t) --files_read_etc_files(nsd_crond_t) files_read_etc_runtime_files(nsd_crond_t) - files_search_var_lib(nsd_t) ++files_search_var_lib(nsd_t) + + auth_use_nsswitch(nsd_crond_t) -+auth_use_nsswitch(nsd_crond_t) -+ logging_send_syslog_msg(nsd_crond_t) -miscfiles_read_localization(nsd_crond_t) ++ ++sysnet_read_config(nsd_crond_t) - sysnet_read_config(nsd_crond_t) + userdom_dontaudit_search_user_home_dirs(nsd_crond_t) + optional_policy(` + cron_system_entry(nsd_crond_t, nsd_exec_t) + ') ++ 
++optional_policy(` ++ nis_use_ypbind(nsd_crond_t) ++') ++ ++optional_policy(` ++ nscd_read_pid(nsd_crond_t) ++') +diff --git a/nslcd.fc b/nslcd.fc +index 402100e..ce913b2 100644 +--- a/nslcd.fc ++++ b/nslcd.fc +@@ -1,7 +1,4 @@ +-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) +- +-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) +- +-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) +- +-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) ++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) ++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) ++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) ++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/nslcd.if b/nslcd.if -index 23c769c..0398e70 100644 +index 97df768..0398e70 100644 --- a/nslcd.if 
+++ b/nslcd.if -@@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',` - # - interface(`nslcd_admin',` - gen_require(` -- type nslcd_t, nslcd_initrc_exec_t; -- type nslcd_conf_t, nslcd_var_run_t; -+ type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; -+ type nslcd_conf_t; +@@ -1,4 +1,4 @@ +-## Local LDAP name service daemon. ++## nslcd - local LDAP name service daemon. + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',` + type nslcd_t, nslcd_exec_t; + ') + +- corecmd_searh_bin($1) + domtrans_pattern($1, nslcd_exec_t, nslcd_t) + ') + +@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',` + + ######################################## + ## +-## Read nslcd pid files. ++## Read nslcd PID files. + ## + ## + ## +@@ -58,8 +57,7 @@ interface(`nslcd_read_pid_files',` + + ######################################## + ## +-## Connect to nslcd over an unix +-## domain stream socket. ++## Connect to nslcd over an unix stream socket. + ## + ## + ## +@@ -72,14 +70,14 @@ interface(`nslcd_stream_connect',` + type nslcd_t, nslcd_var_run_t; + ') + +- files_search_pids($1) + stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) ++ files_search_pids($1) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an nslcd environment. 
++## All of the rules required to administrate ++## an nslcd environment + ## + ## + ## +@@ -99,17 +97,21 @@ interface(`nslcd_admin',` + type nslcd_conf_t; ') - ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nslcd_t) + allow $1 nslcd_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $1 nslcd_t:process ptrace; + ') - # Allow nslcd_t to restart the apache service ++ # Allow nslcd_t to restart the apache service nslcd_initrc_domtrans($1) -@@ -106,9 +109,9 @@ interface(`nslcd_admin',` + domain_system_change_exemption($1) role_transition $2 nslcd_initrc_exec_t system_r; allow $2 system_r; -- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) +- files_search_etc($1) + files_list_etc($1) -+ admin_pattern($1, nslcd_conf_t) + admin_pattern($1, nslcd_conf_t) -- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) -- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +- files_search_pids($1) +- admin_pattern($1, nslcd_var_run_t) + files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 01594c8..bcc61b5 100644 +index a3e56f0..bcc61b5 100644 --- a/nslcd.te 
+++ b/nslcd.te -@@ -16,15 +16,15 @@ type nslcd_var_run_t; - files_pid_file(nslcd_var_run_t) +@@ -1,4 +1,4 @@ +-policy_module(nslcd, 1.3.1) ++policy_module(nslcd, 1.3.0) - type nslcd_conf_t; --files_type(nslcd_conf_t) -+files_config_file(nslcd_conf_t) + ######################################## + # +@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) ######################################## # - # nslcd local policy +-# Local policy ++# nslcd local policy # -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; +-allow nslcd_t self:unix_stream_socket { accept listen }; +allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal }; - allow nslcd_t self:unix_stream_socket create_stream_socket_perms; ++allow nslcd_t self:unix_stream_socket create_stream_socket_perms; allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -42,13 +42,21 @@ corenet_tcp_connect_ldap_port(nslcd_t) - corenet_sendrecv_ldap_client_packets(nslcd_t) - files_read_etc_files(nslcd_t) -+files_read_usr_symlinks(nslcd_t) -+files_list_tmp(nslcd_t) +@@ -38,13 +38,10 @@ kernel_read_system_state(nslcd_t) + + corenet_all_recvfrom_unlabeled(nslcd_t) + corenet_all_recvfrom_netlabel(nslcd_t) +-corenet_tcp_sendrecv_generic_if(nslcd_t) +-corenet_tcp_sendrecv_generic_node(nslcd_t) +- +-corenet_sendrecv_ldap_client_packets(nslcd_t) + corenet_tcp_connect_ldap_port(nslcd_t) +-corenet_tcp_sendrecv_ldap_port(nslcd_t) ++corenet_sendrecv_ldap_client_packets(nslcd_t) + ++files_read_etc_files(nslcd_t) + files_read_usr_symlinks(nslcd_t) + files_list_tmp(nslcd_t) - auth_use_nsswitch(nslcd_t) +@@ -52,10 +49,14 @@ auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) -miscfiles_read_localization(nslcd_t) -+ -+userdom_read_user_tmp_files(nslcd_t) -+ -+optional_policy(` -+ dirsrv_stream_connect(nslcd_t) -+') + + userdom_read_user_tmp_files(nslcd_t) optional_policy(` ++ dirsrv_stream_connect(nslcd_t) ++') ++ 
++optional_policy(` ldap_stream_connect(nslcd_t) ') + @@ -40791,10 +43270,10 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..a333e40 +index 0000000..caac07d --- /dev/null +++ b/nsplugin.te -@@ -0,0 +1,323 @@ +@@ -0,0 +1,324 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -40892,7 +43371,8 @@ index 0000000..a333e40 + +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) -+corenet_tcp_connect_streaming_port(nsplugin_t) ++corenet_tcp_connect_ms_streaming_port(nsplugin_t) ++corenet_tcp_connect_rtsp_port(nsplugin_t) +corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_cache_port(nsplugin_t) @@ -41119,56 +43599,40 @@ index 0000000..a333e40 + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index ded9fb6..6b11681 100644 +index 52757d8..6519e8f 100644 --- a/ntop.te +++ b/ntop.te -@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(ntop_t) - kernel_list_proc(ntop_t) - kernel_read_proc_symlinks(ntop_t) +@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t) + kernel_read_network_state(ntop_t) + kernel_read_kernel_sysctls(ntop_t) -corenet_all_recvfrom_unlabeled(ntop_t) corenet_all_recvfrom_netlabel(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t) - corenet_udp_sendrecv_generic_if(ntop_t) -@@ -85,7 +84,6 @@ dev_rw_generic_usb_dev(ntop_t) - - domain_use_interactive_fds(ntop_t) - --files_read_etc_files(ntop_t) - files_read_usr_files(ntop_t) - - fs_getattr_all_fs(ntop_t) -@@ -95,7 +93,6 @@ auth_use_nsswitch(ntop_t) - - logging_send_syslog_msg(ntop_t) - --miscfiles_read_localization(ntop_t) - miscfiles_read_fonts(ntop_t) - - userdom_dontaudit_use_unpriv_user_fds(ntop_t) + corenet_raw_sendrecv_generic_if(ntop_t) diff --git a/ntp.fc b/ntp.fc -index e79dccc..2a3c6af 100644 +index af3c91e..6882a3f 100644 --- a/ntp.fc 
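Review bot: In nslcd.fc the upstream entry `/etc/nss-ldapd\.conf` is rewritten as `/etc/nss-ldapd.conf`, dropping the escape on the dot; file_contexts entries are regular expressions, so the new form also matches names such as `nss-ldapdXconf` and loses labeling precision for no gain — keep `\.`, as the neighbouring `/etc/rc\.d/init\.d/nslcd` entry does. In nsd.te, `files_search_var_lib(nsd_t)` is re-added to the "Zone update cron job local policy" section although nsd_t already receives `files_search_var_lib(nsd_t)` in its own section earlier in this diff and the newer upstream no longer carries it there; if nsd_crond_t was meant, it already has `files_search_var_lib(nsd_crond_t)` a few lines up, so the line can go. In nslcd.if the misspelled `corecmd_searh_bin($1)` is removed rather than corrected to `corecmd_search_bin($1)`; that matches the removal of `corecmd_search_bin($1)` from nscd_exec earlier in this diff, so presumably bin_t search is granted elsewhere in this tree, but a comment saying so would save the next reviewer the same question.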
+++ b/ntp.fc -@@ -10,10 +10,14 @@ - - /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) +@@ -13,6 +13,8 @@ + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + - /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) -+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - - /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) - /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if -index e80f8c0..d60b451 100644 +index b59196f..d60b451 100644 --- a/ntp.if +++ b/ntp.if +@@ -1,4 +1,4 @@ +-## Network time protocol daemon. ++## Network time protocol daemon + + ######################################## + ## @@ -37,6 +37,25 @@ interface(`ntp_domtrans',` ######################################## @@ -41195,6 +43659,20 @@ index e80f8c0..d60b451 100644 ## Execute ntp in the ntp domain, and ## allow the specified role the ntp domain. ## +@@ -54,11 +73,11 @@ interface(`ntp_domtrans',` + # + interface(`ntp_run',` + gen_require(` +- attribute_role ntpd_roles; ++ type ntpd_t; + ') + + ntp_domtrans($1) +- roleattribute $2 ntpd_roles; ++ role $2 types ntpd_t; + ') + + ######################################## @@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') 
@@ -41244,10 +43722,12 @@ index e80f8c0..d60b451 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',` +@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',` ######################################## ## +-## All of the rules required to +-## administrate an ntp environment. +## Allow the domain to read ntpd state files in /proc. +## +## @@ -41267,20 +43747,31 @@ index e80f8c0..d60b451 100644 + +######################################## +## - ## All of the rules required to administrate - ## an ntp environment ++## All of the rules required to administrate ++## an ntp environment ## -@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',` + ## + ## +@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the ntp domain. + ## + ## + ## +@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; -- type ntpd_key_t, ntpd_var_run_t; -- type ntpd_initrc_exec_t; +- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t; +- type ntpd_initrc_exec_t, ntp_drift_t; + type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; + type ntpd_unit_file_t; ') -- allow $1 ntpd_t:process { ptrace signal_perms getattr }; +- allow $1 ntpd_t:process { ptrace signal_perms }; + allow $1 ntpd_t:process signal_perms; ps_process_pattern($1, ntpd_t) + tunable_policy(`deny_ptrace',`',` 
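Review bot: The new gen_require for ntp_admin drops `ntp_conf_t` and `ntp_drift_t`, which upstream's version requires, and the next hunk narrows `admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })` to `admin_pattern($1, ntpd_key_t)` and removes `files_list_etc($1)`, so the admin role loses management of the ntp configuration and drift files relative to upstream. Unless Fedora grants those elsewhere, restoring upstream's `type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;` / `type ntpd_initrc_exec_t, ntp_drift_t;` alongside the added `type ntpd_unit_file_t;`, and keeping the three-type admin_pattern with `files_list_etc($1)`, looks like the right fix. The rest of this hunk only re-wraps the interface summary (`All of the rules required to administrate / an ntp environment`) and rewords the role description, the same churn as in the nscd.if hunk above.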
@@ -41289,38 +43780,39 @@ index e80f8c0..d60b451 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -162,4 +245,8 @@ interface(`ntp_admin',` + role_transition $2 ntpd_initrc_exec_t system_r; + allow $2 system_r; +- files_list_etc($1) +- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }) ++ admin_pattern($1, ntpd_key_t) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) +@@ -164,5 +246,7 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) -+ + +- ntp_run($1, $2) + ntp_systemctl($1) + admin_pattern($1, ntpd_unit_file_t) + allow $1 ntpd_unit_file_t:service all_service_perms; ') diff --git a/ntp.te b/ntp.te -index c61adc8..cb20a9d 100644 +index b90e343..b969766 100644 --- a/ntp.te +++ b/ntp.te -@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) +@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; type ntpd_initrc_exec_t; init_script_file(ntpd_initrc_exec_t) +type ntpd_unit_file_t; +systemd_unit_file(ntpd_unit_file_t) + - type ntpd_key_t; - files_type(ntpd_key_t) - -@@ -50,6 +53,7 @@ allow ntpd_t self:unix_stream_socket create_socket_perms; - allow ntpd_t self:tcp_socket create_stream_socket_perms; - allow ntpd_t self:udp_socket create_socket_perms; - -+manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) - manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + type ntp_conf_t; + files_config_file(ntp_conf_t) - can_exec(ntpd_t, ntpd_exec_t) -@@ -78,7 +82,6 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) 
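Review bot: The new side of the inner patch narrows ntp_admin: its gen_require drops `ntp_conf_t` and `ntp_drift_t`, `admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })` becomes `admin_pattern($1, ntpd_key_t)`, and the `ntp_run($1, $2)` call is removed, so an admin role granted through this interface can no longer manage the ntp_conf_t configuration or the drift directory even though ntp.te in the same patch still declares `type ntp_conf_t; files_config_file(ntp_conf_t)`. I cannot tell from this hunk whether another interface covers those types; if the narrowing is intended, a one-line comment such as `# ntp_conf_t/ntp_drift_t are intentionally not managed here` would stop the next rebase from "fixing" it, otherwise the two types should go back into the admin_pattern. The move to `allow $1 ntpd_t:process signal_perms;` with ptrace behind `tunable_policy(`deny_ptrace', ...)` is the right shape. ntp_admin's opening lines are outside this hunk.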
@@ -41328,11 +43820,23 @@ index c61adc8..cb20a9d 100644 corenet_all_recvfrom_netlabel(ntpd_t) corenet_tcp_sendrecv_generic_if(ntpd_t) corenet_udp_sendrecv_generic_if(ntpd_t) -@@ -96,11 +99,15 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) - dev_read_sysfs(ntpd_t) - # for SSP - dev_read_urand(ntpd_t) -+dev_rw_realtime_clock(ntpd_t) + corenet_tcp_sendrecv_generic_node(ntpd_t) + corenet_udp_sendrecv_generic_node(ntpd_t) + corenet_udp_bind_generic_node(ntpd_t) +- +-corenet_sendrecv_ntp_server_packets(ntpd_t) + corenet_udp_bind_ntp_port(ntpd_t) +-corenet_udp_sendrecv_ntp_port(ntpd_t) +- +-corenet_sendrecv_ntp_client_packets(ntpd_t) + corenet_tcp_connect_ntp_port(ntpd_t) +-corenet_tcp_sendrecv_ntp_port(ntpd_t) ++corenet_sendrecv_ntp_server_packets(ntpd_t) ++corenet_sendrecv_ntp_client_packets(ntpd_t) + + corecmd_exec_bin(ntpd_t) + corecmd_exec_shell(ntpd_t) +@@ -115,8 +113,11 @@ files_list_var_lib(ntpd_t) fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) @@ -41344,42 +43848,38 @@ index c61adc8..cb20a9d 100644 auth_use_nsswitch(ntpd_t) -@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t) - domain_use_interactive_fds(ntpd_t) - domain_dontaudit_list_all_domains_state(ntpd_t) - --files_read_etc_files(ntpd_t) - files_read_etc_runtime_files(ntpd_t) - files_read_usr_files(ntpd_t) - files_list_var_lib(ntpd_t) -@@ -119,7 +125,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +125,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) -miscfiles_read_localization(ntpd_t) - +- userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) + diff --git a/numad.fc b/numad.fc -new file mode 100644 -index 0000000..1f97624 ---- /dev/null +index 3488bb0..1f97624 100644 +--- a/numad.fc 
+++ b/numad.fc -@@ -0,0 +1,7 @@ +@@ -1,7 +1,7 @@ +-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0) +/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) -+ + +-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) +/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0) -+ + +-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0) +/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0) -+ + +-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) +/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/numad.if b/numad.if -new file mode 100644 -index 0000000..709dda1 ---- /dev/null +index 0d3c270..709dda1 100644 +--- a/numad.if +++ b/numad.if -@@ -0,0 +1,72 @@ -+ +@@ -1,39 +1,72 @@ +-## Non-Uniform Memory Alignment Daemon. + +## policy for numad + +######################################## @@ -41400,15 +43900,19 @@ index 0000000..709dda1 + corecmd_search_bin($1) + domtrans_pattern($1, numad_exec_t, numad_t) +') -+######################################## -+## + ######################################## + ## +-## All of the rules required to +-## administrate an numad environment. +## Execute numad server in the numad domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`numad_systemctl',` + gen_require(` 
@@ -41431,171 +43935,429 @@ index 0000000..709dda1 +## an numad environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# -+interface(`numad_admin',` -+ gen_require(` + ## + ## +-## + # + interface(`numad_admin',` + gen_require(` +- type numad_t, numad_initrc_exec_t, numad_log_t; +- type numad_var_run_t; + type numad_t; + type numad_unit_file_t; -+ ') -+ -+ allow $1 numad_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, numad_t) -+ + ') + + allow $1 numad_t:process { ptrace signal_perms }; + ps_process_pattern($1, numad_t) + +- init_labeled_script_domtrans($1, numad_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 numad_initrc_exec_t system_r; +- allow $2 system_r; +- +- logging_search_logs($1) +- admin_pattern($1, numad_log_t) +- +- files_search_pids($1) +- admin_pattern($1, numad_var_run_t) + numad_systemctl($1) + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/numad.te b/numad.te -new file mode 100644 -index 0000000..c2d4196 ---- /dev/null +index f5d145d..c2d4196 100644 +--- a/numad.te 
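Review bot: The interface header for `numad_systemctl` is a copy of the domtrans header: its summary says `## Execute numad server in the numad domain.` and its parameter is documented as `## Domain allowed to transition.`, neither of which describes a systemctl interface. Reword them to something like `## Allow the caller to control the numad service via systemctl.` and `## Domain allowed access.`, which is the wording numad_admin uses for the same kind of parameter. The body of numad_systemctl continues outside this hunk.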
+++ b/numad.te -@@ -0,0 +1,46 @@ +@@ -1,4 +1,4 @@ +-policy_module(numad, 1.0.3) +policy_module(numad, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type numad_t; -+type numad_exec_t; -+init_daemon_domain(numad_t, numad_exec_t) -+ + + ######################################## + # +@@ -8,37 +8,39 @@ policy_module(numad, 1.0.3) + type numad_t; + type numad_exec_t; + init_daemon_domain(numad_t, numad_exec_t) +-application_executable_file(numad_exec_t) + +-type numad_initrc_exec_t; +-init_script_file(numad_initrc_exec_t) +type numad_unit_file_t; +systemd_unit_file(numad_unit_file_t) -+ + +-type numad_log_t; +-logging_log_file(numad_log_t) +type numad_var_log_t; +logging_log_file(numad_var_log_t) -+ -+type numad_var_run_t; -+files_pid_file(numad_var_run_t) -+ -+######################################## -+# + + type numad_var_run_t; + files_pid_file(numad_var_run_t) + + ######################################## + # +-# Local policy +# numad local policy -+# -+ + # + +allow numad_t self:process { fork }; -+allow numad_t self:fifo_file rw_fifo_file_perms; -+allow numad_t self:msgq create_msgq_perms; + allow numad_t self:fifo_file rw_fifo_file_perms; +-allow numad_t self:msg { send receive }; + allow numad_t self:msgq create_msgq_perms; +allow numad_t self:msg { send receive }; -+allow numad_t self:unix_stream_socket create_stream_socket_perms; -+ + allow numad_t self:unix_stream_socket create_stream_socket_perms; + +-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(numad_t, numad_log_t, file) +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) +logging_log_filetrans(numad_t, numad_var_log_t, { file }) -+ -+manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) + + manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) +-files_pid_filetrans(numad_t, numad_var_run_t, file) +files_pid_filetrans(numad_t, numad_var_run_t, { file }) -+ 
-+kernel_read_system_state(numad_t) -+ -+dev_read_sysfs(numad_t) -+ + + kernel_read_system_state(numad_t) + + dev_read_sysfs(numad_t) + +domain_use_interactive_fds(numad_t) + -+files_read_etc_files(numad_t) -+ + files_read_etc_files(numad_t) + +-miscfiles_read_localization(numad_t) +fs_search_cgroup_dirs(numad_t) diff --git a/nut.fc b/nut.fc -index 0a929ef..371119d 100644 +index 379af96..371119d 100644 --- a/nut.fc 
+++ b/nut.fc -@@ -3,6 +3,7 @@ +@@ -1,23 +1,13 @@ +-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) +-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) ++/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) + +-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) +- +-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) +- +-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) -+/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) - /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) + /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) ++/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) /var/run/nut(/.*)? 
gen_context(system_u:object_r:nut_var_run_t,s0) + +-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +diff --git a/nut.if b/nut.if +index 57c0161..56660c5 100644 +--- a/nut.if ++++ b/nut.if +@@ -1,39 +1 @@ +-## Network UPS Tools +- +-######################################## +-## +-## All of the rules required to +-## administrate an nut environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`nut_admin',` +- gen_require(` +- attribute nut_domain; +- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; +- ') +- +- allow $1 nut_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, nut_domain_t) +- +- init_labeled_script_domtrans($1, nut_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 nut_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, nut_conf_t) +- +- files_search_pids($1) +- admin_pattern($1, nut_var_run_t) +-') ++## nut - Network UPS Tools diff --git a/nut.te b/nut.te -index ff962dd..7c6ea74 100644 +index 0c9deb7..7c6ea74 100644 --- a/nut.te 
+++ b/nut.te -@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t) +@@ -1,121 +1,106 @@ +-policy_module(nut, 1.2.4) ++policy_module(nut, 1.2.0) + + ######################################## + # + # Declarations + # + +-attribute nut_domain; +- + type nut_conf_t; + files_config_file(nut_conf_t) + +-type nut_upsd_t, nut_domain; ++type nut_upsd_t; + type nut_upsd_exec_t; + init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) + +-type nut_upsmon_t, nut_domain; ++type nut_upsmon_t; + type nut_upsmon_exec_t; + init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) + +-type nut_upsdrvctl_t, nut_domain; ++type nut_upsdrvctl_t; + type nut_upsdrvctl_exec_t; + init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) + +-type nut_initrc_exec_t; +-init_script_file(nut_initrc_exec_t) +- + type nut_var_run_t; + files_pid_file(nut_var_run_t) +-init_daemon_run_dir(nut_var_run_t, "nut") + + ######################################## + # +-# Common nut domain local policy ++# Local policy for upsd # - allow nut_upsd_t self:capability { setgid setuid dac_override }; +-allow nut_domain self:capability { setgid setuid dac_override kill }; +-allow nut_domain self:process signal_perms; +-allow nut_domain self:fifo_file rw_fifo_file_perms; +-allow nut_domain self:unix_dgram_socket sendto; +- +-allow nut_domain nut_conf_t:dir list_dir_perms; +-allow nut_domain nut_conf_t:file read_file_perms; +-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; +- +-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) ++allow nut_upsd_t self:capability { setgid setuid dac_override }; +allow nut_upsd_t self:process signal_perms; - allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; -@@ -55,7 +56,6 @@ auth_use_nsswitch(nut_upsd_t) +-kernel_read_kernel_sysctls(nut_domain) ++allow nut_upsd_t 
self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; + +-logging_send_syslog_msg(nut_domain) ++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; + +-miscfiles_read_localization(nut_domain) +- +-######################################## +-# +-# Upsd local policy +-# +- +-allow nut_upsd_t self:tcp_socket { accept listen }; ++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) + ++# pid file ++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) + manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) +- +-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) ++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) + +-corenet_all_recvfrom_unlabeled(nut_upsd_t) +-corenet_all_recvfrom_netlabel(nut_upsd_t) +-corenet_tcp_sendrecv_generic_if(nut_upsd_t) +-corenet_tcp_sendrecv_generic_node(nut_upsd_t) +-corenet_tcp_sendrecv_all_ports(nut_upsd_t) +-corenet_tcp_bind_generic_node(nut_upsd_t) ++kernel_read_kernel_sysctls(nut_upsd_t) - logging_send_syslog_msg(nut_upsd_t) +-corenet_sendrecv_ups_server_packets(nut_upsd_t) + corenet_tcp_bind_ups_port(nut_upsd_t) +- +-corenet_sendrecv_generic_server_packets(nut_upsd_t) + corenet_tcp_bind_generic_port(nut_upsd_t) ++corenet_tcp_bind_all_nodes(nut_upsd_t) --miscfiles_read_localization(nut_upsd_t) + files_read_usr_files(nut_upsd_t) + auth_use_nsswitch(nut_upsd_t) + ++logging_send_syslog_msg(nut_upsd_t) ++ ++ ######################################## # -@@ -100,7 +100,6 @@ logging_send_syslog_msg(nut_upsmon_t) +-# Upsmon local policy ++# Local policy for upsmon + # - auth_use_nsswitch(nut_upsmon_t) +-allow nut_upsmon_t self:capability dac_read_search; +-allow nut_upsmon_t self:unix_stream_socket connectto; ++allow nut_upsmon_t self:capability { dac_override 
dac_read_search setgid setuid }; ++allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; ++allow nut_upsmon_t self:tcp_socket create_socket_perms; + ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) ++ ++# pid file ++manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) ++ ++kernel_read_kernel_sysctls(nut_upsmon_t) + kernel_read_system_state(nut_upsmon_t) --miscfiles_read_localization(nut_upsmon_t) + corecmd_exec_bin(nut_upsmon_t) + corecmd_exec_shell(nut_upsmon_t) +-corenet_all_recvfrom_unlabeled(nut_upsmon_t) +-corenet_all_recvfrom_netlabel(nut_upsmon_t) +-corenet_tcp_sendrecv_generic_if(nut_upsmon_t) +-corenet_tcp_sendrecv_generic_node(nut_upsmon_t) +-corenet_tcp_sendrecv_all_ports(nut_upsmon_t) +-corenet_tcp_bind_generic_node(nut_upsmon_t) +- +-corenet_sendrecv_ups_client_packets(nut_upsmon_t) + corenet_tcp_connect_ups_port(nut_upsmon_t) +- +-corenet_sendrecv_generic_client_packets(nut_upsmon_t) + corenet_tcp_connect_generic_port(nut_upsmon_t) + ++# Creates /etc/killpower + files_manage_etc_runtime_files(nut_upsmon_t) + files_etc_filetrans_etc_runtime(nut_upsmon_t, file) + files_search_usr(nut_upsmon_t) + ++# /usr/bin/wall + term_write_all_terms(nut_upsmon_t) + ++# upsmon runs shutdown, probably need a shutdown domain ++init_rw_utmp(nut_upsmon_t) ++init_telinit(nut_upsmon_t) ++ ++logging_send_syslog_msg(nut_upsmon_t) ++ + auth_use_nsswitch(nut_upsmon_t) + ++ mta_send_mail(nut_upsmon_t) -@@ -133,6 +132,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) - # /sbin/upsdrvctl executes other drivers - corecmd_exec_bin(nut_upsdrvctl_t) + optional_policy(` +@@ -124,14 +109,27 @@ optional_policy(` -+dev_read_sysfs(nut_upsdrvctl_t) - dev_read_urand(nut_upsdrvctl_t) - 
dev_rw_generic_usb_dev(nut_upsdrvctl_t) + ######################################## + # +-# Upsdrvctl local policy ++# Local policy for upsdrvctl + # -@@ -144,7 +144,6 @@ init_sigchld(nut_upsdrvctl_t) ++allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; ++allow nut_upsdrvctl_t self:process { sigchld signal signull }; + allow nut_upsdrvctl_t self:fd use; ++allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsdrvctl_t self:udp_socket create_socket_perms; ++ ++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) + ++# pid file ++manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) + manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) ++files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) ++ ++kernel_read_kernel_sysctls(nut_upsdrvctl_t) - logging_send_syslog_msg(nut_upsdrvctl_t) ++# /sbin/upsdrvctl executes other drivers + corecmd_exec_bin(nut_upsdrvctl_t) --miscfiles_read_localization(nut_upsdrvctl_t) + dev_read_sysfs(nut_upsdrvctl_t) +@@ -144,17 +142,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) + init_sigchld(nut_upsdrvctl_t) + ++logging_send_syslog_msg(nut_upsdrvctl_t) ++ ++ ####################################### # -@@ -157,7 +156,6 @@ optional_policy(` +-# Cgi local policy ++# Local policy for upscgi scripts ++# requires httpd_enable_cgi and httpd_can_network_connect + # + + optional_policy(` + apache_content_template(nutups_cgi) - read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) +- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; +- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms; +- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; ++ read_files_pattern(httpd_nutups_cgi_script_t, 
nut_conf_t, nut_conf_t) ++ ++ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) ++ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) -- corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t) - corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) - corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) + ') diff --git a/nx.if b/nx.if -index 79a225c..d82b231 100644 +index 251d681..50ae2a9 100644 --- a/nx.if 
+++ b/nx.if -@@ -33,8 +33,10 @@ interface(`nx_read_home_files',` - type nx_server_home_ssh_t, nx_server_var_lib_t; +@@ -35,7 +35,9 @@ interface(`nx_read_home_files',` ') -+ files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; - read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + files_search_var_lib($1) +- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t) ++ allow $1 nx_server_var_lib_t:dir search_dir_perms; ++ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) ') ######################################## -@@ -52,6 +54,7 @@ interface(`nx_search_var_lib',` - type nx_server_var_lib_t; - ') +@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',` -+ files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; - ') - -@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',` - type nx_server_var_lib_t; - ') - -+ files_search_var_lib($1) - filetrans_pattern($1, nx_server_var_lib_t, $2, $3) + filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) ') + +######################################## @@ -41616,10 +44378,10 @@ index 79a225c..d82b231 100644 + filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") +') diff --git a/nx.te b/nx.te -index 58e2972..4633dd2 100644 +index b1832ca..df4fbb8 100644 --- a/nx.te +++ b/nx.te -@@ -28,6 +28,9 @@ files_type(nx_server_var_lib_t) +@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) 
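Review bot: `numad_admin` in numad.if grants `allow $1 numad_t:process { ptrace signal_perms };` unconditionally, whereas ntp_admin in this same patch switches to `signal_perms` with ptrace inside `tunable_policy(`deny_ptrace', ...)`; giving numad_admin the same shape keeps the deny_ptrace boolean meaningful for this domain too. In nut.te the new `httpd_nutups_cgi_script_t` block adds `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` although the only connect rule is `corenet_tcp_connect_ups_port` and name resolution is already covered by `sysnet_dns_name_resolve`; unless something not visible here needs the all-ports grant, restricting sendrecv to the ups port is the least-privilege choice for a web-facing CGI domain. The `init_telinit(nut_upsmon_t)` grant is flagged in-line with `# upsmon runs shutdown, probably need a shutdown domain`, which is the right caveat to leave but is worth tracking as a follow-up since it lets the monitor domain drive init directly.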
@@ -41628,17 +44390,8 @@ index 58e2972..4633dd2 100644 + ######################################## # - # NX server local policy -@@ -37,7 +40,7 @@ allow nx_server_t self:fifo_file rw_fifo_file_perms; - allow nx_server_t self:tcp_socket create_socket_perms; - allow nx_server_t self:udp_socket create_socket_perms; - --allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; -+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty(nx_server_t, nx_server_devpts_t) - - manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) -@@ -51,6 +54,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + # Local policy +@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) @@ -41648,16 +44401,15 @@ index 58e2972..4633dd2 100644 kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -@@ -58,7 +64,6 @@ kernel_read_kernel_sysctls(nx_server_t) corecmd_exec_shell(nx_server_t) corecmd_exec_bin(nx_server_t) -corenet_all_recvfrom_unlabeled(nx_server_t) corenet_all_recvfrom_netlabel(nx_server_t) corenet_tcp_sendrecv_generic_if(nx_server_t) - corenet_udp_sendrecv_generic_if(nx_server_t) -@@ -77,10 +82,6 @@ files_read_etc_runtime_files(nx_server_t) - # but users need to be able to also read the config + corenet_tcp_sendrecv_generic_node(nx_server_t) +@@ -71,10 +76,6 @@ files_read_etc_files(nx_server_t) + files_read_etc_runtime_files(nx_server_t) files_read_usr_files(nx_server_t) -miscfiles_read_localization(nx_server_t) 
@@ -41666,118 +44418,123 @@ index 58e2972..4633dd2 100644 - sysnet_read_config(nx_server_t) - ifdef(`TODO',` -diff --git a/oav.fc b/oav.fc -index 0a66474..cf90b6e 100644 ---- a/oav.fc -+++ b/oav.fc -@@ -6,4 +6,4 @@ - - /var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) - /var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) --/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) -+/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) -diff --git a/oav.te b/oav.te -index b4c5f86..9ecd4a3 100644 ---- a/oav.te -+++ b/oav.te -@@ -48,7 +48,6 @@ read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) - - corecmd_exec_all_executables(oav_update_t) - --corenet_all_recvfrom_unlabeled(oav_update_t) - corenet_all_recvfrom_netlabel(oav_update_t) - corenet_tcp_sendrecv_generic_if(oav_update_t) - corenet_udp_sendrecv_generic_if(oav_update_t) -@@ -66,7 +65,7 @@ logging_send_syslog_msg(oav_update_t) - - sysnet_read_config(oav_update_t) - --userdom_use_user_terminals(oav_update_t) -+userdom_use_inherited_user_terminals(oav_update_t) - - optional_policy(` - cron_system_entry(oav_update_t, oav_update_exec_t) -@@ -101,7 +100,6 @@ kernel_read_kernel_sysctls(scannerdaemon_t) - # Can run kaffe - corecmd_exec_all_executables(scannerdaemon_t) - --corenet_all_recvfrom_unlabeled(scannerdaemon_t) - corenet_all_recvfrom_netlabel(scannerdaemon_t) - corenet_tcp_sendrecv_generic_if(scannerdaemon_t) - corenet_udp_sendrecv_generic_if(scannerdaemon_t) -@@ -130,7 +128,6 @@ libs_exec_lib_files(scannerdaemon_t) - - logging_send_syslog_msg(scannerdaemon_t) - --miscfiles_read_localization(scannerdaemon_t) - - sysnet_read_config(scannerdaemon_t) - + ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/obex.fc b/obex.fc -new file mode 100644 -index 0000000..7b31529 ---- /dev/null +index 03fa560..000c5fe 100644 +--- a/obex.fc 
+++ b/obex.fc -@@ -0,0 +1,3 @@ -+ -+ -+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) +@@ -1 +1 @@ +-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) ++/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) diff --git a/obex.if b/obex.if -new file mode 100644 -index 0000000..d3b9544 ---- /dev/null +index 8635ea2..6012235 100644 +--- a/obex.if 
+++ b/obex.if -@@ -0,0 +1,77 @@ -+## SELinux policy for obex-data-server -+ +@@ -1,88 +1,89 @@ + ## D-Bus service providing high-level OBEX client and server side functionality. + +-####################################### +######################################## -+## + ## +-## The role template for obex. +## Transition to obex. +## +## +## +## Domain allowed to transition. -+## -+## -+# + ## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## +-## +-## The role associated with the user domain. +-## +-## +-## +-## +-## The type of the user domain. +-## + ## + # +-template(`obex_role_template',` +- gen_require(` +- attribute_role obex_roles; +- type obex_t, obex_exec_exec_t; +- ') +- +- ######################################## +- # +- # Declarations +- # +- +- roleattribute $2 obex_roles; +- +- ######################################## +- # +- # Policy +- # +- +- allow $3 obex_t:process { ptrace signal_perms }; +- ps_process_pattern($3, obex_t) +- +- dbus_spec_session_domain($1, obex_exec_t, obex_t) +interface(`obex_domtrans',` + gen_require(` + type obex_t, obex_exec_t; + ') -+ + +- obex_dbus_chat($3) + corecmd_search_bin($1) + domtrans_pattern($1, obex_exec_t, obex_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute obex in the obex domain. +## Send and receive messages from +## obex over dbus. -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +## +## Domain allowed access. 
+## -+## -+# + ## + # +-interface(`obex_domtrans',` +- gen_require(` +- type obex_t, obex_exec_t; +- ') +interface(`obex_dbus_chat',` + gen_require(` + type obex_t; + class dbus send_msg; + ') -+ + +- corecmd_search_bin($1) +- domtrans_pattern($1, obex_exec_t, obex_t) + allow $1 obex_t:dbus send_msg; + allow obex_t $1:dbus send_msg; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Send and receive messages from +-## obex over dbus. +## Role access for obex domains +## that executes via dbus-session -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## The role associated with the user domain. +## +## @@ -41789,15 +44546,32 @@ index 0000000..d3b9544 +## +## +## User domain prefix to be used. -+## -+## -+# + ## + ## + # +-interface(`obex_dbus_chat',` +template(`obex_role',` -+ gen_require(` + gen_require(` +- type obex_t; +- class dbus send_msg; ++ attribute_role obex_roles; + type obex_t, obex_exec_t; -+ ') + ') + +- allow $1 obex_t:dbus send_msg; +- allow obex_t $1:dbus send_msg; ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ roleattribute $1 obex_roles; ++ #role $1 types obex_t; + -+ role $1 types obex_t; ++ ######################################## ++ # ++ # Policy ++ # + + allow $2 obex_t:process signal_perms; + ps_process_pattern($2, obex_t) @@ -41805,69 +44579,87 @@ index 0000000..d3b9544 + dbus_session_domain($3, obex_exec_t, obex_t) + + obex_dbus_chat($2) -+') + ') diff --git a/obex.te b/obex.te -new file mode 100644 -index 0000000..e9f259e ---- /dev/null +index cd29ea8..1a7e853 100644 +--- a/obex.te 
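Review bot: `obex_role` keeps a commented-out `#role $1 types obex_t;` directly under `roleattribute $1 obex_roles;`; because obex.te already declares `role obex_roles types obex_t;`, the roleattribute line is sufficient and the dead line should be deleted or replaced with a comment stating why it is retained. The `allow $2 obex_t:process signal_perms;` line (no ptrace) is consistent with the ntp_admin change elsewhere in this patch.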
+++ b/obex.te -@@ -0,0 +1,37 @@ +@@ -1,4 +1,4 @@ +-policy_module(obex, 1.0.0) +policy_module(obex,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type obex_t; -+type obex_exec_t; -+application_domain(obex_t, obex_exec_t) -+ubac_constrained(obex_t) -+ -+######################################## -+# + + ######################################## + # +@@ -14,7 +14,7 @@ role obex_roles types obex_t; + + ######################################## + # +-# Local policy +# obex local policy -+# -+ -+allow obex_t self:fifo_file rw_fifo_file_perms; -+allow obex_t self:socket create_stream_socket_perms; -+ -+dev_read_urand(obex_t) -+ -+files_read_etc_files(obex_t) -+ -+logging_send_syslog_msg(obex_t) -+ -+ -+userdom_search_user_home_content(obex_t) -+ -+optional_policy(` -+ bluetooth_stream_connect(obex_t) -+ bluetooth_dbus_chat(obex_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(obex_t) -+') + # + + allow obex_t self:fifo_file rw_fifo_file_perms; +@@ -22,22 +22,15 @@ allow obex_t self:socket create_stream_socket_perms; + + dev_read_urand(obex_t) + +-files_read_etc_files(obex_t) +- + logging_send_syslog_msg(obex_t) + +-miscfiles_read_localization(obex_t) +- + userdom_search_user_home_content(obex_t) + + optional_policy(` +- bluetooth_stream_connect(obex_t) +-') +- +-optional_policy(` + dbus_system_bus_client(obex_t) + + optional_policy(` ++ bluetooth_stream_connect(obex_t) + bluetooth_dbus_chat(obex_t) + ') + ') diff --git a/oddjob.fc b/oddjob.fc -index 9c272c2..7e2287c 100644 +index dd1d9ef..7e2287c 100644 --- a/oddjob.fc 
+++ b/oddjob.fc -@@ -1,7 +1,7 @@ +@@ -1,10 +1,7 @@ +-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +- /usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +- + /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) +-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) ++/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) --/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -- - /var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) ++/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index bd76ec2..dec6bc7 100644 +index c87bd2a..dec6bc7 100644 --- a/oddjob.if +++ b/oddjob.if -@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',` +@@ -1,4 +1,8 @@ +-## D-BUS service which runs odd jobs on behalf of client applications. ++## ++## Oddjob provides a mechanism by which unprivileged applications can ++## request that specified privileged operations be performed on their ++## behalf. ++## + + ######################################## + ## +@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',` + type oddjob_t, oddjob_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') 
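Review bot: The new inner patch removes `corecmd_search_bin($1)` from `oddjob_domtrans` while keeping `domtrans_pattern($1, oddjob_exec_t, oddjob_t)`; a caller that does not already hold search on bin_t directories may then be denied before it ever reaches the oddjobd entrypoint. If this is deliberate because callers get that search elsewhere, say so with `# callers already search bin_t; no corecmd_search_bin here`, otherwise the line should stay. In obex.te the only change to the module line is `policy_module(obex,1.0.0)` versus upstream's `policy_module(obex, 1.0.0)`, a whitespace-only divergence that adds rebase noise for no gain.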
@@ -41892,8 +44684,14 @@ index bd76ec2..dec6bc7 100644 + ######################################## ## - ## Make the specified program domain accessable -@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',` +-## Make the specified program domain +-## accessable from the oddjob. ++## Make the specified program domain accessable ++## from the oddjob. + ## + ## + ## +@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',` ') domtrans_pattern(oddjob_t, $2, $1) @@ -41901,20 +44699,24 @@ index bd76ec2..dec6bc7 100644 ') ######################################## -@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',` +@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',` allow oddjob_t $1:dbus send_msg; ') +-######################################## +###################################### -+## + ## +-## Execute a domain transition to +-## run oddjob mkhomedir. +## Send a SIGCHLD signal to oddjob. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## -+# + ## + ## + # +interface(`oddjob_sigchld',` + gen_require(` + type oddjob_t; 
@@ -41923,40 +44725,95 @@ index bd76ec2..dec6bc7 100644 + allow $1 oddjob_t:process sigchld; +') + ++######################################## ++## ++## Execute a domain transition to run oddjob_mkhomedir. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# + interface(`oddjob_domtrans_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + ') + ######################################## ## - ## Execute a domain transition to run oddjob_mkhomedir. -@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',` +-## Execute oddjob mkhomedir in the +-## oddjob mkhomedir domain and allow +-## the specified role the oddjob +-## mkhomedir domain. ++## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. + ## + ## + ## +@@ -105,46 +141,47 @@ interface(`oddjob_domtrans_mkhomedir',` + # + interface(`oddjob_run_mkhomedir',` + gen_require(` +- attribute_role oddjob_mkhomedir_roles; ++ type oddjob_mkhomedir_t; + ') + oddjob_domtrans_mkhomedir($1) - role $2 types oddjob_mkhomedir_t; +- roleattribute $2 oddjob_mkhomedir_roles; ++ role $2 types oddjob_mkhomedir_t; ') -+ + +-##################################### +######################################## -+## + ## +-## Do not audit attempts to read and write +-## oddjob fifo files. +## Create a domain which can be started by init, +## with a range transition. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Type to be used as a domain. -+## -+## + ## + ## +-# +-interface(`oddjob_dontaudit_rw_fifo_files',` +- gen_require(` +- type oddjob_t; +- ') +- +- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; +-') +- +-###################################### +-## +-## Send child terminated signals to oddjob. +-## +-## +## -+## + ## +-## Domain allowed access. +## Type of the program to be used as an entry point to this domain. +## +## +## +## +## Range for the domain. 
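Review bot: The new side of this hunk drops `corecmd_search_bin($1)` from `oddjob_domtrans_mkhomedir` and deletes the public `oddjob_dontaudit_rw_fifo_files` interface, and both affect callers outside this file. Without the bin-directory search, a caller that does not already have it will be denied on the path lookup to the helper labelled `oddjob_mkhomedir_exec_t` (`/usr/sbin/mkhomedir_helper` in the oddjob.fc part of this diff), so keep the conventional `corecmd_search_bin($1)` line before `domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)`. Removing an interface is a build-time break for any module that still calls it; if nothing in the tree calls it, say so in the commit message, otherwise keep it or leave a deprecated stub. The same hunk also reverts upstream's `roleattribute $2 oddjob_mkhomedir_roles;` to `role $2 types oddjob_mkhomedir_t;`, which only builds because the oddjob.te hunk below also drops the `attribute_role` declaration, so the two must always land together.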
-+## -+## -+# + ## + ## + # +-interface(`oddjob_sigchld',` +interface(`oddjob_ranged_domain',` -+ gen_require(` -+ type oddjob_t; -+ ') -+ + gen_require(` + type oddjob_t; + ') + +- allow $1 oddjob_t:process sigchld; + oddjob_system_entry($1, $2) + + ifdef(`enable_mcs',` @@ -41967,30 +44824,82 @@ index bd76ec2..dec6bc7 100644 + range_transition oddjob_t $2:process $3; + mls_rangetrans_target($1) + ') -+') + ') diff --git a/oddjob.te b/oddjob.te -index a17ba31..467700e 100644 +index 296a1d3..467700e 100644 --- a/oddjob.te 
+++ b/oddjob.te -@@ -51,9 +51,9 @@ mcs_process_set_categories(oddjob_t) +@@ -1,12 +1,10 @@ +-policy_module(oddjob, 1.9.2) ++policy_module(oddjob, 1.9.0) + + ######################################## + # + # Declarations + # + +-attribute_role oddjob_mkhomedir_roles; +- + type oddjob_t; + type oddjob_exec_t; + domain_type(oddjob_t) +@@ -20,8 +18,9 @@ type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) + domain_obj_id_change_exemption(oddjob_mkhomedir_t) + init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t; ++oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + ++# pid files + type oddjob_var_run_t; + files_pid_file(oddjob_var_run_t) + +@@ -31,7 +30,7 @@ ifdef(`enable_mcs',` + + ######################################## + # +-# Local policy ++# oddjob local policy + # + + allow oddjob_t self:capability setgid; +@@ -43,8 +42,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) + manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) + files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) + +-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) +- + kernel_read_system_state(oddjob_t) + + corecmd_exec_bin(oddjob_t) +@@ -54,9 +51,9 @@ mcs_process_set_categories(oddjob_t) selinux_compute_create_context(oddjob_t) --files_read_etc_files(oddjob_t) ++ + auth_use_nsswitch(oddjob_t) -miscfiles_read_localization(oddjob_t) -+auth_use_nsswitch(oddjob_t) -+ locallogin_dontaudit_use_fds(oddjob_t) -@@ -78,13 +78,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; +@@ -71,13 +68,13 @@ optional_policy(` + + ######################################## + # +-# Mkhomedir local policy ++# oddjob_mkhomedir local policy + # + + allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; + allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file 
rw_fifo_file_perms; +-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen }; ++allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(oddjob_mkhomedir_t) --files_read_etc_files(oddjob_mkhomedir_t) -- - auth_use_nsswitch(oddjob_mkhomedir_t) +@@ -85,7 +82,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) logging_send_syslog_msg(oddjob_mkhomedir_t) @@ -41998,9 +44907,11 @@ index a17ba31..467700e 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) -@@ -99,8 +96,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) +@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t) + seutil_read_file_contexts(oddjob_mkhomedir_t) + seutil_read_default_contexts(oddjob_mkhomedir_t) - # Add/remove user home directories ++# Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) 
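Review bot: `policy_module(oddjob, 1.9.0)` on the new side lowers the module version below the upstream `policy_module(oddjob, 1.9.2)` this patch is applied to, so the built module would report an older version than its source and every future rebase will reproduce this hunk. Keep the upstream version and bump, rather than lower, it if the local changes need to be distinguishable. Further down, `allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;` replaces upstream's narrower `{ accept listen }`; if the helper only serves an inherited listening socket the upstream set is sufficient, so either keep it or add a one-line comment naming the operation that needs socket creation.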
@@ -42010,114 +44921,21 @@ index a17ba31..467700e 100644 +userdom_manage_user_home_content(oddjob_mkhomedir_t) +userdom_home_manager(oddjob_mkhomedir_t) +userdom_stream_connect(oddjob_mkhomedir_t) - -diff --git a/oident.if b/oident.if -index bb4fae5..4dfed8a 100644 ---- a/oident.if -+++ b/oident.if -@@ -66,3 +66,40 @@ interface(`oident_relabel_user_content', ` - allow $1 oidentd_home_t:file relabel_file_perms; - userdom_search_user_home_dirs($1) - ') + -+######################################## -+## -+## All of the rules required to administrate -+## an oident environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`oident_admin',` -+ gen_require(` -+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; -+ ') -+ -+ allow $1 oidentd_t:process signal_perms; -+ ps_process_pattern($1, oidentd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 oidentd_t:process ptrace; -+ ') -+ -+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 oidentd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, oidentd_config_t) -+') -diff --git a/oident.te b/oident.te -index 8845174..f7b073f 100644 ---- a/oident.te -+++ b/oident.te -@@ -26,15 +26,14 @@ files_config_file(oidentd_config_t) - # - - allow oidentd_t self:capability { setuid setgid }; --allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; --allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; --allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; --allow oidentd_t self:udp_socket { write read create connect getattr ioctl }; -+allow oidentd_t self:netlink_route_socket create_netlink_socket_perms; -+allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow oidentd_t self:tcp_socket create_stream_socket_perms; -+allow oidentd_t 
self:udp_socket create_socket_perms; - allow oidentd_t self:unix_dgram_socket { create connect }; - - allow oidentd_t oidentd_config_t:file read_file_perms; - --corenet_all_recvfrom_unlabeled(oidentd_t) - corenet_all_recvfrom_netlabel(oidentd_t) - corenet_tcp_sendrecv_generic_if(oidentd_t) - corenet_tcp_sendrecv_generic_node(oidentd_t) -@@ -54,22 +53,7 @@ kernel_request_load_module(oidentd_t) - - logging_send_syslog_msg(oidentd_t) - --miscfiles_read_localization(oidentd_t) -- - sysnet_read_config(oidentd_t) - - oident_read_user_content(oidentd_t) -- --optional_policy(` -- nis_use_ypbind(oidentd_t) --') -- --tunable_policy(`use_samba_home_dirs', ` -- fs_list_cifs(oidentd_t) -- fs_read_cifs_files(oidentd_t) --') -- --tunable_policy(`use_nfs_home_dirs', ` -- fs_list_nfs(oidentd_t) -- fs_read_nfs_files(oidentd_t) --') -+userdom_home_reader(oidentd_t) diff --git a/openct.te b/openct.te -index 7f8fdc2..bc14bc4 100644 +index 8467596..866bd6a 100644 --- a/openct.te +++ b/openct.te -@@ -29,6 +29,8 @@ kernel_read_kernel_sysctls(openct_t) +@@ -34,6 +34,8 @@ kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) kernel_read_proc_symlinks(openct_t) +can_exec(openct_t, openct_exec_t) + dev_read_sysfs(openct_t) - # openct asks for this dev_rw_usbfs(openct_t) -@@ -45,12 +47,12 @@ fs_search_auto_mountpoints(openct_t) + dev_rw_smartcard(openct_t) +@@ -48,8 +50,6 @@ fs_search_auto_mountpoints(openct_t) logging_send_syslog_msg(openct_t) @@ -42126,13 +44944,6 @@ index 7f8fdc2..bc14bc4 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) --openct_exec(openct_t) -+optional_policy(` -+ pcscd_stream_connect(openct_t) -+') - - optional_policy(` - seutil_sigchld_newrole(openct_t) diff --git a/openhpid.fc b/openhpid.fc new file mode 100644 index 0000000..9441fd7 @@ -42434,7 +45245,7 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) 
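Review bot: The three `userdom_*` lines kept for `oddjob_mkhomedir_t` at the top of this hunk carry no comment explaining what each grant is for, and `userdom_stream_connect(oddjob_mkhomedir_t)` in particular is not obviously part of creating a home directory. `userdom_manage_user_home_content` together with `userdom_home_manager` replaces the two narrower `_dirs`/`_files` interfaces with management of all user home content, which is a much broader grant to a helper that runs on behalf of unprivileged callers. A short why-comment above the group, e.g. `# mkhomedir creates and labels the new home dir; stream connect is for <socket — fill in>`, would let a later audit check each line against an actual need, and if the stream connect is only for one daemon's socket the daemon-specific interface would be narrower.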
diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..6e20e72 +index 0000000..98ce2c3 --- /dev/null +++ b/openshift.if @@ -0,0 +1,644 @@ @@ -42875,7 +45686,7 @@ index 0000000..6e20e72 + typeattribute $1_t openshift_domain, openshift_user_domain; + domain_type($1_t) + role system_r types $1_t; -+ mcs_untrusted_proc($1_t) ++ mcs_constrained($1_t) + domain_user_exemption_target($1_t) + auth_use_nsswitch($1_t) + domain_subj_id_change_exemption($1_t) @@ -42890,7 +45701,7 @@ index 0000000..6e20e72 + typeattribute $1_app_t openshift_domain; + domain_type($1_app_t) + role system_r types $1_app_t; -+ mcs_untrusted_proc($1_app_t) ++ mcs_constrained($1_app_t) + domain_user_exemption_target($1_app_t) + domain_obj_id_change_exemption($1_app_t) + domain_dyntrans_type($1_app_t) @@ -43472,27 +46283,29 @@ index 0000000..d97b009 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; +read_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) diff --git a/openvpn.if b/openvpn.if -index d883214..d6afa87 100644 +index 6837e9a..af8f9d0 100644 --- a/openvpn.if +++ b/openvpn.if -@@ -144,8 +144,11 @@ interface(`openvpn_admin',` - type openvpn_var_run_t, openvpn_initrc_exec_t; +@@ -147,9 +147,13 @@ interface(`openvpn_admin',` + type openvpn_status_t; ') - allow $1 openvpn_t:process { ptrace signal_perms }; + allow $1 openvpn_t:process signal_perms; ps_process_pattern($1, openvpn_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 openvpn_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 66a52ee..6db0311 100644 +index 3270ff9..67da060 100644 --- a/openvpn.te +++ b/openvpn.te -@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) +@@ -26,6 +26,9 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) 
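Review bot: The two openshift.if template hunks (this one and `@@ -42890,7 +45701,7 @@`) swap `mcs_untrusted_proc($1_t)` / `mcs_untrusted_proc($1_app_t)` for `mcs_constrained(...)`, and nothing on the page shows whether that is a pure rename. Gear domains presumably rely on this call for the MCS category constraint that keeps tenants apart, so if `mcs_constrained` attaches a different attribute or a subset of the constraints the separation weakens without any build error; confirm both interfaces apply the same constraint attribute before taking this. A one-line comment above the call, e.g. `# keep the gear domain MCS-constrained (tenant separation)`, would document why this line must not be dropped in a later cleanup.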
@@ -43502,48 +46315,26 @@ index 66a52ee..6db0311 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -40,15 +43,15 @@ files_pid_file(openvpn_var_run_t) - # openvpn local policy +@@ -43,7 +46,7 @@ files_pid_file(openvpn_var_run_t) + # Local policy # --allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; --allow openvpn_t self:process { signal getsched }; +-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; +allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; -+allow openvpn_t self:process { signal getsched setsched }; + allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; + allow openvpn_t self:unix_dgram_socket sendto; +@@ -62,6 +65,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) + allow openvpn_t openvpn_status_t:file manage_file_perms; + logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") - allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; - allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow openvpn_t self:udp_socket create_socket_perms; - allow openvpn_t self:tcp_socket server_stream_socket_perms; --allow openvpn_t self:tun_socket create; -+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom }; - allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; - - can_exec(openvpn_t, openvpn_etc_t) -@@ -58,9 +61,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) - manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) - filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) - --allow openvpn_t openvpn_var_log_t:file manage_file_perms; 
--logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + -+manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -+logging_log_filetrans(openvpn_t, openvpn_var_log_t, { dir file }) - -+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) - manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) - files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) - -@@ -68,11 +76,11 @@ kernel_read_kernel_sysctls(openvpn_t) - kernel_read_net_sysctls(openvpn_t) - kernel_read_network_state(openvpn_t) - kernel_read_system_state(openvpn_t) -+kernel_request_load_module(openvpn_t) - + manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) + append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) + create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +@@ -83,7 +89,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) 
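Review bot: The `openvpn_tmp_t` files managed by `manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)` in this hunk are not covered by `openvpn_admin`, whose `gen_require` in the previous hunk ends after `type openvpn_status_t;` and lists no tmp type, so an administrator domain cannot clean them up through the usual `admin_pattern`. Add `openvpn_tmp_t` to that `gen_require` and `files_search_tmp($1)` plus `admin_pattern($1, openvpn_tmp_t)` to the interface, unless a part of `openvpn_admin` outside these hunks already does so. Note also that `files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)` only transitions plain files; if openvpn ever creates a directory under /tmp it will be labelled as generic tmp content.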
@@ -43551,34 +46342,34 @@ index 66a52ee..6db0311 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) - corenet_tcp_bind_http_port(openvpn_t) - corenet_tcp_connect_openvpn_port(openvpn_t) +@@ -105,11 +110,12 @@ corenet_tcp_bind_http_port(openvpn_t) + corenet_sendrecv_http_client_packets(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) -+corenet_tcp_connect_tor_socks_port(openvpn_t) + corenet_tcp_sendrecv_http_port(openvpn_t) +- + corenet_sendrecv_http_cache_client_packets(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) - corenet_rw_tun_tap_dev(openvpn_t) - corenet_sendrecv_openvpn_server_packets(openvpn_t) -@@ -100,33 +109,39 @@ dev_read_urand(openvpn_t) - files_read_etc_files(openvpn_t) - files_read_etc_runtime_files(openvpn_t) + corenet_tcp_sendrecv_http_cache_port(openvpn_t) -+fs_getattr_xattr_fs(openvpn_t) ++corenet_tcp_connect_tor_port(openvpn_t) + - auth_use_pam(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) -+init_read_utmp(openvpn_t) -+ - logging_send_syslog_msg(openvpn_t) + dev_read_rand(openvpn_t) +@@ -121,18 +127,24 @@ fs_search_auto_mountpoints(openvpn_t) + + auth_use_pam(openvpn_t) -miscfiles_read_localization(openvpn_t) ++logging_send_syslog_msg(openvpn_t) ++ miscfiles_read_all_certs(openvpn_t) - sysnet_dns_name_resolve(openvpn_t) -+sysnet_use_ldap(openvpn_t) ++sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) + sysnet_use_ldap(openvpn_t) -userdom_use_user_terminals(openvpn_t) +userdom_use_inherited_user_terminals(openvpn_t) 
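Review bot: `corenet_tcp_connect_tor_port(openvpn_t)` replaces the previous `corenet_tcp_connect_tor_socks_port(openvpn_t)`, which is a change of port type rather than a rename, and nothing on the page says which set of Tor ports openvpn actually needs. The grant is also unconditional, so every openvpn instance may connect to those ports even though routing through Tor is a niche configuration; consider putting it under a tunable or, at minimum, a comment such as `# openvpn --socks-proxy via a local tor instance` naming the use case so the wider grant can be reviewed later.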
@@ -43593,77 +46384,68 @@ index 66a52ee..6db0311 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -- fs_read_nfs_files(openvpn_t) -- fs_read_nfs_symlinks(openvpn_t) --') -+ fs_read_nfs_files(openvpn_t) -+') - - tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` -- fs_read_cifs_files(openvpn_t) -- fs_read_cifs_symlinks(openvpn_t) --') -+ fs_read_cifs_files(openvpn_t) -+') - - optional_policy(` - daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +153,7 @@ optional_policy(` - - networkmanager_dbus_chat(openvpn_t) +@@ -155,3 +167,7 @@ optional_policy(` + networkmanager_dbus_chat(openvpn_t) + ') ') + +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') diff --git a/openvswitch.fc b/openvswitch.fc -new file mode 100644 -index 0000000..baf8d21 ---- /dev/null +index 45d7cc5..baf8d21 100644 +--- a/openvswitch.fc 
+++ b/openvswitch.fc -@@ -0,0 +1,15 @@ +@@ -1,12 +1,15 @@ +-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0) +/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0) -+ + +-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0) +/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0) -+ + +-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) -+ + +-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) +/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) -+ + +-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) +/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) -+ + +-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) +/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) diff --git a/openvswitch.if b/openvswitch.if -new file mode 100644 -index 0000000..14f29e4 ---- /dev/null +index 9b15730..14f29e4 100644 +--- a/openvswitch.if 
+++ b/openvswitch.if -@@ -0,0 +1,242 @@ +@@ -1,13 +1,14 @@ +-## Multilayer virtual switch. + +## policy for openvswitch -+ -+######################################## -+## + + ######################################## + ## +-## Execute openvswitch in the openvswitch domain. +## Execute TEMPLATE in the openvswitch domin. -+## -+## + ## + ## +-## +## -+## Domain allowed to transition. + ## Domain allowed to transition. +-## +## -+## -+# -+interface(`openvswitch_domtrans',` -+ gen_require(` -+ type openvswitch_t, openvswitch_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) -+') + ## + # + interface(`openvswitch_domtrans',` +@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) + ') +######################################## +## +## Read openvswitch's log files. @@ -43780,9 +46562,10 @@ index 0000000..14f29e4 + files_search_var_lib($1) + manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## Read openvswitch pid files. +## Manage openvswitch lib directories. +## +## 
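Review bot: The openvswitch.if part of this hunk replaces upstream's `## Execute openvswitch in the openvswitch domain.` with `## Execute TEMPLATE in the openvswitch domin.`, which is an unfilled placeholder plus a typo, and replaces the module summary `## Multilayer virtual switch.` with the less informative `## policy for openvswitch`. Both are pure documentation regressions; drop these two inner hunks from the patch so the upstream wording stands. In the openvswitch.fc part, the `/etc/openvswitch(/.*)?` entry labelled `openvswitch_rw_t` is appended after the `/var/run` entry, while the rest of the file is grouped by path prefix, so move it up next to the other `/etc` and `/usr` entries.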
@@ -43803,31 +46586,24 @@ index 0000000..14f29e4 +######################################## +## +## Read openvswitch PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openvswitch_read_pid_files',` -+ gen_require(` -+ type openvswitch_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t) -+') -+ -+######################################## -+## + ## + ## + ## +@@ -40,44 +176,67 @@ interface(`openvswitch_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an openvswitch environment. +## Execute openvswitch server in the openvswitch domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`openvswitch_systemctl',` + gen_require(` 
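Review bot: The documentation for the new `openvswitch_systemctl` interface says `## Execute openvswitch server in the openvswitch domain.` with the parameter described as `## Domain allowed to transition.`, but a `_systemctl` interface grants the caller control over the unit file rather than a domain transition, so the text describes the wrong contract. The body is outside this hunk, but assuming it follows the other systemctl interfaces in this patch, the summary should read `## Execute openvswitch server in the caller domain via systemctl.` hmm-free wording such as `## Allow the caller to control the openvswitch unit file with systemctl.` and the parameter `## Domain allowed access.`.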
@@ -43850,32 +46626,44 @@ index 0000000..14f29e4 +## an openvswitch environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+## -+# -+interface(`openvswitch_admin',` -+ gen_require(` + ## + ## + ## + # + interface(`openvswitch_admin',` + gen_require(` +- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t; +- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t; + type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t; + type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t; -+ ') -+ -+ allow $1 openvswitch_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, openvswitch_t) -+ + ') + + allow $1 openvswitch_t:process { ptrace signal_perms }; + ps_process_pattern($1, openvswitch_t) + +- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 openvswitch_initrc_exec_t system_r; +- allow $2 system_r; + logging_search_logs($1) + admin_pattern($1, openvswitch_rw_t) -+ + +- files_search_etc($1) +- admin_pattern($1, openvswitch_conf_t) + logging_search_logs($1) + admin_pattern($1, openvswitch_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, openvswitch_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, openvswitch_var_run_t) + + files_search_var_lib($1) + admin_pattern($1, openvswitch_var_lib_t) + +- logging_search_logs($1) +- admin_pattern($1, openvswitch_log_t) +- + files_search_pids($1) + admin_pattern($1, openvswitch_var_run_t) + + openvswitch_systemctl($1) + admin_pattern($1, openvswitch_unit_file_t) @@ -43884,126 +46672,142 @@ index 0000000..14f29e4 + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/openvswitch.te b/openvswitch.te -new file mode 100644 -index 0000000..f6e0f04 ---- /dev/null +index 508fedf..b8995a2 100644 +--- a/openvswitch.te 
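Review bot: In `openvswitch_admin`, the new pair `logging_search_logs($1)` / `admin_pattern($1, openvswitch_rw_t)` uses the log-directory search for a type that the openvswitch.fc and openvswitch.te parts of this diff place under `/etc` via `files_config_file`, and the next pair repeats `logging_search_logs($1)` for `openvswitch_log_t`. The first search should be `files_search_etc($1)` (what the replaced upstream lines used for `openvswitch_conf_t`), and the duplicate log search can go. The interface also keeps `allow $1 openvswitch_t:process { ptrace signal_perms };` unconditionally, whereas `openvpn_admin` in the same patch moves `ptrace` under `tunable_policy(\`deny_ptrace',\`',\` ... ')`; `pacemaker_admin` further down has the same unconditional form, and both should follow the openvpn pattern.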
+++ b/openvswitch.te -@@ -0,0 +1,84 @@ +@@ -1,4 +1,4 @@ +-policy_module(openvswitch, 1.0.1) +policy_module(openvswitch, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type openvswitch_t; -+type openvswitch_exec_t; -+init_daemon_domain(openvswitch_t, openvswitch_exec_t) -+ + + ######################################## + # +@@ -9,11 +9,8 @@ type openvswitch_t; + type openvswitch_exec_t; + init_daemon_domain(openvswitch_t, openvswitch_exec_t) + +-type openvswitch_initrc_exec_t; +-init_script_file(openvswitch_initrc_exec_t) +- +-type openvswitch_conf_t; +-files_config_file(openvswitch_conf_t) +type openvswitch_rw_t; +files_config_file(openvswitch_rw_t) -+ -+type openvswitch_var_lib_t; -+files_type(openvswitch_var_lib_t) -+ -+type openvswitch_log_t; -+logging_log_file(openvswitch_log_t) -+ -+type openvswitch_var_run_t; -+files_pid_file(openvswitch_var_run_t) -+ + + type openvswitch_var_lib_t; + files_type(openvswitch_var_lib_t) +@@ -24,20 +21,26 @@ logging_log_file(openvswitch_log_t) + type openvswitch_var_run_t; + files_pid_file(openvswitch_var_run_t) + +type openvswitch_unit_file_t; +systemd_unit_file(openvswitch_unit_file_t) + -+######################################## -+# + ######################################## + # +-# Local policy +# openvswitch local policy -+# -+ + # + +-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; +-allow openvswitch_t self:process { setrlimit setsched signal }; +allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource }; +allow openvswitch_t self:process { fork setsched setrlimit signal }; -+allow openvswitch_t self:fifo_file rw_fifo_file_perms; + allow openvswitch_t self:fifo_file rw_fifo_file_perms; +-allow openvswitch_t self:rawip_socket create_socket_perms; +-allow openvswitch_t self:unix_stream_socket { accept connectto listen }; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t 
self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; -+ + +-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +can_exec(openvswitch_t, openvswitch_exec_t) + +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) -+ -+manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -+manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -+files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) + + manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) + manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) +@@ -45,9 +48,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l + files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) + + manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) +manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -+manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -+logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(openvswitch_t, 
openvswitch_var_run_t, openvswitch_var_run_t) -+manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -+manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -+manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) -+files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) -+ -+kernel_read_network_state(openvswitch_t) -+kernel_read_system_state(openvswitch_t) -+ -+corecmd_exec_bin(openvswitch_t) -+ -+dev_read_urand(openvswitch_t) -+ -+domain_use_interactive_fds(openvswitch_t) -+ -+files_read_etc_files(openvswitch_t) -+ -+fs_getattr_all_fs(openvswitch_t) -+fs_search_cgroup_dirs(openvswitch_t) -+ + manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) + logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) + +@@ -57,15 +58,9 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ + manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) + +-can_exec(openvswitch_t, openvswitch_exec_t) +- + kernel_read_network_state(openvswitch_t) + kernel_read_system_state(openvswitch_t) +- +-corenet_all_recvfrom_unlabeled(openvswitch_t) +-corenet_all_recvfrom_netlabel(openvswitch_t) +-corenet_raw_sendrecv_generic_if(openvswitch_t) +-corenet_raw_sendrecv_generic_node(openvswitch_t) ++kernel_request_load_module(openvswitch_t) + + corecmd_exec_bin(openvswitch_t) + +@@ -74,16 +69,22 @@ dev_read_urand(openvswitch_t) + domain_use_interactive_fds(openvswitch_t) + + files_read_etc_files(openvswitch_t) ++files_read_kernel_modules(openvswitch_t) + + fs_getattr_all_fs(openvswitch_t) + fs_search_cgroup_dirs(openvswitch_t) + +auth_read_passwd(openvswitch_t) + -+logging_send_syslog_msg(openvswitch_t) -+ -+sysnet_dns_name_resolve(openvswitch_t) -+ -+optional_policy(` -+ 
iptables_domtrans(openvswitch_t) -+') + logging_send_syslog_msg(openvswitch_t) + +-miscfiles_read_localization(openvswitch_t) ++modutils_exec_insmod(openvswitch_t) ++modutils_list_module_config(openvswitch_t) ++modutils_read_module_config(openvswitch_t) + + sysnet_dns_name_resolve(openvswitch_t) + + optional_policy(` + iptables_domtrans(openvswitch_t) + ') + diff --git a/pacemaker.fc b/pacemaker.fc -new file mode 100644 -index 0000000..3793461 ---- /dev/null +index 2f0ad56..d4da0b8 100644 +--- a/pacemaker.fc +++ b/pacemaker.fc -@@ -0,0 +1,12 @@ -+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0) -+ +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0) + +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0) + -+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0) -+ -+/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) -+ -+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) -+/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) -+ -+/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0) + /usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0) + + /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) diff --git a/pacemaker.if b/pacemaker.if -new file mode 100644 -index 0000000..e05c78f ---- /dev/null +index 9682d9a..d47f913 100644 +--- a/pacemaker.if 
+++ b/pacemaker.if -@@ -0,0 +1,209 @@ -+ -+## policy for pacemaker -+ -+######################################## -+## +@@ -1,9 +1,166 @@ +-## A scalable high-availability cluster resource manager. ++## >A scalable high-availability cluster resource manager. + + ######################################## + ## +-## All of the rules required to +-## administrate an pacemaker environment. +## Transition to pacemaker. +## +## @@ -44163,41 +46967,33 @@ index 0000000..e05c78f +## +## All of the rules required to administrate +## an pacemaker environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`pacemaker_admin',` -+ gen_require(` + ## + ## + ## +@@ -19,14 +176,17 @@ + # + interface(`pacemaker_admin',` + gen_require(` +- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t; + type pacemaker_t; + type pacemaker_initrc_exec_t; + type pacemaker_var_lib_t; -+ type pacemaker_var_run_t; + type pacemaker_var_run_t; + type pacemaker_unit_file_t; -+ ') -+ -+ allow $1 pacemaker_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pacemaker_t) -+ + ') + + allow $1 pacemaker_t:process { ptrace signal_perms }; + ps_process_pattern($1, pacemaker_t) + +- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t) + pacemaker_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pacemaker_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_var_lib($1) -+ admin_pattern($1, pacemaker_var_lib_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, pacemaker_var_run_t) + domain_system_change_exemption($1) + role_transition $2 pacemaker_initrc_exec_t system_r; + allow $2 system_r; +@@ -36,4 +196,13 @@ interface(`pacemaker_admin',` + + files_search_pids($1) + admin_pattern($1, pacemaker_var_run_t) + + pacemaker_systemctl($1) + admin_pattern($1, pacemaker_unit_file_t) 
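Review bot: In openvswitch.te the new `modutils_exec_insmod(openvswitch_t)` runs insmod/modprobe inside `openvswitch_t`, but the domain's capability set stays `{ net_admin ipc_lock sys_nice sys_resource }`, so an actual module load would still be denied on `sys_module`; if the daemon genuinely needs to load its kernel module, `modutils_domtrans_insmod(openvswitch_t)` keeps the load in the insmod domain instead of widening this one, and if it only needs autoloading, `kernel_request_load_module` alone suffices and the exec grant can go. `policy_module(openvswitch, 1.0.0)` also lowers the version below the upstream `1.0.1` being patched, as the oddjob hunk does. In the pacemaker.if part, the new summary `## >A scalable high-availability cluster resource manager.` carries a stray `>` after the tag unless that is an extraction artifact, and `/usr/lib/systemd/system/pacemaker.* -- gen_context(...pacemaker_unit_file_t...)` in pacemaker.fc is broad enough to match any file starting with `pacemaker`; if only the service units are meant, `pacemaker.*\.service` is tighter.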
@@ -44207,176 +47003,109 @@ index 0000000..e05c78f + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/pacemaker.te b/pacemaker.te -new file mode 100644 -index 0000000..3a97ac3 ---- /dev/null +index 3dd8ada..8b8d292 100644 +--- a/pacemaker.te 
+++ b/pacemaker.te -@@ -0,0 +1,86 @@ -+policy_module(pacemaker, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type pacemaker_t; -+type pacemaker_exec_t; -+init_daemon_domain(pacemaker_t, pacemaker_exec_t) -+ -+type pacemaker_initrc_exec_t; -+init_script_file(pacemaker_initrc_exec_t) -+ +@@ -12,17 +12,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) + type pacemaker_initrc_exec_t; + init_script_file(pacemaker_initrc_exec_t) + +type pacemaker_var_lib_t; +files_type(pacemaker_var_lib_t) + +type pacemaker_var_run_t; +files_pid_file(pacemaker_var_run_t) + -+type pacemaker_tmp_t; -+files_tmp_file(pacemaker_tmp_t) -+ -+type pacemaker_tmpfs_t; -+files_tmpfs_file(pacemaker_tmpfs_t) -+ + type pacemaker_tmp_t; + files_tmp_file(pacemaker_tmp_t) + + type pacemaker_tmpfs_t; + files_tmpfs_file(pacemaker_tmpfs_t) + +-type pacemaker_var_lib_t; +-files_type(pacemaker_var_lib_t) +- +-type pacemaker_var_run_t; +-files_pid_file(pacemaker_var_run_t) +type pacemaker_unit_file_t; +systemd_unit_file(pacemaker_unit_file_t) -+ -+######################################## -+# -+# pacemaker local policy -+# -+ -+allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; -+allow pacemaker_t self:process { fork setrlimit signal setpgid }; -+allow pacemaker_t self:fifo_file rw_fifo_file_perms; -+allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+ -+manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t) -+manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t) -+files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t) -+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t) -+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file }) -+ -+manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) 
-+manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) -+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir }) -+ -+manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) -+manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) -+fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file }) -+ -+kernel_read_system_state(pacemaker_t) -+kernel_read_network_state(pacemaker_t) -+kernel_read_all_sysctls(pacemaker_t) -+kernel_read_messages(pacemaker_t) -+kernel_getattr_core_if(pacemaker_t) -+kernel_read_software_raid_state(pacemaker_t) -+ -+corecmd_exec_bin(pacemaker_t) -+corecmd_exec_shell(pacemaker_t) -+ + + ######################################## + # +@@ -60,13 +63,13 @@ kernel_read_system_state(pacemaker_t) + corecmd_exec_bin(pacemaker_t) + corecmd_exec_shell(pacemaker_t) + +domain_use_interactive_fds(pacemaker_t) +domain_read_all_domains_state(pacemaker_t) + -+dev_getattr_mtrr_dev(pacemaker_t) -+dev_read_rand(pacemaker_t) -+dev_read_urand(pacemaker_t) -+ -+files_read_kernel_symbol_table(pacemaker_t) -+ -+fs_getattr_all_fs(pacemaker_t) -+ -+auth_use_nsswitch(pacemaker_t) -+ -+logging_send_syslog_msg(pacemaker_t) -+ -+optional_policy(` -+ corosync_read_log(pacemaker_t) -+ corosync_stream_connect(pacemaker_t) -+ corosync_rw_tmpfs(pacemaker_t) -+') -+ -diff --git a/pads.fc b/pads.fc -index 0870c56..6d5fb1d 100644 ---- a/pads.fc -+++ b/pads.fc -@@ -1,10 +1,10 @@ - /etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) - /etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) --/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads\.conf -- gen_context(system_u:object_r:pads_config_t, s0) - /etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) + dev_getattr_mtrr_dev(pacemaker_t) + dev_read_rand(pacemaker_t) + dev_read_urand(pacemaker_t) - /etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) 
+-domain_read_all_domains_state(pacemaker_t) +-domain_use_interactive_fds(pacemaker_t) +- + files_read_kernel_symbol_table(pacemaker_t) - /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) + fs_getattr_all_fs(pacemaker_t) +@@ -75,9 +78,9 @@ auth_use_nsswitch(pacemaker_t) --/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) -+/var/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + logging_send_syslog_msg(pacemaker_t) + +-miscfiles_read_localization(pacemaker_t) +- + optional_policy(` + corosync_read_log(pacemaker_t) + corosync_stream_connect(pacemaker_t) ++ corosync_rw_tmpfs(pacemaker_t) + ') ++ diff --git a/pads.if b/pads.if -index 8ac407e..45673ad 100644 +index 6e097c9..503c97a 100644 --- a/pads.if +++ b/pads.if -@@ -25,20 +25,26 @@ +@@ -17,15 +17,19 @@ ## ## # -interface(`pads_admin', ` +interface(`pads_admin',` gen_require(` -- type pads_t, pads_config_t; -- type pads_var_run_t, pads_initrc_exec_t; -+ type pads_t, pads_config_t, pads_initrc_exec_t; -+ type pads_var_run_t; + type pads_t, pads_config_t, pads_var_run_t; + type pads_initrc_exec_t; ') - allow $1 pads_t:process { ptrace signal_perms }; + allow $1 pads_t:process signal_perms; ps_process_pattern($1, pads_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 pads_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, pads_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 pads_initrc_exec_t system_r; - allow $2 system_r; - -+ files_list_pids($1) - admin_pattern($1, pads_var_run_t) -+ -+ files_list_etc($1) - admin_pattern($1, pads_config_t) - ') diff --git a/pads.te b/pads.te -index b246bdd..3cbcc49 100644 +index 29a7364..446e5ca 100644 --- a/pads.te 
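Review bot: The new pads.te rule `allow pads_t self:netlink_route_socket create_netlink_socket_perms;` is wider than the explicit `{ write getattr read bind create nlmsg_read }` it replaces: in refpolicy's permission sets create_netlink_socket_perms also carries nlmsg_write, so a passive asset sniffer would be allowed to send routing changes over netlink. The read-only set `r_netlink_socket_perms` (create_socket_perms plus nlmsg_read) covers the original permissions without that write. pads_t holds only `{ dac_override net_raw }`, so the kernel would reject most route writes anyway, but the policy should still not grant them; the udp_socket and unix_dgram_socket lines are widened the same way, though with less exposure. If nlmsg_write is actually needed because of a denial, the commit should say so.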
+++ b/pads.te -@@ -25,10 +25,11 @@ files_pid_file(pads_var_run_t) +@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t) # allow pads_t self:capability { dac_override net_raw }; --allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; --allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; --allow pads_t self:udp_socket { create ioctl }; --allow pads_t self:unix_dgram_socket { write create connect }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; -+allow pads_t self:packet_socket create_socket_perms; -+allow pads_t self:socket create_socket_perms; + allow pads_t self:packet_socket create_socket_perms; + allow pads_t self:socket create_socket_perms; +allow pads_t self:udp_socket create_socket_perms; +allow pads_t self:unix_dgram_socket create_socket_perms; allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) -@@ -37,10 +38,10 @@ allow pads_t pads_var_run_t:file manage_file_perms; - files_pid_filetrans(pads_t, pads_var_run_t, file) - - kernel_read_sysctl(pads_t) -+kernel_read_network_state(pads_t) +@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t) corecmd_search_bin(pads_t) @@ -44384,13 +47113,11 @@ index b246bdd..3cbcc49 100644 corenet_all_recvfrom_netlabel(pads_t) corenet_tcp_sendrecv_generic_if(pads_t) corenet_tcp_sendrecv_generic_node(pads_t) -@@ -48,12 +49,11 @@ corenet_tcp_connect_prelude_port(pads_t) - - dev_read_rand(pads_t) +@@ -52,11 +54,8 @@ dev_read_rand(pads_t) dev_read_urand(pads_t) -+dev_read_sysfs(pads_t) + dev_read_sysfs(pads_t) - files_read_etc_files(pads_t) +-files_read_etc_files(pads_t) files_search_spool(pads_t) -miscfiles_read_localization(pads_t) @@ -44399,54 +47126,61 @@ index b246bdd..3cbcc49 100644 sysnet_dns_name_resolve(pads_t) diff --git a/passenger.fc b/passenger.fc -index 545518d..9155bd0 100644 +index 2c389ea..9155bd0 100644 --- a/passenger.fc 
+++ b/passenger.fc -@@ -1,11 +1,12 @@ --/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) --/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) +@@ -1,10 +1,12 @@ +-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) +-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -+ + +-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) +/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0) - /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) +-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) ++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) --/var/log/passenger(/.*)? 
gen_context(system_u:object_r:passenger_log_t,s0) --/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) +-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) - - /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) ++ ++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if -index f68b573..c050b37 100644 +index bf59ef7..c050b37 100644 --- a/passenger.if +++ b/passenger.if -@@ -18,6 +18,42 @@ interface(`passenger_domtrans',` +@@ -15,17 +15,16 @@ interface(`passenger_domtrans',` + type passenger_t, passenger_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, passenger_exec_t, passenger_t) ') -+###################################### -+## + ###################################### + ## +-## Execute passenger in the caller domain. +## Execute passenger in the current domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# -+interface(`passenger_exec',` -+ gen_require(` -+ type passenger_exec_t; -+ ') -+ -+ can_exec($1, passenger_exec_t) -+') -+ + ## + ## + # +@@ -34,13 +33,30 @@ interface(`passenger_exec',` + type passenger_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, passenger_exec_t) + ') + +####################################### +## +## Getattr passenger log files 
@@ -44467,11 +47201,20 @@ index f68b573..c050b37 100644 + ######################################## ## - ## Read passenger lib files -@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',` - read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) - files_search_var_lib($1) - ') +-## Read passenger lib files. ++## Read passenger lib files + ## + ## + ## +@@ -53,6 +69,88 @@ interface(`passenger_read_lib_files',` + type passenger_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ files_search_var_lib($1) ++') + +######################################## +## @@ -44552,39 +47295,68 @@ index f68b573..c050b37 100644 + files_search_tmp($1) + manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) -+') + ') diff --git a/passenger.te b/passenger.te -index 3470036..ca09bc0 100644 +index 4e114ff..ca09bc0 100644 --- a/passenger.te 
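Review bot: The new file contexts `/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)` and `/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)` match every regular file under any gem whose name starts with Passenger, not just the agent binaries the removed upstream lines targeted (agents/PassengerWatchdog, agents/PassengerLoggingAgent, agents/apache2/PassengerHelperAgent); documentation or Ruby sources with that prefix would be labeled as an entry point into passenger_t. The unanchored `.*` also spans directory separators, so the pattern reaches deeper than it reads. I would keep the agents/ path component, e.g. `/usr/share/gems/.*/agents(/.*)?/Passenger[^/]* -- gen_context(system_u:object_r:passenger_exec_t,s0)` and the same for /usr/lib/gems, after confirming the layout of the packaged gem.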
+++ b/passenger.te -@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t) - # passanger local policy +@@ -1,4 +1,4 @@ +-policy_module(passanger, 1.0.3) ++policy_module(passanger, 1.0.0) + + ######################################## # +@@ -14,6 +14,9 @@ role system_r types passenger_t; + type passenger_log_t; + logging_log_file(passenger_log_t) --allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; -+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; ++type passenger_tmp_t; ++files_tmp_file(passenger_tmp_t) ++ + type passenger_var_lib_t; + files_type(passenger_var_lib_t) + +@@ -22,22 +25,23 @@ files_pid_file(passenger_var_run_t) + + ######################################## + # +-# Local policy ++# passanger local policy + # + + allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; allow passenger_t self:process { setpgid setsched sigkill signal }; allow passenger_t self:fifo_file rw_fifo_file_perms; - allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -37,7 +37,7 @@ can_exec(passenger_t, passenger_exec_t) +-allow passenger_t self:unix_stream_socket { accept connectto listen }; ++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++can_exec(passenger_t, passenger_exec_t) manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) - manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -logging_log_filetrans(passenger_t, passenger_log_t, file) ++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +logging_log_filetrans(passenger_t, passenger_log_t, { dir file }) 
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) -@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) ++files_search_var_lib(passenger_t) + + manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) + manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +49,19 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) +-can_exec(passenger_t, passenger_exec_t) +#needed by puppet +manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file }) -+ + kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) 
@@ -44592,79 +47364,56 @@ index 3470036..ca09bc0 100644 -corenet_all_recvfrom_unlabeled(passenger_t) corenet_tcp_sendrecv_generic_if(passenger_t) corenet_tcp_sendrecv_generic_node(passenger_t) +- +-corenet_sendrecv_http_client_packets(passenger_t) corenet_tcp_connect_http_port(passenger_t) -@@ -63,11 +68,13 @@ corecmd_exec_shell(passenger_t) +-corenet_tcp_sendrecv_http_port(passenger_t) + + corecmd_exec_bin(passenger_t) + corecmd_exec_shell(passenger_t) +@@ -66,14 +70,12 @@ dev_read_urand(passenger_t) - dev_read_urand(passenger_t) + domain_read_all_domains_state(passenger_t) -files_read_etc_files(passenger_t) -+domain_read_all_domains_state(passenger_t) -+ +files_read_usr_files(passenger_t) auth_use_nsswitch(passenger_t) --miscfiles_read_localization(passenger_t) -+logging_send_syslog_msg(passenger_t) + logging_send_syslog_msg(passenger_t) +-miscfiles_read_localization(passenger_t) +- userdom_dontaudit_use_user_terminals(passenger_t) -@@ -75,3 +82,25 @@ optional_policy(` - apache_append_log(passenger_t) - apache_read_sys_content(passenger_t) + optional_policy(` +@@ -90,14 +92,15 @@ optional_policy(` ') -+ -+optional_policy(` -+ hostname_exec(passenger_t) -+') -+ -+optional_policy(` -+ mta_send_mail(passenger_t) -+') -+ -+optional_policy(` + + optional_policy(` +- puppet_manage_lib_files(passenger_t) + puppet_manage_lib(passenger_t) -+ puppet_read_config(passenger_t) + puppet_read_config(passenger_t) +- puppet_append_log_files(passenger_t) +- puppet_create_log_files(passenger_t) +- puppet_read_log_files(passenger_t) + puppet_append_log(passenger_t) + puppet_create_log(passenger_t) + puppet_read_log(passenger_t) + puppet_search_pid(passenger_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- rpm_exec(passenger_t) +- rpm_read_db(passenger_t) + rpm_exec(passenger_t) + rpm_read_db(passenger_t) -+') -diff --git a/pcmcia.fc b/pcmcia.fc -index 9cf0e56..2b5260a 100644 ---- a/pcmcia.fc -+++ b/pcmcia.fc -@@ -4,6 +4,9 @@ - /sbin/cardctl -- 
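Review bot: The passenger.te change replaces upstream's append-only log access (`append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` on passenger_log_t) with `manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)`, which adds write, unlink and rename; a compromised application server could then truncate or delete its own logs, which is presumably why upstream splits the permissions. Unless a concrete denial requires it, keep the three upstream rules and widen only `logging_log_filetrans(passenger_t, passenger_log_t, { dir file })` if a log directory really is created at runtime. The same hunk also lowers the module version from `policy_module(passanger, 1.0.3)` to `policy_module(passanger, 1.0.0)`; the patched file should not carry a lower version than the upstream it modifies.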
gen_context(system_u:object_r:cardctl_exec_t,s0) - /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) - -+/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) -+/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) -+ - /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0) - - /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) + ') diff --git a/pcmcia.te b/pcmcia.te -index 4d06ae3..e1a4943 100644 +index 3ad10b5..49baca5 100644 --- a/pcmcia.te +++ b/pcmcia.te -@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t) - - domain_use_interactive_fds(cardmgr_t) - # Read /proc/PID directories for all domains (for fuser). --domain_read_confined_domains_state(cardmgr_t) --domain_getattr_confined_domains(cardmgr_t) --domain_dontaudit_ptrace_confined_domains(cardmgr_t) -+domain_read_all_domains_state(cardmgr_t) - # cjp: these look excessive: - domain_dontaudit_getattr_all_pipes(cardmgr_t) - domain_dontaudit_getattr_all_sockets(cardmgr_t) -@@ -96,8 +94,6 @@ libs_exec_lib_files(cardmgr_t) +@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) logging_send_syslog_msg(cardmgr_t) @@ -44673,7 +47422,6 @@ index 4d06ae3..e1a4943 100644 modutils_domtrans_insmod(cardmgr_t) sysnet_domtrans_ifconfig(cardmgr_t) -@@ -105,12 +101,11 @@ sysnet_domtrans_ifconfig(cardmgr_t) sysnet_etc_filetrans_config(cardmgr_t) sysnet_manage_config(cardmgr_t) 
@@ -44687,21 +47435,11 @@ index 4d06ae3..e1a4943 100644 seutil_sigchld_newrole(cardmgr_t) ') -diff --git a/pcscd.fc b/pcscd.fc -index 87f17e8..63ee18a 100644 ---- a/pcscd.fc -+++ b/pcscd.fc -@@ -1,4 +1,5 @@ - /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) -+/var/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) - /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) - /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) - /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) diff --git a/pcscd.if b/pcscd.if -index 1c2a091..3ead3cc 100644 +index 43d50f9..7f77d32 100644 --- a/pcscd.if +++ b/pcscd.if -@@ -34,7 +34,7 @@ interface(`pcscd_read_pub_files',` +@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',` ') files_search_pids($1) @@ -44711,18 +47449,22 @@ index 1c2a091..3ead3cc 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index ceafba6..47b690d 100644 +index 96db654..d23cd25 100644 --- a/pcscd.te 
+++ b/pcscd.te -@@ -25,6 +25,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms; - allow pcscd_t self:unix_stream_socket create_stream_socket_perms; - allow pcscd_t self:unix_dgram_socket create_socket_perms; - allow pcscd_t self:tcp_socket create_stream_socket_perms; -+allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") + allow pcscd_t self:capability { dac_override dac_read_search fsetid }; + allow pcscd_t self:process signal; + allow pcscd_t self:fifo_file rw_fifo_file_perms; +-allow pcscd_t self:unix_stream_socket { accept listen }; +-allow pcscd_t self:tcp_socket { accept listen }; ++allow pcscd_t self:unix_stream_socket create_stream_socket_perms; ++allow pcscd_t self:unix_dgram_socket create_socket_perms; ++allow pcscd_t self:tcp_socket create_stream_socket_perms; + allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) - manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) -@@ -34,7 +35,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) +@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) kernel_read_system_state(pcscd_t) @@ -44730,7 +47472,15 @@ index ceafba6..47b690d 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -56,8 +56,6 @@ locallogin_use_fds(pcscd_t) +@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) + dev_rw_usbfs(pcscd_t) + dev_read_sysfs(pcscd_t) + +-files_read_etc_files(pcscd_t) + files_read_etc_runtime_files(pcscd_t) + + term_use_unallocated_ttys(pcscd_t) +@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) 
@@ -44739,98 +47489,190 @@ index ceafba6..47b690d 100644 sysnet_dns_name_resolve(pcscd_t) optional_policy(` -@@ -77,3 +75,7 @@ optional_policy(` - optional_policy(` - rpm_use_script_fds(pcscd_t) - ') -+ -+optional_policy(` -+ udev_read_db(pcscd_t) -+') +diff --git a/pegasus.fc b/pegasus.fc +index dfd46e4..9515043 100644 +--- a/pegasus.fc ++++ b/pegasus.fc +@@ -1,15 +1,12 @@ +-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) +-/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) +- +-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) + +-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) ++/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) + +-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) ++/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) + +-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) + +-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) + + /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) +diff --git a/pegasus.if b/pegasus.if +index d2fc677..920b13f 100644 +--- a/pegasus.if ++++ b/pegasus.if +@@ -1,52 +1 @@ + ## The Open Group Pegasus CIM/WBEM Server. +- +-######################################## +-## +-## All of the rules required to +-## administrate an pegasus environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-## +-# +-interface(`pegasus_admin',` +- gen_require(` +- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; +- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; +- type pegasus_mof_t, pegasus_var_run_t; +- ') +- +- allow $1 pegasus_t:process { ptrace signal_perms }; +- ps_process_pattern($1, pegasus_t) +- +- init_labeled_script_domtrans($1, pegasus_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 pegasus_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, pegasus_conf_t) +- +- files_search_usr($1) +- admin_pattern($1, pegasus_mof_t) +- +- files_search_tmp($1) +- admin_pattern($1, pegasus_tmp_t) +- +- files_search_var($1) +- admin_pattern($1, pegasus_cache_t) +- +- files_search_var_lib($1) +- admin_pattern($1, pegasus_data_t) +- +- files_search_pids($1) +- admin_pattern($1, pegasus_var_run_t) +-') diff --git a/pegasus.te b/pegasus.te -index 3185114..d459c82 100644 +index 7bcf327..d459c82 100644 --- a/pegasus.te 
+++ b/pegasus.te -@@ -9,6 +9,9 @@ type pegasus_t; +@@ -1,4 +1,4 @@ +-policy_module(pegasus, 1.8.3) ++policy_module(pegasus, 1.8.0) + + ######################################## + # +@@ -9,9 +9,6 @@ type pegasus_t; type pegasus_exec_t; init_daemon_domain(pegasus_t, pegasus_exec_t) -+type pegasus_cache_t; -+files_type(pegasus_cache_t) -+ - type pegasus_data_t; - files_type(pegasus_data_t) - -@@ -16,7 +19,7 @@ type pegasus_tmp_t; - files_tmp_file(pegasus_tmp_t) - - type pegasus_conf_t; --files_type(pegasus_conf_t) -+files_config_file(pegasus_conf_t) - - type pegasus_mof_t; - files_type(pegasus_mof_t) -@@ -29,18 +32,23 @@ files_pid_file(pegasus_var_run_t) - # Local policy - # +-type pegasus_initrc_exec_t; +-init_script_file(pegasus_initrc_exec_t) +- + type pegasus_cache_t; + files_type(pegasus_cache_t) --allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; +@@ -39,11 +36,12 @@ allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; - allow pegasus_t self:unix_dgram_socket create_socket_perms; --allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +-allow pegasus_t self:unix_stream_socket { connectto accept listen }; +-allow pegasus_t self:tcp_socket { accept listen }; ++allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow pegasus_t self:tcp_socket create_stream_socket_perms; ++allow pegasus_t self:tcp_socket create_stream_socket_perms; allow pegasus_t pegasus_conf_t:dir rw_dir_perms; --allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; +-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms 
rename_file_perms }; +allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; -+manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -+manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -+manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -+files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) -+ + manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) +@@ -54,22 +52,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file }) ++filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) ++ ++can_exec(pegasus_t, pegasus_exec_t) + + allow pegasus_t pegasus_mof_t:dir list_dir_perms; +-allow pegasus_t pegasus_mof_t:file read_file_perms; +-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms; ++read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) ++read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) + + manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) - files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) +-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file }) ++files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) --allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; +manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) -+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) + manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) 
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) --files_pid_filetrans(pegasus_t, pegasus_var_run_t, file) +-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file }) +- +-can_exec(pegasus_t, pegasus_exec_t) +files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) -+kernel_read_network_state(pegasus_t) + kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) - kernel_read_fs_sysctls(pegasus_t) - kernel_read_system_state(pegasus_t) - kernel_search_vm_sysctl(pegasus_t) - kernel_read_net_sysctls(pegasus_t) -+kernel_read_xen_state(pegasus_t) -+kernel_write_xen_state(pegasus_t) +@@ -80,27 +78,21 @@ kernel_read_net_sysctls(pegasus_t) + kernel_read_xen_state(pegasus_t) + kernel_write_xen_state(pegasus_t) -corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) corenet_tcp_sendrecv_generic_if(pegasus_t) corenet_tcp_sendrecv_generic_node(pegasus_t) -@@ -86,7 +97,7 @@ corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + corenet_tcp_sendrecv_all_ports(pegasus_t) + corenet_tcp_bind_generic_node(pegasus_t) +- +-corenet_sendrecv_pegasus_http_server_packets(pegasus_t) + corenet_tcp_bind_pegasus_http_port(pegasus_t) +- +-corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + corenet_tcp_bind_pegasus_https_port(pegasus_t) +- +-corenet_sendrecv_pegasus_http_client_packets(pegasus_t) + corenet_tcp_connect_pegasus_http_port(pegasus_t) +- +-corenet_sendrecv_pegasus_https_client_packets(pegasus_t) + corenet_tcp_connect_pegasus_https_port(pegasus_t) +- +-corenet_sendrecv_generic_client_packets(pegasus_t) + corenet_tcp_connect_generic_port(pegasus_t) ++corenet_sendrecv_generic_client_packets(pegasus_t) ++corenet_sendrecv_pegasus_http_client_packets(pegasus_t) ++corenet_sendrecv_pegasus_http_server_packets(pegasus_t) ++corenet_sendrecv_pegasus_https_client_packets(pegasus_t) 
++corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) - --dev_read_sysfs(pegasus_t) -+dev_rw_sysfs(pegasus_t) - dev_read_urand(pegasus_t) - - fs_getattr_all_fs(pegasus_t) -@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +106,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -44838,24 +47680,28 @@ index 3185114..d459c82 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) - --files_read_etc_files(pegasus_t) - files_list_var_lib(pegasus_t) +@@ -122,24 +115,31 @@ files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) -@@ -112,8 +123,6 @@ init_stream_connect_script(pegasus_t) + ++hostname_exec(pegasus_t) ++ + init_rw_utmp(pegasus_t) + init_stream_connect_script(pegasus_t) + logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) -miscfiles_read_localization(pegasus_t) -- - sysnet_read_config(pegasus_t) - sysnet_domtrans_ifconfig(pegasus_t) ++sysnet_read_config(pegasus_t) ++sysnet_domtrans_ifconfig(pegasus_t) -@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` +- dbus_system_bus_client(pegasus_t) +- dbus_connect_system_bus(pegasus_t) + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) + 
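Review bot: The new pegasus.fc hunk drops `/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)` while pegasus.te in the same hunk still declares pegasus_cache_t and keeps `files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })`; with no file context a relabel leaves /var/cache/Pegasus as var_t and the daemon loses access to a cache it created under pegasus_cache_t at runtime. Unless the cache directory has moved (nothing in the hunk suggests it), that line should be restored. The hunk also removes pegasus_initrc_exec_t and the entire pegasus_admin interface without a replacement, so any role policy calling pegasus_admin will no longer build; a systemctl-based admin interface in the style of pacemaker_admin earlier in this patch would be the expected substitute.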
@@ -44863,20 +47709,19 @@ index 3185114..d459c82 100644 + networkmanager_dbus_chat(pegasus_t) + ') +') -+ + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') +optional_policy(` + corosync_stream_connect(pegasus_t) -+') -+ -+optional_policy(` -+ hostname_exec(pegasus_t) -+') -+ -+optional_policy(` -+ lldpad_dgram_send(pegasus_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +@@ -151,6 +151,10 @@ optional_policy(` + ') + + optional_policy(` + ricci_stream_connect_modclusterd(pegasus_t) +') + 
@@ -44884,362 +47729,68 @@ index 3185114..d459c82 100644 rpm_exec(pegasus_t) ') +@@ -159,8 +163,7 @@ optional_policy(` + ') + optional_policy(` -+ samba_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ sysnet_domtrans_ifconfig(pegasus_t) -+') -+ -+optional_policy(` -+ ssh_exec(pegasus_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(pegasus_t) +- seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) ++ sysnet_domtrans_ifconfig(pegasus_t) ') optional_policy(` -@@ -136,3 +181,14 @@ optional_policy(` - optional_policy(` - unconfined_signull(pegasus_t) +@@ -168,7 +171,7 @@ optional_policy(` ') -+ -+optional_policy(` -+ virt_domtrans(pegasus_t) -+ virt_stream_connect(pegasus_t) -+ virt_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ xen_stream_connect(pegasus_t) -+ xen_stream_connect_xenstore(pegasus_t) -+') -diff --git a/perdition.te b/perdition.te -index 3636277..05e65ad 100644 ---- a/perdition.te -+++ b/perdition.te -@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(perdition_t) - kernel_list_proc(perdition_t) - kernel_read_proc_symlinks(perdition_t) --corenet_all_recvfrom_unlabeled(perdition_t) - corenet_all_recvfrom_netlabel(perdition_t) - corenet_tcp_sendrecv_generic_if(perdition_t) - corenet_udp_sendrecv_generic_if(perdition_t) -@@ -59,8 +58,6 @@ files_read_etc_files(perdition_t) - - logging_send_syslog_msg(perdition_t) - --miscfiles_read_localization(perdition_t) -- - sysnet_read_config(perdition_t) + optional_policy(` +- sysnet_domtrans_ifconfig(pegasus_t) ++ seutil_sigchld_newrole(pegasus_t) + ') - userdom_dontaudit_use_unpriv_user_fds(perdition_t) -diff --git a/phpfpm.fc b/phpfpm.fc -new file mode 100644 -index 0000000..4c64b13 ---- /dev/null -+++ b/phpfpm.fc -@@ -0,0 +1,7 @@ -+/usr/lib/systemd/system/php-fpm.service -- gen_context(system_u:object_r:phpfpm_unit_file_t,s0) -+ -+/usr/sbin/php-fpm -- gen_context(system_u:object_r:phpfpm_exec_t,s0) -+ -+/var/log/php-fpm(/.*)? 
gen_context(system_u:object_r:phpfpm_log_t,s0) -+ -+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:phpfpm_var_run_t,s0) -diff --git a/phpfpm.if b/phpfpm.if -new file mode 100644 -index 0000000..18f0425 ---- /dev/null -+++ b/phpfpm.if -@@ -0,0 +1,162 @@ -+ -+## PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. -+ -+######################################## -+## -+## Execute php-fpm in the phpfpm domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`phpfpm_domtrans',` -+ gen_require(` -+ type phpfpm_t, phpfpm_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, phpfpm_exec_t, phpfpm_t) -+') -+ -+######################################## -+## -+## Read phpfpm's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`phpfpm_read_log',` -+ gen_require(` -+ type phpfpm_log_t; -+ ') -+ -+ logging_search_logs($1) -+ read_files_pattern($1, phpfpm_log_t, phpfpm_log_t) -+') -+ -+######################################## -+## -+## Append to phpfpm log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`phpfpm_append_log',` -+ gen_require(` -+ type phpfpm_log_t; -+ ') -+ -+ logging_search_logs($1) -+ append_files_pattern($1, phpfpm_log_t, phpfpm_log_t) -+') -+ -+######################################## -+## -+## Manage phpfpm log files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`phpfpm_manage_log',` -+ gen_require(` -+ type phpfpm_log_t; -+ ') -+ -+ logging_search_logs($1) -+ manage_dirs_pattern($1, phpfpm_log_t, phpfpm_log_t) -+ manage_files_pattern($1, phpfpm_log_t, phpfpm_log_t) -+ manage_lnk_files_pattern($1, phpfpm_log_t, phpfpm_log_t) -+') -+ -+######################################## -+## -+## Read phpfpm PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`phpfpm_read_pid_files',` -+ gen_require(` -+ type phpfpm_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 phpfpm_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Execute phpfpm server in the phpfpm domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`phpfpm_systemctl',` -+ gen_require(` -+ type phpfpm_t; -+ type phpfpm_unit_file_t; -+ ') -+ -+ systemd_exec_systemctl($1) -+ allow $1 phpfpm_unit_file_t:file read_file_perms; -+ allow $1 phpfpm_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, phpfpm_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate -+## an phpfpm environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`phpfpm_admin',` -+ gen_require(` -+ type phpfpm_t; -+ type phpfpm_log_t; -+ type phpfpm_var_run_t; -+ type phpfpm_unit_file_t; -+ ') -+ -+ allow $1 phpfpm_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, phpfpm_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, phpfpm_log_t) -+ -+ files_search_pids($1) -+ admin_pattern($1, phpfpm_var_run_t) -+ -+ phpfpm_systemctl($1) -+ admin_pattern($1, phpfpm_unit_file_t) -+ allow $1 phpfpm_unit_file_t:service all_service_perms; -+ -+ optional_policy(` -+ systemd_passwd_agent_exec($1) -+ systemd_read_fifo_file_passwd_run($1) -+ ') -+') -diff --git a/phpfpm.te b/phpfpm.te -new file mode 100644 -index 0000000..78af4d7 ---- /dev/null -+++ b/phpfpm.te -@@ -0,0 +1,61 @@ -+policy_module(phpfpm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type phpfpm_t; -+type phpfpm_exec_t; -+init_daemon_domain(phpfpm_t, phpfpm_exec_t) -+ -+type phpfpm_log_t; -+logging_log_file(phpfpm_log_t) -+ -+type phpfpm_var_run_t; -+files_pid_file(phpfpm_var_run_t) -+ -+type phpfpm_unit_file_t; -+systemd_unit_file(phpfpm_unit_file_t) -+ -+######################################## -+# -+# 
phpfpm local policy -+# -+ -+allow phpfpm_t self:capability { chown kill setgid setuid sys_chroot sys_nice }; -+allow phpfpm_t self:process { setsched setrlimit signal sigkill }; -+ -+allow phpfpm_t self:fifo_file rw_fifo_file_perms; -+allow phpfpm_t self:tcp_socket { accept listen }; -+allow phpfpm_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) -+manage_files_pattern(phpfpm_t, phpfpm_log_t, phpfpm_log_t) -+ -+manage_dirs_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) -+manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t) -+files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, dir ) -+ -+kernel_read_system_state(phpfpm_t) -+kernel_read_kernel_sysctls(phpfpm_t) -+ -+corenet_tcp_bind_generic_port(phpfpm_t) -+ -+domain_use_interactive_fds(phpfpm_t) -+ -+files_read_etc_files(phpfpm_t) -+ -+auth_use_nsswitch(phpfpm_t) -+ -+dev_read_rand(phpfpm_t) -+dev_read_urand(phpfpm_t) -+ -+logging_send_syslog_msg(phpfpm_t) -+ -+sysnet_dns_name_resolve(phpfpm_t) -+ -+optional_policy(` -+ mysql_stream_connect(phpfpm_t) -+ mysql_tcp_connect(phpfpm_t) -+') + optional_policy(` diff --git a/pingd.if b/pingd.if -index 8688aae..cf34fc1 100644 +index 21a6ecb..b99e4cb 100644 --- a/pingd.if 
+++ b/pingd.if -@@ -55,7 +55,6 @@ interface(`pingd_manage_config',` +@@ -55,7 +55,8 @@ interface(`pingd_manage_config',` + ') + files_search_etc($1) - manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) - manage_files_pattern($1, pingd_etc_t, pingd_etc_t) -- +- allow $1 pingd_etc_t:file manage_file_perms; ++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) ++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) ') ####################################### -@@ -77,12 +76,15 @@ interface(`pingd_manage_config',` - # - interface(`pingd_admin',` - gen_require(` -- type pingd_t, pingd_etc_t; -- type pingd_initrc_exec_t, pingd_modules_t; -+ type pingd_t, pingd_etc_t, pingd_modules_t; -+ type pingd_initrc_exec_t; +@@ -81,9 +82,13 @@ interface(`pingd_admin',` + type pingd_initrc_exec_t; ') - allow $1 pingd_t:process { ptrace signal_perms }; + allow $1 pingd_t:process signal_perms; ps_process_pattern($1, pingd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 pingd_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, pingd_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 pingd_initrc_exec_t system_r; diff --git a/pingd.te b/pingd.te -index e9cf8a4..c476cf4 100644 +index 0f77942..0e3f230 100644 --- a/pingd.te 
+++ b/pingd.te -@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t) +@@ -10,7 +10,7 @@ type pingd_exec_t; + init_daemon_domain(pingd_t, pingd_exec_t) - # type for config type pingd_etc_t; -files_type(pingd_etc_t) +files_config_file(pingd_etc_t) type pingd_initrc_exec_t; init_script_file(pingd_initrc_exec_t) -@@ -27,7 +27,7 @@ files_type(pingd_modules_t) - - allow pingd_t self:capability net_raw; - allow pingd_t self:tcp_socket create_stream_socket_perms; --allow pingd_t self:rawip_socket { write read create bind }; -+allow pingd_t self:rawip_socket create_socket_perms; - - read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) - -@@ -43,5 +43,3 @@ auth_use_nsswitch(pingd_t) +@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t) files_search_usr(pingd_t) logging_send_syslog_msg(pingd_t) @@ -45462,7 +48013,7 @@ index 0000000..8d681d1 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..b1d27d7 +index 0000000..be7f288 --- /dev/null +++ b/piranha.te @@ -0,0 +1,295 @@ @@ -45567,7 +48118,7 @@ index 0000000..b1d27d7 + +corenet_tcp_bind_http_cache_port(piranha_web_t) +corenet_tcp_bind_luci_port(piranha_web_t) -+corenet_tcp_bind_piranha_port(piranha_web_t) ++corenet_tcp_bind_servistaitsm_port(piranha_web_t) +corenet_tcp_connect_ricci_port(piranha_web_t) + +dev_read_rand(piranha_web_t) 
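Review bot: The phpfpm module (phpfpm.fc, phpfpm.if and phpfpm.te, with the `phpfpm_t` domain and every `phpfpm_*` interface) is dropped from the patch wholesale, and nothing in this hunk re-adds it elsewhere. If the module list configuration or any policy calling `phpfpm_domtrans`/`phpfpm_admin` still references it, the build fails on a missing module, so confirm the module now ships from another source before merging. The pingd_admin rewrite in the same hunk, which moves `ptrace` out of the unconditional `allow` into `tunable_policy(`deny_ptrace',...)`, is a sound reduction.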
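Review bot: `corenet_tcp_bind_servistaitsm_port(piranha_web_t)` replaces `corenet_tcp_bind_piranha_port(piranha_web_t)`, so the piranha web domain now binds a port type named after an unrelated service. If this is because the two services share a port number and corenetwork no longer defines a separate piranha port, a one-line comment above the rule such as `# piranha's web port is defined as servistaitsm_port_t in corenetwork` keeps the next reader from treating it as a mislabel. Otherwise the original interface should be restored.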
@@ -45761,6 +48312,134 @@ index 0000000..b1d27d7 +corecmd_exec_shell(piranha_domain) + +sysnet_read_config(piranha_domain) +diff --git a/pkcs.fc b/pkcs.fc +deleted file mode 100644 +index f9dc0be..0000000 +--- a/pkcs.fc ++++ /dev/null +@@ -1,7 +0,0 @@ +-/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0) +- +-/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0) +- +-/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) +- +-/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) +diff --git a/pkcs.if b/pkcs.if +deleted file mode 100644 +index 69be2aa..0000000 +--- a/pkcs.if ++++ /dev/null +@@ -1,45 +0,0 @@ +-## Implementations of the Cryptoki specification. +- +-######################################## +-## +-## All of the rules required to +-## administrate an pkcs slotd environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`pkcs_admin_slotd',` +- gen_require(` +- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t; +- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t; +- ') +- +- allow $1 pkcs_slotd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, pkcs_slotd_t) +- +- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 pkcs_slotd_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_var_lib($1) +- admin_pattern($1, pkcs_slotd_var_lib_t) +- +- files_search_pids($1) +- admin_pattern($1, pkcs_slotd_var_run_t) +- +- files_search_tmp($1) +- admin_pattern($1, pkcs_slotd_tmp_t) +- +- fs_search_tmpfs($1) +- admin_pattern($1, pkcs_slotd_tmpfs_t) +-') +diff --git a/pkcs.te b/pkcs.te +deleted file mode 100644 +index 977b972..0000000 +--- a/pkcs.te ++++ /dev/null +@@ -1,58 +0,0 @@ +-policy_module(pkcs, 1.0.0) +- +-######################################## +-# +-# 
Declarations +-# +- +-type pkcs_slotd_t; +-type pkcs_slotd_exec_t; +-init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t) +- +-type pkcs_slotd_initrc_exec_t; +-init_script_file(pkcs_slotd_initrc_exec_t) +- +-type pkcs_slotd_var_lib_t; +-files_type(pkcs_slotd_var_lib_t) +- +-type pkcs_slotd_var_run_t; +-files_pid_file(pkcs_slotd_var_run_t) +- +-type pkcs_slotd_tmp_t; +-files_tmp_file(pkcs_slotd_tmp_t) +- +-type pkcs_slotd_tmpfs_t; +-files_tmpfs_file(pkcs_slotd_tmpfs_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow pkcs_slotd_t self:capability kill; +-allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; +-allow pkcs_slotd_t self:sem create_sem_perms; +-allow pkcs_slotd_t self:shm create_shm_perms; +-allow pkcs_slotd_t self:unix_stream_socket { accept listen }; +- +-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +-manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) +-files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) +- +-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) +-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file) +- +-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) +-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t) +-files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) +- +-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) +-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) +-fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir) +- +-files_read_etc_files(pkcs_slotd_t) +- +-logging_send_syslog_msg(pkcs_slotd_t) +- +-miscfiles_read_localization(pkcs_slotd_t) diff --git a/pkcsslotd.fc b/pkcsslotd.fc new file mode 100644 index 0000000..dd1b8f2 @@ -46611,51 +49290,237 @@ index 0000000..dfebbd9 +') + 
diff --git a/plymouthd.fc b/plymouthd.fc -index 5702ca4..ef1dd7a 100644 +index 735500f..ef1dd7a 100644 --- a/plymouthd.fc +++ b/plymouthd.fc -@@ -2,6 +2,14 @@ +@@ -1,15 +1,15 @@ +-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) ++/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) ++/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) -+ - /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) -+ - /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) + +-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) ++/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) + +-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) ++/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) +/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -+ + +-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) -+ - /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) -+ + +-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) ++/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) + +-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 9759ed8..17c097d 100644 +index 30e751f..17c097d 100644 --- a/plymouthd.if 
+++ b/plymouthd.if -@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', ` +@@ -1,4 +1,4 @@ +-## Plymouth graphical boot. ++## Plymouth graphical boot + + ######################################## + ## +@@ -10,18 +10,17 @@ + ## + ## + # +-interface(`plymouthd_domtrans',` ++interface(`plymouthd_domtrans', ` + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) + ') + + ######################################## + ## +-## Execute plymouthd in the caller domain. ++## Execute the plymoth daemon in the current domain + ## + ## + ## +@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',` + ## + ## + # +-interface(`plymouthd_exec',` ++interface(`plymouthd_exec', ` + gen_require(` + type plymouthd_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, plymouthd_exec_t) + ') + + ######################################## + ## +-## Connect to plymouthd using a unix +-## domain stream socket. ++## Allow domain to Stream socket connect ++## to Plymouth daemon. + ## + ## + ## +@@ -49,18 +47,17 @@ interface(`plymouthd_exec',` + ## + ## + # +-interface(`plymouthd_stream_connect',` ++interface(`plymouthd_stream_connect', ` + gen_require(` +- type plymouthd_t, plymouthd_spool_t; ++ type plymouthd_t; + ') + +- files_search_spool($1) +- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) ++ allow $1 plymouthd_t:unix_stream_socket connectto; + ') + + ######################################## + ## +-## Execute plymouth in the caller domain. ++## Execute the plymoth command in the current domain + ## + ## + ## +@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',` + ## + ## + # +-interface(`plymouthd_exec_plymouth',` ++interface(`plymouthd_exec_plymouth', ` + gen_require(` + type plymouth_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, plymouth_exec_t) + ') + + ######################################## + ## +-## Execute a domain transition to run plymouth. 
++## Execute a domain transition to run plymouthd. + ## + ## + ## +@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',` + ## + ## + # +-interface(`plymouthd_domtrans_plymouth',` ++interface(`plymouthd_domtrans_plymouth', ` + gen_require(` + type plymouth_t, plymouth_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, plymouth_exec_t, plymouth_t) + ') + +@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',` ## ## # --interface(`plymouthd_read_spool_files', ` -+interface(`plymouthd_read_spool_files',` +-interface(`plymouthd_search_spool',` ++interface(`plymouthd_search_spool', ` gen_require(` type plymouthd_spool_t; ') -@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', ` + +- files_search_spool($1) + allow $1 plymouthd_spool_t:dir search_dir_perms; ++ files_search_spool($1) + ') + + ######################################## +@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',` + ## + ## + # +-interface(`plymouthd_manage_spool_files',` ++interface(`plymouthd_manage_spool_files', ` + gen_require(` + type plymouthd_spool_t; + ') +@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',` + ## + ## + # +-interface(`plymouthd_search_lib',` ++interface(`plymouthd_search_lib', ` + gen_require(` + type plymouthd_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 plymouthd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',` + ## + ## + # +-interface(`plymouthd_read_lib_files',` ++interface(`plymouthd_read_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',` + ## + ## + # +-interface(`plymouthd_manage_lib_files',` ++interface(`plymouthd_manage_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') +@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',` ######################################## ## --## All of the rules required 
to administrate --## an plymouthd environment +-## Read plymouthd pid files. ++## Read plymouthd PID files. + ## + ## + ## +@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',` + ## + ## + # +-interface(`plymouthd_read_pid_files',` ++interface(`plymouthd_read_pid_files', ` + gen_require(` + type plymouthd_var_run_t; + ') +@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an plymouthd environment. +## Allow the specified domain to read +## to plymouthd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`plymouthd_read_log',` + gen_require(` @@ -46670,14 +49535,16 @@ index 9759ed8..17c097d 100644 +## +## Allow the specified domain to manage +## to plymouthd log files. - ## - ## ++## ++## ## - ## Domain allowed access. +-## Role allowed access. ++## Domain allowed access. ## ## --## -+# +-## + # +-interface(`plymouthd_admin',` +interface(`plymouthd_manage_log',` + gen_require(` + type plymouthd_var_log_t; @@ -46695,20 +49562,18 @@ index 9759ed8..17c097d 100644 +## an plymouthd environment +## +## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # - interface(`plymouthd_admin', ` ++## ++## ++# ++interface(`plymouthd_admin', ` gen_require(` -@@ -249,12 +285,17 @@ interface(`plymouthd_admin', ` + type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; type plymouthd_var_run_t; ') -- allow $1 plymouthd_t:process { ptrace signal_perms getattr }; +- allow $1 plymouthd_t:process { ptrace signal_perms }; - read_files_pattern($1, plymouthd_t, plymouthd_t) + allow $1 plymouthd_t:process signal_perms; + ps_process_pattern($1, plymouthd_t) 
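Review bot: `plymouthd_stream_connect` now grants only `allow $1 plymouthd_t:unix_stream_socket connectto;` where upstream used `stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)` plus `files_search_spool($1)`. That is sufficient only if plymouthd listens on an abstract socket; for a filesystem socket under the spool directory the caller also needs search on the directory and write on the sock_file, and callers such as `plymouth_t` (switched to this interface in the hunk at `@@ -46804,31 +49656,39 @@`) would be denied. Either keep the pattern-based rules, or record the assumption in the interface description, e.g. `## plymouthd listens on an abstract unix socket, so no sock_file access is needed.`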
@@ -46716,32 +49581,28 @@ index 9759ed8..17c097d 100644 + allow $1 plymouthd_t:process ptrace; + ') +- files_search_spool($1) + files_list_var_lib($1) admin_pattern($1, plymouthd_spool_t) +- files_search_var_lib($1) admin_pattern($1, plymouthd_var_lib_t) +- files_search_pids($1) + files_list_pids($1) admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 86700ed..5772ef0 100644 +index b1f412b..5772ef0 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ --policy_module(plymouthd, 1.1.0) +-policy_module(plymouthd, 1.1.4) +policy_module(plymouthd, 1.0.1) ######################################## # -@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.1.0) - type plymouth_t; - type plymouth_exec_t; - application_domain(plymouth_t, plymouth_exec_t) -+role system_r types plymouth_t; - - type plymouthd_t; - type plymouthd_exec_t; +@@ -15,7 +15,7 @@ type plymouthd_exec_t; init_daemon_domain(plymouthd_t, plymouthd_exec_t) type plymouthd_spool_t; 
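Review bot: `plymouthd_admin` drops upstream's `files_search_spool($1)`, but the `files_list_var_lib($1)` that takes its place covers /var/lib rather than /var/spool, so the `admin_pattern($1, plymouthd_spool_t)` that follows can no longer be reached through the spool directory. Restore a spool directory rule before it, e.g. `files_search_spool($1)`. The `tunable_policy(`deny_ptrace',...)` split of `ptrace` from `signal_perms` is fine.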
@@ -46750,46 +49611,37 @@ index 86700ed..5772ef0 100644 type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) +@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t) -+type plymouthd_var_log_t; -+logging_log_file(plymouthd_var_log_t) -+ - type plymouthd_var_run_t; - files_pid_file(plymouthd_var_run_t) - -@@ -28,6 +32,7 @@ files_pid_file(plymouthd_var_run_t) + ######################################## + # +-# Daemon local policy ++# Plymouthd private policy # allow plymouthd_t self:capability { sys_admin sys_tty_config }; -+allow plymouthd_t self:capability2 block_suspend; - dontaudit plymouthd_t self:capability dac_override; +-dontaudit plymouthd_t self:capability dac_override; + allow plymouthd_t self:capability2 block_suspend; ++dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:process { signal getsched }; allow plymouthd_t self:fifo_file rw_fifo_file_perms; -@@ -42,6 +47,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) - manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; +@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) -+manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) + manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -+logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) -+ - manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) - manage_files_pattern(plymouthd_t, plymouthd_var_run_t, 
plymouthd_var_run_t) - files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -57,13 +66,42 @@ dev_write_framebuffer(plymouthd_t) + logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) - domain_use_interactive_fds(plymouthd_t) - -+fs_getattr_all_fs(plymouthd_t) -+ - files_read_etc_files(plymouthd_t) - files_read_usr_files(plymouthd_t) + manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +@@ -77,12 +75,22 @@ term_getattr_pty_fs(plymouthd_t) + term_use_all_terms(plymouthd_t) + term_use_ptmx(plymouthd_t) -miscfiles_read_localization(plymouthd_t) -+term_getattr_pty_fs(plymouthd_t) -+term_use_all_terms(plymouthd_t) -+term_use_ptmx(plymouthd_t) -+ +init_signal(plymouthd_t) + +logging_link_generic_logs(plymouthd_t) 
@@ -46804,31 +49656,39 @@ index 86700ed..5772ef0 100644 + +term_use_unallocated_ttys(plymouthd_t) + -+optional_policy(` + optional_policy(` +- gnome_read_generic_home_content(plymouthd_t) + gnome_read_config(plymouthd_t) -+') -+ -+optional_policy(` -+ sssd_stream_connect(plymouthd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +@@ -90,21 +98,19 @@ optional_policy(` + ') + + optional_policy(` +- xserver_manage_xdm_spool_files(plymouthd_t) +- xserver_read_xdm_state(plymouthd_t) + xserver_xdm_manage_spool(plymouthd_t) + xserver_read_state_xdm(plymouthd_t) -+') -+ + ') + ######################################## # - # Plymouth private policy -@@ -74,6 +112,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +-# Client local policy ++# Plymouth private policy + # + + allow plymouth_t self:process signal; +-allow plymouth_t self:fifo_file rw_fifo_file_perms; ++allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; +-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) +- kernel_read_system_state(plymouth_t) -+kernel_stream_connect(plymouth_t) + kernel_stream_connect(plymouth_t) - domain_use_interactive_fds(plymouth_t) - -@@ -81,7 +120,6 @@ files_read_etc_files(plymouth_t) +@@ -114,11 +120,12 @@ files_read_etc_files(plymouth_t) term_use_ptmx(plymouth_t) @@ -46836,61 +49696,84 @@ index 86700ed..5772ef0 100644 sysnet_read_config(plymouth_t) +-ifdef(`hide_broken_symptoms',` ++plymouthd_stream_connect(plymouth_t) ++ ++ifdef(`hide_broken_symptoms', ` + optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index 4cffb07..4170218 100644 +index a14b3bc..caa8e6c 100644 --- a/podsleuth.te 
+++ b/podsleuth.te -@@ -25,7 +25,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) - # podsleuth local policy +@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) # + allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; +allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; + - allow podsleuth_t self:fifo_file rw_file_perms; + allow podsleuth_t self:fifo_file rw_fifo_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; -@@ -66,7 +67,6 @@ fs_getattr_tmpfs(podsleuth_t) +@@ -76,8 +77,6 @@ fs_getattr_tmpfs(podsleuth_t) fs_list_tmpfs(podsleuth_t) fs_rw_removable_blk_files(podsleuth_t) -miscfiles_read_localization(podsleuth_t) - +- sysnet_dns_name_resolve(podsleuth_t) + userdom_signal_unpriv_users(podsleuth_t) diff --git a/policykit.fc b/policykit.fc -index 63d0061..4718a93 100644 +index 1d76c72..4718a93 100644 --- a/policykit.fc 
+++ b/policykit.fc -@@ -1,16 +1,20 @@ - /usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) --/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +@@ -1,23 +1,20 @@ +-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +- +-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) - /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) - /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) --/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) ++/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) - 
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) --/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) ++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) - /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) - /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) +-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) - /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) - /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) ++/var/lib/PolicyKit-public(/.*)? 
gen_context(system_u:object_r:policykit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) +-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policykit.if b/policykit.if -index 48ff1e8..be00a65 100644 +index 032a84d..be00a65 100644 --- a/policykit.if +++ b/policykit.if -@@ -17,18 +17,43 @@ interface(`policykit_dbus_chat',` +@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',` class dbus send_msg; ') 
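Review bot: The policykit.fc part of this hunk rewrites every upstream line, and the visible differences appear to be only whitespace and entry order (each path and context reappears on the `+` side), which makes the patch hard to rebase and hides whatever real change is intended. Keeping the upstream lines as context and adding only the genuinely new entries would leave a minimal diff. The podsleuth change removing `ptrace` from `self:process` is a straightforward privilege reduction.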
@@ -46899,44 +49782,55 @@ index 48ff1e8..be00a65 100644 allow $1 policykit_t:dbus send_msg; allow policykit_t $1:dbus send_msg; ') - +@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',` ######################################## ## --## Execute a domain transition to run polkit_auth. -+## Send and receive messages from + ## Send and receive messages from +-## policykit auth over dbus. +## policykit over dbus. ## ## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`policykit_dbus_chat_auth',` -+ gen_require(` -+ type policykit_auth_t; -+ class dbus send_msg; -+ ') -+ + ## +@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',` + class dbus send_msg; + ') + + ps_process_pattern(policykit_auth_t, $1) + -+ allow $1 policykit_auth_t:dbus send_msg; -+ allow policykit_auth_t $1:dbus send_msg; -+') -+ -+######################################## - ## --## Domain allowed to transition. -+## Execute a domain transition to run polkit_auth. + allow $1 policykit_auth_t:dbus send_msg; + allow policykit_auth_t $1:dbus send_msg; + ') +@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',` + ## Execute a domain transition to run polkit_auth. ## -+## + ## +-## +## -+## Domain allowed to transition. + ## Domain allowed to transition. +-## +## ## # interface(`policykit_domtrans_auth',` -@@ -54,6 +79,7 @@ interface(`policykit_domtrans_auth',` +@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',` + type policykit_auth_t, policykit_auth_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) + ') + + ######################################## + ## +-## Execute a policy_auth in the policy +-## auth domain, and allow the specified +-## role the policy auth domain. ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, + ## + ## + ## +@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',` ## Role allowed access. ## ## 
@@ -46944,30 +49838,89 @@ index 48ff1e8..be00a65 100644 # interface(`policykit_run_auth',` gen_require(` -@@ -62,6 +88,9 @@ interface(`policykit_run_auth',` +- attribute_role policykit_auth_roles; ++ type policykit_auth_t; + ') policykit_domtrans_auth($1) - role $2 types policykit_auth_t; +- roleattribute $2 policykit_auth_roles; ++ role $2 types policykit_auth_t; + + allow $1 policykit_auth_t:process signal; + ps_process_pattern(policykit_auth_t, $1) ') ######################################## -@@ -69,9 +98,9 @@ interface(`policykit_run_auth',` - ## Execute a domain transition to run polkit_grant. + ## +-## Execute a domain transition to run polkit grant. ++## Execute a domain transition to run polkit_grant. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`policykit_domtrans_grant',` +@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',` + type policykit_grant_t, policykit_grant_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) + ') + + ######################################## + ## +-## Execute a policy_grant in the policy +-## grant domain, and allow the specified +-## role the policy grant domain. ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, + ## + ## + ## +@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',` + # + interface(`policykit_run_grant',` + gen_require(` +- attribute_role policykit_grant_roles; ++ type policykit_grant_t; + ') + + policykit_domtrans_grant($1) +- roleattribute $2 policykit_grant_roles; ++ role $2 types policykit_grant_t; ++ ++ allow $1 policykit_grant_t:process signal; ++ ++ ps_process_pattern(policykit_grant_t, $1) + ') + + ######################################## + ## +-## Read policykit reload files. 
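Review bot: `policykit_domtrans_auth` drops `corecmd_search_bin($1)` ahead of `domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)`, so the transition now depends on the caller already holding search on bin_t directories; the helper is labelled under /usr/libexec in the policykit.fc lines above, and a caller without that search permission is denied on the path walk before the transition is reached. `policykit_domtrans_grant` in the next hunk and `policykit_domtrans_resolve` in the hunk after lose the same call; if every caller is expected to already have it, a one-line comment saying so would stop the next rebase from re-adding it. Separately, the rewritten summary `## allow the specified role the policy_auth domain,` ends in a comma where upstream ended in a period, and the matching policy_grant summary in the next hunk does the same.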
++## read policykit reload files + ## + ## + ## +@@ -154,7 +162,7 @@ interface(`policykit_read_reload',` + + ######################################## + ## +-## Read and write policykit reload files. ++## rw policykit reload files ## ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`policykit_domtrans_grant',` -@@ -155,9 +184,9 @@ interface(`policykit_rw_reload',` - ## Execute a domain transition to run polkit_resolve. + ## +@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',` + + ######################################## + ## +-## Execute a domain transition to run polkit resolve. ++## Execute a domain transition to run polkit_resolve. ## ## -## @@ -46978,7 +49931,34 @@ index 48ff1e8..be00a65 100644 ## # interface(`policykit_domtrans_resolve',` -@@ -206,4 +235,50 @@ interface(`policykit_read_lib',` +@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',` + type policykit_resolve_t, policykit_resolve_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) ++ ++ ps_process_pattern(policykit_resolve_t, $1) + ') + + ######################################## +@@ -205,13 +214,13 @@ interface(`policykit_search_lib',` + type policykit_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 policykit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Read policykit lib files. ++## read policykit lib files + ## + ## + ## +@@ -226,4 +235,50 @@ interface(`policykit_read_lib',` files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) @@ -47030,140 +50010,139 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..946bfb5 100644 +index 49694e8..946bfb5 100644 --- a/policykit.te 
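Review bot: `ps_process_pattern(policykit_auth_t, $1)` added to policykit_run_auth, and the same call added to policykit_run_grant further down, grant the helper domain read access to the caller's process state, the opposite direction from the `allow $1 policykit_auth_t:process signal;` line immediately above it; this matches policykit_dbus_chat_auth in the previous hunk so it looks deliberate, but a comment such as `# the helper inspects its caller's /proc entry` above each call would stop a later reader from swapping the arguments. The replacement of `attribute_role policykit_auth_roles` with `role $2 types policykit_auth_t;` is consistent with the role-attribute removal in the policykit.te hunk below. The summaries `## read policykit reload files` and `## rw policykit reload files` replace upstream's full sentences; `## Read policykit reload files.` and `## Read and write policykit reload files.` match the style of the rest of the file.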
+++ b/policykit.te -@@ -1,51 +1,67 @@ --policy_module(policykit, 1.2.0) +@@ -1,4 +1,4 @@ +-policy_module(policykit, 1.2.8) +policy_module(policykit, 1.1.0) ######################################## # - # Declarations - # +@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8) --type policykit_t alias polkit_t; --type policykit_exec_t alias polkit_exec_t; -+attribute policykit_domain; -+ -+type policykit_t, policykit_domain; -+type policykit_exec_t; - init_daemon_domain(policykit_t, policykit_exec_t) + attribute policykit_domain; --type policykit_auth_t alias polkit_auth_t; --type policykit_auth_exec_t alias polkit_auth_exec_t; -+type policykit_auth_t, policykit_domain; -+type policykit_auth_exec_t; +-attribute_role policykit_auth_roles; +-attribute_role policykit_grant_roles; +- + type policykit_t, policykit_domain; + type policykit_exec_t; + init_daemon_domain(policykit_t, policykit_exec_t) +@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t) + type policykit_auth_t, policykit_domain; + type policykit_auth_exec_t; init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) +-role policykit_auth_roles types policykit_auth_t; --type policykit_grant_t alias polkit_grant_t; --type policykit_grant_exec_t alias polkit_grant_exec_t; -+type policykit_grant_t, policykit_domain; -+type policykit_grant_exec_t; + type policykit_grant_t, policykit_domain; + type policykit_grant_exec_t; init_system_domain(policykit_grant_t, policykit_grant_exec_t) +-role policykit_grant_roles types policykit_grant_t; --type policykit_resolve_t alias polkit_resolve_t; --type policykit_resolve_exec_t alias polkit_resolve_exec_t; -+type policykit_resolve_t, policykit_domain; -+type policykit_resolve_exec_t; - init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) + type policykit_resolve_t, policykit_domain; + type policykit_resolve_exec_t; +@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t) - type policykit_reload_t alias polkit_reload_t; - files_type(policykit_reload_t) 
+ ####################################### + # +-# Common policykit domain local policy ++# policykit_domain local policy + # -+type policykit_tmp_t; -+files_tmp_file(policykit_tmp_t) -+ - type policykit_var_lib_t alias polkit_var_lib_t; - files_type(policykit_var_lib_t) + allow policykit_domain self:process { execmem getattr }; + allow policykit_domain self:fifo_file rw_fifo_file_perms; - type policykit_var_run_t alias polkit_var_run_t; - files_pid_file(policykit_var_run_t) +-kernel_search_proc(policykit_domain) +- +-corecmd_exec_bin(policykit_domain) +- + dev_read_sysfs(policykit_domain) -+####################################### -+# -+# policykit_domain local policy -+# -+ -+allow policykit_domain self:process { execmem getattr }; -+allow policykit_domain self:fifo_file rw_fifo_file_perms; -+ -+dev_read_sysfs(policykit_domain) -+ +-files_read_usr_files(policykit_domain) +- +-logging_send_syslog_msg(policykit_domain) +- +-miscfiles_read_localization(policykit_domain) +- ######################################## # - # policykit local policy +-# Local policy ++# policykit local policy # --allow policykit_t self:capability { setgid setuid }; --allow policykit_t self:process getattr; --allow policykit_t self:fifo_file rw_file_perms; -+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; -+allow policykit_t self:process { getsched setsched signal }; - allow policykit_t self:unix_dgram_socket create_socket_perms; --allow policykit_t self:unix_stream_socket create_stream_socket_perms; + allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; + allow policykit_t self:process { getsched setsched signal }; +-allow policykit_t self:unix_stream_socket { accept connectto listen }; ++allow policykit_t self:unix_dgram_socket create_socket_perms; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++policykit_domtrans_auth(policykit_t) ++ 
++can_exec(policykit_t, policykit_exec_t) ++corecmd_exec_bin(policykit_t) ++ ++dev_read_sysfs(policykit_t) - policykit_domtrans_auth(policykit_t) - - can_exec(policykit_t, policykit_exec_t) - corecmd_exec_bin(policykit_t) + rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) -+dev_read_sysfs(policykit_t) ++policykit_domtrans_resolve(policykit_t) + - rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) + manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - policykit_domtrans_resolve(policykit_t) -@@ -56,56 +72,115 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) + manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) -+kernel_read_system_state(policykit_t) - kernel_read_kernel_sysctls(policykit_t) +-can_exec(policykit_t, policykit_exec_t) +- +-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) +-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t) +- +-kernel_read_kernel_sysctls(policykit_t) + kernel_read_system_state(policykit_t) ++kernel_read_kernel_sysctls(policykit_t) --files_read_etc_files(policykit_t) -+domain_read_all_domains_state(policykit_t) -+ - files_read_usr_files(policykit_t) -+files_dontaudit_search_all_mountpoints(policykit_t) -+ -+fs_list_inotifyfs(policykit_t) + domain_read_all_domains_state(policykit_t) - auth_use_nsswitch(policykit_t) ++files_read_usr_files(policykit_t) + files_dontaudit_search_all_mountpoints(policykit_t) - logging_send_syslog_msg(policykit_t) + fs_list_inotifyfs(policykit_t) --miscfiles_read_localization(policykit_t) -- -+userdom_getattr_all_users(policykit_t) + auth_use_nsswitch(policykit_t) + ++logging_send_syslog_msg(policykit_t) ++ + userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) 
+userdom_dontaudit_search_admin_dir(policykit_t) -+ -+optional_policy(` -+ dbus_system_domain(policykit_t, policykit_exec_t) -+ + + optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + + init_dbus_chat(policykit_t) + -+ optional_policy(` -+ consolekit_dbus_chat(policykit_t) -+ ') -+ -+ optional_policy(` -+ rpm_dbus_chat(policykit_t) -+ ') -+') -+ -+optional_policy(` + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') +@@ -109,29 +105,43 @@ optional_policy(` + ') + + optional_policy(` + consolekit_list_pid_files(policykit_t) -+ consolekit_read_pid_files(policykit_t) -+') -+ -+optional_policy(` + consolekit_read_pid_files(policykit_t) + ') + + optional_policy(` +- gnome_read_generic_home_content(policykit_t) + kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0") + kerberos_manage_host_rcache(policykit_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- kerberos_manage_host_rcache(policykit_t) +- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0") + gnome_read_config(policykit_t) +') + 
@@ -47171,255 +50150,292 @@ index 44db896..946bfb5 100644 + systemd_read_logind_sessions_files(policykit_t) + systemd_login_list_pid_dirs(policykit_t) + systemd_login_read_pid_files(policykit_t) -+') + ') ######################################## # - # polkit_auth local policy +-# Auth local policy ++# polkit_auth local policy # --allow policykit_auth_t self:capability setgid; --allow policykit_auth_t self:process getattr; --allow policykit_auth_t self:fifo_file rw_file_perms; +-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; +allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid }; -+dontaudit policykit_auth_t self:capability sys_tty_config; + dontaudit policykit_auth_t self:capability sys_tty_config; +-allow policykit_auth_t self:process { getsched setsched signal }; +-allow policykit_auth_t self:unix_stream_socket { accept listen }; +allow policykit_auth_t self:process { setsched getsched signal }; + - allow policykit_auth_t self:unix_dgram_socket create_socket_perms; - allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; ++allow policykit_auth_t self:unix_dgram_socket create_socket_perms; ++allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; +-ps_process_pattern(policykit_auth_t, policykit_domain) +policykit_dbus_chat(policykit_auth_t) + +kernel_read_system_state(policykit_auth_t) + - can_exec(policykit_auth_t, policykit_auth_exec_t) --corecmd_search_bin(policykit_auth_t) ++can_exec(policykit_auth_t, policykit_auth_exec_t) +corecmd_exec_bin(policykit_auth_t) rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) -+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir }) -+ - manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t) - - 
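Review bot: `policy_module(policykit, 1.1.0)` sets the module version below the upstream `1.2.8` it replaces, and the polipo.te hunk further down does the same (`1.0.4` to `1.0.0`); the version does not gate loading, but a number that goes backwards makes `semodule -l` output useless for telling whether a system carries these changes, so a value above the upstream one is preferable. `dev_read_sysfs(policykit_t)` is redundant: `dev_read_sysfs(policykit_domain)` a few lines earlier already covers it because policykit_t carries the policykit_domain attribute. `miscfiles_read_localization(policykit_domain)` is removed from the shared block and, as far as this hunk shows, not re-added for any of the four domains; unless `auth_use_nsswitch` supplies it in this tree, the domains lose read access to locale data.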
manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,14 +155,12 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) +-can_exec(policykit_auth_t, policykit_auth_exec_t) +- -kernel_read_system_state(policykit_auth_t) -+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) + kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) --files_read_etc_files(policykit_auth_t) -+dev_read_video_dev(policykit_auth_t) -+ -+files_read_etc_runtime_files(policykit_auth_t) - files_read_usr_files(policykit_auth_t) -+files_search_home(policykit_auth_t) -+ -+fs_getattr_all_fs(policykit_auth_t) -+fs_search_tmpfs(policykit_auth_t) + dev_read_video_dev(policykit_auth_t) -+auth_rw_var_auth(policykit_auth_t) - auth_use_nsswitch(policykit_auth_t) -+auth_domtrans_chk_passwd(policykit_auth_t) + files_read_etc_runtime_files(policykit_auth_t) ++files_read_usr_files(policykit_auth_t) + files_search_home(policykit_auth_t) - logging_send_syslog_msg(policykit_auth_t) + fs_getattr_all_fs(policykit_auth_t) +@@ -162,48 +170,58 @@ auth_rw_var_auth(policykit_auth_t) + auth_use_nsswitch(policykit_auth_t) + auth_domtrans_chk_passwd(policykit_auth_t) --miscfiles_read_localization(policykit_auth_t) -+miscfiles_read_fonts(policykit_auth_t) -+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) ++logging_send_syslog_msg(policykit_auth_t) ++ + miscfiles_read_fonts(policykit_auth_t) + miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) optional_policy(` -- dbus_system_bus_client(policykit_auth_t) +- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t) +- dbus_all_session_bus_client(policykit_auth_t) + 
dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) - dbus_session_bus_client(policykit_auth_t) ++ dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +193,26 @@ optional_policy(` + consolekit_dbus_chat(policykit_auth_t) + ') +- +- optional_policy(` +- policykit_dbus_chat(policykit_auth_t) +- ') + ') + + optional_policy(` ++ kernel_search_proc(policykit_auth_t) hal_read_state(policykit_auth_t) ') -+optional_policy(` + optional_policy(` +- kerberos_manage_host_rcache(policykit_auth_t) +- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0") + kerberos_manage_host_rcache(policykit_auth_t) -+') -+ -+optional_policy(` -+ xserver_stream_connect(policykit_auth_t) + ') + + optional_policy(` + xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) -+ xserver_read_xdm_pid(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) + xserver_search_xdm_lib(policykit_auth_t) + xserver_create_xdm_tmp_sockets(policykit_auth_t) -+') -+ + ') + ######################################## # - # polkit_grant local policy +-# Grant local policy ++# polkit_grant local policy # allow policykit_grant_t self:capability setuid; --allow policykit_grant_t self:process getattr; --allow policykit_grant_t self:fifo_file rw_file_perms; + allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -142,22 +229,22 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +-ps_process_pattern(policykit_grant_t, policykit_domain) ++policykit_domtrans_auth(policykit_grant_t) ++ ++policykit_domtrans_resolve(policykit_grant_t) ++ ++can_exec(policykit_grant_t, policykit_grant_exec_t) ++corecmd_search_bin(policykit_grant_t) + + rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) + +@@ -211,23 +229,21 @@ 
manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) --files_read_etc_files(policykit_grant_t) - files_read_usr_files(policykit_grant_t) +-can_exec(policykit_grant_t, policykit_grant_exec_t) +- +-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t) +-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t) ++files_read_usr_files(policykit_grant_t) --auth_use_nsswitch(policykit_grant_t) auth_domtrans_chk_passwd(policykit_grant_t) -+auth_use_nsswitch(policykit_grant_t) - - logging_send_syslog_msg(policykit_grant_t) + auth_use_nsswitch(policykit_grant_t) --miscfiles_read_localization(policykit_grant_t) -- ++logging_send_syslog_msg(policykit_grant_t) ++ userdom_read_all_users_state(policykit_grant_t) optional_policy(` -- dbus_system_bus_client(policykit_grant_t) -+ cron_manage_system_job_lib_files(policykit_grant_t) -+') + cron_manage_system_job_lib_files(policykit_grant_t) + ') - optional_policy(` -+ dbus_system_bus_client(policykit_grant_t) +-optional_policy(` + optional_policy(` + dbus_system_bus_client(policykit_grant_t) +- + optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') - ') -@@ -167,9 +254,8 @@ optional_policy(` - # polkit_resolve local policy +@@ -235,26 +251,29 @@ optional_policy(` + + ######################################## + # +-# Resolve local policy ++# polkit_resolve local policy # --allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; --allow policykit_resolve_t self:process getattr; --allow policykit_resolve_t self:fifo_file rw_file_perms; -+allow policykit_resolve_t self:capability { setuid sys_nice }; + allow policykit_resolve_t self:capability { setuid sys_nice }; +-allow policykit_resolve_t self:unix_stream_socket { accept listen }; + +-ps_process_pattern(policykit_resolve_t, policykit_domain) ++allow policykit_resolve_t self:unix_dgram_socket 
create_socket_perms; ++allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; + - allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; - allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; ++policykit_domtrans_auth(policykit_resolve_t) -@@ -182,17 +268,12 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t - can_exec(policykit_resolve_t, policykit_resolve_exec_t) - corecmd_search_bin(policykit_resolve_t) + read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) --files_read_etc_files(policykit_resolve_t) - files_read_usr_files(policykit_resolve_t) + read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) --mcs_ptrace_all(policykit_resolve_t) + can_exec(policykit_resolve_t, policykit_resolve_exec_t) ++corecmd_search_bin(policykit_resolve_t) + +-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) - - auth_use_nsswitch(policykit_resolve_t) +-mcs_ptrace_all(policykit_resolve_t) ++files_read_usr_files(policykit_resolve_t) - logging_send_syslog_msg(policykit_resolve_t) + auth_use_nsswitch(policykit_resolve_t) --miscfiles_read_localization(policykit_resolve_t) -- ++logging_send_syslog_msg(policykit_resolve_t) ++ userdom_read_all_users_state(policykit_resolve_t) optional_policy(` +@@ -266,6 +285,7 @@ optional_policy(` + ') + + optional_policy(` ++ kernel_search_proc(policykit_resolve_t) + hal_read_state(policykit_resolve_t) + ') + diff --git a/polipo.fc b/polipo.fc -new file mode 100644 -index 0000000..11f77ee ---- /dev/null +index d35614b..11f77ee 100644 +--- a/polipo.fc 
+++ b/polipo.fc -@@ -0,0 +1,16 @@ -+HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0) -+HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0) -+ +@@ -1,15 +1,16 @@ +-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0) + HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0) + HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0) + +-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0) +/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0) -+ -+/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0) -+ + + /etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0) + +/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0) + -+/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0) -+ -+/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0) -+ -+/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0) -+ + /usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0) + + /var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0) + + /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0) + +-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0) +/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0) diff --git a/polipo.if b/polipo.if -new file mode 100644 -index 0000000..d00f6ba ---- /dev/null +index ae27bb7..d00f6ba 100644 +--- a/polipo.if 
+++ b/polipo.if -@@ -0,0 +1,219 @@ +@@ -1,8 +1,8 @@ +-## Lightweight forwarding and caching proxy server. +## Caching web proxy. -+ -+######################################## -+## + + ######################################## + ## +-## Role access for Polipo session. +## Role access for polipo session. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+## + ## + ## + ## +@@ -11,14 +11,13 @@ + ## + ## + ## +-## User domain for the role. +## Domain allowed access. -+## -+## -+# -+template(`polipo_role',` -+ gen_require(` + ## + ## + # + template(`polipo_role',` + gen_require(` +- type polipo_session_t, polipo_exec_t, polipo_config_home_t; +- type polipo_cache_home_t; + type polipo_session_t, polipo_exec_t; -+ ') -+ -+ ######################################## -+ # -+ # Declarations -+ # -+ -+ role $1 types polipo_session_t; -+ -+ ######################################## -+ # -+ # Policy -+ # -+ + ') + + ######################################## +@@ -33,15 +32,11 @@ template(`polipo_role',` + # Policy + # + +- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; +- +- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") +- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") +- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") +- +- allow $2 polipo_session_t:process { ptrace signal_perms }; + allow $2 polipo_session_t:process signal_perms; -+ ps_process_pattern($2, polipo_session_t) + ps_process_pattern($2, polipo_session_t) + tunable_policy(`deny_ptrace',`',` + allow $2 polipo_session_t:process ptrace; + ') -+ -+ tunable_policy(`polipo_session_users',` -+ domtrans_pattern($2, polipo_exec_t, polipo_session_t) -+ ',` -+ can_exec($2, polipo_exec_t) -+ ') -+') -+ -+######################################## -+## + + tunable_policy(`polipo_session_users',` + 
domtrans_pattern($2, polipo_exec_t, polipo_session_t) +@@ -52,57 +47,129 @@ template(`polipo_role',` + + ######################################## + ## +-## Execute Polipo in the Polipo +-## system domain. +## Create configuration files in user +## home directories with a named file +## type transition. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`polipo_initrc_domtrans',` +interface(`polipo_named_filetrans_config_home_files',` -+ gen_require(` + gen_require(` +- type polipo_initrc_exec_t; + type polipo_config_home_t; -+ ') -+ + ') + +- init_labeled_script_domtrans($1, polipo_initrc_exec_t) + userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") +') + @@ -47441,19 +50457,23 @@ index 0000000..d00f6ba + ') + + userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create specified objects in generic +-## log directories with the polipo +-## log file type. +## Create configuration files in admin +## home directories with a named file +## type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`polipo_named_filetrans_admin_config_home_files',` + gen_require(` @@ -47470,10 +50490,12 @@ index 0000000..d00f6ba +## type transition. +## +## -+## + ## +-## Class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`polipo_named_filetrans_admin_cache_home_dirs',` + gen_require(` 
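Review bot: `polipo_role` no longer grants `$2` manage/relabel access on `polipo_cache_home_t`/`polipo_config_home_t` or the home-directory name transitions for `.polipo` and `.polipo-cache`; those rules moved into the new `polipo_named_filetrans_*` interfaces, but nothing in this hunk calls them for the user domain, so unless a home-content mechanism elsewhere covers it a `~/.polipo` created by the user would not receive polipo_config_home_t. polipo.fc also switches `/etc/polipo(/.*)?` to `polipo_etc_t` and `/var/run/polipo(/.*)?` to `polipo_pid_t` where upstream uses `polipo_conf_t` and `polipo_var_run_t`, with no `typealias` visible for the old names; existing on-disk labels and third-party modules that reference the upstream names stop resolving unless the package relabel step covers them. Minor: `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` in the polkit_auth section has a stray space after the opening parenthesis.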
@@ -47489,16 +50511,19 @@ index 0000000..d00f6ba +## type transition. +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`polipo_log_filetrans_log',` +interface(`polipo_named_filetrans_log_files',` -+ gen_require(` -+ type polipo_log_t; -+ ') -+ + gen_require(` + type polipo_log_t; + ') + +- logging_log_filetrans($1, polipo_log_t, $2, $3) + logging_log_named_filetrans($1, polipo_log_t, file, "polipo") +') + 
@@ -47523,48 +50548,55 @@ index 0000000..d00f6ba + allow $1 polipo_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, polipo_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an polipo environment. +## Administrate an polipo environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`polipo_admin',` -+ gen_require(` + ## + ## + ## +@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',` + # + interface(`polipo_admin',` + gen_require(` +- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; +- type polipo_conf_t, polipo_log_t, polipo_var_run_t; + type polipo_t, polipo_pid_t, polipo_cache_t; + type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; + type polipo_unit_file_t; -+ ') -+ + ') + +- allow $1 polipo_system_t:process { ptrace signal_perms }; +- ps_process_pattern($1, polipo_system_t) + allow $1 polipo_t:process signal_perms; + ps_process_pattern($1, polipo_t) + tunable_policy(`deny_ptrace',`',` + allow $1 polipo_t:process ptrace; + ') -+ + +- polipo_initrc_domtrans($1) + init_labeled_script_domtrans($1, polipo_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 polipo_initrc_exec_t system_r; -+ allow $2 system_r; -+ + domain_system_change_exemption($1) + role_transition $2 polipo_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_var($1) +- admin_pattern($1, polipo_cache_t) +- +- files_search_etc($1) +- admin_pattern($1, polipo_conf_t) + files_list_etc($1) + admin_pattern($1, polipo_etc_t) -+ + +- logging_search_logs($1) + logging_list_logs($1) -+ admin_pattern($1, polipo_log_t) -+ + admin_pattern($1, polipo_log_t) + +- files_search_pids($1) +- admin_pattern($1, polipo_var_run_t) + files_list_var($1) + admin_pattern($1, polipo_cache_t) + 
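Review bot: the upstream interface `polipo_log_filetrans_log($1, $2, $3)` is replaced by `polipo_named_filetrans_log_files($1)`, which fixes the class to `file` and the name to `"polipo"`; any module built against the upstream interface now fails with an undefined-interface error instead of degrading. If the new name is the intended API, keeping the old interface beside it as a thin wrapper around `logging_log_filetrans($1, polipo_log_t, $2, $3)` preserves the contract at no cost. The fixed name is consistent with the `/var/log/polipo.*` entry in polipo.fc.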
@@ -47574,34 +50606,39 @@ index 0000000..d00f6ba + polipo_systemctl($1) + admin_pattern($1, polipo_unit_file_t) + allow $1 polipo_unit_file_t:service all_service_perms; -+') + ') diff --git a/polipo.te b/polipo.te -new file mode 100644 -index 0000000..a0b37ad ---- /dev/null +index 316d53a..a0b37ad 100644 +--- a/polipo.te +++ b/polipo.te -@@ -0,0 +1,159 @@ +@@ -1,4 +1,4 @@ +-policy_module(polipo, 1.0.4) +policy_module(polipo, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##
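Review bot: the interface whose tail opens this hunk (presumably `polipo_systemctl`; its header is outside the hunk) grants `ps_process_pattern($1, polipo_t)` in addition to the unit-file and service permissions; a systemctl-style interface does not obviously need the daemon's process state, so either drop it or add a comment above it stating why callers read polipo_t's /proc entries. In `polipo_admin`, the summary `## Administrate an polipo environment.` should read `## Administrate a polipo environment.`.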

    + + ######################################## + # +@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4) + + ## + ##

    +-## Determine whether Polipo system +-## daemon can access CIFS file systems. +## Determine whether polipo can +## access cifs file systems. -+##

    -+##
    + ##

    + ## +-gen_tunable(polipo_system_use_cifs, false) +gen_tunable(polipo_use_cifs, false) -+ -+## -+##

    + + ## + ##

    +-## Determine whether Polipo system +-## daemon can access NFS file systems. +## Determine whether Polipo can +## access nfs file systems. -+##

    -+##
    + ##

    + ## +-gen_tunable(polipo_system_use_nfs, false) +gen_tunable(polipo_use_nfs, false) + +## @@ -47611,65 +50648,84 @@ index 0000000..a0b37ad +##

    +##
    +gen_tunable(polipo_session_bind_all_unreserved_ports, false) -+ -+## -+##

    -+## Determine whether calling user domains -+## can execute Polipo daemon in the -+## polipo_session_t domain. -+##

    -+##
    -+gen_tunable(polipo_session_users, false) -+ -+## + + ## + ##

    +@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false) + gen_tunable(polipo_session_users, false) + + ## +-##

    +-## Determine whether Polipo session daemon +-## can send syslog messages. +-##

    +##

    +## Allow polipo to connect to all ports > 1023 +##

    -+##
    + ##
    +-gen_tunable(polipo_session_send_syslog_msg, false) +gen_tunable(polipo_connect_all_unreserved, false) -+ -+attribute polipo_daemon; -+ + + attribute polipo_daemon; + +-type polipo_system_t, polipo_daemon; +type polipo_t, polipo_daemon; -+type polipo_exec_t; + type polipo_exec_t; +-init_daemon_domain(polipo_system_t, polipo_exec_t) +init_daemon_domain(polipo_t, polipo_exec_t) -+ -+type polipo_initrc_exec_t; -+init_script_file(polipo_initrc_exec_t) -+ + + type polipo_initrc_exec_t; + init_script_file(polipo_initrc_exec_t) + +-type polipo_conf_t; +-files_config_file(polipo_conf_t) +type polipo_etc_t; +files_config_file(polipo_etc_t) -+ -+type polipo_cache_t; -+files_type(polipo_cache_t) -+ -+type polipo_log_t; -+logging_log_file(polipo_log_t) -+ + + type polipo_cache_t; + files_type(polipo_cache_t) +@@ -56,112 +63,97 @@ files_type(polipo_cache_t) + type polipo_log_t; + logging_log_file(polipo_log_t) + +-type polipo_var_run_t; +-files_pid_file(polipo_var_run_t) +type polipo_pid_t; +files_pid_file(polipo_pid_t) -+ -+type polipo_session_t, polipo_daemon; + + type polipo_session_t, polipo_daemon; +-userdom_user_application_domain(polipo_session_t, polipo_exec_t) +application_domain(polipo_session_t, polipo_exec_t) +ubac_constrained(polipo_session_t) + +type polipo_config_home_t; +userdom_user_home_content(polipo_config_home_t) -+ -+type polipo_cache_home_t; -+userdom_user_home_content(polipo_cache_home_t) -+ + + type polipo_cache_home_t; + userdom_user_home_content(polipo_cache_home_t) + +-type polipo_config_home_t; +-userdom_user_home_content(polipo_config_home_t) +type polipo_unit_file_t; +systemd_unit_file(polipo_unit_file_t) -+ -+######################################## -+# + + ######################################## + # +-# Session local policy +# Global local policy -+# -+ + # + +-allow polipo_session_t polipo_config_home_t:file read_file_perms; +- +-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) 
+-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) +-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") +- +-auth_use_nsswitch(polipo_session_t) +allow polipo_daemon self:fifo_file rw_fifo_file_perms; +allow polipo_daemon self:tcp_socket { listen accept }; -+ + +-userdom_use_user_terminals(polipo_session_t) +corenet_tcp_bind_generic_node(polipo_daemon) +corenet_tcp_sendrecv_generic_if(polipo_daemon) +corenet_tcp_sendrecv_generic_node(polipo_daemon) 
@@ -47677,300 +50733,146 @@ index 0000000..a0b37ad +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) -+ + +-tunable_policy(`polipo_session_send_syslog_msg',` +- logging_send_syslog_msg(polipo_session_t) +-') +files_read_usr_files(polipo_daemon) -+ + +-tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files(polipo_session_t) +-',` +- fs_dontaudit_read_nfs_files(polipo_session_t) +-') +fs_search_auto_mountpoints(polipo_daemon) -+ -+ -+######################################## -+# + +-tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files(polipo_session_t) +-',` +- fs_dontaudit_read_cifs_files(polipo_session_t) +-') + + ######################################## + # +-# System local policy +# Polipo local policy -+# -+ -+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) -+ -+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) -+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) -+files_var_filetrans(polipo_t, polipo_cache_t, dir) -+ -+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t) -+logging_log_filetrans(polipo_t, polipo_log_t, file) -+ -+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t) -+files_pid_filetrans(polipo_t, polipo_pid_t, file) -+ -+auth_use_nsswitch(polipo_t) -+ -+logging_send_syslog_msg(polipo_t) -+ -+optional_policy(` -+ cron_system_entry(polipo_t, polipo_exec_t) -+') -+ -+tunable_policy(`polipo_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(polipo_t) -+') -+ -+tunable_policy(`polipo_use_cifs',` -+ fs_manage_cifs_files(polipo_t) -+') -+ -+tunable_policy(`polipo_use_nfs',` -+ fs_manage_nfs_files(polipo_t) -+') -+ -+######################################## -+# -+# Polipo session local policy -+# -+ -+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) -+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) -+ 
-+auth_use_nsswitch(polipo_session_t) -+ -+userdom_use_user_terminals(polipo_session_t) -+ -+tunable_policy(`polipo_session_bind_all_unreserved_ports',` -+ corenet_tcp_sendrecv_all_ports(polipo_session_t) -+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t) -+') -+ -+logging_send_syslog_msg(polipo_session_t) -+ -+userdom_home_manager(polipo_session_t) -diff --git a/portage.fc b/portage.fc -index d9b2a90..5b0e6f8 100644 ---- a/portage.fc -+++ b/portage.fc -@@ -25,7 +25,7 @@ - /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) - /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) - /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) --/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) -+/var/log/emerge-fetch.log.* -- gen_context(system_u:object_r:portage_log_t,s0) - /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) - /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) - /var/lib/portage(/.*)? 
gen_context(system_u:object_r:portage_cache_t,s0) -diff --git a/portage.if b/portage.if -index 08ac5af..9c4aa3c 100644 ---- a/portage.if -+++ b/portage.if -@@ -43,11 +43,15 @@ interface(`portage_domtrans',` - # - interface(`portage_run',` - gen_require(` -- attribute_role portage_roles; -+ type portage_t, portage_fetch_t, portage_sandbox_t; -+ #attribute_role portage_roles; - ') + # -- portage_domtrans($1) -- roleattribute $2 portage_roles; -+ #portage_domtrans($1) -+ #roleattribute $2 portage_roles; -+ portage_domtrans($1) -+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }; -+ - ') +-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t) ++read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) - ######################################## -@@ -139,7 +143,6 @@ interface(`portage_compile_domain',` - # really shouldnt need this but some packages test - # network access, such as during configure - # also distcc--need to reinvestigate confining distcc client -- corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) -diff --git a/portage.te b/portage.te -index 630f16f..64fb1f5 100644 ---- a/portage.te -+++ b/portage.te -@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0) - ## - gen_tunable(portage_use_nfs, false) - --attribute_role portage_roles; -+#attribute_role portage_roles; - - type gcc_config_t; - type gcc_config_exec_t; -@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) - domain_obj_id_change_exemption(portage_t) - rsync_entry_type(portage_t) - corecmd_shell_entry_type(portage_t) --role portage_roles types portage_t; -+#role portage_roles types portage_t; -+role system_r types portage_t; - - # portage compile sandbox domain - type portage_sandbox_t; -@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) - # the shell is the entrypoint if regular sandbox is disabled - # portage_exec_t is the entrypoint if regular sandbox 
is enabled - corecmd_shell_entry_type(portage_sandbox_t) --role portage_roles types portage_sandbox_t; -+#role portage_roles types portage_sandbox_t; -+role system_r types portage_sandbox_t; - - # portage package fetching domain - type portage_fetch_t; -@@ -41,7 +43,8 @@ type portage_fetch_exec_t; - application_domain(portage_fetch_t, portage_fetch_exec_t) - corecmd_shell_entry_type(portage_fetch_t) - rsync_entry_type(portage_fetch_t) --role portage_roles types portage_fetch_t; -+#role portage_roles types portage_fetch_t; -+role system_r types portage_fetch_t; - - type portage_devpts_t; - term_pty(portage_devpts_t) -@@ -56,7 +59,7 @@ type portage_db_t; - files_type(portage_db_t) - - type portage_conf_t; --files_type(portage_conf_t) -+files_config_file(portage_conf_t) - - type portage_cache_t; - files_type(portage_cache_t) -@@ -115,18 +118,19 @@ files_list_all(gcc_config_t) - init_dontaudit_read_script_status_files(gcc_config_t) - - libs_read_lib_files(gcc_config_t) --libs_run_ldconfig(gcc_config_t, portage_roles) -+#libs_run_ldconfig(gcc_config_t, portage_roles) -+libs_domtrans_ldconfig(gcc_config_t) - libs_manage_shared_libs(gcc_config_t) - # gcc-config creates a temp dir for the libs - libs_manage_lib_dirs(gcc_config_t) - - logging_send_syslog_msg(gcc_config_t) - --miscfiles_read_localization(gcc_config_t) -+userdom_use_inherited_user_terminals(gcc_config_t) - --userdom_use_user_terminals(gcc_config_t) -- --consoletype_exec(gcc_config_t) -+optional_policy(` -+ consoletype_exec(gcc_config_t) -+') +-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) +-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) +-files_var_filetrans(polipo_system_t, polipo_cache_t, dir) ++manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++files_var_filetrans(polipo_t, polipo_cache_t, dir) - ifdef(`distro_gentoo',` - init_exec_rc(gcc_config_t) -@@ -198,33 +202,41 @@ 
auth_manage_shadow(portage_t) - init_exec(portage_t) - - # run setfiles -r --seutil_run_setfiles(portage_t, portage_roles) -+#seutil_run_setfiles(portage_t, portage_roles) - # run semodule --seutil_run_semanage(portage_t, portage_roles) -+#seutil_run_semanage(portage_t, portage_roles) - --portage_run_gcc_config(portage_t, portage_roles) -+#portage_run_gcc_config(portage_t, portage_roles) - # if sesandbox is disabled, compiling is performed in this domain - portage_compile_domain(portage_t) +-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) +-logging_log_filetrans(polipo_system_t, polipo_log_t, file) ++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t) ++logging_log_filetrans(polipo_t, polipo_log_t, file) --optional_policy(` -- bootloader_run(portage_t, portage_roles) --') -+#optional_policy(` -+# bootloader_run(portage_t, portage_roles) -+#') +-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t) +-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file) ++manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t) ++files_pid_filetrans(polipo_t, polipo_pid_t, file) + +-auth_use_nsswitch(polipo_system_t) ++auth_use_nsswitch(polipo_t) + +-logging_send_syslog_msg(polipo_system_t) ++logging_send_syslog_msg(polipo_t) optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) +- cron_system_entry(polipo_system_t, polipo_exec_t) ++ cron_system_entry(polipo_t, polipo_exec_t) ') --optional_policy(` -- modutils_run_depmod(portage_t, portage_roles) -- modutils_run_update_mods(portage_t, portage_roles) -+#optional_policy(` -+# modutils_run_depmod(portage_t, portage_roles) -+# modutils_run_update_mods(portage_t, portage_roles) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; 
+-tunable_policy(`polipo_system_use_cifs',` +- fs_manage_cifs_files(polipo_system_t) +-',` +- fs_dontaudit_read_cifs_files(polipo_system_t) ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) ') --optional_policy(` -- usermanage_run_groupadd(portage_t, portage_roles) -- usermanage_run_useradd(portage_t, portage_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(portage_t, portage_roles) -+# usermanage_run_useradd(portage_t, portage_roles) -+#') +-tunable_policy(`polipo_system_use_nfs',` +- fs_manage_nfs_files(polipo_system_t) +-',` +- fs_dontaudit_read_nfs_files(polipo_system_t) ++tunable_policy(`polipo_use_cifs',` ++ fs_manage_cifs_files(polipo_t) ++') + -+seutil_domtrans_setfiles(portage_t) -+seutil_domtrans_semanage(portage_t) -+bootloader_domtrans(portage_t) -+modutils_domtrans_depmod(portage_t) -+modutils_domtrans_update_mods(portage_t) -+usermanage_domtrans_groupadd(portage_t) -+usermanage_domtrans_useradd(portage_t) - - ifdef(`TODO',` - # seems to work ok without these -@@ -271,7 +283,6 @@ kernel_read_kernel_sysctls(portage_fetch_t) - corecmd_exec_bin(portage_fetch_t) - corecmd_exec_shell(portage_fetch_t) ++tunable_policy(`polipo_use_nfs',` ++ fs_manage_nfs_files(polipo_t) + ') --corenet_all_recvfrom_unlabeled(portage_fetch_t) - corenet_all_recvfrom_netlabel(portage_fetch_t) - corenet_tcp_sendrecv_generic_if(portage_fetch_t) - corenet_tcp_sendrecv_generic_node(portage_fetch_t) -@@ -303,16 +314,13 @@ logging_dontaudit_search_logs(portage_fetch_t) + ######################################## + # +-# Polipo global local policy ++# Polipo session local policy + # - term_search_ptys(portage_fetch_t) +-allow polipo_daemon self:fifo_file rw_fifo_file_perms; +-allow polipo_daemon self:tcp_socket { listen accept }; +- +-corenet_all_recvfrom_unlabeled(polipo_daemon) +-corenet_all_recvfrom_netlabel(polipo_daemon) +-corenet_tcp_sendrecv_generic_if(polipo_daemon) 
+-corenet_tcp_sendrecv_generic_node(polipo_daemon) +-corenet_tcp_bind_generic_node(polipo_daemon) ++read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) ++manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) --miscfiles_read_localization(portage_fetch_t) +-corenet_sendrecv_http_client_packets(polipo_daemon) +-corenet_tcp_sendrecv_http_port(polipo_daemon) +-corenet_tcp_connect_http_port(polipo_daemon) ++auth_use_nsswitch(polipo_session_t) - sysnet_read_config(portage_fetch_t) - sysnet_dns_name_resolve(portage_fetch_t) +-corenet_sendrecv_http_cache_server_packets(polipo_daemon) +-corenet_tcp_sendrecv_http_cache_port(polipo_daemon) +-corenet_tcp_bind_http_cache_port(polipo_daemon) ++userdom_use_user_terminals(polipo_session_t) --userdom_use_user_terminals(portage_fetch_t) -+userdom_use_inherited_user_terminals(portage_fetch_t) - userdom_dontaudit_read_user_home_content_files(portage_fetch_t) +-files_read_usr_files(polipo_daemon) ++tunable_policy(`polipo_session_bind_all_unreserved_ports',` ++ corenet_tcp_sendrecv_all_ports(polipo_session_t) ++ corenet_tcp_bind_all_unreserved_ports(polipo_session_t) ++') --rsync_exec(portage_fetch_t) -- - ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; - ') -@@ -328,6 +336,10 @@ optional_policy(` - gpg_exec(portage_fetch_t) - ') +-fs_search_auto_mountpoints(polipo_daemon) ++logging_send_syslog_msg(polipo_session_t) -+optional_policy(` -+ rsync_exec(portage_fetch_t) -+') -+ - ########################################## - # - # Portage sandbox domain +-miscfiles_read_localization(polipo_daemon) ++userdom_home_manager(polipo_session_t) diff --git a/portmap.fc b/portmap.fc -index 3cdcd9f..2061efe 100644 +index cd45831..69406ee 100644 --- a/portmap.fc 
+++ b/portmap.fc -@@ -1,6 +1,8 @@ +@@ -4,9 +4,14 @@ + /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) ++ifdef(`distro_debian',` ++/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) ++/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) ++', ` + /usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) ++') -+/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) -+ - ifdef(`distro_debian',` - /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) - /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) + /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) + /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/portmap.te b/portmap.te -index c1db652..66590bd 100644 +index 738c13b..04a202e 100644 --- a/portmap.te +++ b/portmap.te -@@ -43,7 +43,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) +@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) kernel_read_system_state(portmap_t) kernel_read_kernel_sysctls(portmap_t) 
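Review bot: The new polipo.te side replaces upstream's append/create/setattr rules on `polipo_log_t` with `manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)`, which additionally grants write, unlink and rename on the daemon's own logs, so a compromised `polipo_t` can truncate or delete its audit trail; I would keep the narrower set, `append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)`, `create_files_pattern(polipo_t, polipo_log_t, polipo_log_t)`, `setattr_files_pattern(polipo_t, polipo_log_t, polipo_log_t)`, next to the unchanged `logging_log_filetrans`. The same hunk drops the `use_nfs_home_dirs`/`use_samba_home_dirs` blocks that gave `polipo_session_t` read-only NFS/CIFS access and adds `userdom_home_manager(polipo_session_t)` in their place; its definition is not visible here, but if it grants manage rights over user home content as the name suggests, that is a widening for a per-user proxy and deserves a one-line comment saying why the session domain needs it. The two new tunables `polipo_connect_all_unreserved` and `polipo_session_bind_all_unreserved_ports` are only exercised here; the `gen_tunable` for the second is outside this hunk, so its default could not be checked.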
@@ -47978,21 +50880,20 @@ index c1db652..66590bd 100644 corenet_all_recvfrom_netlabel(portmap_t) corenet_tcp_sendrecv_generic_if(portmap_t) corenet_udp_sendrecv_generic_if(portmap_t) -@@ -73,12 +72,10 @@ fs_search_auto_mountpoints(portmap_t) +@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t) domain_use_interactive_fds(portmap_t) --files_read_etc_files(portmap_t) +auth_use_nsswitch(portmap_t) - ++ logging_send_syslog_msg(portmap_t) -miscfiles_read_localization(portmap_t) -- - sysnet_read_config(portmap_t) ++sysnet_read_config(portmap_t) userdom_dontaudit_use_unpriv_user_fds(portmap_t) -@@ -113,7 +110,6 @@ allow portmap_helper_t self:udp_socket create_socket_perms; + userdom_dontaudit_search_user_home_dirs(portmap_t) +@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen }; allow portmap_helper_t portmap_var_run_t:file manage_file_perms; files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) @@ -48000,45 +50901,32 @@ index c1db652..66590bd 100644 corenet_all_recvfrom_netlabel(portmap_helper_t) corenet_tcp_sendrecv_generic_if(portmap_helper_t) corenet_udp_sendrecv_generic_if(portmap_helper_t) -@@ -133,7 +129,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t) - - domain_dontaudit_use_interactive_fds(portmap_helper_t) - --files_read_etc_files(portmap_helper_t) - files_rw_generic_pids(portmap_helper_t) +@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t) - init_rw_utmp(portmap_helper_t) -@@ -142,7 +137,7 @@ logging_send_syslog_msg(portmap_helper_t) - - sysnet_read_config(portmap_helper_t) + logging_send_syslog_msg(portmap_helper_t) -userdom_use_user_terminals(portmap_helper_t) ++sysnet_read_config(portmap_helper_t) ++ +userdom_use_inherited_user_terminals(portmap_helper_t) userdom_dontaudit_use_all_users_fds(portmap_helper_t) - - optional_policy(` diff --git a/portreserve.fc b/portreserve.fc -index 4313a6f..cc334a3 100644 +index 1b2b4f9..575b7d6 100644 --- a/portreserve.fc 
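Review bot: `sysnet_read_config(portmap_t)` is added as a new line just below `auth_use_nsswitch(portmap_t)`, while the old patch carried the same call as an unchanged upstream line, so upstream has since removed it, most likely because `auth_use_nsswitch` already pulls in the name-resolution rules that read the sysnet config. If so the explicit call is redundant and dropping it keeps the Fedora delta against upstream smaller; the definition of `auth_use_nsswitch` is not visible here, so confirm before removing. `sysnet_read_config(portmap_helper_t)` is added the same way in the following hunk and the same check applies there.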
+++ b/portreserve.fc -@@ -1,7 +1,10 @@ --/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) +@@ -1,6 +1,6 @@ + /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) -+ -+/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) + /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -+/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -+ - /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/portreserve.if b/portreserve.if -index 7719d16..d283895 100644 +index 5ad5291..7f1ae2a 100644 --- a/portreserve.if +++ b/portreserve.if -@@ -104,8 +104,11 @@ interface(`portreserve_admin',` +@@ -105,8 +105,11 @@ interface(`portreserve_admin',` type portreserve_initrc_exec_t; ') @@ -48052,31 +50940,22 @@ index 7719d16..d283895 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 152af92..d67fea5 100644 +index a38b57a..614785d 100644 --- a/portreserve.te 
+++ b/portreserve.te -@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t; - init_script_file(portreserve_initrc_exec_t) - - type portreserve_etc_t; --files_type(portreserve_etc_t) -+files_config_file(portreserve_etc_t) - - type portreserve_var_run_t; - files_pid_file(portreserve_var_run_t) -@@ -42,7 +42,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } +@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } corecmd_getattr_bin_files(portreserve_t) -corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) - corenet_tcp_bind_generic_node(portreserve_t) - corenet_udp_bind_generic_node(portreserve_t) + corenet_tcp_sendrecv_generic_if(portreserve_t) + corenet_udp_sendrecv_generic_if(portreserve_t) diff --git a/portslave.te b/portslave.te -index 69c331e..528f2d8 100644 +index e85e33d..a7d7c55 100644 --- a/portslave.te +++ b/portslave.te -@@ -54,7 +54,6 @@ kernel_read_kernel_sysctls(portslave_t) +@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) corecmd_exec_bin(portslave_t) corecmd_exec_shell(portslave_t) @@ -48084,7 +50963,7 @@ index 69c331e..528f2d8 100644 corenet_all_recvfrom_netlabel(portslave_t) corenet_tcp_sendrecv_generic_if(portslave_t) corenet_udp_sendrecv_generic_if(portslave_t) -@@ -79,7 +78,7 @@ fs_getattr_xattr_fs(portslave_t) +@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t) term_use_unallocated_ttys(portslave_t) term_setattr_unallocated_ttys(portslave_t) @@ -48092,23 +50971,45 @@ index 69c331e..528f2d8 100644 +term_use_all_inherited_ttys(portslave_t) term_search_ptys(portslave_t) - auth_rw_login_records(portslave_t) + auth_domtrans_chk_passwd(portslave_t) diff --git a/postfix.fc b/postfix.fc -index 1ddfa16..c0e0959 100644 +index c0e8785..c0e0959 100644 --- a/postfix.fc 
+++ b/postfix.fc -@@ -1,5 +1,6 @@ - # postfix --/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) +@@ -1,38 +1,38 @@ +-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) +-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) +- +-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) +- ++# postfix +/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) +/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) - ifdef(`distro_redhat', ` - /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) - /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -@@ -22,16 +23,17 @@ ifdef(`distro_redhat', ` ++ifdef(`distro_redhat', ` ++/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) ++/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) ++/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) ++/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) ++/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) ++/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) ++/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) ++/usr/libexec/postfix/pipe -- 
gen_context(system_u:object_r:postfix_pipe_exec_t,s0) ++/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ++', ` + /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) ++/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) + /usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) /usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) - /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) ++/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) /usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) 
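Review bot: `/etc/postfix.*` in the reorganised postfix.fc is unanchored, so it labels not only `/etc/postfix` and its subtree but any path that merely begins with `/etc/postfix`, including unrelated siblings; the other entries in this file use `(/.*)?` for exactly this reason, and the same `.*` form recurs further down for the `/var/lib` and `/var/spool` entries. If the prefix match is deliberate, for instance to catch `.rpmnew`/`.rpmsave` copies of the directory, a one-line comment above the entry such as `# deliberately unanchored: also covers /etc/postfix.rpmnew and similar copies` would spare the next reader the guess. The inner hunk also removes and re-adds several `/usr/lib/postfix/...` entries with identical text, which reads as whitespace-only churn in the patch.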
@@ -48116,132 +51017,207 @@ index 1ddfa16..c0e0959 100644 /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) - ') - /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) - /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) -+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +- +-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) +-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) +-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) +-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +- ++') ++/etc/postfix/postfix-script.* -- 
gen_context(system_u:object_r:postfix_exec_t,s0) ++/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) + /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) - /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -42,9 +44,11 @@ ifdef(`distro_redhat', ` +@@ -44,14 +44,14 @@ /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0) +-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) +/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) --/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) +-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) +-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) +-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) - /var/spool/postfix/maildrop(/.*)? 
gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) - /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) - /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) ++/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) ++/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) ++/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) ++/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) ++/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) + /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index 46bee12..20a3ccd 100644 +index 2e23946..41da729 100644 --- a/postfix.if 
+++ b/postfix.if -@@ -28,75 +28,23 @@ interface(`postfix_stub',` +@@ -1,4 +1,4 @@ +-## Postfix email server. ++## Postfix email server + + ######################################## + ## +@@ -16,13 +16,14 @@ interface(`postfix_stub',` + ') + ') + +-####################################### ++######################################## + ## +-## The template to define a postfix domain. ++## Creates types and rules for a basic ++## postfix process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## ## # - template(`postfix_domain_template',` -- type postfix_$1_t; -+ gen_require(` -+ attribute postfix_domain; -+ ') -+ -+ type postfix_$1_t, postfix_domain; +@@ -31,73 +32,69 @@ template(`postfix_domain_template',` + attribute postfix_domain; + ') + +- ######################################## +- # +- # Declarations +- # +- + type postfix_$1_t, postfix_domain; type postfix_$1_exec_t; domain_type(postfix_$1_t) domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; -- dontaudit postfix_$1_t self:capability sys_tty_config; -- allow postfix_$1_t self:process { signal_perms setpgid }; -- allow postfix_$1_t self:unix_dgram_socket create_socket_perms; -- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; -- allow postfix_$1_t self:unix_stream_socket connectto; -- -- allow postfix_master_t postfix_$1_t:process signal; -- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 -- allow postfix_$1_t postfix_master_t:file read; -- -- allow postfix_$1_t postfix_etc_t:dir list_dir_perms; -- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) -- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) +- ######################################## +- # +- # Policy +- # - - can_exec(postfix_$1_t, postfix_$1_exec_t) -- -- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl }; -- -- allow postfix_$1_t postfix_master_t:process sigchld; -- -- allow postfix_$1_t 
postfix_spool_t:dir list_dir_perms; -- -- allow postfix_$1_t postfix_var_run_t:file manage_file_perms; -- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) -- - kernel_read_system_state(postfix_$1_t) -- kernel_read_network_state(postfix_$1_t) -- kernel_read_all_sysctls(postfix_$1_t) -- -- dev_read_sysfs(postfix_$1_t) -- dev_read_rand(postfix_$1_t) -- dev_read_urand(postfix_$1_t) -- -- fs_search_auto_mountpoints(postfix_$1_t) -- fs_getattr_xattr_fs(postfix_$1_t) -- fs_rw_anon_inodefs_files(postfix_$1_t) -- -- term_dontaudit_use_console(postfix_$1_t) -- -- corecmd_exec_shell(postfix_$1_t) -- -- files_read_etc_files(postfix_$1_t) -- files_read_etc_runtime_files(postfix_$1_t) -- files_read_usr_symlinks(postfix_$1_t) -- files_search_spool(postfix_$1_t) -- files_getattr_tmp_dirs(postfix_$1_t) -- files_search_all_mountpoints(postfix_$1_t) -- -- init_dontaudit_use_fds(postfix_$1_t) -- init_sigchld(postfix_$1_t) ++ kernel_read_system_state(postfix_$1_t) auth_use_nsswitch(postfix_$1_t) ++ ++ logging_send_syslog_msg(postfix_$1_t) ++ ++ can_exec(postfix_$1_t, postfix_$1_exec_t) + ') - logging_send_syslog_msg(postfix_$1_t) - -- miscfiles_read_localization(postfix_$1_t) -- miscfiles_read_generic_certs(postfix_$1_t) +-####################################### ++######################################## + ## +-## The template to define a postfix server domain. ++## Creates a postfix server process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix of the domain. 
+ ## + ## + # + template(`postfix_server_domain_template',` +- gen_require(` +- attribute postfix_server_domain, postfix_server_tmp_content; +- ') - -- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) +- ######################################## +- # +- # Declarations +- # - -- optional_policy(` -- udev_read_db(postfix_$1_t) -- ') -+ can_exec(postfix_$1_t, postfix_$1_exec_t) - ') + postfix_domain_template($1) - ######################################## -@@ -115,7 +63,7 @@ template(`postfix_server_domain_template',` - type postfix_$1_tmp_t; +- typeattribute postfix_$1_t postfix_server_domain; +- +- type postfix_$1_tmp_t, postfix_server_tmp_content; ++ type postfix_$1_tmp_t; files_tmp_file(postfix_$1_tmp_t) -- allow postfix_$1_t self:capability { setuid setgid dac_override }; +- ######################################## +- # +- # Declarations +- # + allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; - allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; - allow postfix_$1_t self:tcp_socket create_socket_perms; - allow postfix_$1_t self:udp_socket create_socket_perms; -@@ -126,7 +74,6 @@ template(`postfix_server_domain_template',` ++ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; ++ allow postfix_$1_t self:tcp_socket create_socket_perms; ++ allow postfix_$1_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) ++ ++ corenet_all_recvfrom_netlabel(postfix_$1_t) ++ corenet_tcp_sendrecv_generic_if(postfix_$1_t) ++ corenet_udp_sendrecv_generic_if(postfix_$1_t) ++ corenet_tcp_sendrecv_generic_node(postfix_$1_t) ++ corenet_udp_sendrecv_generic_node(postfix_$1_t) ++ 
corenet_tcp_sendrecv_all_ports(postfix_$1_t) ++ corenet_udp_sendrecv_all_ports(postfix_$1_t) ++ corenet_tcp_bind_generic_node(postfix_$1_t) ++ corenet_udp_bind_generic_node(postfix_$1_t) ++ corenet_tcp_connect_all_ports(postfix_$1_t) ++ corenet_sendrecv_all_client_packets(postfix_$1_t) + ') + +-####################################### ++######################################## + ## +-## The template to define a postfix user domain. ++## Creates a process domain for programs ++## that are ran by users. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix of the domain. + ## + ## + # +@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',` + attribute postfix_user_domains, postfix_user_domtrans; + ') + +- ######################################## +- # +- # Declarations +- # +- + postfix_domain_template($1) + + typeattribute postfix_$1_t postfix_user_domains; + +- ######################################## +- # +- # Policy +- # +- + allow postfix_$1_t self:capability dac_override; -- corenet_all_recvfrom_unlabeled(postfix_$1_t) - corenet_all_recvfrom_netlabel(postfix_$1_t) - corenet_tcp_sendrecv_generic_if(postfix_$1_t) - corenet_udp_sendrecv_generic_if(postfix_$1_t) -@@ -165,6 +112,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) 
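Review bot: `corenet_tcp_connect_all_ports(postfix_$1_t)` and `corenet_sendrecv_all_client_packets(postfix_$1_t)` are added to `postfix_server_domain_template`, so every domain instantiated from it, including the network-facing `postfix_smtpd_t` whose executable is labelled in postfix.fc above, gains outbound connect to every TCP port; the new patch has to add these lines with `+`, which means upstream no longer keeps them in the template, and where upstream put them instead is outside this hunk. Only the domains that actually dial out (smtp/lmtp delivery) need connect-anywhere, so I would leave the template with the sendrecv and bind rules and move the connect rule into the client domain's own block, e.g. `corenet_tcp_connect_all_ports(postfix_smtp_t)`, or at least gate it behind a tunable with a comment. The template's body continues past this hunk.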
@@ -48250,99 +51226,189 @@ index 46bee12..20a3ccd 100644 ') ######################################## -@@ -208,6 +157,11 @@ interface(`postfix_read_config',` - ## The object class of the object being created. - ## - ## -+## -+## -+## The name of the object being created. -+## -+## - # - interface(`postfix_config_filetrans',` - gen_require(` -@@ -215,7 +169,7 @@ interface(`postfix_config_filetrans',` + ## +-## Read postfix configuration content. ++## Read postfix configuration files. + ## + ## + ## +@@ -143,16 +132,15 @@ interface(`postfix_read_config',` + type postfix_etc_t; ') ++ read_files_pattern($1, postfix_etc_t, postfix_etc_t) ++ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) files_search_etc($1) -- filetrans_pattern($1, postfix_etc_t, $2, $3) -+ filetrans_pattern($1, postfix_etc_t, $2, $3, $4) +- allow $1 postfix_etc_t:dir list_dir_perms; +- allow $1 postfix_etc_t:file read_file_perms; +- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Create specified object in postfix +-## etc directories with a type transition. ++## Create files with the specified type in ++## the postfix configuration directories. + ## + ## + ## +@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` + type postfix_etc_t; + ') + ++ files_search_etc($1) + filetrans_pattern($1, postfix_etc_t, $2, $3, $4) ') +@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` + ######################################## -@@ -257,6 +211,25 @@ interface(`postfix_rw_local_pipes',` + ## +-## Read and write postfix local pipes. ++## Allow read/write postfix local pipes ++## TCP sockets. + ## + ## + ## +@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') +-######################################## +####################################### -+## + ## +-## Read postfix local process state files. +## Allow read/write postfix public pipes +## TCP sockets. 
-+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`postfix_read_local_state',` +- gen_require(` +- type postfix_local_t; +- ') +interface(`postfix_rw_public_pipes',` + gen_require(` + type postfix_public_t; + ') -+ + +- kernel_search_proc($1) +- allow $1 postfix_local_t:dir list_dir_perms; +- allow $1 postfix_local_t:file read_file_perms; +- allow $1 postfix_local_t:lnk_file read_lnk_file_perms; + allow $1 postfix_public_t:fifo_file rw_fifo_file_perms; -+') -+ + ') + ######################################## ## - ## Allow domain to read postfix local process state -@@ -272,7 +245,8 @@ interface(`postfix_read_local_state',` - type postfix_local_t; +-## Read and write inherited postfix master pipes. ++## Allow domain to read postfix local process state + ## + ## + ## +@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',` + ## + ## + # +-interface(`postfix_rw_inherited_master_pipes',` ++interface(`postfix_read_local_state',` + gen_require(` +- type postfix_master_t; ++ type postfix_local_t; ') -- read_files_pattern($1, postfix_local_t, postfix_local_t) +- allow $1 postfix_master_t:fd use; +- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; + kernel_search_proc($1) + ps_process_pattern($1, postfix_local_t) ') ######################################## -@@ -290,7 +264,27 @@ interface(`postfix_read_master_state',` - type postfix_master_t; + ## +-## Read postfix master process state files. 
++## Allow domain to read postfix master process state + ## + ## + ## +@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` ') -- read_files_pattern($1, postfix_master_t, postfix_master_t) -+ kernel_search_proc($1) + kernel_search_proc($1) +- allow $1 postfix_master_t:dir list_dir_perms; +- allow $1 postfix_master_t:file read_file_perms; +- allow $1 postfix_master_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, postfix_master_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Use postfix master file descriptors. +## Use postfix master process file +## file descriptors. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_use_fds_master',` -+ gen_require(` -+ type postfix_master_t; -+ ') -+ -+ allow $1 postfix_master_t:fd use; + ## + ## + ## +@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` + type postfix_map_t, postfix_map_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) + ') + + ######################################## + ## +-## Execute postfix map in the postfix +-## map domain, and allow the specified +-## role the postfix_map domain. ++## Execute postfix_map in the postfix_map domain, and ++## allow the specified role the postfix_map domain. + ## + ## + ## +@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` + # + interface(`postfix_run_map',` + gen_require(` +- attribute_role postfix_map_roles; ++ type postfix_map_t; + ') + + postfix_domtrans_map($1) +- roleattribute $2 postfix_map_roles; ++ role $2 types postfix_map_t; ') ######################################## -@@ -376,6 +370,25 @@ interface(`postfix_domtrans_master',` + ## +-## Execute the master postfix program +-## in the postfix_master domain. ++## Execute the master postfix program in the ++## postfix_master domain. 
+ ## + ## + ## +@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',` + type postfix_master_t, postfix_master_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') + -+######################################## -+## + ######################################## + ## +-## Execute the master postfix program +-## in the caller domain. +## Execute the master postfix in the postfix master domain. +## +## @@ -48359,10 +51425,29 @@ index 46bee12..20a3ccd 100644 + init_labeled_script_domtrans($1, postfix_initrc_exec_t) +') + - ######################################## ++######################################## ++## ++## Execute the master postfix program in the ++## caller domain. + ## + ## + ## +@@ -402,21 +405,18 @@ interface(`postfix_exec_master',` + type postfix_master_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, postfix_master_exec_t) + ') + + ####################################### ## - ## Execute the master postfix program in the -@@ -404,7 +417,6 @@ interface(`postfix_exec_master',` +-## Connect to postfix master process +-## using a unix domain stream socket. ++## Connect to postfix master process using a unix domain stream socket. + ## + ## + ## ## Domain allowed access. ## ## 
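Review bot: The summary that heads the new `postfix_initrc_domtrans` interface, `## Execute the master postfix in the postfix master domain.`, repeats the wording of `postfix_domtrans_master` instead of describing the interface; its body, `init_labeled_script_domtrans($1, postfix_initrc_exec_t)`, begins in the following hunk and transitions the caller into the init script domain, not into postfix_master_t. Suggest `## Execute postfix init scripts in the initrc domain.` so readers grepping the .if for the script transition find it. The domain parameter text below it can stay as written.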
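Review bot: `postfix_exec_master` now strips upstream's `corecmd_search_bin($1)` (the inner `-` line just before `can_exec($1, postfix_master_exec_t)`), as the other postfix_domtrans_* interfaces in this patch do; a caller that does not already hold search on bin_t directories will then be stopped at the path lookup rather than at the exec, which is a harder denial to read. If this is deliberate because Fedora callers obtain that access elsewhere, a short comment such as `# callers are expected to search bin_t directories themselves` next to the `can_exec` would save the next reader a hunt; otherwise keep upstream's `corecmd_search_bin($1)` line.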
@@ -48370,52 +51455,87 @@ index 46bee12..20a3ccd 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +428,24 @@ interface(`postfix_stream_connect_master',` +@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',` ######################################## ## +-## Read and write postfix master +-## unnamed pipes. (Deprecated) +## Allow read/write postfix master pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_rw_master_pipes',` + ## + ## + ## +@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',` + ## + ## + # +-interface(`postfix_rw_master_pipes',` +- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.') +- postfix_rw_inherited_master_pipes($1) ++interface(`postfix_rw_inherited_master_pipes',` + gen_require(` + type postfix_master_t; + ') + + allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## ## Execute the master postdrop in the - ## postfix_postdrop domain. +-## postfix postdrop domain. ++## postfix_postdrop domain. + ## + ## + ## +@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',` + type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) + ') + + ######################################## + ## + ## Execute the master postqueue in the +-## postfix postqueue domain. ++## postfix_postqueue domain. 
## -@@ -452,6 +482,61 @@ interface(`postfix_domtrans_postqueue',` + ## + ## +@@ -478,30 +479,67 @@ interface(`postfix_domtrans_postqueue',` + type postfix_postqueue_t, postfix_postqueue_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) ') +-####################################### +######################################## -+## + ## +-## Execute the master postqueue in +-## the caller domain. (Deprecated) +## Execute the master postqueue in the +## postfix_postdrop domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +## +## +## The role to be allowed the iptables domain. +## +## +## -+# + # +-interface(`posftix_exec_postqueue',` +- refpolicywarn(`$0($*) has been deprecated.') +- postfix_exec_postqueue($1) + +interface(`postfix_run_postqueue',` + gen_require(` @@ -48425,8 +51545,8 @@ index 46bee12..20a3ccd 100644 + postfix_domtrans_postqueue($1) + role $2 types postfix_postqueue_t; + allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; -+') -+ + ') + +######################################## +## +## Execute postfix_postgqueue in the postfix_postgqueue domain, and 
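Review bot: The documentation of the new `postfix_run_postqueue` interface is a copy-paste: its summary reads `## Execute the master postqueue in the ## postfix_postdrop domain.` and its second parameter is described as `## The role to be allowed the iptables domain.`, while the body (which continues in the next hunk) calls `postfix_domtrans_postqueue($1)` and does `role $2 types postfix_postqueue_t;`. Suggest `## Execute postqueue in the postfix_postqueue domain, and allow the specified role the postfix_postqueue domain.` for the summary and `## The role to be allowed the postfix_postqueue domain.` for the role parameter.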
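Review bot: The summary of the interface that follows `postfix_run_postqueue`, `## Execute postfix_postgqueue in the postfix_postgqueue domain, and`, misspells the domain twice (`postgqueue`); the rest of that interface lies outside this hunk, so it should be corrected to match the type named in its gen_require. Separately, `allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };` inside `postfix_run_postqueue` lets the postqueue domain read and write a stream socket inherited from the caller with no explanation; a comment stating the reason (presumably output written back over a caller-provided socket — TODO confirm), e.g. `# postqueue writes its output to a stream socket inherited from the caller`, would make the grant reviewable.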
@@ -48456,43 +51576,86 @@ index 46bee12..20a3ccd 100644 + ####################################### ## - ## Execute the master postqueue in the caller domain. -@@ -462,7 +547,7 @@ interface(`postfix_domtrans_postqueue',` - ## - ## - # --interface(`posftix_exec_postqueue',` -+interface(`postfix_exec_postqueue',` - gen_require(` +-## Execute postfix postqueue in +-## the caller domain. ++## Execute the master postqueue in the caller domain. + ## + ## + ## +@@ -514,13 +552,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') -@@ -529,6 +614,25 @@ interface(`postfix_domtrans_smtp',` + +- corecmd_search_bin($1) + can_exec($1, postfix_postqueue_exec_t) + ') + + ######################################## + ## +-## Create postfix private sock files. ++## Create a named socket in a postfix private directory. + ## + ## + ## +@@ -533,13 +570,13 @@ interface(`postfix_create_private_sockets',` + type postfix_private_t; + ') + ++ allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1, postfix_private_t, postfix_private_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## postfix private sock files. ++## manage named socket in a postfix private directory. + ## + ## + ## +@@ -552,13 +589,14 @@ interface(`postfix_manage_private_sockets',` + type postfix_private_t; + ') + ++ allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) + ') + + ######################################## + ## +-## Execute the smtp postfix program +-## in the postfix smtp domain. ++## Execute the master postfix program in the ++## postfix_master domain. 
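Review bot: The patch replaces upstream's summary of `postfix_domtrans_smtp` (`Execute the smtp postfix program in the postfix smtp domain`) with `## Execute the master postfix program in the ## postfix_master domain.`, which is the text of `postfix_domtrans_master`; the body still does `domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)`. Keep upstream's wording, or write `## Execute the postfix smtp program in the postfix_smtp domain.`. The same hunk renames `postfix_getattr_all_spool_files` to `postfix_getattr_spool_files`; any module outside this patch that calls the upstream name will fail to build, so a deprecated wrapper with `refpolicywarn` of the kind upstream uses for renamed interfaces would be the safer transition.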
+ ## + ## + ## +@@ -571,14 +609,12 @@ interface(`postfix_domtrans_smtp',` + type postfix_smtp_t, postfix_smtp_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) + ') ######################################## ## +-## Get attributes of all postfix mail +-## spool files. +## Getattr postfix mail spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`postfix_getattr_spool_files',` -+ gen_require(` -+ attribute postfix_spool_type; -+ ') -+ -+ files_search_spool($1) -+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) -+') -+ -+######################################## -+## - ## Search postfix mail spool directories. ## ## -@@ -539,10 +643,10 @@ interface(`postfix_domtrans_smtp',` + ## +@@ -586,7 +622,7 @@ interface(`postfix_domtrans_smtp',` + ## + ## + # +-interface(`postfix_getattr_all_spool_files',` ++interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') +@@ -607,11 +643,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` @@ -48500,12 +51663,13 @@ index 46bee12..20a3ccd 100644 + attribute postfix_spool_type; ') -- allow $1 postfix_spool_t:dir search_dir_perms; + allow $1 postfix_spool_type:dir search_dir_perms; files_search_spool($1) +- allow $1 postfix_spool_t:dir search_dir_perms; ') -@@ -558,10 +662,10 @@ interface(`postfix_search_spool',` + ######################################## +@@ -626,11 +662,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` 
@@ -48513,12 +51677,13 @@ index 46bee12..20a3ccd 100644 + attribute postfix_spool_type; ') -- allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; files_search_spool($1) +- allow $1 postfix_spool_t:dir list_dir_perms; ') -@@ -577,11 +681,11 @@ interface(`postfix_list_spool',` + ######################################## +@@ -645,17 +681,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -48532,7 +51697,14 @@ index 46bee12..20a3ccd 100644 ') ######################################## -@@ -596,11 +700,31 @@ interface(`postfix_read_spool_files',` + ## +-## Create, read, write, and delete +-## postfix mail spool files. ++## Create, read, write, and delete postfix mail spool files. + ## + ## + ## +@@ -665,11 +700,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` 
@@ -48566,44 +51738,42 @@ index 46bee12..20a3ccd 100644 ') ######################################## -@@ -621,3 +745,157 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +748,8 @@ interface(`postfix_domtrans_user_mail_handler',` - typeattribute $1 postfix_user_domtrans; - ') -+ -+######################################## -+## + ######################################## + ## +-## All of the rules required to +-## administrate an postfix environment. +## All of the rules required to administrate +## an postfix environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`postfix_admin',` -+ gen_require(` + ## + ## + ## +@@ -710,37 +765,137 @@ interface(`postfix_domtrans_user_mail_handler',` + # + interface(`postfix_admin',` + gen_require(` +- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; +- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; +- type postfix_data_t, postfix_var_run_t, postfix_public_t; +- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; + attribute postfix_spool_type; + type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; + type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + type postfix_smtpd_t, postfix_var_run_t; -+ ') -+ + ') + +- allow $1 postfix_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, postfix_domain) + allow $1 postfix_bounce_t:process signal_perms; + ps_process_pattern($1, postfix_bounce_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postfix_bounce_t:process ptrace; + ') -+ + +- init_labeled_script_domtrans($1, postfix_initrc_exec_t) + allow $1 postfix_cleanup_t:process signal_perms; + ps_process_pattern($1, postfix_cleanup_t) + tunable_policy(`deny_ptrace',`',` 
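Review bot: The rewritten `postfix_admin` (its body continues into the following hunks) replaces upstream's `allow $1 postfix_domain:process { ptrace signal_perms }` / `ps_process_pattern($1, postfix_domain)` with one block per type, but its gen_require names only bounce, cleanup, local, master, pickup, qmgr and smtpd; pipe, showq, smtp, virtual, map, postdrop and postqueue are not listed, so an administrator granted this interface cannot signal or inspect those daemons even though `attribute postfix_domain;` is still declared in postfix.te. Using the attribute keeps full coverage and still honours the `deny_ptrace` tunable, assuming Fedora's `postfix_domain_template` (outside this view) still adds every domain to it — TODO confirm. The gen_require would then need `attribute postfix_domain;` in place of the per-type list used only for these rules.
```m4
	allow $1 postfix_domain:process signal_perms;
	ps_process_pattern($1, postfix_domain)
	tunable_policy(`deny_ptrace',`',`
		allow $1 postfix_domain:process ptrace;
	')
	# … unchanged: postfix_run_postqueue, postfix_initrc_domtrans, role transition, admin_pattern rules …
```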
@@ -48635,25 +51805,38 @@ index 46bee12..20a3ccd 100644 + postfix_run_postqueue($1, $2) + + postfix_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 postfix_initrc_exec_t system_r; -+ allow $2 system_r; -+ + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) +- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t }) + admin_pattern($1, postfix_data_t) -+ + +- files_search_spool($1) +- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) + files_list_etc($1) + admin_pattern($1, postfix_etc_t) -+ + +- files_search_var_lib($1) +- admin_pattern($1, postfix_data_t) + files_list_spool($1) + admin_pattern($1, postfix_spool_type) -+ -+ admin_pattern($1, postfix_var_run_t) -+ + +- files_search_pids($1) + admin_pattern($1, postfix_var_run_t) + +- files_search_tmp($1) +- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) + files_list_tmp($1) + admin_pattern($1, postfix_map_tmp_t) + + admin_pattern($1, postfix_prng_t) -+ + +- postfix_exec_master($1) +- postfix_exec_postqueue($1) +- postfix_stream_connect_master($1) +- postfix_run_map($1, $2) + admin_pattern($1, postfix_public_t) + + postfix_filetrans_named_content($1) @@ -48723,94 +51906,211 @@ index 46bee12..20a3ccd 100644 + + postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") -+') + ') diff --git a/postfix.te b/postfix.te -index a1e0f60..ae56a3e 100644 +index 191a66f..ca44603 100644 --- a/postfix.te +++ b/postfix.te -@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) - # Declarations +@@ -1,4 +1,4 @@ +-policy_module(postfix, 1.14.10) ++policy_module(postfix, 1.14.0) + + ######################################## + # +@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10) # -+## + ## +-##

    +-## Determine whether postfix local +-## can manage mail spool content. +-##

    +##

    +## Allow postfix_local domain full write access to mail_spool directories +##

    -+##
    -+gen_tunable(postfix_local_write_mail_spool, true) -+ -+attribute postfix_domain; -+attribute postfix_spool_type; + ##
    + gen_tunable(postfix_local_write_mail_spool, true) + + attribute postfix_domain; +-attribute postfix_server_domain; +-attribute postfix_server_tmp_content; + attribute postfix_spool_type; attribute postfix_user_domains; - # domains that transition to the - # postfix user domains -@@ -12,8 +21,8 @@ attribute postfix_user_domtrans; ++# domains that transition to the ++# postfix user domains + attribute postfix_user_domtrans; +-attribute_role postfix_map_roles; +-roleattribute system_r postfix_map_roles; +- postfix_server_domain_template(bounce) --type postfix_spool_bounce_t; + type postfix_spool_bounce_t, postfix_spool_type; -files_type(postfix_spool_bounce_t) -+type postfix_spool_bounce_t, postfix_spool_type; +files_spool_file(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) -@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t; - # generation macro work - mta_mailserver(postfix_t, postfix_master_exec_t) - -+type postfix_initrc_exec_t; -+init_script_file(postfix_initrc_exec_t) -+ - postfix_server_domain_template(pickup) +@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t) + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) - postfix_server_domain_template(pipe) -@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop) - mta_mailserver_user_agent(postfix_postdrop_t) ++# Program for creating database files + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t, postfix_map_exec_t) +-role postfix_map_roles types postfix_map_t; ++role system_r types postfix_map_t; - postfix_user_domain_template(postqueue) -+mta_mailserver_user_agent(postfix_postqueue_t) + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) - type postfix_private_t; - files_type(postfix_private_t) -@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t) + postfix_domain_template(master) + typealias postfix_master_t alias postfix_t; ++# alias is a hack to make the disable trans bool ++# generation 
macro work + mta_mailserver(postfix_t, postfix_master_exec_t) + type postfix_initrc_exec_t; +@@ -80,13 +79,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) --type postfix_spool_t; + type postfix_spool_t, postfix_spool_type; -files_type(postfix_spool_t) -+type postfix_spool_t, postfix_spool_type; +files_spool_file(postfix_spool_t) --type postfix_spool_maildrop_t; + type postfix_spool_maildrop_t, postfix_spool_type; -files_type(postfix_spool_maildrop_t) -+type postfix_spool_maildrop_t, postfix_spool_type; +files_spool_file(postfix_spool_maildrop_t) --type postfix_spool_flush_t; + type postfix_spool_flush_t, postfix_spool_type; -files_type(postfix_spool_flush_t) -+type postfix_spool_flush_t, postfix_spool_type; +files_spool_file(postfix_spool_flush_t) type postfix_public_t; files_type(postfix_public_t) -@@ -94,23 +107,26 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -94,6 +93,7 @@ files_type(postfix_public_t) + type postfix_var_run_t; + files_pid_file(postfix_var_run_t) + ++# the data_directory config parameter + type postfix_data_t; + files_type(postfix_data_t) + +@@ -102,160 +102,63 @@ mta_mailserver_delivery(postfix_virtual_t) + + ######################################## + # +-# Common postfix domain local policy ++# Postfix master process local policy + # - # chown is to set the correct ownership of queue dirs - allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; --allow postfix_master_t self:fifo_file rw_fifo_file_perms; -+allow postfix_master_t self:capability2 block_suspend; +-allow postfix_domain self:capability { sys_nice sys_chroot }; +-dontaudit postfix_domain self:capability sys_tty_config; +-allow postfix_domain self:process { signal_perms setpgid setsched }; +-allow postfix_domain self:fifo_file rw_fifo_file_perms; +-allow postfix_domain self:unix_stream_socket { accept connectto listen }; +- +-allow postfix_domain postfix_etc_t:dir list_dir_perms; +-allow 
postfix_domain postfix_etc_t:file read_file_perms; +-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; +- +-allow postfix_domain postfix_master_t:file read_file_perms; +- +-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock }; +- +-allow postfix_domain postfix_master_t:process sigchld; +- +-allow postfix_domain postfix_spool_t:dir list_dir_perms; +- +-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) +-files_pid_filetrans(postfix_domain, postfix_var_run_t, file) +- +-kernel_read_system_state(postfix_domain) +-kernel_read_network_state(postfix_domain) +-kernel_read_all_sysctls(postfix_domain) +- +-dev_read_sysfs(postfix_domain) +-dev_read_rand(postfix_domain) +-dev_read_urand(postfix_domain) +- +-fs_search_auto_mountpoints(postfix_domain) +-fs_getattr_all_fs(postfix_domain) +-fs_rw_anon_inodefs_files(postfix_domain) +- +-term_dontaudit_use_console(postfix_domain) +- +-corecmd_exec_shell(postfix_domain) +- +-files_read_etc_runtime_files(postfix_domain) +-files_read_usr_files(postfix_domain) +-files_search_spool(postfix_domain) +-files_getattr_tmp_dirs(postfix_domain) +-files_search_all_mountpoints(postfix_domain) +- +-init_dontaudit_use_fds(postfix_domain) +-init_sigchld(postfix_domain) +- +-logging_send_syslog_msg(postfix_domain) +- +-miscfiles_read_localization(postfix_domain) +-miscfiles_read_generic_certs(postfix_domain) +- +-userdom_dontaudit_use_unpriv_user_fds(postfix_domain) +- +-optional_policy(` +- udev_read_db(postfix_domain) +-') +- +-######################################## +-# +-# Common postfix server domain local policy +-# +- +-allow postfix_server_domain self:capability { setuid setgid dac_override }; +- +-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; +- +-corenet_all_recvfrom_unlabeled(postfix_server_domain) +-corenet_all_recvfrom_netlabel(postfix_server_domain) +-corenet_tcp_sendrecv_generic_if(postfix_server_domain) 
+-corenet_tcp_sendrecv_generic_node(postfix_server_domain) +- +-corenet_sendrecv_all_client_packets(postfix_server_domain) +-corenet_tcp_connect_all_ports(postfix_server_domain) +-corenet_tcp_sendrecv_all_ports(postfix_server_domain) +- +-######################################## +-# +-# Common postfix user domain local policy +-# +- +-allow postfix_user_domains self:capability dac_override; +- +-domain_use_interactive_fds(postfix_user_domains) +- +-######################################## +-# +-# Master local policy +-# +- +-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; ++# chown is to set the correct ownership of queue dirs ++allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; + allow postfix_master_t self:capability2 block_suspend; + -+allow postfix_master_t self:process setrlimit; + allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; --allow postfix_master_t self:process setrlimit; -+allow postfix_master_t postfix_etc_t:dir rw_dir_perms; +-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms; +-allow postfix_master_t postfix_domain:process signal; +- + allow postfix_master_t postfix_etc_t:dir rw_dir_perms; allow postfix_master_t postfix_etc_t:file rw_file_perms; +mta_filetrans_aliases(postfix_master_t, postfix_etc_t) - - can_exec(postfix_master_t, postfix_exec_t) ++ ++can_exec(postfix_master_t, postfix_exec_t) allow postfix_master_t postfix_data_t:dir manage_dir_perms; allow postfix_master_t postfix_data_t:file manage_file_perms; 
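Review bot: In the master block the patch now deletes upstream's `allow postfix_master_t postfix_domain:process signal;` (and the matching `allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;`) while keeping the `kill` capability; unless Fedora's `postfix_domain_template`, whose start is outside this view, grants master signal on its child domains, reloading or stopping the per-service daemons would be denied. Please either keep that line or add a comment stating where the equivalent is granted. The same hunk also moves `policy_module(postfix, 1.14.10)` back to `1.14.0`; semodule does not order versions, but a number lower than upstream's misleads anyone comparing the module against refpolicy, so bump it to at least 1.14.10.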
@@ -48818,37 +52118,71 @@ index a1e0f60..ae56a3e 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; --allow postfix_master_t postfix_postdrop_exec_t:file getattr; +-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; - --allow postfix_master_t postfix_postqueue_exec_t:file getattr; ++ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; ++ ++manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) ++manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) ++ ++domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) - manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) - manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -@@ -130,7 +146,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + allow postfix_master_t postfix_prng_t:file rw_file_perms; + ++manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) ++manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) ++ ++domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) ++ ++# allow access to deferred queue and allow removing bogus incoming entries + manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; --allow postfix_master_t postfix_spool_bounce_t:file getattr; -+allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; + allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; 
+-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce") manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,11 +154,11 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ - + manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") +- +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) +-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private") + +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t) +-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") +- +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") +- +-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) 
+-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) +-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") - kernel_read_all_sysctls(postfix_master_t) +-can_exec(postfix_master_t, postfix_exec_t) ++kernel_read_all_sysctls(postfix_master_t) +-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) +-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +- -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -150,6 +166,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,50 +166,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) 
@@ -48856,41 +52190,72 @@ index a1e0f60..ae56a3e 100644 +corenet_udp_bind_all_unreserved_ports(postfix_master_t) +corenet_dontaudit_udp_bind_all_ports(postfix_master_t) corenet_tcp_bind_generic_node(postfix_master_t) +- +-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) +- +-corenet_sendrecv_smtp_server_packets(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -157,6 +176,8 @@ corenet_tcp_connect_all_ports(postfix_master_t) - corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) - corenet_sendrecv_smtp_server_packets(postfix_master_t) - corenet_sendrecv_all_client_packets(postfix_master_t) +- +-corenet_sendrecv_spamd_server_packets(postfix_master_t) +-corenet_tcp_bind_spamd_port(postfix_master_t) +- +-corenet_sendrecv_all_client_packets(postfix_master_t) + corenet_tcp_connect_all_ports(postfix_master_t) ++corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) ++corenet_sendrecv_smtp_server_packets(postfix_master_t) ++corenet_sendrecv_all_client_packets(postfix_master_t) +# for spampd +corenet_tcp_bind_spamd_port(postfix_master_t) - # for a find command +-# Can this be conditional? 
+-corenet_sendrecv_all_server_packets(postfix_master_t) +-corenet_udp_bind_all_unreserved_ports(postfix_master_t) +-corenet_dontaudit_udp_bind_all_ports(postfix_master_t) +- ++# for a find command selinux_dontaudit_search_fs(postfix_master_t) -@@ -167,14 +188,14 @@ corecmd_exec_bin(postfix_master_t) + ++corecmd_exec_shell(postfix_master_t) + corecmd_exec_bin(postfix_master_t) + domain_use_interactive_fds(postfix_master_t) - files_read_usr_files(postfix_master_t) ++files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) -+files_search_tmp(postfix_master_t) + files_search_tmp(postfix_master_t) --term_dontaudit_search_ptys(postfix_master_t) -+mcs_file_read_all(postfix_master_t) + mcs_file_read_all(postfix_master_t) --miscfiles_read_man_pages(postfix_master_t) -+term_dontaudit_search_ptys(postfix_master_t) + term_dontaudit_search_ptys(postfix_master_t) +-miscfiles_read_man_pages(postfix_master_t) +- seutil_sigchld_newrole(postfix_master_t) --# postfix does a "find" on startup for some reason - keep it quiet -seutil_dontaudit_search_config(postfix_master_t) - mta_rw_aliases(postfix_master_t) +-mta_manage_aliases(postfix_master_t) +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases") +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db") +-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp") +-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file) ++mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) -@@ -195,15 +216,11 @@ optional_policy(` + mta_getattr_spool(postfix_master_t) + ++ifdef(`distro_redhat',` ++ # for newer main.cf that uses /etc/aliases ++ mta_manage_aliases(postfix_master_t) ++ mta_etc_filetrans_aliases(postfix_master_t) ++') ++ + optional_policy(` + cyrus_stream_connect(postfix_master_t) + ') +@@ -316,14 +216,11 @@ optional_policy(` ') optional_policy(` --# for postalias +# for postalias mailman_manage_data_files(postfix_master_t) ') 
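Review bot: `corenet_udp_bind_all_unreserved_ports(postfix_master_t)` and `corenet_dontaudit_udp_bind_all_ports(postfix_master_t)` are hoisted into the master networking rules, but upstream's `# Can this be conditional?` comment is dropped and nothing says why an MTA master needs to bind arbitrary unreserved UDP ports (presumably resolver source ports for lookups — TODO confirm). Keep a comment such as `# unreserved UDP ports: source ports for DNS/map lookups; candidate for a tunable` next to them. `mcs_file_read_all(postfix_master_t)` in the same hunk likewise widens master across all MCS categories without a note; the `# for a find command` comment above `selinux_dontaudit_search_fs` shows the style the rest of this block already uses.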
@@ -48903,32 +52268,41 @@ index a1e0f60..ae56a3e 100644 postgrey_search_spool(postfix_master_t) ') -@@ -220,13 +237,17 @@ allow postfix_bounce_t self:capability dac_read_search; - allow postfix_bounce_t self:tcp_socket create_socket_perms; +@@ -333,12 +230,14 @@ optional_policy(` + + ######################################## + # +-# Bounce local policy ++# Postfix bounce local policy + # + + allow postfix_bounce_t self:capability dac_read_search; ++allow postfix_bounce_t self:tcp_socket create_socket_perms; - allow postfix_bounce_t postfix_public_t:sock_file write; --allow postfix_bounce_t postfix_public_t:dir search; +-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t) ++allow postfix_bounce_t postfix_public_t:sock_file write; +allow postfix_bounce_t postfix_public_t:dir search_dir_perms; manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) - manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) - files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) +@@ -355,35 +254,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool -+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; -+ - manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) - manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -237,22 +258,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool + ######################################## + # +-# Cleanup local policy ++# Postfix cleanup local policy # allow postfix_cleanup_t 
self:process setrlimit; -+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; +- + allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; +-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; +- +-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; +-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; +-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - # connect to master process ++# connect to master process stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) 
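Review bot: The bounce section on the new side replaces upstream's `write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)` with the hand-written `allow postfix_bounce_t postfix_public_t:sock_file write;` and `allow postfix_bounce_t postfix_public_t:dir search_dir_perms;`; the pattern macro is what the rest of this file uses and, as far as I recall, also grants getattr/append on the socket file, so keep the manual rules only if that narrowing is intended and say so in a comment. `allow postfix_bounce_t self:tcp_socket create_socket_perms;` is added with no comment on why the bounce daemon needs a TCP socket. Both the bounce and cleanup sections continue past the hunk edge.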
@@ -48948,47 +52322,52 @@ index a1e0f60..ae56a3e 100644 corecmd_exec_bin(postfix_cleanup_t) +-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) +-corenet_tcp_connect_kismet_port(postfix_cleanup_t) +-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) +# allow postfix to connect to sqlgrey +corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) -+ + mta_read_aliases(postfix_cleanup_t) - optional_policy(` -@@ -264,7 +294,6 @@ optional_policy(` - # Postfix local local policy +@@ -393,29 +291,45 @@ optional_policy(` + + ######################################## + # +-# Local local policy ++# Postfix local local policy # --allow postfix_local_t self:fifo_file rw_fifo_file_perms; - allow postfix_local_t self:process { setsched setrlimit }; +-allow postfix_local_t self:capability chown; +-allow postfix_local_t self:process setrlimit; ++allow postfix_local_t self:process { setsched setrlimit }; - # connect to master process -@@ -272,28 +301,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post ++# connect to master process + stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - # for .forward - maybe we need a new type for it? ++# for .forward - maybe we need a new type for it? 
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) +- +-allow postfix_local_t postfix_spool_t:file rw_file_perms; +rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+ -+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - allow postfix_local_t postfix_spool_t:file rw_file_perms; + domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - corecmd_exec_shell(postfix_local_t) ++allow postfix_local_t postfix_spool_t:file rw_file_perms; ++ ++corecmd_exec_shell(postfix_local_t) corecmd_exec_bin(postfix_local_t) --files_read_etc_files(postfix_local_t) -- logging_dontaudit_search_logs(postfix_local_t) +-mta_delete_spool(postfix_local_t) mta_read_aliases(postfix_local_t) - mta_delete_spool(postfix_local_t) - # For reading spamassasin ++mta_delete_spool(postfix_local_t) ++# For reading spamassasin mta_read_config(postfix_local_t) +# Handle vacation script -+mta_send_mail(postfix_local_t) + mta_send_mail(postfix_local_t) --domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) --# Might be a leak, but I need a postfix expert to explain --allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +userdom_read_user_home_content_files(postfix_local_t) +userdom_exec_user_bin_files(postfix_local_t) + 
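Review bot: `userdom_exec_user_bin_files(postfix_local_t)` together with `userdom_read_user_home_content_files(postfix_local_t)` lets the local delivery agent execute binaries out of user home directories, but the only nearby explanation, `# for .forward - maybe we need a new type for it?`, sits several lines earlier above the private socket rule; a comment directly on these two lines stating the actual reason (presumably .forward pipe delivery — confirm) would make the scope of the grant clear, and a tunable would let sites that do not permit .forward pipes switch it off. In the cleanup section the comment `# allow postfix to connect to sqlgrey` introduces `corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)`; if sqlgrey's default port is the one labelled rtsclient, say so in the comment so the name mismatch is not read as a typo. Both sections continue outside the hunk.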
@@ -49000,33 +52379,29 @@ index a1e0f60..ae56a3e 100644 + fs_exec_cifs_files(postfix_local_t) +') + -+tunable_policy(`postfix_local_write_mail_spool',` -+ mta_manage_spool(postfix_local_t) -+') - + tunable_policy(`postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) + ') +@@ -423,6 +337,7 @@ tunable_policy(`postfix_local_write_mail_spool',` optional_policy(` clamav_search_lib(postfix_local_t) clamav_exec_clamscan(postfix_local_t) + clamav_stream_connect(postfix_domain) -+') -+ -+optional_policy(` -+ dovecot_domtrans_deliver(postfix_local_t) -+') -+ -+optional_policy(` -+ dspam_domtrans(postfix_local_t) ') optional_policy(` -@@ -304,9 +356,26 @@ optional_policy(` +@@ -434,6 +349,7 @@ optional_policy(` + ') + + optional_policy(` ++# for postalias + mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) +@@ -444,6 +360,10 @@ optional_policy(` ') optional_policy(` -+ nagios_search_spool(postfix_local_t) -+') -+ -+optional_policy(` + openshift_search_lib(postfix_local_t) +') + 
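Review bot: `clamav_stream_connect(postfix_domain)` is added inside the postfix_local_t optional_policy block next to `clamav_search_lib(postfix_local_t)` and `clamav_exec_clamscan(postfix_local_t)`, so a block labelled as local-delivery policy silently grants every postfix domain access to the clamav socket. Either change the argument to `postfix_local_t`, or move the line into the postfix_domain section at the end of the file where the attribute-wide rules live, with a comment saying which daemons talk to clamd. The optional_policy block closes inside the hunk, but the surrounding postfix_local_t section continues outside it.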
@@ -49034,35 +52409,51 @@ index a1e0f60..ae56a3e 100644 procmail_domtrans(postfix_local_t) ') -+optional_policy(` -+ sendmail_rw_pipes(postfix_local_t) -+') -+ -+optional_policy(` -+ zarafa_domtrans_deliver(postfix_local_t) -+ zarafa_stream_connect_server(postfix_local_t) -+') -+ +@@ -458,15 +378,17 @@ optional_policy(` + ######################################## # - # Postfix map local policy -@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t) +-# Map local policy ++# Postfix map local policy + # +- + allow postfix_map_t self:capability { dac_override setgid setuid }; +-allow postfix_map_t self:tcp_socket { accept listen }; ++allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; ++allow postfix_map_t self:unix_dgram_socket create_socket_perms; ++allow postfix_map_t self:tcp_socket create_stream_socket_perms; ++allow postfix_map_t self:udp_socket create_socket_perms; + +-allow postfix_map_t postfix_etc_t:dir manage_dir_perms; +-allow postfix_map_t postfix_etc_t:file manage_file_perms; +-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms; ++manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) ++manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) ++manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) + + manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) + manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) +@@ -476,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) -corenet_all_recvfrom_unlabeled(postfix_map_t) corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) - corenet_udp_sendrecv_generic_if(postfix_map_t) -@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t) - - files_list_home(postfix_map_t) - files_read_usr_files(postfix_map_t) --files_read_etc_files(postfix_map_t) - 
files_read_etc_runtime_files(postfix_map_t) - files_dontaudit_search_var(postfix_map_t) ++corenet_udp_sendrecv_generic_if(postfix_map_t) + corenet_tcp_sendrecv_generic_node(postfix_map_t) +- +-corenet_sendrecv_all_client_packets(postfix_map_t) +-corenet_tcp_connect_all_ports(postfix_map_t) ++corenet_udp_sendrecv_generic_node(postfix_map_t) + corenet_tcp_sendrecv_all_ports(postfix_map_t) ++corenet_udp_sendrecv_all_ports(postfix_map_t) ++corenet_tcp_connect_all_ports(postfix_map_t) ++corenet_sendrecv_all_client_packets(postfix_map_t) -@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t) + corecmd_list_bin(postfix_map_t) + corecmd_read_bin_symlinks(postfix_map_t) +@@ -500,21 +423,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
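Review bot: The postfix_map_t section on the new side keeps `corenet_tcp_connect_all_ports(postfix_map_t)` and `corenet_sendrecv_all_client_packets(postfix_map_t)`, adds `corenet_udp_sendrecv_all_ports(postfix_map_t)`, and grants create permissions on tcp, udp, unix_stream and unix_dgram sockets, all without a comment on what a map lookup helper connects to. If these exist for network-backed lookup tables (presumably LDAP or SQL maps — confirm), a comment such as `# lookups against network map backends (ldap/sql)` above the block, or better the specific port interfaces for those backends, would keep the grant from reading as an accidental all-ports allow. The section continues outside the hunk.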
@@ -49071,193 +52462,292 @@ index a1e0f60..ae56a3e 100644 optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p - rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) - rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; -+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) -+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) + optional_policy(` ++# for postalias + mailman_manage_data_files(postfix_map_t) + ') + + ######################################## + # +-# Pickup local policy ++# Postfix pickup local policy + # + ++allow postfix_pickup_t self:tcp_socket create_socket_perms; + - postfix_list_spool(postfix_pickup_t) + stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) + + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) +@@ -524,6 +448,8 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; + read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) + delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++postfix_list_spool(postfix_pickup_t) ++ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +@@ -533,7 +459,7 @@ mcs_file_write_all(postfix_pickup_t) -+mcs_file_read_all(postfix_pickup_t) -+mcs_file_write_all(postfix_pickup_t) -+ ######################################## # - # Postfix pipe local policy +-# Pipe local policy ++# Postfix pipe local policy # --allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; allow postfix_pipe_t self:process setrlimit; +@@ -576,20 +502,28 @@ optional_policy(` + 
+ ######################################## + # +-# Postdrop local policy ++# Postfix postdrop local policy + # + ++# usually it does not need a UDP socket + allow postfix_postdrop_t self:capability sys_resource; ++allow postfix_postdrop_t self:tcp_socket create; ++allow postfix_postdrop_t self:udp_socket create_socket_perms; ++ ++# Might be a leak, but I need a postfix expert to explain ++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; + + rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) ++postfix_list_spool(postfix_postdrop_t) + manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) +-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +- + mcs_file_read_all(postfix_postdrop_t) + mcs_file_write_all(postfix_postdrop_t) -+corecmd_exec_bin(postfix_pipe_t) ++corenet_udp_sendrecv_generic_if(postfix_postdrop_t) ++corenet_udp_sendrecv_generic_node(postfix_postdrop_t) + - optional_policy(` - dovecot_domtrans_deliver(postfix_pipe_t) + term_dontaudit_use_all_ptys(postfix_postdrop_t) + term_dontaudit_use_all_ttys(postfix_postdrop_t) + +@@ -603,10 +537,7 @@ optional_policy(` + cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -420,6 +493,7 @@ optional_policy(` +-optional_policy(` +- fail2ban_dontaudit_use_fds(postfix_postdrop_t) +-') +- ++# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 optional_policy(` - spamassassin_domtrans_client(postfix_pipe_t) -+ spamassassin_kill_client(postfix_pipe_t) + fstools_read_pipes(postfix_postdrop_t) ') +@@ -621,17 +552,23 @@ optional_policy(` - optional_policy(` -@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource; - allow 
postfix_postdrop_t self:tcp_socket create; - allow postfix_postdrop_t self:udp_socket create_socket_perms; + ####################################### + # +-# Postqueue local policy ++# Postfix postqueue local policy + # -+# Might be a leak, but I need a postfix expert to explain -+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; ++allow postfix_postqueue_t self:tcp_socket create; ++allow postfix_postqueue_t self:udp_socket { create ioctl }; + - rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - - postfix_list_spool(postfix_postdrop_t) - manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++# wants to write to /var/spool/postfix/public/showq + stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) -+mcs_file_read_all(postfix_postdrop_t) -+mcs_file_write_all(postfix_postdrop_t) -+ - corenet_udp_sendrecv_generic_if(postfix_postdrop_t) - corenet_udp_sendrecv_generic_node(postfix_postdrop_t) ++# write to /var/spool/postfix/public/qmgr + write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) -@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - # to write the mailq output, it really should not need read access! -term_use_all_ptys(postfix_postqueue_t) -term_use_all_ttys(postfix_postqueue_t) ++# to write the mailq output, it really should not need read access! 
+term_use_all_inherited_ptys(postfix_postqueue_t) +term_use_all_inherited_ttys(postfix_postqueue_t) init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -647,67 +584,80 @@ optional_policy(` + + ######################################## + # +-# Qmgr local policy ++# Postfix qmgr local policy + # + +-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; +- + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + + rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; - allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; --allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; +- ++# for /var/spool/postfix/active + manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) + ++allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; ++allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, 
postfix_spool_maildrop_t) +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - ++ corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t) + ######################################## + # +-# Showq local policy ++# Postfix showq local policy + # + + allow postfix_showq_t self:capability { setuid setgid }; ++allow postfix_showq_t self:tcp_socket create_socket_perms; + allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; + ++allow postfix_showq_t postfix_spool_t:file read_file_perms; ++ ++postfix_list_spool(postfix_showq_t) ++ allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; --allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read }; -+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; -+ -+mcs_file_read_all(postfix_showq_t) + allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - # to write the mailq output, it really should not need read access! +-allow postfix_showq_t postfix_spool_t:file read_file_perms; +- + mcs_file_read_all(postfix_showq_t) + ++# to write the mailq output, it really should not need read access! 
term_use_all_ptys(postfix_showq_t) -@@ -558,6 +644,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; + term_use_all_ttys(postfix_showq_t) + + ######################################## + # +-# Smtp delivery local policy ++# Postfix smtp delivery local policy + # - allow postfix_smtp_t postfix_spool_t:file rw_file_perms; ++# connect to master process + allow postfix_smtp_t self:capability sys_chroot; +- + stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) -+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms; ++allow postfix_smtp_t postfix_prng_t:file rw_file_perms; + ++allow postfix_smtp_t postfix_spool_t:file rw_file_perms; + + rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) +corenet_tcp_bind_spamd_port(postfix_master_t) + - files_search_all_mountpoints(postfix_smtp_t) - ++files_search_all_mountpoints(postfix_smtp_t) ++ optional_policy(` -@@ -565,6 +657,14 @@ optional_policy(` + cyrus_stream_connect(postfix_smtp_t) ') optional_policy(` +- dovecot_stream_connect(postfix_smtp_t) + dovecot_stream_connect(postfix_smtp_t) -+') -+ -+optional_policy(` -+ dspam_stream_connect(postfix_smtp_t) -+') -+ -+optional_policy(` - milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +681,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, - corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) + optional_policy(` +@@ -720,24 +670,28 @@ optional_policy(` + + ######################################## + # +-# Smtpd local policy ++# Postfix smtpd local policy + # +- + allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; + ++# connect to master process + stream_connect_pattern(postfix_smtpd_t, { postfix_private_t 
postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - # for prng_exch --allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; -+manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) -+manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) -+manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) ++# Connect to policy server ++corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) ++ ++# for prng_exch + manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; +-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t) +-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) +-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t) +- corecmd_exec_bin(postfix_smtpd_t) - # for OpenSSL certificates - files_read_usr_files(postfix_smtpd_t) ++# for OpenSSL certificates ++files_read_usr_files(postfix_smtpd_t) + +# postfix checks the size of all mounted file systems -+fs_getattr_all_dirs(postfix_smtpd_t) -+fs_getattr_all_fs(postfix_smtpd_t) -+ - mta_read_aliases(postfix_smtpd_t) + fs_getattr_all_dirs(postfix_smtpd_t) + fs_getattr_all_fs(postfix_smtpd_t) - optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) -+ dovecot_stream_connect(postfix_smtpd_t) - ') +@@ -754,6 +708,7 @@ optional_policy(` optional_policy(` -@@ -599,6 +707,11 @@ optional_policy(` + milter_stream_connect_all(postfix_smtpd_t) ++ spamassassin_read_pid_files(postfix_smtpd_t) ') optional_policy(` -+ milter_stream_connect_all(postfix_smtpd_t) -+ spamassassin_read_pid_files(postfix_smtpd_t) -+') -+ -+optional_policy(` - postgrey_stream_connect(postfix_smtpd_t) +@@ -764,31 +719,102 @@ optional_policy(` + sasl_connect(postfix_smtpd_t) ') -@@ -611,7 +724,6 @@ optional_policy(` - # 
Postfix virtual local policy +-optional_policy(` +- spamassassin_read_spamd_pid_files(postfix_smtpd_t) +- spamassassin_stream_connect_spamd(postfix_smtpd_t) +-') +- + ######################################## + # +-# Virtual local policy ++# Postfix virtual local policy # --allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; - allow postfix_virtual_t self:process { setsched setrlimit }; +-allow postfix_virtual_t self:process setrlimit; ++allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +734,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } - corecmd_exec_shell(postfix_virtual_t) - corecmd_exec_bin(postfix_virtual_t) --files_read_etc_files(postfix_virtual_t) - files_read_usr_files(postfix_virtual_t) ++# connect to master process + stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) ++corecmd_exec_shell(postfix_virtual_t) + corecmd_exec_bin(postfix_virtual_t) + ++files_read_usr_files(postfix_virtual_t) ++ mta_read_aliases(postfix_virtual_t) -@@ -630,3 +741,80 @@ mta_delete_spool(postfix_virtual_t) - # For reading spamassasin + mta_delete_spool(postfix_virtual_t) ++# For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) -+ -+userdom_manage_user_home_dirs(postfix_virtual_t) + + userdom_manage_user_home_dirs(postfix_virtual_t) +-userdom_manage_user_home_content_dirs(postfix_virtual_t) +-userdom_manage_user_home_content_files(postfix_virtual_t) +userdom_manage_user_home_content(postfix_virtual_t) -+userdom_home_filetrans_user_home_dir(postfix_virtual_t) + userdom_home_filetrans_user_home_dir(postfix_virtual_t) +-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir }) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) + +######################################## 
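Review bot: Under the `# Postfix smtp delivery local policy` header, the two `# for spampd` lines grant `corenet_tcp_connect_spamd_port(postfix_master_t)` and `corenet_tcp_bind_spamd_port(postfix_master_t)` to the master domain while every other rule in that section targets `postfix_smtp_t`; unless the master really is the domain that talks to spampd on the delivery path, this looks like a copy of the master-section rule and should use `postfix_smtp_t` or move out of this section. In the postdrop section, `# usually it does not need a UDP socket` is immediately followed by `allow postfix_postdrop_t self:udp_socket create_socket_perms;`, which contradicts the comment: if the socket is only created and never used, a `dontaudit` is the least-privilege form, and if it is needed the comment should say when. The `# connect to master process` comment added in the smtp section sits above `allow postfix_smtp_t self:capability sys_chroot;` rather than above the `stream_connect_pattern` line it describes. Finally `userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })` has uneven brace spacing compared with the `{ file dir }` form used elsewhere in the file. The virtual section continues outside the hunk.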
@@ -49308,7 +52798,7 @@ index a1e0f60..ae56a3e 100644 +files_read_usr_files(postfix_domain) +files_read_usr_symlinks(postfix_domain) +files_search_spool(postfix_domain) -+files_getattr_tmp_dirs(postfix_domain) ++files_list_tmp(postfix_domain) +files_search_all_mountpoints(postfix_domain) + +init_dontaudit_use_fds(postfix_domain) @@ -49332,16 +52822,11 @@ index a1e0f60..ae56a3e 100644 + udev_read_db(postfix_domain) +') diff --git a/postfixpolicyd.if b/postfixpolicyd.if -index feae93b..b2af729 100644 +index 5de8173..985b877 100644 --- a/postfixpolicyd.if +++ b/postfixpolicyd.if -@@ -20,12 +20,14 @@ - interface(`postfixpolicyd_admin',` - gen_require(` - type postfix_policyd_t, postfix_policyd_conf_t; -- type postfix_policyd_var_run_t; -- type postfix_policyd_initrc_exec_t; -+ type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; +@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') - allow $1 postfix_policyd_t:process { ptrace signal_perms }; @@ -49354,33 +52839,18 @@ index feae93b..b2af729 100644 init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index 7257526..e69e0d4 100644 +index 70f0533..3eed489 100644 --- a/postfixpolicyd.te 
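Review bot: `files_list_tmp(postfix_domain)` replaces `files_getattr_tmp_dirs(postfix_domain)` on the new side, widening every postfix domain from stat'ing /tmp to listing its contents, with no comment on which daemon needs that. A one-line why-comment above it, or applying the rule to the specific postfix domain that lists /tmp instead of the whole attribute, would keep the attribute-wide grant minimal. The postfix_domain section starts outside the hunk.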
+++ b/postfixpolicyd.te -@@ -23,19 +23,18 @@ files_pid_file(postfix_policyd_var_run_t) - # Local Policy - # - --allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; - allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; - allow postfix_policyd_t self:process setrlimit; --allow postfix_policyd_t self:unix_dgram_socket { connect create write}; -+allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; -+allow postfix_policyd_t self:unix_dgram_socket create_socket_perms; - - allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; - allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; --allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read }; -+allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; - +@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) -corenet_all_recvfrom_unlabeled(postfix_policyd_t) corenet_tcp_sendrecv_generic_if(postfix_policyd_t) corenet_tcp_sendrecv_generic_node(postfix_policyd_t) - corenet_tcp_sendrecv_all_ports(postfix_policyd_t) -@@ -48,6 +47,4 @@ files_read_usr_files(postfix_policyd_t) + corenet_tcp_bind_generic_node(postfix_policyd_t) +@@ -52,6 +51,4 @@ files_read_usr_files(postfix_policyd_t) logging_send_syslog_msg(postfix_policyd_t) @@ -49388,50 +52858,44 @@ index 7257526..e69e0d4 100644 - sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/postgrey.if b/postgrey.if -index ad15fde..12202e1 100644 +index b9e71b5..a7502cd 100644 --- a/postgrey.if 
+++ b/postgrey.if -@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',` +@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',` type postgrey_var_run_t, postgrey_t, postgrey_spool_t; ') -- stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t) -- stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t) + stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) files_search_pids($1) -+ files_search_spool($1) + files_search_spool($1) +- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) ') ######################################## -@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',` - type postgrey_spool_t; - ') - -+ files_search_spool($1) - allow $1 postgrey_spool_t:dir search_dir_perms; - ') - -@@ -57,13 +58,15 @@ interface(`postgrey_search_spool',` +@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',` # interface(`postgrey_admin',` gen_require(` -- type postgrey_t, postgrey_etc_t; -+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; - type postgrey_var_lib_t, postgrey_var_run_t; +- type postgrey_t, postgrey_etc_t, postgrey_spool_t; +- type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; ++ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; ++ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t; ') - allow $1 postgrey_t:process { ptrace signal_perms }; + allow $1 postgrey_t:process signal_perms; ps_process_pattern($1, postgrey_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 postgrey_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, postgrey_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index db843e2..570cf36 100644 +index 3b11496..8c3efb2 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; 
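Review bot: The new side drops the inner hunk that added `files_search_spool($1)` to `postgrey_search_spool`, so that interface now depends on the upstream postgrey.if at the new index already searching /var/spool; confirm it does, otherwise callers such as `postgrey_search_spool(postfix_master_t)` earlier in this patch lose the parent-directory search without any visible error. In `postgrey_admin`, gating `allow $1 postgrey_t:process ptrace;` behind the deny_ptrace tunable is the right shape; it would be worth a short comment on the `tunable_policy` line naming the tunable's purpose, since the same construct appears in the postfixpolicyd_admin hunk above and readers will meet it repeatedly.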
@@ -49443,8 +52907,8 @@ index db843e2..570cf36 100644 type postgrey_var_lib_t; files_type(postgrey_var_lib_t) -@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(postgrey_t) - # for perl +@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t) + corecmd_search_bin(postgrey_t) -corenet_all_recvfrom_unlabeled(postgrey_t) @@ -49464,50 +52928,268 @@ index db843e2..570cf36 100644 sysnet_read_config(postgrey_t) diff --git a/ppp.fc b/ppp.fc -index 2d82c6d..ff2c96a 100644 +index efcb653..ff2c96a 100644 --- a/ppp.fc 
+++ b/ppp.fc -@@ -11,19 +11,24 @@ - # Fix /etc/ppp {up,down} family scripts (see man pppd) - /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - +@@ -1,30 +1,45 @@ +-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0) ++# ++# /etc ++# ++/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) ++/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) ++/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) ++/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) ++# Fix /etc/ppp {up,down} family scripts (see man pppd) ++/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) +-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/peers(/.*)? 
gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) +-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -+ - /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) - # - # /sbin - # --/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) + +-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) ++# ++# /sbin ++# +/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - # - # /usr - # +-/var/lock/ppp(/.*)? 
gen_context(system_u:object_r:pppd_lock_t,s0) +- +-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) +-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0) ++# ++# /usr ++# +/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) ++/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) - /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) --/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) - - # - # /var -@@ -34,5 +39,7 @@ - # Fix pptp sockets - /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) ++/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) ++# ++# /var ++# + /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) +-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) ++/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) ++# Fix pptp sockets ++/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) ++ +/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) + - /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) --/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) ++/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/ppp.if b/ppp.if -index de4bdb7..a4cad0b 100644 +index cd8b8b9..cde0d62 100644 --- a/ppp.if 
+++ b/ppp.if -@@ -66,7 +66,6 @@ interface(`ppp_sigchld',` +@@ -1,110 +1,91 @@ +-## Point to Point Protocol daemon creates links in ppp networks. ++## Point to Point Protocol daemon creates links in ppp networks + +-######################################## ++####################################### + ## +-## Role access for ppp. ++## Create, read, write, and delete ++## ppp home files. + ## +-## +-## +-## Role allowed access. +-## +-## + ## +-## +-## User domain for the role. +-## +-## +-# +-interface(`ppp_role',` +- refpolicywarn(`$0($*) has been deprecated') +-') +- +-######################################## +-## +-## Create, read, write, and delete +-## ppp home files. +-## +-## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`ppp_manage_home_files',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file manage_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file manage_file_perms; + ') + +-######################################## ++####################################### + ## +-## Read ppp user home content files. ++## Read ppp user home content files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`ppp_read_home_files',` +- gen_require(` +- type ppp_home_t; ++ gen_require(` ++ type ppp_home_t; + +- ') ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file read_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file read_file_perms; + ') + +-######################################## ++####################################### + ## +-## Relabel ppp home files. ++## Relabel ppp home files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
++## + ## + # + interface(`ppp_relabel_home_files',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_search_user_home_dirs($1) +- allow $1 ppp_home_t:file relabel_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 ppp_home_t:file relabel_file_perms; + ') + +-######################################## ++####################################### + ## +-## Create objects in user home +-## directories with the ppp home type. ++## Create objects in user home ++## directories with the ppp home type. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + ## +-## +-## Class of the object being created. +-## ++## ++## Class of the object being created. ++## + ## + ## +-## +-## The name of the object being created. +-## ++## ++## The name of the object being created. ++## + ## + # + interface(`ppp_home_filetrans_ppp_home',` +- gen_require(` +- type ppp_home_t; +- ') ++ gen_require(` ++ type ppp_home_t; ++ ') + +- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) ++ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) + ') + + ######################################## +@@ -128,7 +109,7 @@ interface(`ppp_use_fds',` + ######################################## + ## + ## Do not audit attempts to inherit +-## and use ppp file discriptors. ++## and use PPP file discriptors. + ## + ## + ## +@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',` + + ######################################## + ## +-## Send child terminated signals to ppp. ++## Send a SIGCHLD signal to PPP. + ## + ## + ## +@@ -165,7 +146,7 @@ interface(`ppp_sigchld',` + + ######################################## + ## +-## Send kill signals to ppp. ++## Send ppp a kill signal + ## + ## + ## +@@ -173,7 +154,6 @@ interface(`ppp_sigchld',` ## ## # 
@@ -49515,57 +53197,205 @@ index de4bdb7..a4cad0b 100644 interface(`ppp_kill',` gen_require(` type pppd_t; -@@ -176,11 +175,18 @@ interface(`ppp_run_cond',` - # - interface(`ppp_run',` - gen_require(` -- attribute_role pppd_roles; -+ #attribute_role pppd_roles; -+ type pppd_t; +@@ -184,7 +164,7 @@ interface(`ppp_kill',` + + ######################################## + ## +-## Send generic signals to ppp. ++## Send a generic signal to PPP. + ## + ## + ## +@@ -202,7 +182,7 @@ interface(`ppp_signal',` + + ######################################## + ## +-## Send null signals to ppp. ++## Send a generic signull to PPP. + ## + ## + ## +@@ -220,7 +200,7 @@ interface(`ppp_signull',` + + ######################################## + ## +-## Execute pppd in the pppd domain. ++## Execute domain in the ppp domain. + ## + ## + ## +@@ -239,8 +219,7 @@ interface(`ppp_domtrans',` + + ######################################## + ## +-## Conditionally execute pppd on +-## behalf of a user or staff type. ++## Conditionally execute ppp daemon on behalf of a user or staff type. + ## + ## + ## +@@ -249,7 +228,7 @@ interface(`ppp_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the ppp domain. + ## + ## + ## +@@ -268,8 +247,7 @@ interface(`ppp_run_cond',` + + ######################################## + ## +-## Unconditionally execute ppp daemon +-## on behalf of a user or staff type. ++## Unconditionally execute ppp daemon on behalf of a user or staff type. + ## + ## + ## +@@ -278,7 +256,7 @@ interface(`ppp_run_cond',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the ppp domain. + ## + ## + ## +@@ -294,7 +272,7 @@ interface(`ppp_run',` + + ######################################## + ## +-## Execute domain in the caller domain. ++## Execute domain in the ppp caller. 
+ ## + ## + ## +@@ -326,13 +304,13 @@ interface(`ppp_read_config',` + type pppd_etc_t; ') -- ppp_domtrans($1) -- roleattribute $2 pppd_roles; -+ #ppp_domtrans($1) -+ #roleattribute $2 pppd_roles; -+ -+ role $2 types pppd_t; -+ -+ tunable_policy(`pppd_for_user',` -+ ppp_domtrans($1) -+ ') +- files_search_etc($1) + read_files_pattern($1, pppd_etc_t, pppd_etc_t) ++ files_search_etc($1) ') ######################################## -@@ -276,7 +282,8 @@ interface(`ppp_read_pid_files',` - type pppd_var_run_t; + ## +-## Read ppp writable configuration content. ++## Read PPP-writable configuration files. + ## + ## + ## +@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',` + type pppd_etc_t, pppd_etc_rw_t; + ') + +- files_search_etc($1) +- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; ++ allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_etc_rw_t:file read_file_perms; +- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read ppp secret files. ++## Read PPP secrets. + ## + ## + ## +@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',` + type pppd_etc_t, pppd_secret_t; + ') + +- files_search_etc($1) + allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_secret_t:file read_file_perms; +- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; ++ files_search_etc($1) + ') + + ######################################## + ## +-## Read ppp pid files. ++## Read PPP pid files. + ## + ## + ## +@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',` ') + files_search_pids($1) - allow $1 pppd_var_run_t:file read_file_perms; -+ files_search_pids($1) + read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) ') ######################################## -@@ -294,6 +301,7 @@ interface(`ppp_manage_pid_files',` + ## +-## Create, read, write, and delete +-## ppp pid files. ++## Create, read, write, and delete PPP pid files. 
+ ## + ## + ## +@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',` + + ######################################## + ## +-## Create specified pppd pid objects +-## with a type transition. ++## Create, read, write, and delete PPP pid files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # + interface(`ppp_pid_filetrans',` + gen_require(` type pppd_var_run_t; ') -+ files_search_pids($1) - allow $1 pppd_var_run_t:file manage_file_perms; +- files_pid_filetrans($1, pppd_var_run_t, $2, $3) ++ files_pid_filetrans($1, pppd_var_run_t, file) ') -@@ -335,6 +343,29 @@ interface(`ppp_initrc_domtrans',` + ######################################## + ## +-## Execute pppd init script in +-## the initrc domain. ++## Execute ppp server in the ntpd domain. + ## + ## + ## +@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',` ######################################## ## +-## All of the rules required to +-## administrate an ppp environment. +## Execute pppd server in the pppd domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`ppp_systemctl',` + gen_require(` @@ -49582,11 +53412,13 @@ index de4bdb7..a4cad0b 100644 + +######################################## +## - ## All of the rules required to administrate - ## an ppp environment - ## -@@ -343,20 +374,31 @@ interface(`ppp_initrc_domtrans',` - ## Domain allowed access. ++## All of the rules required to administrate ++## an ppp environment ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. ## ## +## 
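Review bot: On the new side of the inner `@@ -413,37 +388,25 @@` hunk, `ppp_pid_filetrans` gets the summary `Create, read, write, and delete PPP pid files.`, a copy of the `ppp_manage_pid_files` summary that no longer describes a type-transition interface; with the body now `files_pid_filetrans($1, pppd_var_run_t, file)` it should read `## Create pppd pid files with a type transition.` The `ppp_initrc_domtrans` summary on the new side reads `Execute ppp server in the ntpd domain.`, a copy-paste error for upstream's `## Execute pppd init script in the initrc domain.` The summary added for `ppp_systemctl`, `Execute pppd server in the pppd domain.` with parameter text `Domain allowed to transition.`, describes `ppp_domtrans` rather than a systemctl helper; judging by the name and its use next to `pppd_unit_file_t` in `ppp_admin`, something like `## Execute systemctl in the caller domain to manage the pppd service.` and `## Domain allowed access.` fits better, though the interface body lies past the hunk boundary and should be checked. Dropping the `$2, $3` arguments also changes `ppp_pid_filetrans`'s arity, so any caller still passing a class and name (none is visible here) would need updating. Further up, `ppp_read_rw_config` and `ppp_read_secrets` lose their `lnk_file read_lnk_file_perms` rules on the new side, so callers that follow symlinks under /etc/ppp would start seeing denials unless that is intended.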
@@ -49599,120 +53431,173 @@ index de4bdb7..a4cad0b 100644 interface(`ppp_admin',` gen_require(` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; -- type pppd_etc_t, pppd_secret_t; -- type pppd_etc_rw_t, pppd_var_run_t; -- +- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; +- type pppd_var_run_t, pppd_initrc_exec_t; + type pppd_etc_t, pppd_secret_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; -- type pppd_initrc_exec_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; + type pppd_unit_file_t; - ') - -- allow $1 pppd_t:process { ptrace signal_perms getattr }; ++ ') ++ + allow $1 pppd_t:process signal_perms; - ps_process_pattern($1, pppd_t) ++ ps_process_pattern($1, pppd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 pppd_t:process ptrace; + allow $1 pptp_t:process ptrace; -+ ') -+ + ') + +- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { pptp_t pppd_t }) + allow $1 pptp_t:process signal_perms; + ps_process_pattern($1, pptp_t) ppp_initrc_domtrans($1) domain_system_change_exemption($1) -@@ -369,6 +411,7 @@ interface(`ppp_admin',` +@@ -496,14 +490,26 @@ interface(`ppp_admin',` + admin_pattern($1, pppd_tmp_t) + logging_list_logs($1) - admin_pattern($1, pppd_log_t) +- admin_pattern($1, { pptp_log_t pppd_log_t }) ++ admin_pattern($1, pppd_log_t) -+ files_list_locks($1) + files_list_locks($1) admin_pattern($1, pppd_lock_t) files_list_etc($1) -@@ -381,10 +424,11 @@ interface(`ppp_admin',` - files_list_pids($1) - admin_pattern($1, pppd_var_run_t) - -- allow $1 pptp_t:process { ptrace signal_perms getattr }; -- ps_process_pattern($1, pptp_t) -- - admin_pattern($1, pptp_log_t) +- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) ++ admin_pattern($1, pppd_etc_t) ++ ++ admin_pattern($1, pppd_etc_rw_t) ++ ++ admin_pattern($1, pppd_secret_t) - admin_pattern($1, pptp_var_run_t) + files_list_pids($1) +- admin_pattern($1, { pptp_var_run_t pppd_var_run_t }) ++ admin_pattern($1, pppd_var_run_t) ++ ++ admin_pattern($1, 
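Review bot: The new side replaces upstream's parameter text `Role allowed access.` with `Domain allowed access.` in the `ppp_admin` header; if `ppp_admin` still takes a role as `$2` (its body starts in the next hunk, so this is inferred), that mislabels the parameter and the original wording should stay. The added summary `an ppp environment` should read `a ppp environment`.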
pptp_log_t) ++ ++ admin_pattern($1, pptp_var_run_t) + + ppp_systemctl($1) + admin_pattern($1, pppd_unit_file_t) + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..5a550bb 100644 +index b2b5dba..2a04cb0 100644 --- a/ppp.te +++ b/ppp.te -@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) +@@ -1,4 +1,4 @@ +-policy_module(ppp, 1.13.5) ++policy_module(ppp, 1.13.0) + + ######################################## + # +@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5) + # + + ## +-##

    +-## Determine whether pppd can +-## load kernel modules. +-##

    ++##

    ++## Allow pppd to load kernel modules for certain modems ++##

    + ##
    + gen_tunable(pppd_can_insmod, false) + + ## +-##

    +-## Determine whether common users can +-## run pppd with a domain transition. +-##

    ++##

    ++## Allow pppd to be run for a regular user ++##

    ##
    gen_tunable(pppd_for_user, false) --attribute_role pppd_roles; -+#attribute_role pppd_roles; + attribute_role pppd_roles; +-attribute_role pptp_roles; - # pppd_t is the domain for the pppd program. - # pppd_exec_t is the type of the pppd executable. ++# pppd_t is the domain for the pppd program. ++# pppd_exec_t is the type of the pppd executable. type pppd_t; type pppd_exec_t; init_daemon_domain(pppd_t, pppd_exec_t) --role pppd_roles types pppd_t; -+#role pppd_roles types pppd_t; + role pppd_roles types pppd_t; +role system_r types pppd_t; type pppd_devpts_t; term_pty(pppd_devpts_t) -@@ -42,6 +43,9 @@ files_type(pppd_etc_rw_t) + ++# Define a separate type for /etc/ppp + type pppd_etc_t; + files_config_file(pppd_etc_t) + ++# Define a separate type for writable files under /etc/ppp + type pppd_etc_rw_t; + files_type(pppd_etc_rw_t) + type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) +type pppd_unit_file_t; +systemd_unit_file(pppd_unit_file_t) + - # pppd_secret_t is the type of the pap and chap password files ++# pppd_secret_t is the type of the pap and chap password files type pppd_secret_t; files_type(pppd_secret_t) -@@ -61,7 +65,8 @@ files_pid_file(pppd_var_run_t) + +@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t) type pptp_t; type pptp_exec_t; init_daemon_domain(pptp_t, pptp_exec_t) --role pppd_roles types pptp_t; +-role pptp_roles types pptp_t; +#role pppd_roles types pptp_t; +role system_r types pptp_t; type pptp_log_t; logging_log_file(pptp_log_t) -@@ -74,9 +79,9 @@ files_pid_file(pptp_var_run_t) - # PPPD Local policy +@@ -67,12 +74,9 @@ logging_log_file(pptp_log_t) + type pptp_var_run_t; + files_pid_file(pptp_var_run_t) + +-type ppp_home_t; +-userdom_user_home_content(ppp_home_t) +- + ######################################## + # +-# PPPD local policy ++# PPPD Local policy # --allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; -+allow pppd_t self:capability { kill net_admin 
setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; - dontaudit pppd_t self:capability sys_tty_config; --allow pppd_t self:process { getsched signal }; -+allow pppd_t self:process { getsched setsched signal }; + allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +@@ -80,41 +84,47 @@ dontaudit pppd_t self:capability sys_tty_config; + allow pppd_t self:process { getsched setsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; - allow pppd_t self:unix_dgram_socket create_socket_perms; -@@ -88,28 +93,29 @@ allow pppd_t self:packet_socket create_socket_perms; +-allow pppd_t self:netlink_route_socket nlmsg_write; +-allow pppd_t self:tcp_socket { accept listen }; ++allow pppd_t self:unix_dgram_socket create_socket_perms; ++allow pppd_t self:unix_stream_socket create_socket_perms; ++allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; ++allow pppd_t self:tcp_socket create_stream_socket_perms; ++allow pppd_t self:udp_socket { connect connected_socket_perms }; + allow pppd_t self:packet_socket create_socket_perms; - domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) - --allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr }; -+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) ++ + allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; allow pppd_t pppd_etc_t:dir rw_dir_perms; - allow pppd_t pppd_etc_t:file read_file_perms; --allow pppd_t pppd_etc_t:lnk_file { getattr read }; -+allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; +-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms; ++allow pppd_t pppd_etc_t:file read_file_perms; + allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) - # Automatically label newly created files under /etc/ppp with 
this type ++# Automatically label newly created files under /etc/ppp with this type filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) -allow pppd_t pppd_lock_t:file manage_file_perms; @@ -49720,22 +53605,39 @@ index bcbf9ac..5a550bb 100644 +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) +files_search_locks(pppd_t) --allow pppd_t pppd_log_t:file manage_file_perms; +-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) logging_log_filetrans(pppd_t, pppd_log_t, file) manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) - files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) +-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file}) ++files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) -+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) + manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) --files_pid_filetrans(pppd_t, pppd_var_run_t, file) -+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) + files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) +-can_exec(pppd_t, pppd_exec_t) +- +-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) +- allow pppd_t pptp_t:process signal; -@@ -130,7 +136,6 @@ dev_search_sysfs(pppd_t) ++# for SSP ++# Access secret files + allow pppd_t pppd_secret_t:file read_file_perms; + ++ppp_initrc_domtrans(pppd_t) ++ + kernel_read_kernel_sysctls(pppd_t) + kernel_read_system_state(pppd_t) + kernel_rw_net_sysctls(pppd_t) +@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t) + kernel_request_load_module(pppd_t) + + dev_read_urand(pppd_t) ++dev_search_sysfs(pppd_t) dev_read_sysfs(pppd_t) dev_rw_modem(pppd_t) 
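Review bot: The new side of the inner `@@ -67,12 +74,9 @@` hunk in ppp.te removes `type ppp_home_t;` and `userdom_user_home_content(ppp_home_t)` and drops `ppp_home_t` from the `pppd_t` read rule, yet the ppp.if interfaces `ppp_manage_home_files`, `ppp_read_home_files`, `ppp_relabel_home_files` and `ppp_home_filetrans_ppp_home` earlier in this patch still `gen_require` `type ppp_home_t;`, so unless the type is declared elsewhere in the Fedora tree any module calling those interfaces will fail to build. Either keep the two declaration lines in ppp.te or remove the four interfaces together. The same hunk also lowers the module version from upstream's `policy_module(ppp, 1.13.5)` to `1.13.0`; if that is a merge artefact it is worth restoring, since it makes the Fedora module look older than the upstream one it patches.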
@@ -49743,36 +53645,56 @@ index bcbf9ac..5a550bb 100644 corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t) -@@ -147,10 +152,12 @@ fs_getattr_all_fs(pppd_t) - fs_search_auto_mountpoints(pppd_t) +@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t) + corenet_udp_sendrecv_generic_node(pppd_t) + corenet_tcp_sendrecv_all_ports(pppd_t) + corenet_udp_sendrecv_all_ports(pppd_t) +- ++# Access /dev/ppp. + corenet_rw_ppp_dev(pppd_t) - term_use_unallocated_ttys(pppd_t) ++fs_getattr_all_fs(pppd_t) ++fs_search_auto_mountpoints(pppd_t) ++ ++term_use_unallocated_ttys(pppd_t) +term_use_usb_ttys(pppd_t) - term_setattr_unallocated_ttys(pppd_t) - term_ioctl_generic_ptys(pppd_t) - # for pppoe - term_create_pty(pppd_t, pppd_devpts_t) ++term_setattr_unallocated_ttys(pppd_t) ++term_ioctl_generic_ptys(pppd_t) ++# for pppoe ++term_create_pty(pppd_t, pppd_devpts_t) +term_use_generic_ptys(pppd_t) - - # allow running ip-up and ip-down scripts and running chat. ++ ++# allow running ip-up and ip-down scripts and running chat. 
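Review bot: On the new side of this hunk the Fedora patch deletes upstream's `allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };` and keeps `manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)`, which additionally grants write, unlink and rename on the daemon's own log files; the same widening is made for `pptp_t` on `pptp_log_t` in the `@@ -49810,33 +53724,60 @@` hunk. Unless pppd actually truncates or deletes its logs, upstream's append/create/setattr set is the safer choice, since it keeps a compromised daemon from erasing its own connection history. The comment pair `# for SSP` / `# Access secret files` is placed above `allow pppd_t pppd_secret_t:file read_file_perms;`, but `# for SSP` conventionally annotates `dev_read_urand(pppd_t)` (further down in this hunk), so it should move there or be dropped. `ppp_initrc_domtrans(pppd_t)` is added without a comment explaining why the daemon needs its own init-script transition; one line stating the reason would help the next reviewer.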
corecmd_exec_bin(pppd_t) -@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t) + corecmd_exec_shell(pppd_t) + +@@ -146,37 +168,32 @@ domain_use_interactive_fds(pppd_t) files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) +files_read_usr_files(pppd_t) - # for scripts --files_read_etc_files(pppd_t) +-fs_getattr_all_fs(pppd_t) +-fs_search_auto_mountpoints(pppd_t) ++# for scripts +-term_use_unallocated_ttys(pppd_t) +-term_setattr_unallocated_ttys(pppd_t) +-term_ioctl_generic_ptys(pppd_t) +-term_create_pty(pppd_t, pppd_devpts_t) +-term_use_generic_ptys(pppd_t) +- +-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) init_read_utmp(pppd_t) +-init_signal_script(pppd_t) init_dontaudit_write_utmp(pppd_t) - init_signal_script(pppd_t) ++init_signal_script(pppd_t) +-auth_run_chk_passwd(pppd_t, pppd_roles) auth_use_nsswitch(pppd_t) +auth_domtrans_chk_passwd(pppd_t) +#auth_run_chk_passwd(pppd_t,pppd_roles) -+auth_write_login_records(pppd_t) + auth_write_login_records(pppd_t) logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) @@ -49788,20 +53710,12 @@ index bcbf9ac..5a550bb 100644 userdom_dontaudit_use_unpriv_user_fds(pppd_t) userdom_search_user_home_dirs(pppd_t) +userdom_search_admin_dir(pppd_t) - - ppp_exec(pppd_t) ++ ++ppp_exec(pppd_t) optional_policy(` -- ddclient_run(pppd_t, pppd_roles) -+ #ddclient_run(pppd_t, pppd_roles) -+ ddclient_domtrans(pppd_t) -+') -+ -+optional_policy(` -+ l2tpd_dgram_send(pppd_t) -+ l2tpd_rw_socket(pppd_t) -+ l2tpd_stream_connect(pppd_t) - ') + ddclient_run(pppd_t, pppd_roles) +@@ -190,7 +207,7 @@ optional_policy(` optional_policy(` tunable_policy(`pppd_can_insmod',` 
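Review bot: The new side replaces `auth_run_chk_passwd(pppd_t, pppd_roles)` with `auth_domtrans_chk_passwd(pppd_t)` but keeps the old call as the commented-out line `#auth_run_chk_passwd(pppd_t,pppd_roles)`; commented-out policy should be deleted, and the reason for the change is better recorded as `# pppd now runs in system_r (see role line above); no role grant needed for chkpwd` next to the domtrans call, if that is indeed the rationale. `attribute_role pppd_roles;` stays declared on the new side and is still used by `ddclient_run(pppd_t, pppd_roles)` in the next hunk, so it cannot go yet. The `# for scripts` comment on the new side appears to be left with no rule directly beneath it after the surrounding removals; it should follow the rule it annotates or be dropped.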
@@ -49810,33 +53724,60 @@ index bcbf9ac..5a550bb 100644 ') ') - optional_policy(` - mta_send_mail(pppd_t) -+ mta_system_content(pppd_etc_t) -+ mta_system_content(pppd_etc_rw_t) - ') +@@ -218,16 +235,19 @@ optional_policy(` - optional_policy(` -@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms; - allow pptp_t pptp_log_t:file manage_file_perms; + ######################################## + # +-# PPTP local policy ++# PPTP Local policy + # + + allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; + dontaudit pptp_t self:capability sys_tty_config; + allow pptp_t self:process signal; + allow pptp_t self:fifo_file rw_fifo_file_perms; +-allow pptp_t self:unix_stream_socket { accept connectto listen }; ++allow pptp_t self:unix_dgram_socket create_socket_perms; ++allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow pptp_t self:rawip_socket create_socket_perms; +-allow pptp_t self:netlink_route_socket nlmsg_write; ++allow pptp_t self:tcp_socket create_socket_perms; ++allow pptp_t self:udp_socket create_socket_perms; ++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; + + allow pptp_t pppd_etc_t:dir list_dir_perms; + allow pptp_t pppd_etc_t:file read_file_perms; +@@ -236,45 +256,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; + allow pptp_t pppd_etc_rw_t:dir list_dir_perms; + allow pptp_t pppd_etc_rw_t:file read_file_perms; + allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; ++can_exec(pptp_t, pppd_etc_rw_t) + ++# Allow pptp to append to pppd log files + allow pptp_t pppd_log_t:file append_file_perms; + +-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) +manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_sock_files_pattern(pptp_t, pptp_var_run_t, 
pptp_var_run_t) -files_pid_filetrans(pptp_t, pptp_var_run_t, file) +- +-can_exec(pptp_t, pppd_etc_rw_t) +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) - kernel_list_proc(pptp_t) ++kernel_list_proc(pptp_t) +kernel_signal(pptp_t) kernel_read_kernel_sysctls(pptp_t) -+kernel_read_network_state(pptp_t) - kernel_read_proc_symlinks(pptp_t) + kernel_read_network_state(pptp_t) ++kernel_read_proc_symlinks(pptp_t) kernel_read_system_state(pptp_t) -+kernel_signal(pptp_t) - - dev_read_sysfs(pptp_t) + kernel_signal(pptp_t) ++dev_read_sysfs(pptp_t) ++ corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -49844,17 +53785,33 @@ index bcbf9ac..5a550bb 100644 corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_generic_if(pptp_t) corenet_raw_sendrecv_generic_if(pptp_t) -@@ -272,8 +293,7 @@ corenet_tcp_bind_generic_node(pptp_t) + corenet_tcp_sendrecv_generic_node(pptp_t) + corenet_raw_sendrecv_generic_node(pptp_t) + corenet_tcp_sendrecv_all_ports(pptp_t) +- +-corenet_tcp_connect_all_reserved_ports(pptp_t) ++corenet_tcp_bind_generic_node(pptp_t) corenet_tcp_connect_generic_port(pptp_t) - corenet_tcp_connect_all_reserved_ports(pptp_t) ++corenet_tcp_connect_all_reserved_ports(pptp_t) corenet_sendrecv_generic_client_packets(pptp_t) - --files_read_etc_files(pptp_t) -+corenet_tcp_connect_pptp_port(pptp_t) +-corenet_sendrecv_pptp_client_packets(pptp_t) + corenet_tcp_connect_pptp_port(pptp_t) +-dev_read_sysfs(pptp_t) +- +-domain_use_interactive_fds(pptp_t) +- fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t) + +@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t) + term_search_ptys(pptp_t) + term_use_ptmx(pptp_t) + ++domain_use_interactive_fds(pptp_t) ++ + auth_use_nsswitch(pptp_t) logging_send_syslog_msg(pptp_t) @@ -49864,23 +53821,146 @@ index bcbf9ac..5a550bb 100644 userdom_dontaudit_use_unpriv_user_fds(pptp_t) 
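Review bot: `kernel_signal(pptp_t)` appears twice on the new side of the inner `@@ -236,45 +256,44 @@` hunk, once added by the Fedora patch right after `kernel_list_proc(pptp_t)` and once as upstream context after `kernel_read_system_state(pptp_t)`. The duplicate compiles, but one of the two lines should be removed so the block reads as intended.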
diff --git a/prelink.fc b/prelink.fc -index ec0e76a..62af9a4 100644 +index a90d623..62af9a4 100644 --- a/prelink.fc +++ b/prelink.fc -@@ -4,7 +4,7 @@ +@@ -1,11 +1,11 @@ + /etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) + +-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) ++/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) --/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) +-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) +-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) +/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) - /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) ++/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) ++/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/prelink.if b/prelink.if -index 93ec175..e6605c1 100644 +index 20d4697..e6605c1 100644 --- a/prelink.if 
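Review bot: The new side still drops `corenet_sendrecv_pptp_client_packets(pptp_t)` (the inner `-` line after `corenet_sendrecv_generic_client_packets(pptp_t)`) while keeping `corenet_tcp_connect_pptp_port(pptp_t)`; on a system that labels packets with SECMARK, pptp_t would then be allowed to connect to the pptp port but denied send/recv on the pptp client packet type, which is an odd combination. The removal is not new to this commit, but since the hunk rewrites the surrounding corenet block it is a good moment to restore the call or to add `# pptp client packets are not labeled here; generic client packet rule suffices` above the generic rule if that is the intent.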
+++ b/prelink.if -@@ -202,3 +202,21 @@ interface(`prelink_relabel_lib',` +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Execute prelink in the prelink domain. ++## Execute the prelink program in the prelink domain. + ## + ## + ## +@@ -18,15 +18,15 @@ interface(`prelink_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) + +- ifdef(`hide_broken_symptoms',` ++ ifdef(`hide_broken_symptoms', ` + dontaudit prelink_t $1:socket_class_set { read write }; +- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; ++ dontaudit prelink_t $1:fifo_file setattr; + ') + ') + + ######################################## + ## +-## Execute prelink in the caller domain. ++## Execute the prelink program in the current domain. + ## + ## + ## +@@ -45,9 +45,7 @@ interface(`prelink_exec',` + + ######################################## + ## +-## Execute prelink in the prelink +-## domain, and allow the specified role +-## the prelink domain. ++## Execute the prelink program in the prelink domain. + ## + ## + ## +@@ -56,18 +54,18 @@ interface(`prelink_exec',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the prelink domain. + ## + ## + ## + # + interface(`prelink_run',` + gen_require(` +- attribute_role prelink_roles; ++ type prelink_t; + ') + + prelink_domtrans($1) +- roleattribute $2 prelink_roles; ++ role $2 types prelink_t; + ') + + ######################################## +@@ -80,6 +78,7 @@ interface(`prelink_run',` + ## + ## + # ++# cjp: added for misc non-entrypoint objects + interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; +@@ -90,7 +89,7 @@ interface(`prelink_object_file',` + + ######################################## + ## +-## Read prelink cache files. ++## Read the prelink cache. + ## + ## + ## +@@ -109,7 +108,7 @@ interface(`prelink_read_cache',` + + ######################################## + ## +-## Delete prelink cache files. ++## Delete the prelink cache. 
+ ## + ## + ## +@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',` + type prelink_cache_t; + ') + ++ allow $1 prelink_cache_t:file unlink; + files_rw_etc_dirs($1) +- allow $1 prelink_cache_t:file delete_file_perms; + ') + + ######################################## +@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',` + + ######################################## + ## +-## Relabel from prelink lib files. ++## Relabel from files in the /boot directory. + ## + ## + ## +@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',` + + ######################################## + ## +-## Relabel prelink lib files. ++## Relabel from files in the /boot directory. + ## + ## + ## +@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',` files_search_var_lib($1) relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') @@ -49903,118 +53983,194 @@ index 93ec175..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index af55369..9f1d1b5 100644 +index c0f047a..9f1d1b5 100644 --- a/prelink.te 
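Review bot: The new side changes the summaries of both `prelink_relabelfrom_lib` and `prelink_relabel_lib` to `Relabel from files in the /boot directory.`, but the rule they wrap operates on `prelink_var_lib_t` (context line `relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)` under `@@ -203,3 +202,21 @@`), not /boot, and `prelink_relabel_lib` relabels in both directions; upstream's `## Relabel from prelink lib files.` and `## Relabel prelink lib files.` were correct and should be restored. `prelink_delete_cache` on the new side grants `allow $1 prelink_cache_t:file unlink;` in place of `delete_file_perms`, which drops `getattr`; callers that stat the cache before removing it may hit denials, so `delete_file_perms` is the safer macro unless the narrowing is deliberate. The `prelink_run` summary on the new side also loses the sentence saying the role is granted the prelink domain, even though the body still does `role $2 types prelink_t;`.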
+++ b/prelink.te -@@ -18,6 +18,7 @@ type prelink_cron_system_t; - type prelink_cron_system_exec_t; - domain_type(prelink_cron_system_t) - domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) -+domain_obj_id_change_exemption(prelink_cron_system_t) - - type prelink_log_t; - logging_log_file(prelink_log_t) -@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t) - # Local policy +@@ -1,4 +1,4 @@ +-policy_module(prelink, 1.10.2) ++policy_module(prelink, 1.10.0) + + ######################################## # +@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2) --allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; -+allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; - allow prelink_t self:process { execheap execmem execstack signal }; - allow prelink_t self:fifo_file rw_fifo_file_perms; + attribute prelink_object; -@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +-attribute_role prelink_roles; +- + type prelink_t; + type prelink_exec_t; + init_system_domain(prelink_t, prelink_exec_t) + domain_obj_id_change_exemption(prelink_t) +-role prelink_roles types prelink_t; + + type prelink_cache_t; + files_type(prelink_cache_t) +@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms; + allow prelink_t prelink_cache_t:file manage_file_perms; + files_etc_filetrans(prelink_t, prelink_cache_t, file) + +-allow prelink_t prelink_log_t:dir setattr_dir_perms; ++allow prelink_t prelink_log_t:dir setattr; + create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) + logging_log_filetrans(prelink_t, prelink_log_t, file) + +-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; ++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; + 
files_tmp_filetrans(prelink_t, prelink_tmp_t, file) + +-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; ++allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; + fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) + + manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) +files_search_var_lib(prelink_t) - # prelink misc objects that are not system - # libraries or entrypoints --allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; +-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms }; ++# prelink misc objects that are not system ++# libraries or entrypoints +allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -75,25 +75,24 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) +dev_getattr_all_chr_files(prelink_t) +-files_getattr_all_files(prelink_t) files_list_all(prelink_t) - files_getattr_all_files(prelink_t) -@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t) - - fs_getattr_xattr_fs(prelink_t) - -+storage_getattr_fixed_disk_dev(prelink_t) +-files_manage_usr_files(prelink_t) +-files_manage_var_files(prelink_t) ++files_getattr_all_files(prelink_t) ++files_write_non_security_dirs(prelink_t) + files_read_etc_files(prelink_t) + files_read_etc_runtime_files(prelink_t) +-files_relabelfrom_usr_files(prelink_t) +-files_search_var_lib(prelink_t) +-files_write_non_security_dirs(prelink_t) + files_dontaudit_read_all_symlinks(prelink_t) 
++files_manage_usr_files(prelink_t) ++files_manage_var_files(prelink_t) ++files_relabelfrom_usr_files(prelink_t) + +-fs_getattr_all_fs(prelink_t) +-fs_search_auto_mountpoints(prelink_t) +- +-selinux_get_enforce_mode(prelink_t) ++fs_getattr_xattr_fs(prelink_t) + + storage_getattr_fixed_disk_dev(prelink_t) + ++selinux_get_enforce_mode(prelink_t) + - selinux_get_enforce_mode(prelink_t) - libs_exec_ld_so(prelink_t) -@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t) + libs_legacy_use_shared_libs(prelink_t) + libs_manage_ld_so(prelink_t) +@@ -102,32 +101,16 @@ libs_manage_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t) libs_delete_lib_symlinks(prelink_t) -miscfiles_read_localization(prelink_t) -userdom_use_user_terminals(prelink_t) +-userdom_manage_user_home_content_files(prelink_t) +-# pending +-# userdom_relabel_user_home_content_files(prelink_t) +-# userdom_execmod_user_home_content_files(prelink_t) +userdom_use_inherited_user_terminals(prelink_t) +userdom_manage_user_home_content(prelink_t) +userdom_relabel_user_home_files(prelink_t) +userdom_execmod_user_home_files(prelink_t) -+userdom_exec_user_home_content_files(prelink_t) -+ + userdom_exec_user_home_content_files(prelink_t) + +-ifdef(`hide_broken_symptoms',` +- miscfiles_read_man_pages(prelink_t) +- +- optional_policy(` +- dbus_read_config(prelink_t) +- ') +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files(prelink_t) +- fs_manage_nfs_files(prelink_t) +-') +systemd_read_unit_files(prelink_t) -+ + +-tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files(prelink_t) +- fs_manage_cifs_files(prelink_t) +-') +term_use_all_inherited_terms(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +121,15 @@ optional_policy(` +@@ -138,11 +121,12 @@ optional_policy(` ') optional_policy(` + gnome_dontaudit_read_config(prelink_t) -+ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) -+') -+ -+optional_policy(` + 
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) + ') + + optional_policy(` +- mozilla_manage_plugin_rw_files(prelink_t) + mozilla_plugin_manage_rw_files(prelink_t) -+') -+ -+optional_policy(` - rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +150,7 @@ optional_policy(` + optional_policy(` +@@ -155,17 +139,18 @@ optional_policy(` + + ######################################## + # +-# Cron system local policy ++# Prelink Cron system Policy + # + + optional_policy(` + allow prelink_cron_system_t self:capability setuid; + allow prelink_cron_system_t self:process { setsched setfscreate signal }; + allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; +- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; ++ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) - allow prelink_cron_system_t prelink_cache_t:file unlink; +- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms; ++ allow prelink_cron_system_t prelink_cache_t:file unlink; + files_delete_etc_dir_entry(prelink_cron_system_t) domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -144,21 +166,38 @@ optional_policy(` - corecmd_exec_bin(prelink_cron_system_t) - corecmd_exec_shell(prelink_cron_system_t) +@@ -174,7 +159,7 @@ optional_policy(` -+ dev_list_sysfs(prelink_cron_system_t) -+ dev_read_sysfs(prelink_cron_system_t) -+ - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) - files_read_etc_files(prelink_cron_system_t) - files_search_var_lib(prelink_cron_system_t) + manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) + files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) +- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms; ++ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; -+ 
fs_search_cgroup_dirs(prelink_cron_system_t) -+ -+ auth_use_nsswitch(prelink_cron_system_t) + kernel_read_system_state(prelink_cron_system_t) + +@@ -184,8 +169,11 @@ optional_policy(` + dev_list_sysfs(prelink_cron_system_t) + dev_read_sysfs(prelink_cron_system_t) + +- files_rw_etc_dirs(prelink_cron_system_t) + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) ++ files_read_etc_files(prelink_cron_system_t) ++ files_search_var_lib(prelink_cron_system_t) + -+ init_telinit(prelink_cron_system_t) - init_exec(prelink_cron_system_t) ++ fs_search_cgroup_dirs(prelink_cron_system_t) - libs_exec_ld_so(prelink_cron_system_t) + auth_use_nsswitch(prelink_cron_system_t) + +@@ -196,11 +184,20 @@ optional_policy(` logging_search_logs(prelink_cron_system_t) @@ -50036,78 +54192,169 @@ index af55369..9f1d1b5 100644 + dbus_read_config(prelink_t) + ') +') -diff --git a/prelude.fc b/prelude.fc -index 3bd847a..a52b025 100644 ---- a/prelude.fc -+++ b/prelude.fc -@@ -5,6 +5,7 @@ - - /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - -+/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) - /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) - /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) diff --git a/prelude.if b/prelude.if -index 2316653..f41a4f7 100644 +index c83a838..f41a4f7 100644 --- a/prelude.if 
+++ b/prelude.if -@@ -112,22 +112,24 @@ interface(`prelude_manage_spool',` +@@ -1,13 +1,13 @@ +-## Prelude hybrid intrusion detection system. ++## Prelude hybrid intrusion detection system + + ######################################## + ## + ## Execute a domain transition to run prelude. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans',` +@@ -15,19 +15,17 @@ interface(`prelude_domtrans',` + type prelude_t, prelude_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, prelude_exec_t, prelude_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run prelude audisp. ++## Execute a domain transition to run prelude_audisp. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`prelude_domtrans_audisp',` +@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',` + type prelude_audisp_t, prelude_audisp_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) + ') + + ######################################## + ## +-## Send generic signals to prelude audisp. ++## Signal the prelude_audisp domain. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed acccess. ++## + ## + # + interface(`prelude_signal_audisp',` +@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',` + + ######################################## + ## +-## Read prelude spool files. ++## Read the prelude spool files + ## + ## + ## +@@ -78,13 +75,12 @@ interface(`prelude_read_spool',` + + ######################################## + ## +-## Create, read, write, and delete +-## prelude manager spool files. ++## Manage to prelude-manager spool files. + ## + ## +-## ++## + ## Domain allowed access. 
+-## ++## + ## + # + interface(`prelude_manage_spool',` +@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',` + + ######################################## + ## +-## All of the rules required to +-## administrate an prelude environment. ++## All of the rules required to administrate ++## an prelude environment + ## + ## + ## +@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',` # interface(`prelude_admin',` gen_require(` -- type prelude_t, prelude_spool_t; -- type prelude_var_run_t, prelude_var_lib_t; +- type prelude_t, prelude_spool_t, prelude_lml_var_run_t; +- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t; - type prelude_audisp_t, prelude_audisp_var_run_t; -- type prelude_initrc_exec_t; -- -- type prelude_lml_t, prelude_lml_tmp_t; -- type prelude_lml_var_run_t; +- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t; + type prelude_t, prelude_spool_t, prelude_initrc_exec_t; + type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; + type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; + type prelude_lml_t; ') -- allow $1 prelude_t:process { ptrace signal_perms }; +- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }) + allow $1 prelude_t:process signal_perms; - ps_process_pattern($1, prelude_t) ++ ps_process_pattern($1, prelude_t) + tunable_policy(`deny_ptrace',`',` + allow $1 prelude_t:process ptrace; + allow $1 prelude_audisp_t:process ptrace; + allow $1 prelude_lml_t:process ptrace; + ') - -- allow $1 prelude_audisp_t:process { ptrace signal_perms }; ++ + allow $1 prelude_audisp_t:process signal_perms; - ps_process_pattern($1, prelude_audisp_t) - -- allow $1 prelude_lml_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prelude_audisp_t) ++ + allow $1 prelude_lml_t:process signal_perms; - ps_process_pattern($1, prelude_lml_t) ++ ps_process_pattern($1, 
prelude_lml_t) init_labeled_script_domtrans($1, prelude_initrc_exec_t) -@@ -135,10 +137,17 @@ interface(`prelude_admin',` + domain_system_change_exemption($1) role_transition $2 prelude_initrc_exec_t system_r; allow $2 system_r; +- files_search_spool($1) + files_list_spool($1) admin_pattern($1, prelude_spool_t) -+ + +- logging_search_logs($1) +- admin_pattern($1, prelude_log_t) +- +- files_search_var_lib($1) + files_list_var_lib($1) admin_pattern($1, prelude_var_lib_t) -+ + +- files_search_pids($1) +- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t }) + files_list_pids($1) - admin_pattern($1, prelude_var_run_t) - admin_pattern($1, prelude_audisp_var_run_t) -- admin_pattern($1, prelude_lml_tmp_t) - admin_pattern($1, prelude_lml_var_run_t) -+ ++ admin_pattern($1, prelude_var_run_t) ++ admin_pattern($1, prelude_audisp_var_run_t) ++ admin_pattern($1, prelude_lml_var_run_t) + +- files_search_tmp($1) + files_list_tmp($1) -+ admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index b1bc02c..a06f448 100644 +index db864df..6cff94f 100644 --- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -50119,7 +54366,7 @@ index b1bc02c..a06f448 100644 type prelude_log_t; logging_log_file(prelude_log_t) -@@ -82,7 +82,6 @@ kernel_read_sysctl(prelude_t) +@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t) corecmd_search_bin(prelude_t) 
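Review bot: The Fedora replacement body of prelude_admin on the new side drops two things the rebased upstream version (the `+-` lines directly above it) now carries: prelude_log_t is gone from gen_require together with the `logging_search_logs($1)` / `admin_pattern($1, prelude_log_t)` pair, and prelude_correlator_t is no longer part of the signal, ptrace and ps_process_pattern rules. As written, a role granted prelude_admin can manage spool, lib, pid and tmp content but not the prelude logs, and cannot signal or inspect the correlator daemon. If both omissions are deliberate, a one-line comment in the interface would keep the next rebase from silently re-adding them; otherwise `logging_list_logs($1)` with `admin_pattern($1, prelude_log_t)` and extending the process rules to prelude_correlator_t would restore parity. The prelink cron and prelude.fc parts of this hunk look like pure rebase noise.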
@@ -50127,24 +54374,16 @@ index b1bc02c..a06f448 100644 corenet_all_recvfrom_netlabel(prelude_t) corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) -@@ -95,7 +94,6 @@ corenet_tcp_connect_mysqld_port(prelude_t) - dev_read_rand(prelude_t) - dev_read_urand(prelude_t) - --files_read_etc_files(prelude_t) - files_read_etc_runtime_files(prelude_t) - files_read_usr_files(prelude_t) - files_search_tmp(prelude_t) -@@ -107,8 +105,6 @@ auth_use_nsswitch(prelude_t) +@@ -108,8 +107,6 @@ auth_use_nsswitch(prelude_t) logging_send_audit_msgs(prelude_t) logging_send_syslog_msg(prelude_t) -miscfiles_read_localization(prelude_t) - optional_policy(` - mysql_search_db(prelude_t) mysql_stream_connect(prelude_t) -@@ -143,7 +139,6 @@ kernel_read_system_state(prelude_audisp_t) + mysql_tcp_connect(prelude_t) +@@ -141,7 +138,6 @@ kernel_read_system_state(prelude_audisp_t) corecmd_search_bin(prelude_audisp_t) @@ -50152,12 +54391,13 @@ index b1bc02c..a06f448 100644 corenet_all_recvfrom_netlabel(prelude_audisp_t) corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) -@@ -156,14 +151,11 @@ dev_read_urand(prelude_audisp_t) - # Init script handling +@@ -155,15 +151,12 @@ dev_read_urand(prelude_audisp_t) + domain_use_interactive_fds(prelude_audisp_t) -files_read_etc_files(prelude_audisp_t) files_read_etc_runtime_files(prelude_audisp_t) + files_search_spool(prelude_audisp_t) files_search_tmp(prelude_audisp_t) logging_send_syslog_msg(prelude_audisp_t) @@ -50167,7 +54407,7 @@ index b1bc02c..a06f448 100644 sysnet_dns_name_resolve(prelude_audisp_t) ######################################## -@@ -183,7 +175,6 @@ kernel_read_sysctl(prelude_correlator_t) +@@ -184,7 +177,6 @@ kernel_read_sysctl(prelude_correlator_t) corecmd_search_bin(prelude_correlator_t) 
@@ -50175,7 +54415,7 @@ index b1bc02c..a06f448 100644 corenet_all_recvfrom_netlabel(prelude_correlator_t) corenet_tcp_sendrecv_generic_if(prelude_correlator_t) corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -@@ -192,14 +183,11 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t) +@@ -196,14 +188,11 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) dev_read_rand(prelude_correlator_t) dev_read_urand(prelude_correlator_t) 
@@ -50189,57 +54429,27 @@ index b1bc02c..a06f448 100644 - sysnet_dns_name_resolve(prelude_correlator_t) - prelude_manage_spool(prelude_correlator_t) -@@ -210,8 +198,8 @@ prelude_manage_spool(prelude_correlator_t) + ######################################## +@@ -212,6 +201,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) # allow prelude_lml_t self:capability dac_override; --allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; --allow prelude_lml_t self:unix_dgram_socket { write create connect }; +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; +allow prelude_lml_t self:unix_dgram_socket create_socket_perms; allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; -@@ -236,10 +224,10 @@ kernel_read_sysctl(prelude_lml_t) - - corecmd_exec_bin(prelude_lml_t) - -+corenet_all_recvfrom_netlabel(prelude_lml_t) - corenet_tcp_sendrecv_generic_if(prelude_lml_t) - corenet_tcp_sendrecv_generic_node(prelude_lml_t) - corenet_tcp_recvfrom_netlabel(prelude_lml_t) --corenet_tcp_recvfrom_unlabeled(prelude_lml_t) - corenet_sendrecv_unlabeled_packets(prelude_lml_t) - corenet_tcp_connect_prelude_port(prelude_lml_t) - -@@ -247,7 +235,6 @@ dev_read_rand(prelude_lml_t) - dev_read_urand(prelude_lml_t) - - files_list_etc(prelude_lml_t) --files_read_etc_files(prelude_lml_t) - files_read_etc_runtime_files(prelude_lml_t) - - fs_getattr_all_fs(prelude_lml_t) -@@ -262,8 +249,6 @@ libs_read_lib_files(prelude_lml_t) +@@ -262,8 +253,6 @@ libs_read_lib_files(prelude_lml_t) logging_send_syslog_msg(prelude_lml_t) logging_read_generic_logs(prelude_lml_t) -miscfiles_read_localization(prelude_lml_t) - - sysnet_dns_name_resolve(prelude_lml_t) - userdom_read_all_users_state(prelude_lml_t) -@@ -283,7 +268,6 @@ optional_policy(` - - can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) - -- files_read_etc_files(httpd_prewikka_script_t) - files_search_tmp(httpd_prewikka_script_t) - 
kernel_read_sysctl(httpd_prewikka_script_t) + optional_policy(` diff --git a/privoxy.if b/privoxy.if -index afd1751..5aff531 100644 +index bdcee30..34f3143 100644 --- a/privoxy.if +++ b/privoxy.if @@ -23,8 +23,11 @@ interface(`privoxy_admin',` @@ -50256,37 +54466,18 @@ index afd1751..5aff531 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te -index 2dbf4d4..daa7c93 100644 +index 85b1c9a..072d425 100644 --- a/privoxy.te +++ b/privoxy.te -@@ -46,10 +46,10 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) - manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) - files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) - --kernel_read_system_state(privoxy_t) - kernel_read_kernel_sysctls(privoxy_t) -+kernel_read_network_state(privoxy_t) -+kernel_read_system_state(privoxy_t) - --corenet_all_recvfrom_unlabeled(privoxy_t) - corenet_all_recvfrom_netlabel(privoxy_t) - corenet_tcp_sendrecv_generic_if(privoxy_t) - corenet_tcp_sendrecv_generic_node(privoxy_t) -@@ -62,6 +62,7 @@ corenet_tcp_connect_squid_port(privoxy_t) - corenet_tcp_connect_ftp_port(privoxy_t) - corenet_tcp_connect_pgpkeyserver_port(privoxy_t) +@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) corenet_tcp_connect_tor_port(privoxy_t) -+corenet_tcp_connect_tor_socks_port(privoxy_t) - corenet_sendrecv_http_cache_client_packets(privoxy_t) - corenet_sendrecv_squid_client_packets(privoxy_t) - corenet_sendrecv_http_cache_server_packets(privoxy_t) -@@ -76,18 +77,15 @@ fs_search_auto_mountpoints(privoxy_t) - - domain_use_interactive_fds(privoxy_t) + corenet_tcp_sendrecv_tor_port(privoxy_t) --files_read_etc_files(privoxy_t) ++ + dev_read_sysfs(privoxy_t) - auth_use_nsswitch(privoxy_t) + domain_use_interactive_fds(privoxy_t) +@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t) logging_send_syslog_msg(privoxy_t) 
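Review bot: `allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };`, carried on the new side of the prelude.te piece, lists setopt twice: refpolicy's create_socket_perms expands to `{ create rw_socket_perms }` and rw_socket_perms already contains setopt, so the explicit setopt adds nothing. Harmless, but `allow prelude_lml_t self:tcp_socket create_socket_perms;` says the same thing without suggesting an extra permission is being granted. The rest of the hunk only stops carrying prelude_lml and prewikka changes the old patch had, presumably because upstream now contains them.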
@@ -50294,153 +54485,347 @@ index 2dbf4d4..daa7c93 100644 - userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) - # cjp: this should really not be needed --userdom_use_user_terminals(privoxy_t) -+userdom_use_inherited_user_terminals(privoxy_t) - tunable_policy(`privoxy_connect_any',` - corenet_tcp_connect_all_ports(privoxy_t) diff --git a/procmail.fc b/procmail.fc -index 1343621..4b36a13 100644 +index bdff6c9..4b36a13 100644 --- a/procmail.fc +++ b/procmail.fc -@@ -1,3 +1,5 @@ +@@ -1,6 +1,7 @@ +-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) +-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/procmail.if b/procmail.if -index b64b02f..166e9c3 100644 +index 00edeab..166e9c3 100644 --- a/procmail.if 
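Review bot: The previous revision of this patch added `corenet_tcp_connect_tor_socks_port(privoxy_t)` to privoxy.te and the new side no longer carries it; the only change kept in the `@@ -85,6 +85,7 @@` piece is an added blank line, and the visible upstream context lists only corenet_tcp_connect_tor_port / corenet_tcp_sendrecv_tor_port. If 9050 is labeled tor_socks_port_t rather than tor_port_t in this tree, a privoxy forward-socks5 rule pointing at Tor will now be denied unless the privoxy_connect_any boolean is on. Worth confirming that upstream picked the socks rule up out of view before dropping it from the patch. The userdom_use_inherited_user_terminals substitution the old patch made for privoxy is likewise gone and deserves the same check.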
+++ b/procmail.if -@@ -77,3 +77,22 @@ interface(`procmail_rw_tmp_files',` +@@ -1,4 +1,4 @@ +-## Procmail mail delivery agent. ++## Procmail mail delivery agent + + ######################################## + ## +@@ -15,6 +15,7 @@ interface(`procmail_domtrans',` + type procmail_exec_t, procmail_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, procmail_exec_t, procmail_t) + ') +@@ -34,101 +35,33 @@ interface(`procmail_exec',` + type procmail_exec_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, procmail_exec_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## procmail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_manage_home_files',` +- gen_require(` +- type procmail_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Read procmail user home content files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_read_home_files',` +- gen_require(` +- type procmail_home_t; +- +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file read_file_perms; +-') +- +-######################################## +-## +-## Relabel procmail home files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`procmail_relabel_home_files',` +- gen_require(` +- type ppp_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 procmail_home_t:file relabel_file_perms; +-') +- +-######################################## +-## +-## Create objects in user home +-## directories with the procmail home type. ++## Read procmail tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`procmail_home_filetrans_procmail_home',` ++interface(`procmail_read_tmp_files',` + gen_require(` +- type procmail_home_t; ++ type procmail_tmp_t; + ') + +- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) ++ files_search_tmp($1) ++ allow $1 procmail_tmp_t:file read_file_perms; + ') + + ######################################## + ## +-## Read procmail tmp files. ++## Read/write procmail tmp files. + ## + ## + ## +@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',` + ## + ## + # +-interface(`procmail_read_tmp_files',` ++interface(`procmail_rw_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +- allow $1 procmail_tmp_t:file read_file_perms; ++ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') -+ -+######################################## -+## + + ######################################## + ## +-## Read and write procmail tmp files. +## Read procmail home directory content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',` + ## + ## + # +-interface(`procmail_rw_tmp_files',` +interface(`procmail_read_home_files',` -+ gen_require(` + gen_require(` +- type procmail_tmp_t; + type procmail_home_t; -+ ') -+ + ') + +- files_search_tmp($1) +- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) + userdom_search_user_home_dirs($1) + read_files_pattern($1, procmail_home_t, procmail_home_t) -+') + ') diff --git a/procmail.te b/procmail.te -index 29b9295..23625fc 100644 +index d447152..170ed82 100644 --- a/procmail.te 
+++ b/procmail.te -@@ -10,6 +10,9 @@ type procmail_exec_t; - application_domain(procmail_t, procmail_exec_t) - role system_r types procmail_t; - -+type procmail_home_t; -+userdom_user_home_content(procmail_home_t) -+ - type procmail_log_t; - logging_log_file(procmail_log_t) +@@ -1,4 +1,4 @@ +-policy_module(procmail, 1.12.2) ++policy_module(procmail, 1.12.0) -@@ -32,7 +35,7 @@ allow procmail_t self:udp_socket create_socket_perms; - can_exec(procmail_t, procmail_exec_t) + ######################################## + # +@@ -14,7 +14,7 @@ type procmail_home_t; + userdom_user_home_content(procmail_home_t) - # Write log to /var/log/procmail.log or /var/log/procmail/.* --allow procmail_t procmail_log_t:dir setattr; -+allow procmail_t procmail_log_t:dir setattr_dir_perms; + type procmail_log_t; +-logging_log_file(procmail_log_t) ++logging_log_file(procmail_log_t) + + type procmail_tmp_t; + files_tmp_file(procmail_tmp_t) +@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t) + allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; + allow procmail_t self:process { setsched signal signull }; + allow procmail_t self:fifo_file rw_fifo_file_perms; +-allow procmail_t self:tcp_socket { accept listen }; ++allow procmail_t self:unix_stream_socket create_socket_perms; ++allow procmail_t self:unix_dgram_socket create_socket_perms; ++allow procmail_t self:tcp_socket create_stream_socket_perms; ++allow procmail_t self:udp_socket create_socket_perms; + +-allow procmail_t procmail_home_t:file read_file_perms; ++can_exec(procmail_t, procmail_exec_t) + ++# Write log to /var/log/procmail.log or /var/log/procmail/.* + allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) - read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file) +@@ -40,56 +44,69 @@ 
logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) + allow procmail_t procmail_tmp_t:file manage_file_perms; + files_tmp_filetrans(procmail_t, procmail_tmp_t, file) + +-can_exec(procmail_t, procmail_exec_t) +- kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) -corenet_all_recvfrom_unlabeled(procmail_t) corenet_all_recvfrom_netlabel(procmail_t) corenet_tcp_sendrecv_generic_if(procmail_t) - corenet_udp_sendrecv_generic_if(procmail_t) -@@ -67,17 +69,23 @@ auth_use_nsswitch(procmail_t) ++corenet_udp_sendrecv_generic_if(procmail_t) + corenet_tcp_sendrecv_generic_node(procmail_t) +- +-corenet_sendrecv_spamd_client_packets(procmail_t) ++corenet_udp_sendrecv_generic_node(procmail_t) ++corenet_tcp_sendrecv_all_ports(procmail_t) ++corenet_udp_sendrecv_all_ports(procmail_t) ++corenet_udp_bind_generic_node(procmail_t) + corenet_tcp_connect_spamd_port(procmail_t) +-corenet_tcp_sendrecv_spamd_port(procmail_t) +- ++corenet_sendrecv_spamd_client_packets(procmail_t) + corenet_sendrecv_comsat_client_packets(procmail_t) +-corenet_tcp_connect_comsat_port(procmail_t) +-corenet_tcp_sendrecv_comsat_port(procmail_t) +- +-corecmd_exec_bin(procmail_t) +-corecmd_exec_shell(procmail_t) - corecmd_exec_bin(procmail_t) - corecmd_exec_shell(procmail_t) --corecmd_read_bin_symlinks(procmail_t) + dev_read_urand(procmail_t) --files_read_etc_files(procmail_t) +-fs_getattr_all_fs(procmail_t) ++fs_getattr_xattr_fs(procmail_t) + fs_search_auto_mountpoints(procmail_t) + fs_rw_anon_inodefs_files(procmail_t) + + auth_use_nsswitch(procmail_t) + ++corecmd_exec_bin(procmail_t) ++corecmd_exec_shell(procmail_t) ++ files_read_etc_runtime_files(procmail_t) - files_search_pids(procmail_t) - # for spamassasin ++files_search_pids(procmail_t) ++# for spamassasin files_read_usr_files(procmail_t) +-logging_send_syslog_msg(procmail_t) +application_exec_all(procmail_t) + +init_read_utmp(procmail_t) -+ - logging_send_syslog_msg(procmail_t) -+logging_append_all_logs(procmail_t) 
-miscfiles_read_localization(procmail_t) ++logging_send_syslog_msg(procmail_t) ++logging_append_all_logs(procmail_t) + +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) -+userdom_search_user_home_dirs(procmail_t) + userdom_search_user_home_dirs(procmail_t) +userdom_search_admin_dir(procmail_t) - # only works until we define a different type for maildir - userdom_manage_user_home_content_dirs(procmail_t) -@@ -87,8 +95,8 @@ userdom_manage_user_home_content_pipes(procmail_t) - userdom_manage_user_home_content_sockets(procmail_t) - userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) - --# Do not audit attempts to access /root. --userdom_dontaudit_search_user_home_dirs(procmail_t) -+# Execute user executables -+userdom_exec_user_bin_files(procmail_t) - - mta_manage_spool(procmail_t) - mta_read_queue(procmail_t) -@@ -97,21 +105,19 @@ ifdef(`hide_broken_symptoms',` - mta_dontaudit_rw_queue(procmail_t) - ') - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(procmail_t) - fs_manage_nfs_files(procmail_t) - fs_manage_nfs_symlinks(procmail_t) -+userdom_home_manager(procmail_t) +-') ++# only works until we define a different type for maildir ++userdom_manage_user_home_content_dirs(procmail_t) ++userdom_manage_user_home_content_files(procmail_t) ++userdom_manage_user_home_content_symlinks(procmail_t) ++userdom_manage_user_home_content_pipes(procmail_t) ++userdom_manage_user_home_content_sockets(procmail_t) ++userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) + -+optional_policy(` -+ clamav_domtrans_clamscan(procmail_t) -+ clamav_search_lib(procmail_t) - ') ++# Execute user executables ++userdom_exec_user_bin_files(procmail_t) ++ ++mta_manage_spool(procmail_t) ++mta_read_queue(procmail_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - 
fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) -+optional_policy(` -+ cyrus_stream_connect(procmail_t) ++ifdef(`hide_broken_symptoms',` ++ mta_dontaudit_rw_queue(procmail_t) + ') + ++userdom_home_manager(procmail_t) ++ + optional_policy(` + clamav_domtrans_clamscan(procmail_t) + clamav_search_lib(procmail_t) +@@ -100,12 +117,7 @@ optional_policy(` ') optional_policy(` -- clamav_domtrans_clamscan(procmail_t) -- clamav_search_lib(procmail_t) +- mta_manage_spool(procmail_t) +- mta_read_config(procmail_t) +- mta_read_queue(procmail_t) +- mta_manage_mail_home_rw_content(procmail_t) +- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") +- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") + gnome_manage_data(procmail_t) ') optional_policy(` -@@ -125,6 +131,11 @@ optional_policy(` +@@ -113,16 +125,17 @@ optional_policy(` + ') + + optional_policy(` +- nagios_search_spool(procmail_t) +-') +- +-optional_policy(` ++ # for a bug in the postfix local program + postfix_dontaudit_rw_local_tcp_sockets(procmail_t) + postfix_dontaudit_use_fds(procmail_t) postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) -+ postfix_rw_master_pipes(procmail_t) +- postfix_rw_master_pipes(procmail_t) ++ postfix_rw_inherited_master_pipes(procmail_t) +') + +optional_policy(` @@ -50448,36 +54833,41 @@ index 29b9295..23625fc 100644 ') optional_policy(` -@@ -134,6 +145,7 @@ optional_policy(` +@@ -131,6 +144,8 @@ optional_policy(` + ') optional_policy(` - mta_read_config(procmail_t) ++ mta_read_config(procmail_t) + mta_manage_home_rw(procmail_t) sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) diff --git a/psad.if b/psad.if -index bc329d1..20bb463 100644 +index d4dcf78..59ab964 100644 --- a/psad.if 
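Review bot: The new side adds `corenet_tcp_sendrecv_all_ports(procmail_t)`, `corenet_udp_sendrecv_all_ports(procmail_t)` and `corenet_udp_bind_generic_node(procmail_t)` to procmail.te with no comment, while the only connect rule left is `corenet_tcp_connect_spamd_port(procmail_t)` (the same inner hunk removes upstream's comsat connect and the port-specific sendrecv lines). sendrecv on every port type is broad for a local delivery agent whose network use here is spamc and comsat; a why-comment naming the denial that prompted it, or port-specific rules such as `corenet_tcp_sendrecv_spamd_port(procmail_t)` and `corenet_udp_sendrecv_comsat_port(procmail_t)` if those are what the AVCs showed, would be easier to audit on the next rebase. The move from postfix_rw_master_pipes to `postfix_rw_inherited_master_pipes(procmail_t)` further down is a sensible tightening.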
+++ b/psad.if -@@ -91,7 +91,6 @@ interface(`psad_manage_config',` +@@ -93,9 +93,8 @@ interface(`psad_manage_config',` + ') + files_search_etc($1) - manage_dirs_pattern($1, psad_etc_t, psad_etc_t) - manage_files_pattern($1, psad_etc_t, psad_etc_t) -- +- allow $1 psad_etc_t:dir manage_dir_perms; +- allow $1 psad_etc_t:file manage_file_perms; +- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms; ++ manage_dirs_pattern($1, psad_etc_t, psad_etc_t) ++ manage_files_pattern($1, psad_etc_t, psad_etc_t) ') ######################################## -@@ -115,7 +114,7 @@ interface(`psad_read_pid_files',` +@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',` ######################################## ## --## Read psad PID files. +-## Read and write psad pid files. +## Read and write psad PID files. ## ## ## -@@ -176,6 +175,45 @@ interface(`psad_append_log',` +@@ -179,6 +178,45 @@ interface(`psad_append_log',` ######################################## ## @@ -50523,16 +54913,7 @@ index bc329d1..20bb463 100644 ## Read and write psad fifo files. ## ## -@@ -186,7 +224,7 @@ interface(`psad_append_log',` - # - interface(`psad_rw_fifo_file',` - gen_require(` -- type psad_t; -+ type psad_t, psad_var_lib_t; - ') - - files_search_var_lib($1) -@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',` +@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',` ####################################### ## @@ -50556,10 +54937,10 @@ index bc329d1..20bb463 100644 + +####################################### +## - ## Read and write psad tmp files. + ## Read and write psad temporary files. ## ## -@@ -233,30 +291,33 @@ interface(`psad_rw_tmp_files',` +@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; 
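Review bot: The Fedora replacement for the body of psad_manage_config loses symlink handling: the upstream lines being removed (`+-`) grant psad_etc_t dir, file and `lnk_file manage_lnk_file_perms`, while the replacement is only `manage_dirs_pattern` plus `manage_files_pattern`. A caller that needs to create or remove symlinks under /etc/psad will now be denied. Adding `manage_lnk_files_pattern($1, psad_etc_t, psad_etc_t)` beside the other two keeps parity with upstream. The procmail.te tail at the top of this hunk only re-homes mta_read_config/mta_manage_home_rw into the sendmail optional block.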
@@ -50571,10 +54952,11 @@ index bc329d1..20bb463 100644 - allow $1 psad_t:process { ptrace signal_perms }; + allow $1 psad_t:process signal_perms; ps_process_pattern($1, psad_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 psad_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, psad_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 psad_initrc_exec_t system_r; @@ -50601,60 +54983,26 @@ index bc329d1..20bb463 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te -index d4000e0..7fbcae1 100644 +index 5427bb6..718c847 100644 --- a/psad.te 
+++ b/psad.te -@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) - - # config files - type psad_etc_t; --files_type(psad_etc_t) -+files_config_file(psad_etc_t) - - type psad_initrc_exec_t; - init_script_file(psad_initrc_exec_t) -@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t) - - allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; - dontaudit psad_t self:capability sys_tty_config; --allow psad_t self:process signull; -+allow psad_t self:process signal_perms; - allow psad_t self:fifo_file rw_fifo_file_perms; - allow psad_t self:rawip_socket create_socket_perms; - -@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) - logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) - - # pid file -+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) - manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) - manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) --files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file }) -+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) - - # tmp files - manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -@@ -73,7 +74,6 @@ kernel_read_net_sysctls(psad_t) - corecmd_exec_shell(psad_t) +@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t) corecmd_exec_bin(psad_t) + corecmd_exec_shell(psad_t) -corenet_all_recvfrom_unlabeled(psad_t) corenet_all_recvfrom_netlabel(psad_t) corenet_tcp_sendrecv_generic_if(psad_t) corenet_tcp_sendrecv_generic_node(psad_t) -@@ -85,22 +85,23 @@ corenet_sendrecv_whois_client_packets(psad_t) +@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t) dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) -+files_read_usr_files(psad_t) +-files_read_usr_files(psad_t) fs_getattr_all_fs(psad_t) - auth_use_nsswitch(psad_t) - --iptables_domtrans(psad_t) -- - logging_read_generic_logs(psad_t) +@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t) logging_read_syslog_config(psad_t) logging_send_syslog_msg(psad_t) 
@@ -50662,119 +55010,308 @@ index d4000e0..7fbcae1 100644 - sysnet_exec_ifconfig(psad_t) - optional_policy(` -+ iptables_domtrans(psad_t) -+') -+ -+optional_policy(` - mta_send_mail(psad_t) - mta_read_queue(psad_t) - ') -diff --git a/ptchown.if b/ptchown.if -index 96cc023..5919bbd 100644 ---- a/ptchown.if -+++ b/ptchown.if -@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',` - domtrans_pattern($1, ptchown_exec_t, ptchown_t) - ') - -+####################################### -+## -+## Execute ptchown in the caller domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ptchown_exec',` -+ gen_require(` -+ type ptchown_exec_t; -+ ') -+ -+ can_exec($1, ptchown_exec_t) -+') -+ - ######################################## - ## - ## Execute ptchown in the ptchown domain, and + optional_policy(` diff --git a/ptchown.te b/ptchown.te -index d90245a..546474f 100644 +index d67905e..d54cb62 100644 --- a/ptchown.te +++ b/ptchown.te -@@ -28,4 +28,4 @@ term_setattr_all_ptys(ptchown_t) +@@ -31,4 +31,4 @@ term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) diff --git a/pulseaudio.fc b/pulseaudio.fc -index 84f23dc..0e7d875 100644 +index 6864479..0e7d875 100644 --- a/pulseaudio.fc 
+++ b/pulseaudio.fc -@@ -1,5 +1,12 @@ --HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) -+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) - HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +@@ -1,9 +1,14 @@ + HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) ++HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) -+ + +-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) +/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) +-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) +-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) ++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index f40c64d..7015dce 100644 +index fa3dc8e..ec47fb6 100644 --- a/pulseaudio.if 
+++ b/pulseaudio.if -@@ -35,6 +35,9 @@ interface(`pulseaudio_role',` - allow pulseaudio_t $2:unix_stream_socket connectto; - allow $2 pulseaudio_t:unix_stream_socket connectto; +@@ -2,47 +2,44 @@ + + ######################################## + ## +-## Role access for pulseaudio. ++## Role access for pulseaudio + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role + ## + ## + # + interface(`pulseaudio_role',` + gen_require(` +- attribute pulseaudio_tmpfsfile; +- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; +- type pulseaudio_tmp_t; ++ type pulseaudio_t, pulseaudio_exec_t; ++ class dbus { acquire_svc send_msg }; + ') +- pulseaudio_run($2, $1) ++ role $1 types pulseaudio_t; + +- allow $2 pulseaudio_t:process { ptrace signal_perms }; +- ps_process_pattern($2, pulseaudio_t) ++ # Transition from the user domain to the derived domain. ++ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) + +- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; +- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; ++ ps_process_pattern($2, pulseaudio_t) + +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth") +- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie") ++ allow pulseaudio_t $2:process { signal signull }; ++ allow $2 pulseaudio_t:process { signal signull sigkill }; ++ ps_process_pattern(pulseaudio_t, $2) + +- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; ++ allow pulseaudio_t $2:unix_stream_socket connectto; ++ allow $2 pulseaudio_t:unix_stream_socket connectto; + +- allow $2 
pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; +- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) -+ - allow $2 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $2:dbus { acquire_svc send_msg }; + +- allow pulseaudio_t $2:unix_stream_socket connectto; ++ allow $2 pulseaudio_t:dbus send_msg; ++ allow pulseaudio_t $2:dbus { acquire_svc send_msg }; + ') + + ######################################## +@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',` + + ######################################## + ## +-## Execute pulseaudio in the pulseaudio +-## domain, and allow the specified role +-## the pulseaudio domain. ++## Execute pulseaudio in the pulseaudio domain, and ++## allow the specified role the pulseaudio domain. + ## + ## + ## +@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',` + # + interface(`pulseaudio_run',` + gen_require(` +- attribute_role pulseaudio_roles; ++ type pulseaudio_t; + ') + + pulseaudio_domtrans($1) +- roleattribute $2 pulseaudio_roles; ++ role $2 types pulseaudio_t; + ') + + ######################################## + ## +-## Execute pulseaudio in the caller domain. ++## Execute a pulseaudio in the current domain. + ## + ## + ## +@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',` + type pulseaudio_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, pulseaudio_exec_t) ') -@@ -151,12 +154,14 @@ interface(`pulseaudio_signull',` + + ######################################## + ## +-## Do not audit attempts to execute pulseaudio. ++## Do not audit to execute a pulseaudio. + ## + ## + ## +@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',` + + ######################################## + ## +-## Send null signals to pulseaudio. ++## Send signull signal to pulseaudio + ## processes. 
+ ## + ## +@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',` + + ##################################### + ## +-## Connect to pulseaudio with a unix +-## domain stream socket. ++## Connect to pulseaudio over a unix domain ++## stream socket. + ## + ## + ## +@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',` + # interface(`pulseaudio_stream_connect',` gen_require(` - type pulseaudio_t, pulseaudio_var_run_t; +- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; ++ type pulseaudio_t, pulseaudio_var_run_t; + type pulseaudio_home_t; ') files_search_pids($1) - allow $1 pulseaudio_t:process signull; - allow pulseaudio_t $1:process signull; - stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) +- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) ++ allow $1 pulseaudio_t:process signull; ++ allow pulseaudio_t $1:process signull; ++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) + stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t) ') ######################################## -@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',` +@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',` + + ######################################## + ## +-## Set attributes of pulseaudio home directories. ++## Set the attributes of the pulseaudio homedir. + ## +-## ++## + ## + ## Domain allowed access. + ## +@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',` + type pulseaudio_home_t; + ') + +- allow $1 pulseaudio_home_t:dir setattr_dir_perms; ++ allow $1 pulseaudio_home_t:dir setattr; + ') + + ######################################## + ## +-## Read pulseaudio home content. ++## Read pulseaudio homedir files. + ## +-## ++## + ## + ## Domain allowed access. 
+ ## + ## + # + interface(`pulseaudio_read_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.') +- pulseaudio_read_home($1) ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + ') + + ######################################## + ## +-## Read pulseaudio home content. ++## Read and write Pulse Audio files. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # +-interface(`pulseaudio_read_home',` ++interface(`pulseaudio_rw_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + ++ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs($1) +- allow $1 pulseaudio_home_t:dir list_dir_perms; +- allow $1 pulseaudio_home_t:file read_file_perms; +- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Read and write Pulse Audio files. ++## Create, read, write, and delete pulseaudio ++## home directory files. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # +-interface(`pulseaudio_rw_home_files',` ++interface(`pulseaudio_manage_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + userdom_search_user_home_dirs($1) - manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + pulseaudio_filetrans_home_content($1) -+ pulseaudio_filetrans_admin_home_content($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## pulseaudio home content. 
+## Create, read, write, and delete pulseaudio +## home directory symlinks. -+## + ## +-## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-interface(`pulseaudio_manage_home_files',` +- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') +- pulseaudio_manage_home($1) +interface(`pulseaudio_manage_home_symlinks',` + gen_require(` + type pulseaudio_home_t; 
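Review bot: `pulseaudio_role` now drops the user domain's ptrace on pulseaudio_t outright — upstream's `allow $2 pulseaudio_t:process { ptrace signal_perms };` becomes `allow $2 pulseaudio_t:process { signal signull sigkill };` — whereas `psad_admin` earlier in this same diff keeps ptrace behind the boolean with `tunable_policy(`deny_ptrace',`',` allow $1 psad_t:process ptrace; ')`. Dropping it is the tighter choice for a user role, but the inconsistency with the psad change makes the next rebase harder to reason about; either gate it the same way or say in the interface description that ptrace of the user's own pulseaudio is intentionally not granted. The same interface also gives the daemon `signal signull` back into the user domain and no longer grants the user domain direct management of pulseaudio_home_t, so callers that relied on the role for ~/.pulse access presumably need pulseaudio_manage_home_files or the pulseaudio_client attribute — worth confirming, since the description still just reads "Role access for pulseaudio". The pulseaudio.if changes continue in the next hunk.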
@@ -50782,49 +55319,93 @@ index f40c64d..7015dce 100644 + + userdom_search_user_home_dirs($1) + manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## pulseaudio home content. +## Create pulseaudio content in the user home directory +## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -291,62 +300,72 @@ interface(`pulseaudio_manage_home_files',` + ## + ## + # +-interface(`pulseaudio_manage_home',` +interface(`pulseaudio_filetrans_home_content',` -+ gen_require(` -+ type pulseaudio_home_t; -+ ') -+ + gen_require(` + type pulseaudio_home_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 pulseaudio_home_t:dir manage_dir_perms; +- allow $1 pulseaudio_home_t:file manage_file_perms; +- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") + gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the pulseaudio +-## home type. +## Create pulseaudio content in the admin home directory +## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`pulseaudio_home_filetrans_pulseaudio_home',` +interface(`pulseaudio_filetrans_admin_home_content',` -+ gen_require(` -+ type pulseaudio_home_t; -+ ') -+ + gen_require(` + type pulseaudio_home_t; + ') + +- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") + ') + +-######################################## ++####################################### + ## +-## Make the specified tmpfs file type +-## pulseaudio tmpfs content. ++## Make the specified tmpfs file type ++## pulseaudio tmpfs content. + ## + ## ++## ++## File type to make pulseaudio tmpfs content. ++## ++## ++# ++interface(`pulseaudio_tmpfs_content',` ++ gen_require(` ++ attribute pulseaudio_tmpfsfile; ++ ') ++ ++ typeattribute $1 pulseaudio_tmpfsfile; +') + +######################################## @@ -50832,71 +55413,164 @@ index f40c64d..7015dce 100644 +## Allow the domain to read pulseaudio state files in /proc. +## +## -+## + ## +-## File type to make pulseaudio tmpfs content. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`pulseaudio_tmpfs_content',` +interface(`pulseaudio_read_state',` -+ gen_require(` + gen_require(` +- attribute pulseaudio_tmpfsfile; + type pulseaudio_t; -+ ') -+ + ') + +- typeattribute $1 pulseaudio_tmpfsfile; + kernel_search_proc($1) + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..bef43f7 100644 +index e31bbe1..276636a 100644 --- a/pulseaudio.te 
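Review bot: `pulseaudio_filetrans_admin_home_content` only covers `.pulse`, `.pulse-cookie` and `.esd_auth`, while pulseaudio.fc in this diff also labels `/root/\.config/pulse(/.*)?` as pulseaudio_home_t, so a root-run pulseaudio creating ~/.config/pulse only gets that label at relabel time; the user-home variant handles the path with `gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")`, and if no admin-home equivalent exists the gap should at least be stated in the interface comment. As far as this diff shows, nothing calls the admin interface any more once `pulseaudio_manage_home_files` stops invoking it (the `-+ pulseaudio_filetrans_admin_home_content($1)` line in the previous hunk) — confirm a caller exists elsewhere or drop the interface. Both new interface descriptions also read `with an correct label`; make that `with the correct label`.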
+++ b/pulseaudio.te -@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -1,4 +1,4 @@ +-policy_module(pulseaudio, 1.5.4) ++policy_module(pulseaudio, 1.5.0) + + ######################################## + # +@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4) + attribute pulseaudio_client; + attribute pulseaudio_tmpfsfile; + +-attribute_role pulseaudio_roles; +- + type pulseaudio_t; + type pulseaudio_exec_t; + init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) + userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) +-role pulseaudio_roles types pulseaudio_t; ++role system_r types pulseaudio_t; + + type pulseaudio_home_t; + userdom_user_home_content(pulseaudio_home_t) + +-type pulseaudio_tmp_t; +-userdom_user_tmp_file(pulseaudio_tmp_t) +- + type pulseaudio_tmpfs_t; + userdom_user_tmpfs_file(pulseaudio_tmpfs_t) + + type pulseaudio_var_lib_t; + files_type(pulseaudio_var_lib_t) ++ubac_constrained(pulseaudio_var_lib_t) - manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) - manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) + type pulseaudio_var_run_t; + files_pid_file(pulseaudio_var_run_t) ++ubac_constrained(pulseaudio_var_run_t) + + ######################################## + # +-# Local policy ++# pulseaudio local policy + # + + allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; + allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; +-allow pulseaudio_t self:fifo_file rw_fifo_file_perms; +-allow pulseaudio_t self:unix_stream_socket { accept connectto listen }; +-allow pulseaudio_t self:unix_dgram_socket sendto; +-allow pulseaudio_t self:tcp_socket { accept listen }; ++allow pulseaudio_t self:fifo_file rw_file_perms; ++allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms 
}; ++allow pulseaudio_t self:tcp_socket create_stream_socket_perms; ++allow pulseaudio_t self:udp_socket create_socket_perms; + allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + +-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; +-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms; +-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; +- +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse") +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth") +-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") +- +-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) +-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") +-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") ++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs(pulseaudio_t) ++userdom_search_user_home_dirs(pulseaudio_t) +pulseaudio_filetrans_home_content(pulseaudio_t) -+ + +-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) +# ~/.esd_auth - maybe we should label this pulseaudio_home_t? 
+userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -51,7 +57,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +- +-allow pulseaudio_t pulseaudio_client:process signull; +-ps_process_pattern(pulseaudio_t, pulseaudio_client) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -61,7 +67,6 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,24 +70,15 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) -corenet_all_recvfrom_unlabeled(pulseaudio_t) corenet_all_recvfrom_netlabel(pulseaudio_t) +-corenet_tcp_sendrecv_generic_if(pulseaudio_t) +-corenet_udp_sendrecv_generic_if(pulseaudio_t) +-corenet_tcp_sendrecv_generic_node(pulseaudio_t) +-corenet_udp_sendrecv_generic_node(pulseaudio_t) +- +-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t) corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t) +- +-corenet_sendrecv_soundd_server_packets(pulseaudio_t) corenet_tcp_bind_soundd_port(pulseaudio_t) -@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t) +-corenet_tcp_sendrecv_soundd_port(pulseaudio_t) +- +-corenet_sendrecv_sap_server_packets(pulseaudio_t) ++corenet_tcp_sendrecv_generic_if(pulseaudio_t) ++corenet_tcp_sendrecv_generic_node(pulseaudio_t) corenet_udp_bind_sap_port(pulseaudio_t) - 
corenet_udp_sendrecv_generic_if(pulseaudio_t) - corenet_udp_sendrecv_generic_node(pulseaudio_t) +-corenet_udp_sendrecv_sap_port(pulseaudio_t) ++corenet_udp_sendrecv_generic_if(pulseaudio_t) ++corenet_udp_sendrecv_generic_node(pulseaudio_t) +corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t) dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) - dev_read_sysfs(pulseaudio_t) - dev_read_urand(pulseaudio_t) +@@ -111,34 +87,35 @@ dev_read_urand(pulseaudio_t) --files_read_etc_files(pulseaudio_t) files_read_usr_files(pulseaudio_t) - fs_rw_anon_inodefs_files(pulseaudio_t) ++fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) +-fs_getattr_all_fs(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) +-fs_rw_anon_inodefs_files(pulseaudio_t) +-fs_search_auto_mountpoints(pulseaudio_t) -term_use_all_ttys(pulseaudio_t) -term_use_all_ptys(pulseaudio_t) 
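Review bot: The rebased patch now reverts the module version, `+-policy_module(pulseaudio, 1.5.4)` / `++policy_module(pulseaudio, 1.5.0)`, which looks like a stale hunk from the pre-1.5.4 base rather than an intended change; a backward-moving version tells anyone comparing against upstream that Fedora's pulseaudio policy predates changes it actually contains. Drop those two lines so upstream's `policy_module(pulseaudio, 1.5.4)` survives (the same reversion appears for puppet at the end of this diff). Separately, `allow pulseaudio_t self:tcp_socket create_stream_socket_perms;` and the new udp line broaden upstream's `{ accept listen }` while the matching `corenet_sendrecv_*_packets` and `corenet_tcp_sendrecv_pulseaudio_port` rules are removed; that only works if the base policy grants port send/recv to all domains, which I cannot verify from here, so a one-line comment naming that assumption would help the next rebase. The pulseaudio.te changes continue in the following hunks.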
@@ -50908,37 +55582,44 @@ index 901ac9b..bef43f7 100644 logging_send_syslog_msg(pulseaudio_t) -miscfiles_read_localization(pulseaudio_t) -+tunable_policy(`use_nfs_home_dirs',` +- +-userdom_search_user_home_dirs(pulseaudio_t) +-userdom_write_user_tmp_sockets(pulseaudio_t) +- + tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs(pulseaudio_t) + fs_mounton_nfs(pulseaudio_t) -+ fs_manage_nfs_dirs(pulseaudio_t) -+ fs_manage_nfs_files(pulseaudio_t) -+ fs_manage_nfs_symlinks(pulseaudio_t) + fs_manage_nfs_dirs(pulseaudio_t) + fs_manage_nfs_files(pulseaudio_t) + fs_manage_nfs_symlinks(pulseaudio_t) + fs_manage_nfs_named_sockets(pulseaudio_t) + fs_manage_nfs_named_pipes(pulseaudio_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` + ') + + tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs(pulseaudio_t) + fs_mounton_cifs(pulseaudio_t) -+ fs_manage_cifs_dirs(pulseaudio_t) -+ fs_manage_cifs_files(pulseaudio_t) -+ fs_manage_cifs_symlinks(pulseaudio_t) + fs_manage_cifs_dirs(pulseaudio_t) + fs_manage_cifs_files(pulseaudio_t) + fs_manage_cifs_symlinks(pulseaudio_t) + fs_manage_cifs_named_sockets(pulseaudio_t) + fs_manage_cifs_named_pipes(pulseaudio_t) -+') + ') --# cjp: this seems excessive. need to confirm --userdom_manage_user_home_content_files(pulseaudio_t) --userdom_manage_user_tmp_files(pulseaudio_t) --userdom_manage_user_tmpfs_files(pulseaudio_t) -+optional_policy(` -+ alsa_read_rw_config(pulseaudio_t) -+') + optional_policy(` +@@ -151,8 +128,9 @@ optional_policy(` optional_policy(` - bluetooth_stream_connect(pulseaudio_t) -@@ -125,16 +147,37 @@ optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) +- dbus_all_session_bus_client(pulseaudio_t) +- dbus_connect_all_session_bus(pulseaudio_t) ++ dbus_system_bus_client(pulseaudio_t) ++ dbus_session_bus_client(pulseaudio_t) ++ dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) +@@ -172,16 +150,33 @@ optional_policy(` ') optional_policy(` 
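Review bot: `fs_mount_nfs(pulseaudio_t)`, `fs_mounton_nfs(pulseaudio_t)`, `fs_mount_cifs(pulseaudio_t)` and `fs_mounton_cifs(pulseaudio_t)` grant an audio daemon mount and mounton on network home filesystems, but the capability line in the preceding hunk gives pulseaudio_t no sys_admin, and mount(2) requires CAP_SYS_ADMIN, so the rules are either inert or, if they were added to silence an AVC, papering over a denial that deserves a proper look. I cannot tell from the collapsed hunk whether these four lines are new in this rebase or carried over from the old patch. Suggest removing them, or if the denial is known to be harmless, replacing them with a dontaudit and a comment saying what triggers it. pulseaudio.te continues past this hunk.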
@@ -50958,10 +55639,6 @@ index 901ac9b..bef43f7 100644 +') + +optional_policy(` -+ mpd_read_tmpfs_files(pulseaudio_t) -+') -+ -+optional_policy(` policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) 
@@ -50976,226 +55653,378 @@ index 901ac9b..bef43f7 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -146,3 +189,7 @@ optional_policy(` - xserver_read_xdm_pid(pulseaudio_t) +@@ -194,7 +189,11 @@ optional_policy(` xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') -+ + +-######################################## +optional_policy(` + virt_manage_tmpfs_files(pulseaudio_t) +') ++ ++####################################### + # + # Client local policy + # +@@ -208,8 +207,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi + + fs_getattr_tmpfs(pulseaudio_client) + +-corenet_all_recvfrom_unlabeled(pulseaudio_client) +-corenet_all_recvfrom_netlabel(pulseaudio_client) + corenet_tcp_sendrecv_generic_if(pulseaudio_client) + corenet_tcp_sendrecv_generic_node(pulseaudio_client) + +@@ -218,36 +215,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) + corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) + + pulseaudio_stream_connect(pulseaudio_client) +-pulseaudio_manage_home(pulseaudio_client) +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") +-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") ++pulseaudio_manage_home_files(pulseaudio_client) + pulseaudio_signull(pulseaudio_client) + +-# TODO: ~/.cache + userdom_manage_user_home_content_files(pulseaudio_client) + + userdom_read_user_tmpfs_files(pulseaudio_client) +-# userdom_delete_user_tmpfs_files(pulseaudio_client) + + tunable_policy(`use_nfs_home_dirs',` +- fs_getattr_nfs(pulseaudio_client) +- fs_manage_nfs_dirs(pulseaudio_client) +- fs_manage_nfs_files(pulseaudio_client) +- fs_read_nfs_symlinks(pulseaudio_client) ++ fs_getattr_nfs(pulseaudio_client) ++ fs_manage_nfs_dirs(pulseaudio_client) ++ fs_manage_nfs_files(pulseaudio_client) ++ fs_read_nfs_symlinks(pulseaudio_client) + ') + + 
tunable_policy(`use_samba_home_dirs',` +- fs_getattr_cifs(pulseaudio_client) +- fs_manage_cifs_dirs(pulseaudio_client) +- fs_manage_cifs_files(pulseaudio_client) +- fs_read_cifs_symlinks(pulseaudio_client) ++ fs_getattr_cifs(pulseaudio_client) ++ fs_manage_cifs_dirs(pulseaudio_client) ++ fs_manage_cifs_files(pulseaudio_client) ++ fs_read_cifs_symlinks(pulseaudio_client) + ') + + optional_policy(` +- pulseaudio_dbus_chat(pulseaudio_client) ++ pulseaudio_dbus_chat(pulseaudio_client) + ') + + optional_policy(` +- rtkit_scheduled(pulseaudio_client) ++ rtkit_scheduled(pulseaudio_client) + ') diff --git a/puppet.fc b/puppet.fc -index 2f1e529..8c0b242 100644 +index 4ecda09..8c0b242 100644 --- a/puppet.fc 
+++ b/puppet.fc -@@ -3,6 +3,7 @@ +@@ -1,14 +1,12 @@ +-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) + /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) - /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) +-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) - /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) - /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) ++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) ++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +- +-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +- +-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) ++/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) ++/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) ++/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 2855a44..b7b5ee7 100644 +index 7cb8b1f..b7b5ee7 100644 --- a/puppet.if +++ b/puppet.if -@@ -8,6 +8,53 @@ - ##

    - ## +@@ -1,4 +1,12 @@ +-## Configuration management system. ++## Puppet client daemon ++## ++##

    ++## Puppet is a configuration management system written in Ruby. ++## The client daemon is responsible for periodically requesting the ++## desired system state from the server and ensuring the state of ++## the client system matches. ++##

    ++##
    -+######################################## -+## -+## Execute puppetca in the puppetca -+## domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`puppet_domtrans_puppetca',` -+ gen_require(` -+ type puppetca_t, puppetca_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, puppetca_exec_t, puppetca_t) -+') -+ -+##################################### -+## -+## Execute puppetca in the puppetca -+## domain and allow the specified -+## role the puppetca domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`puppet_run_puppetca',` -+ gen_require(` + ######################################## + ## +@@ -40,16 +48,19 @@ interface(`puppet_domtrans_puppetca',` + # + interface(`puppet_run_puppetca',` + gen_require(` +- attribute_role puppetca_roles; + type puppetca_t, puppetca_exec_t; -+ ') -+ -+ puppet_domtrans_puppetca($1) + ') + + puppet_domtrans_puppetca($1) +- roleattribute $2 puppetca_roles; + role $2 types puppetca_t; -+') -+ - ################################################ + ') + +-#################################### ++################################################ ## - ## Read / Write to Puppet temp files. Puppet uses -@@ -26,6 +73,178 @@ interface(`puppet_rw_tmp', ` - type puppet_tmp_t; +-## Read puppet configuration content. ++## Read / Write to Puppet temp files. Puppet uses ++## some system binaries (groupadd, etc) that run in ++## a non-puppet domain and redirects output into temp ++## files. 
+ ## + ## + ## +@@ -57,15 +68,13 @@ interface(`puppet_run_puppetca',` + ## + ## + # +-interface(`puppet_read_config',` ++interface(`puppet_rw_tmp', ` + gen_require(` +- type puppet_etc_t; ++ type puppet_tmp_t; ') -- allow $1 puppet_tmp_t:file rw_file_perms; +- files_search_etc($1) +- allow $1 puppet_etc_t:dir list_dir_perms; +- allow $1 puppet_etc_t:file read_file_perms; +- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; + allow $1 puppet_tmp_t:file rw_inherited_file_perms; - files_search_tmp($1) ++ files_search_tmp($1) ') -+ -+################################################ -+## -+## Read Puppet lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + + ################################################ +@@ -78,158 +87,164 @@ interface(`puppet_read_config',` + ## + ## + # +-interface(`puppet_read_lib_files',` +interface(`puppet_read_lib',` -+ gen_require(` -+ type puppet_var_lib_t; -+ ') -+ -+ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + gen_require(` + type puppet_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + files_search_var_lib($1) -+') -+ -+############################################### -+## + ') + + ############################################### + ## +-## Create, read, write, and delete +-## puppet lib files. +## Manage Puppet lib files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`puppet_manage_lib_files',` +- gen_require(` +- type puppet_var_lib_t; +- ') +interface(`puppet_manage_lib',` + gen_require(` + type puppet_var_lib_t; + ') -+ + +- files_search_var_lib($1) +- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + files_search_var_lib($1) -+') -+ + ') + +-##################################### +###################################### -+## + ## +-## Append puppet log files. 
+## Allow the specified domain to search puppet's log files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`puppet_append_log_files',` +- gen_require(` +- type puppet_log_t; +- ') +interface(`puppet_search_log',` + gen_require(` + type puppet_log_t; + ') -+ + +- logging_search_logs($1) +- append_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) + allow $1 puppet_log_t:dir search_dir_perms; -+') -+ -+##################################### -+## + ') + + ##################################### + ## +-## Create puppet log files. +## Allow the specified domain to read puppet's log files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`puppet_create_log_files',` +- gen_require(` +- type puppet_log_t; +- ') +interface(`puppet_read_log',` + gen_require(` + type puppet_log_t; + ') -+ + +- logging_search_logs($1) +- create_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) + read_files_pattern($1, puppet_log_t, puppet_log_t) -+') -+ -+##################################### -+## + ') + + ##################################### + ## +-## Read puppet log files. +## Allow the specified domain to create puppet's log files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`puppet_read_log_files',` +- gen_require(` +- type puppet_log_t; +- ') +interface(`puppet_create_log',` + gen_require(` + type puppet_log_t; + ') -+ + +- logging_search_logs($1) +- read_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) + create_files_pattern($1, puppet_log_t, puppet_log_t) -+') -+ + ') + +-################################################ +#################################### -+## + ## +-## Read and write to puppet tempoprary files. +## Allow the specified domain to append puppet's log files. 
-+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`puppet_rw_tmp', ` +- gen_require(` +- type puppet_tmp_t; +- ') +interface(`puppet_append_log',` + gen_require(` + type puppet_log_t; + ') -+ + +- files_search_tmp($1) +- allow $1 puppet_tmp_t:file rw_file_perms; + logging_search_logs($1) + append_files_pattern($1, puppet_log_t, puppet_log_t) -+') -+ + ') + +-######################################## +#################################### -+## + ## +-## All of the rules required to +-## administrate an puppet environment. +## Allow the specified domain to manage puppet's log files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`puppet_admin',` +- gen_require(` +- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t; +- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t; +- type puppet_var_run_t, puppetmaster_tmp_t; +- type puppet_t, puppetca_t, puppetmaster_t; +- ') +- +- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) +- +- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; +- allow $2 system_r; +interface(`puppet_manage_log',` + gen_require(` + type puppet_log_t; + ') -+ + +- files_search_etc($1) +- admin_pattern($1, puppet_etc_t) + logging_search_logs($1) + manage_files_pattern($1, puppet_log_t, puppet_log_t) +') -+ + +- logging_search_logs($1) +- admin_pattern($1, puppet_log_t) +#################################### +## +## Allow the specified domain to read puppet's config files. 
@@ -51210,12 +56039,14 @@ index 2855a44..b7b5ee7 100644 + gen_require(` + type puppet_etc_t; + ') -+ + +- files_search_var_lib($1) +- admin_pattern($1, puppet_var_lib_t) + logging_search_logs($1) + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) + read_files_pattern($1, puppet_etc_t, puppet_etc_t) +') -+ + +##################################### +## +## Allow the specified domain to search puppet's pid files. @@ -51231,87 +56062,156 @@ index 2855a44..b7b5ee7 100644 + type puppet_var_run_t; + ') + -+ files_search_pids($1) + files_search_pids($1) +- admin_pattern($1, puppet_var_run_t) +- +- files_search_tmp($1) +- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t }) +- +- puppet_run_puppetca($1, $2) + allow $1 puppet_var_run_t:dir search_dir_perms; -+') + ') diff --git a/puppet.te b/puppet.te -index baa88f6..050d953 100644 +index f2309f4..050d953 100644 --- a/puppet.te +++ b/puppet.te -@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0) +@@ -1,4 +1,4 @@ +-policy_module(puppet, 1.3.7) ++policy_module(puppet, 1.3.0) + + ######################################## + # +@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7) + # + + ## +-##
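Review bot: `logging_search_logs($1)` in the config-reading interface at the top of this hunk (the one requiring `type puppet_etc_t`) grants search on the log directory, not on the path to puppet_etc_t under /etc, so a caller with no other etc access still cannot reach the config files; the line should be `files_search_etc($1)`. The neighbouring pid-search interface pairs `files_search_pids($1)` with puppet_var_run_t, which is the pattern to follow here. The opening `interface(` line of the config interface is outside this hunk, so its name is inferred from the doc comment.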

    +-## Determine whether puppet can +-## manage all non-security files. +-##

    ++##

    ++## Allow Puppet client to manage all file ++## types. ++##

    ##
    gen_tunable(puppet_manage_all_files, false) +-attribute_role puppetca_roles; +-roleattribute system_r puppetca_roles; +## +##

    +## Allow Puppet master to use connect to MySQL and PostgreSQL database +##

    +##
    +gen_tunable(puppetmaster_use_db, false) -+ + type puppet_t; type puppet_exec_t; - init_daemon_domain(puppet_t, puppet_exec_t) -@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t) +@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t) + type puppet_var_run_t; files_pid_file(puppet_var_run_t) +-init_daemon_run_dir(puppet_var_run_t, "puppet") -+type puppetca_t; -+type puppetca_exec_t; -+application_domain(puppetca_t, puppetca_exec_t) + type puppetca_t; + type puppetca_exec_t; + application_domain(puppetca_t, puppetca_exec_t) +-role puppetca_roles types puppetca_t; +role system_r types puppetca_t; -+ + type puppetmaster_t; type puppetmaster_exec_t; - init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) -@@ -50,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t) - # Puppet personal policy +@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t) + + ######################################## + # +-# Local policy ++# Puppet personal policy # --allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; allow puppet_t self:process { signal signull getsched setsched }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +-allow puppet_t self:tcp_socket { accept listen }; ++allow puppet_t self:tcp_socket create_stream_socket_perms; + allow puppet_t self:udp_socket create_socket_perms; + +-allow puppet_t puppet_etc_t:dir list_dir_perms; +-allow puppet_t puppet_etc_t:file read_file_perms; +-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; ++read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) + + manage_dirs_pattern(puppet_t, puppet_var_lib_t, 
puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) - files_search_var_lib(puppet_t) +-can_exec(puppet_t, puppet_var_lib_t) ++files_search_var_lib(puppet_t) -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -80,12 +92,14 @@ kernel_dontaudit_search_sysctl(puppet_t) +-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; +-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) ++create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) + create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) ++append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) + logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) + + manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +@@ -91,30 +90,28 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + + kernel_dontaudit_search_sysctl(puppet_t) kernel_dontaudit_search_kernel_sysctl(puppet_t) - kernel_read_system_state(puppet_t) ++kernel_read_system_state(puppet_t) kernel_read_crypto_sysctls(puppet_t) -+kernel_read_kernel_sysctls(puppet_t) + kernel_read_kernel_sysctls(puppet_t) +-kernel_read_net_sysctls(puppet_t) +-kernel_read_network_state(puppet_t) +corecmd_read_all_executables(puppet_t) +corecmd_dontaudit_access_all_executables(puppet_t) corecmd_exec_bin(puppet_t) corecmd_exec_shell(puppet_t) +-corecmd_read_all_executables(puppet_t) corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) corenet_tcp_sendrecv_generic_if(puppet_t) corenet_tcp_sendrecv_generic_node(puppet_t) - corenet_tcp_bind_generic_node(puppet_t) -@@ -103,11 +117,11 @@ files_manage_config_files(puppet_t) +- 
+-corenet_sendrecv_puppet_client_packets(puppet_t) ++corenet_tcp_bind_generic_node(puppet_t) + corenet_tcp_connect_puppet_port(puppet_t) +-corenet_tcp_sendrecv_puppet_port(puppet_t) ++corenet_sendrecv_puppet_client_packets(puppet_t) + + dev_read_rand(puppet_t) + dev_read_sysfs(puppet_t) + dev_read_urand(puppet_t) + +-domain_interactive_fd(puppet_t) + domain_read_all_domains_state(puppet_t) ++domain_interactive_fd(puppet_t) + + files_manage_config_files(puppet_t) files_manage_config_dirs(puppet_t) - files_manage_etc_dirs(puppet_t) - files_manage_etc_files(puppet_t) -+files_read_usr_files(puppet_t) +@@ -124,10 +121,7 @@ files_read_usr_files(puppet_t) files_read_usr_symlinks(puppet_t) files_relabel_config_dirs(puppet_t) files_relabel_config_files(puppet_t) +-files_search_var_lib(puppet_t) +-selinux_get_fs_mount(puppet_t) -selinux_search_fs(puppet_t) selinux_set_all_booleans(puppet_t) selinux_set_generic_booleans(puppet_t) selinux_validate_context(puppet_t) -@@ -115,6 +129,8 @@ selinux_validate_context(puppet_t) +@@ -135,6 +129,8 @@ selinux_validate_context(puppet_t) term_dontaudit_getattr_unallocated_ttys(puppet_t) term_dontaudit_getattr_all_ttys(puppet_t) @@ -51320,7 +56220,7 @@ index baa88f6..050d953 100644 init_all_labeled_script_domtrans(puppet_t) init_domtrans_script(puppet_t) init_read_utmp(puppet_t) -@@ -123,22 +139,23 @@ init_signull_script(puppet_t) +@@ -143,18 +139,15 @@ init_signull_script(puppet_t) logging_send_syslog_msg(puppet_t) miscfiles_read_hwdata(puppet_t) 
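Review bot: Replacing the three explicit puppet_etc_t rules with `read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` drops `lnk_file read_lnk_file_perms` and narrows directory access from list to search, so a symlinked file under the puppet config directory now produces a denial for puppet_t; add `read_lnk_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` and, if listing is needed, `list_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)`. The same substitution is made for puppetca_t in the `# PuppetCA personal policy` hunk and for puppetmaster_t in the `# Pupper master personal policy` hunk, where only the lnk_file rule is lost. `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` names var_log_t directly; in a contrib module a type from another module is normally reached through a logging_* interface or a gen_require, so please confirm it is in scope at that point. The `puppetmaster_use_db` description reads `Allow Puppet master to use connect to MySQL and PostgreSQL database`; `Allow Puppet master to connect to MySQL and PostgreSQL databases` is what the tunable does.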
@@ -51332,40 +56232,16 @@ index baa88f6..050d953 100644 seutil_domtrans_semanage(puppet_t) +seutil_read_file_contexts(puppet_t) --sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) +-sysnet_use_ldap(puppet_t) tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) + files_manage_non_security_files(puppet_t) -+') -+ -+optional_policy(` -+ cfengine_read_lib_files(puppet_t) - ') - - optional_policy(` -- consoletype_domtrans(puppet_t) -+ consoletype_exec(puppet_t) - ') - - optional_policy(` -@@ -146,6 +163,14 @@ optional_policy(` ') optional_policy(` -+ mount_domtrans(puppet_t) -+') -+ -+optional_policy(` -+ mta_send_mail(puppet_t) -+') -+ -+optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) -@@ -164,8 +189,134 @@ optional_policy(` +@@ -196,21 +189,92 @@ optional_policy(` ') optional_policy(` 
@@ -51446,51 +56322,51 @@ index baa88f6..050d953 100644 + +optional_policy(` + ssh_filetrans_admin_home_content(puppet_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Ca local policy +# PuppetCA personal policy -+# -+ -+allow puppetca_t self:capability { dac_override setgid setuid }; -+allow puppetca_t self:fifo_file rw_fifo_file_perms; -+ + # + + allow puppetca_t self:capability { dac_override setgid setuid }; + allow puppetca_t self:fifo_file rw_fifo_file_perms; + +-allow puppetca_t puppet_etc_t:dir list_dir_perms; +-allow puppetca_t puppet_etc_t:file read_file_perms; +-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms; +read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t) -+ -+allow puppetca_t puppet_var_lib_t:dir list_dir_perms; -+manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -+manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -+ -+allow puppetca_t puppet_log_t:dir search_dir_perms; -+ -+allow puppetca_t puppet_var_run_t:dir search_dir_perms; -+ -+kernel_read_system_state(puppetca_t) + + allow puppetca_t puppet_var_lib_t:dir list_dir_perms; + manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) +@@ -221,6 +285,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; + allow puppetca_t puppet_var_run_t:dir search_dir_perms; + + kernel_read_system_state(puppetca_t) +# Maybe dontaudit this like we did with other puppet domains? 
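Review bot: The `puppet_manage_all_files` body here grants `files_manage_non_security_files(puppet_t)`, but the tunable's rewritten description earlier in this file section says `Allow Puppet client to manage all file types`, which overstates the grant; upstream's wording `manage all non-security files` matches the rule and should be kept, since that text is what an administrator reads before enabling the boolean. The inner patch also removes `sysnet_use_ldap(puppet_t)`; if LDAP-backed name resolution for the agent is meant to come from an nsswitch interface elsewhere in the file that is fine, but a one-line comment would record it. The surrounding optional_policy blocks start outside this hunk.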
-+kernel_read_kernel_sysctls(puppetca_t) -+ -+corecmd_exec_bin(puppetca_t) -+corecmd_exec_shell(puppetca_t) -+ -+dev_read_urand(puppetca_t) -+dev_search_sysfs(puppetca_t) -+ -+files_read_etc_files(puppetca_t) -+files_search_var_lib(puppetca_t) -+ -+selinux_validate_context(puppetca_t) -+ -+logging_search_logs(puppetca_t) -+ -+miscfiles_read_generic_certs(puppetca_t) -+ -+seutil_read_file_contexts(puppetca_t) -+ -+optional_policy(` -+ hostname_exec(puppetca_t) -+') -+ + kernel_read_kernel_sysctls(puppetca_t) + + corecmd_exec_bin(puppetca_t) +@@ -230,14 +295,12 @@ dev_read_urand(puppetca_t) + dev_search_sysfs(puppetca_t) + + files_read_etc_files(puppetca_t) +-files_search_pids(puppetca_t) + files_search_var_lib(puppetca_t) + + selinux_validate_context(puppetca_t) + + logging_search_logs(puppetca_t) + +-miscfiles_read_localization(puppetca_t) + miscfiles_read_generic_certs(puppetca_t) + + seutil_read_file_contexts(puppetca_t) +@@ -246,38 +309,52 @@ optional_policy(` + hostname_exec(puppetca_t) + ') + +optional_policy(` + mta_sendmail_access_check(puppetca_t) +') 
@@ -51499,43 +56375,64 @@ index baa88f6..050d953 100644 + usermanage_access_check_groupadd(puppet_t) + usermanage_access_check_passwd(puppet_t) + usermanage_access_check_useradd(puppet_t) - ') - ++') ++ ######################################## -@@ -184,51 +335,83 @@ allow puppetmaster_t self:udp_socket create_socket_perms; - list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) - --allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; --allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; + # +-# Master local policy ++# Pupper master personal policy + # + + allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; + allow puppetmaster_t self:process { signal_perms getsched setsched }; + allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +-allow puppetmaster_t self:netlink_route_socket nlmsg_write; ++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; + allow puppetmaster_t self:socket create; +-allow puppetmaster_t self:tcp_socket { accept listen }; ++allow puppetmaster_t self:tcp_socket create_stream_socket_perms; ++allow puppetmaster_t self:udp_socket create_socket_perms; + +-allow puppetmaster_t puppet_etc_t:dir list_dir_perms; +-allow puppetmaster_t puppet_etc_t:file read_file_perms; +-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; ++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) ++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; +-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms }; +allow puppetmaster_t puppet_log_t:file { rw_file_perms 
create_file_perms setattr_file_perms }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) +allow puppetmaster_t puppet_log_t:file relabel_file_perms; - manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) - manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; ++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) ++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; +allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; - setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppet_var_run_t:file manage_file_perms; ++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) - manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; - manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) - manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; ++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) ++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) +allow puppetmaster_t 
puppet_tmp_t:dir relabel_dir_perms; kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) -+kernel_read_network_state(puppetmaster_t) - kernel_read_system_state(puppetmaster_t) - kernel_read_crypto_sysctls(puppetmaster_t) -+kernel_read_kernel_sysctls(puppetmaster_t) - - corecmd_exec_bin(puppetmaster_t) + kernel_read_network_state(puppetmaster_t) +@@ -289,21 +366,23 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -51543,8 +56440,11 @@ index baa88f6..050d953 100644 corenet_tcp_sendrecv_generic_if(puppetmaster_t) corenet_tcp_sendrecv_generic_node(puppetmaster_t) corenet_tcp_bind_generic_node(puppetmaster_t) +- +-corenet_sendrecv_puppet_server_packets(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) - corenet_sendrecv_puppet_server_packets(puppetmaster_t) +-corenet_tcp_sendrecv_puppet_port(puppetmaster_t) ++corenet_sendrecv_puppet_server_packets(puppetmaster_t) +corenet_tcp_connect_ntop_port(puppetmaster_t) + +# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. 
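Review bot: `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` sits in the puppetmaster_tmp_t block directly after `files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })` and is the only rule there naming puppet_tmp_t, the agent's temp type; if the intent is relabeling the master's own temp directories it should read `puppetmaster_tmp_t`, and if a cross-domain relabel is genuinely needed a comment saying why would keep it from being "fixed" on the next rebase. The new `relabel_file_perms`/`relabel_dir_perms` grants on puppet_log_t, puppet_var_lib_t and puppet_var_run_t likewise carry no comment naming the operation that needs them. The section header introduced here, `# Pupper master personal policy`, should read `# Puppet master personal policy`.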
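Review bot: The added comment `# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.` leaves an open question in shipping policy; the rule it annotates is not inside this hunk, so the width of the grant cannot be judged here, but a UDP bind to unreserved ports for the master deserves a tracking reference rather than a note in the .te file. `Puppermasterd` should also read `puppetmasterd`.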
@@ -51553,47 +56453,50 @@ index baa88f6..050d953 100644 dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) -+dev_search_sysfs(puppetmaster_t) + dev_search_sysfs(puppetmaster_t) +-domain_obj_id_change_exemption(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) --files_read_etc_files(puppetmaster_t) --files_search_var_lib(puppetmaster_t) -+files_read_usr_files(puppetmaster_t) -+ -+selinux_validate_context(puppetmaster_t) -+ -+auth_use_nsswitch(puppetmaster_t) + files_read_usr_files(puppetmaster_t) +@@ -314,26 +393,27 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) + miscfiles_read_generic_certs(puppetmaster_t) -miscfiles_read_localization(puppetmaster_t) -+miscfiles_read_generic_certs(puppetmaster_t) -+ -+seutil_read_file_contexts(puppetmaster_t) --sysnet_dns_name_resolve(puppetmaster_t) + seutil_read_file_contexts(puppetmaster_t) + sysnet_run_ifconfig(puppetmaster_t, system_r) +-optional_policy(` +- hostname_exec(puppetmaster_t) +-') +mta_send_mail(puppetmaster_t) -+ -+optional_policy(` + + optional_policy(` +- mta_send_mail(puppetmaster_t) + tunable_policy(`puppetmaster_use_db',` + mysql_stream_connect(puppetmaster_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mysql_stream_connect(puppetmaster_t) + tunable_policy(`puppetmaster_use_db',` + postgresql_stream_connect(puppetmaster_t) + ') -+') -+ + ') + optional_policy(` - hostname_exec(puppetmaster_t) +- postgresql_stream_connect(puppetmaster_t) ++ hostname_exec(puppetmaster_t) ') -@@ -239,3 +422,9 @@ optional_policy(` + + optional_policy(` +@@ -342,3 +422,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -51604,156 +56507,181 @@ index baa88f6..050d953 100644 + usermanage_access_check_useradd(puppetmaster_t) +') diff --git a/pwauth.fc b/pwauth.fc -new file mode 100644 -index 0000000..e2f8687 ---- /dev/null +index 7e7b444..e2f8687 100644 +--- a/pwauth.fc 
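Review bot: `mta_send_mail(puppetmaster_t)` ends up outside any optional_policy block on the new side (the upstream lines removed by the inner patch had it wrapped in one), which turns the mta module into a hard link-time dependency of puppet rather than an opportunistic one; unless that is intended, keep it as `optional_policy(` mta_send_mail(puppetmaster_t) `)`. Whether the rebase introduced this or carried it over is not clear from the collapsed hunk. Gating `mysql_stream_connect` and `postgresql_stream_connect` behind `puppetmaster_use_db` is a sound least-privilege default.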
+++ b/pwauth.fc -@@ -0,0 +1,3 @@ +@@ -1,3 +1,3 @@ +-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) +/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) -+ + +-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) +/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) diff --git a/pwauth.if b/pwauth.if -new file mode 100644 -index 0000000..86d25ea ---- /dev/null +index 1148dce..86d25ea 100644 +--- a/pwauth.if 
+++ b/pwauth.if -@@ -0,0 +1,74 @@ +@@ -1,72 +1,74 @@ +-## External plugin for mod_authnz_external authenticator. + +## policy for pwauth -+ -+######################################## -+## + + ######################################## + ## +-## Role access for pwauth. +## Transition to pwauth. -+## -+## + ## +-## +-## +-## Role allowed access. +-## +-## + ## +-## +-## User domain for the role. +-## +## +## Domain allowed to transition. +## -+## -+# + ## + # +-interface(`pwauth_role',` +interface(`pwauth_domtrans',` -+ gen_require(` + gen_require(` +- type pwauth_t; + type pwauth_t, pwauth_exec_t; -+ ') -+ + ') + +- pwauth_run($2, $1) +- +- ps_process_pattern($2, pwauth_t) +- allow $2 pwauth_t:process { ptrace signal_perms }; + corecmd_search_bin($1) + domtrans_pattern($1, pwauth_exec_t, pwauth_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute pwauth in the pwauth domain. +## Execute pwauth in the pwauth domain, and +## allow the specified role the pwauth domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed to transition +## +## +## +## +## The role to be allowed the pwauth domain. -+## -+## -+# + ## + ## + # +-interface(`pwauth_domtrans',` +interface(`pwauth_run',` -+ gen_require(` + gen_require(` +- type pwauth_t, pwauth_exec_t; + type pwauth_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, pwauth_exec_t, pwauth_t) + pwauth_domtrans($1) + role $2 types pwauth_t; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute pwauth in the pwauth +-## domain, and allow the specified +-## role the pwauth domain. +## Role access for pwauth -+## + ## +-## +## -+## + ## +-## Domain allowed to transition. +## Role allowed access -+## -+## + ## + ## +-## +## -+## + ## +-## Role allowed access. 
+## User domain for the role -+## -+## -+# + ## + ## + # +-interface(`pwauth_run',` +interface(`pwauth_role',` -+ gen_require(` + gen_require(` +- attribute_role pwauth_roles; + type pwauth_t; -+ ') -+ + ') + +- pwauth_domtrans($1) +- roleattribute $2 pwauth_roles; + role $1 types pwauth_t; + + pwauth_domtrans($2) + + ps_process_pattern($2, pwauth_t) + allow $2 pwauth_t:process signal; -+') + ') diff --git a/pwauth.te b/pwauth.te -new file mode 100644 -index 0000000..8f357cc ---- /dev/null +index 3078e34..8f357cc 100644 +--- a/pwauth.te 
+++ b/pwauth.te -@@ -0,0 +1,39 @@ -+policy_module(pwauth, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type pwauth_t; -+type pwauth_exec_t; -+application_domain(pwauth_t, pwauth_exec_t) +@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0) + # Declarations + # + +-attribute_role pwauth_roles; +-roleattribute system_r pwauth_roles; +- + type pwauth_t; + type pwauth_exec_t; + application_domain(pwauth_t, pwauth_exec_t) +-role pwauth_roles types pwauth_t; +role system_r types pwauth_t; -+ -+type pwauth_var_run_t; -+files_pid_file(pwauth_var_run_t) -+ -+######################################## -+# + + type pwauth_var_run_t; + files_pid_file(pwauth_var_run_t) + + ######################################## + # +-# Local policy +# pwauth local policy -+# -+allow pwauth_t self:capability setuid; -+allow pwauth_t self:process setrlimit; + # +- + allow pwauth_t self:capability setuid; + allow pwauth_t self:process setrlimit; + -+allow pwauth_t self:fifo_file manage_fifo_file_perms; + allow pwauth_t self:fifo_file manage_fifo_file_perms; +-allow pwauth_t self:unix_stream_socket { accept listen }; +allow pwauth_t self:unix_stream_socket create_stream_socket_perms; + + manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) + files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) + + domain_use_interactive_fds(pwauth_t) + + -+manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) -+files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) -+ -+domain_use_interactive_fds(pwauth_t) -+ -+ -+auth_domtrans_chkpwd(pwauth_t) -+auth_use_nsswitch(pwauth_t) + auth_domtrans_chkpwd(pwauth_t) + auth_use_nsswitch(pwauth_t) +auth_read_shadow(pwauth_t) -+ -+init_read_utmp(pwauth_t) -+ -+logging_send_syslog_msg(pwauth_t) -+logging_send_audit_msgs(pwauth_t) -diff --git a/pxe.fc b/pxe.fc -index 44b3a0c..5d247cb 100644 ---- a/pxe.fc -+++ b/pxe.fc -@@ -1,6 +1,6 @@ - /usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) + 
init_read_utmp(pwauth_t) --/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) -+/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0) - - /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) + logging_send_syslog_msg(pwauth_t) + logging_send_audit_msgs(pwauth_t) +- +-miscfiles_read_localization(pwauth_t) diff --git a/pxe.te b/pxe.te -index fec69eb..848c311 100644 +index 72db707..270bf8a 100644 --- a/pxe.te +++ b/pxe.te -@@ -49,8 +49,6 @@ fs_search_auto_mountpoints(pxe_t) +@@ -57,8 +57,6 @@ fs_search_auto_mountpoints(pxe_t) logging_send_syslog_msg(pxe_t) 
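Review bot: `auth_read_shadow(pwauth_t)` gives pwauth_t direct read access to the shadow file on top of the `auth_domtrans_chkpwd(pwauth_t)` it already has, so two password-verification paths are now allowed for a helper that httpd reaches via `pwauth_domtrans`; if the packaged pwauth is built to check passwords itself the direct read is required and should carry a comment saying so, otherwise the chkpwd transition alone is the tighter grant. The rest of the pwauth.te section, including its declarations, lies outside this hunk.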
@@ -51762,58 +56690,211 @@ index fec69eb..848c311 100644 userdom_dontaudit_use_unpriv_user_fds(pxe_t) userdom_dontaudit_search_user_home_dirs(pxe_t) +diff --git a/pyicqt.fc b/pyicqt.fc +deleted file mode 100644 +index 0c143e3..0000000 +--- a/pyicqt.fc ++++ /dev/null +@@ -1,11 +0,0 @@ +-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) +- +-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0) +- +-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) +- +-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0) +- +-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) +- +-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) +diff --git a/pyicqt.if b/pyicqt.if +deleted file mode 100644 +index 0ccea82..0000000 +--- a/pyicqt.if ++++ /dev/null +@@ -1,45 +0,0 @@ +-## ICQ transport for XMPP server. +- +-######################################## +-## +-## All of the rules required to +-## administrate an pyicqt environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`pyicqt_admin',` +- gen_require(` +- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; +- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t; +- ') +- +- allow $1 pyicqt_t:process { ptrace signal_perms }; +- ps_process_pattern($1, pyicqt_t) +- +- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 pyicqt_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, pyicqt_conf_t) +- +- logging_search_logs($1) +- admin_pattern($1, pyicqt_log_t) +- +- files_search_spool($1) +- admin_pattern($1, pyicqt_spool_t) +- +- files_search_pids($1) +- admin_pattern($1, pyicqt_var_run_t) +-') diff --git a/pyicqt.te b/pyicqt.te -index a841221..c653e4a 100644 +deleted file mode 100644 +index 99bebbd..0000000 
--- a/pyicqt.te -+++ b/pyicqt.te -@@ -13,7 +13,7 @@ type pyicqt_conf_t; - files_config_file(pyicqt_conf_t) - - type pyicqt_spool_t; ++++ /dev/null +@@ -1,92 +0,0 @@ +-policy_module(pyicqt, 1.0.1) +- +-######################################## +-# +-# Declarations +-# +- +-type pyicqt_t; +-type pyicqt_exec_t; +-init_daemon_domain(pyicqt_t, pyicqt_exec_t) +- +-type pyicqt_initrc_exec_t; +-init_script_file(pyicqt_initrc_exec_t) +- +-type pyicqt_conf_t; +-files_config_file(pyicqt_conf_t) +- +-type pyicqt_log_t; +-logging_log_file(pyicqt_log_t) +- +-type pyicqt_spool_t; -files_type(pyicqt_spool_t) -+files_spool_file(pyicqt_spool_t) - - type pyicqt_var_run_t; - files_pid_file(pyicqt_var_run_t) -@@ -40,7 +40,6 @@ kernel_read_system_state(pyicqt_t) - - corecmd_exec_bin(pyicqt_t) - +- +-type pyicqt_var_run_t; +-files_pid_file(pyicqt_var_run_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow pyicqt_t self:process signal_perms; +-allow pyicqt_t self:fifo_file rw_fifo_file_perms; +-allow pyicqt_t self:tcp_socket { accept listen }; +- +-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) +- +-allow pyicqt_t pyicqt_log_t:file append_file_perms; +-allow pyicqt_t pyicqt_log_t:file create_file_perms; +-allow pyicqt_t pyicqt_log_t:file setattr_file_perms; +-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) +- +-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) +-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) +-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir) +- +-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) +-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) +- +-kernel_read_system_state(pyicqt_t) +- +-corecmd_exec_bin(pyicqt_t) +- -corenet_all_recvfrom_unlabeled(pyicqt_t) - corenet_all_recvfrom_netlabel(pyicqt_t) - corenet_tcp_sendrecv_generic_if(pyicqt_t) - corenet_tcp_sendrecv_generic_node(pyicqt_t) -@@ -54,6 +53,5 @@ files_read_usr_files(pyicqt_t) - - libs_read_lib_files(pyicqt_t) 
- +-corenet_all_recvfrom_netlabel(pyicqt_t) +-corenet_tcp_sendrecv_generic_if(pyicqt_t) +-corenet_tcp_sendrecv_generic_node(pyicqt_t) +-corenet_tcp_bind_generic_node(pyicqt_t) +- +-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t) +-# corenet_tcp_bind_jabber_router_port(pyicqt_t) +-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t) +-# corenet_tcp_connect_jabber_router_port(pyicqt_t) +-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t) +- +-dev_read_sysfs(pyicqt_t) +-dev_read_urand(pyicqt_t) +- +-files_read_usr_files(pyicqt_t) +- +-fs_getattr_all_fs(pyicqt_t) +- +-auth_use_nsswitch(pyicqt_t) +- +-libs_read_lib_files(pyicqt_t) +- +-logging_send_syslog_msg(pyicqt_t) +- -miscfiles_read_localization(pyicqt_t) - - sysnet_read_config(pyicqt_t) +- +-optional_policy(` +- jabber_manage_lib_files(pyicqt_t) +-') +- +-optional_policy(` +- mysql_stream_connect(pyicqt_t) +- mysql_tcp_connect(pyicqt_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(pyicqt_t) +-') diff --git a/pyzor.fc b/pyzor.fc -index d4a7750..a927c5a 100644 +index af13139..a927c5a 100644 --- a/pyzor.fc 
+++ b/pyzor.fc -@@ -1,9 +1,13 @@ - /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) +@@ -1,12 +1,13 @@ +-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +- +-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +- ++/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) + /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) +-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) ++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) - /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) +-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) ++/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) ++/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) --/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) -+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) ++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) + /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/pyzor.if b/pyzor.if -index 494f7e2..2c411af 100644 +index 593c03d..2c411af 100644 --- a/pyzor.if 
+++ b/pyzor.if -@@ -14,6 +14,7 @@ +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Role access for pyzor. ++## Role access for pyzor + ## + ## + ## +@@ -14,31 +14,30 @@ ## User domain for the role ## ## @@ -51821,11 +56902,28 @@ index 494f7e2..2c411af 100644 # interface(`pyzor_role',` gen_require(` -@@ -28,7 +29,10 @@ interface(`pyzor_role',` +- attribute_role pyzor_roles; +- type pyzor_t, pyzor_exec_t, pyzor_home_t; +- type pyzor_tmp_t; ++ type pyzor_t, pyzor_exec_t; ++ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; + ') - # allow ps to show pyzor and allow the user to kill it +- roleattribute $1 pyzor_roles; ++ role $1 types pyzor_t; + ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, pyzor_exec_t, pyzor_t) + +- allow $2 pyzor_t:process { ptrace signal_perms }; ++ # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) -- allow $2 pyzor_t:process signal; +- +- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor") + allow $2 pyzor_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $2 pyzor_t:process ptrace; 
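Review bot: The pyzor.fc rewrite labels `HOME_DIR/\.spamd(/.*)?` and `/root/\.spamd(/.*)?` as pyzor_home_t; if another module's file contexts also claim a `.spamd` home directory the duplicate specification fails at policy build or relabel time, so confirm the regex is unique before merging. The inner patch now deletes pyicqt.fc, pyicqt.if and pyicqt.te outright where it previously only edited pyicqt.te; confirm modules-targeted-contrib.conf no longer lists pyicqt, since a module named there but absent from the tree breaks the build.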
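Review bot: The rebased pyzor_role drops upstream's `userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")` and the user domain's manage/relabel rules on pyzor_home_t and pyzor_tmp_t (the `+-` lines), while its gen_require still lists pyzor_home_t, pyzor_var_lib_t and pyzor_tmp_t, none of which the visible body uses; if the filetrans and home-content rules live elsewhere in the Fedora policy a comment naming that place would make the divergence deliberate, otherwise users would end up with unlabelled ~/.pyzor directories. Gating ptrace behind `deny_ptrace` while keeping `signal_perms` unconditional is the right split. The interface body may continue beyond this hunk.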
@@ -51833,63 +56931,92 @@ index 494f7e2..2c411af 100644 ') ######################################## -@@ -88,3 +92,50 @@ interface(`pyzor_exec',` + ## +-## Send generic signals to pyzor. ++## Send generic signals to pyzor + ## + ## + ## +@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',` + type pyzor_exec_t, pyzor_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, pyzor_exec_t, pyzor_t) + ') +@@ -88,14 +88,15 @@ interface(`pyzor_exec',` + type pyzor_exec_t; + ') + ++ files_search_usr($1) corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an pyzor environment. +## All of the rules required to administrate +## an pyzor environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## + ## + ## + ## +@@ -104,33 +105,37 @@ interface(`pyzor_exec',` + ## + ## + ## +-## Role allowed access. +## The role to be allowed to manage the pyzor domain. 
-+## -+## -+## -+# -+interface(`pyzor_admin',` -+ gen_require(` + ## + ## + ## + # + interface(`pyzor_admin',` + gen_require(` +- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; +- type pyzor_var_lib_t, pyzor_etc_t; + type pyzord_t, pyzor_tmp_t, pyzord_log_t; + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; -+ ') -+ + ') + +- allow $1 pyzord_t:process { ptrace signal_perms }; + allow $1 pyzord_t:process signal_perms; -+ ps_process_pattern($1, pyzord_t) + ps_process_pattern($1, pyzord_t) + tunable_policy(`deny_ptrace',`',` + allow $1 pyzord_t:process ptrace; + ') -+ -+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 pyzord_initrc_exec_t system_r; -+ allow $2 system_r; -+ + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_etc($1) +- admin_pattern($1, pyzor_etc_t) + files_list_tmp($1) + admin_pattern($1, pyzor_tmp_t) -+ + +- logging_search_logs($1) + logging_list_logs($1) -+ admin_pattern($1, pyzord_log_t) -+ + admin_pattern($1, pyzord_log_t) + +- files_search_var_lib($1) +- admin_pattern($1, pyzor_var_lib_t) + files_list_etc($1) + admin_pattern($1, pyzor_etc_t) -+ + +- pyzor_role($2, $1) + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) -+') + ') diff --git a/pyzor.te b/pyzor.te -index c8fb70b..f7bf36e 100644 +index 6c456d2..f7bf36e 100644 --- a/pyzor.te +++ b/pyzor.te -@@ -1,42 +1,66 @@ --policy_module(pyzor, 2.2.0) +@@ -1,61 +1,82 @@ +-policy_module(pyzor, 2.2.1) +policy_module(pyzor, 2.1.0) ######################################## 
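Review bot: The new interface summary reads `## All of the rules required to administrate an pyzor environment`; it should be `a pyzor environment`. The admin block also drops upstream's `pyzor_role($2, $1)` call, so $2 now gets `allow $2 system_r;` and the init-script role transition but no transition into the pyzor_t client domain; if administrators are still expected to run the pyzor client, that call or an explicit pyzor_domtrans($1) is needed. The `deny_ptrace` split for pyzord_t mirrors pyzor_role and is fine. The header goes from `policy_module(pyzor, 2.2.1)` to `policy_module(pyzor, 2.1.0)`, a lower version than upstream's, which is worth double-checking against the module-version expectations of the build.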
@@ -51897,12 +57024,15 @@ index c8fb70b..f7bf36e 100644 # Declarations # +-attribute_role pyzor_roles; +-roleattribute system_r pyzor_roles; +- -type pyzor_t; -type pyzor_exec_t; -typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; -userdom_user_application_domain(pyzor_t, pyzor_exec_t) --role system_r types pyzor_t; +-role pyzor_roles types pyzor_t; - -type pyzor_etc_t; -files_type(pyzor_etc_t) @@ -51927,6 +57057,9 @@ index c8fb70b..f7bf36e 100644 -type pyzord_exec_t; -init_daemon_domain(pyzord_t, pyzord_exec_t) - +-type pyzord_initrc_exec_t; +-init_script_file(pyzord_initrc_exec_t) +- -type pyzord_log_t; -logging_log_file(pyzord_log_t) +ifdef(`distro_redhat',` 
@@ -51988,34 +57121,104 @@ index c8fb70b..f7bf36e 100644 ######################################## # -@@ -74,11 +98,13 @@ corenet_tcp_connect_http_port(pyzor_t) +-# Local policy ++# Pyzor client local policy + # + ++allow pyzor_t self:udp_socket create_socket_perms; ++ + manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) + manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) + manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor") ++userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) + + allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; + read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) ++files_search_var_lib(pyzor_t) + + manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) + manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) +@@ -67,37 +88,25 @@ kernel_read_system_state(pyzor_t) + corecmd_list_bin(pyzor_t) + corecmd_getattr_bin_files(pyzor_t) + +-corenet_all_recvfrom_unlabeled(pyzor_t) +-corenet_all_recvfrom_netlabel(pyzor_t) + corenet_tcp_sendrecv_generic_if(pyzor_t) ++corenet_udp_sendrecv_generic_if(pyzor_t) + corenet_tcp_sendrecv_generic_node(pyzor_t) +- +-corenet_sendrecv_http_client_packets(pyzor_t) ++corenet_udp_sendrecv_generic_node(pyzor_t) ++corenet_tcp_sendrecv_all_ports(pyzor_t) ++corenet_udp_sendrecv_all_ports(pyzor_t) + corenet_tcp_connect_http_port(pyzor_t) +-corenet_tcp_sendrecv_http_port(pyzor_t) dev_read_urand(pyzor_t) --files_read_etc_files(pyzor_t) +-fs_getattr_all_fs(pyzor_t) +-fs_search_auto_mountpoints(pyzor_t) +fs_getattr_xattr_fs(pyzor_t) + auth_use_nsswitch(pyzor_t) -miscfiles_read_localization(pyzor_t) -+ -+mta_read_queue(pyzor_t) - userdom_dontaudit_search_user_home_dirs(pyzor_t) + mta_read_queue(pyzor_t) + +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(pyzor_t) +- fs_manage_nfs_files(pyzor_t) +- fs_manage_nfs_symlinks(pyzor_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- 
fs_manage_cifs_dirs(pyzor_t) +- fs_manage_cifs_files(pyzor_t) +- fs_manage_cifs_symlinks(pyzor_t) +-') ++userdom_dontaudit_search_user_home_dirs(pyzor_t) + + optional_policy(` + amavis_manage_lib_files(pyzor_t) +@@ -111,25 +120,24 @@ optional_policy(` + + ######################################## + # +-# Daemon local policy ++# Pyzor server local policy + # + +-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms; ++allow pyzord_t self:udp_socket create_socket_perms; ++ + manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) ++allow pyzord_t pyzor_var_lib_t:dir setattr; + files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) -@@ -109,8 +135,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms; - can_exec(pyzord_t, pyzor_exec_t) ++read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) + allow pyzord_t pyzor_etc_t:dir list_dir_perms; +-allow pyzord_t pyzor_etc_t:file read_file_perms; +-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms; - manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) --allow pyzord_t pyzord_log_t:dir setattr; --logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir } ) -+allow pyzord_t pyzord_log_t:dir setattr_dir_perms; -+logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) ++can_exec(pyzord_t, pyzor_exec_t) ++ ++manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) + allow pyzord_t pyzord_log_t:dir setattr_dir_perms; +-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) + logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) +-can_exec(pyzord_t, pyzor_exec_t) +- kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) -@@ -119,7 +145,6 @@ dev_read_urand(pyzord_t) + +@@ -137,24 +145,25 @@ dev_read_urand(pyzord_t) corecmd_exec_bin(pyzord_t) 
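Review bot: The client domain's network scope widens from `corenet_tcp_sendrecv_http_port(pyzor_t)` to `corenet_tcp_sendrecv_all_ports(pyzor_t)` and `corenet_udp_sendrecv_all_ports(pyzor_t)`; the next hunk does the same for the server with `corenet_udp_sendrecv_all_ports(pyzord_t)` while dropping `corenet_udp_sendrecv_pyzor_port(pyzord_t)`. The server block binds the pyzor port over UDP and the client keeps `corenet_tcp_connect_http_port`, so `corenet_udp_sendrecv_pyzor_port(pyzor_t)` plus the existing HTTP rule would be enough here, and the port-specific interface should stay in the pyzord_t block. Separately, `userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })` carries no name argument, so any dir, file or symlink pyzor_t creates directly in a home directory becomes pyzor_home_t rather than only `.pyzor`; if the intent is to also cover `.spamd` as the new fc entries suggest, two named calls (`".pyzor"` and `".spamd"`) keep the default label for everything else.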
@@ -52023,25 +57226,84 @@ index c8fb70b..f7bf36e 100644 corenet_all_recvfrom_netlabel(pyzord_t) corenet_udp_sendrecv_generic_if(pyzord_t) corenet_udp_sendrecv_generic_node(pyzord_t) -@@ -128,13 +153,11 @@ corenet_udp_bind_generic_node(pyzord_t) ++corenet_udp_sendrecv_all_ports(pyzord_t) + corenet_udp_bind_generic_node(pyzord_t) +- +-corenet_sendrecv_pyzor_server_packets(pyzord_t) corenet_udp_bind_pyzor_port(pyzord_t) - corenet_sendrecv_pyzor_server_packets(pyzord_t) +-corenet_udp_sendrecv_pyzor_port(pyzord_t) ++corenet_sendrecv_pyzor_server_packets(pyzord_t) --files_read_etc_files(pyzord_t) +-auth_use_nsswitch(pyzord_t) - auth_use_nsswitch(pyzord_t) +-logging_send_syslog_msg(pyzord_t) ++auth_use_nsswitch(pyzord_t) locallogin_dontaudit_use_fds(pyzord_t) -miscfiles_read_localization(pyzord_t) - # Do not audit attempts to access /root. - userdom_dontaudit_search_user_home_dirs(pyzord_t) -diff --git a/qemu.if b/qemu.if -index 268d691..580f9ee 100644 ---- a/qemu.if -+++ b/qemu.if -@@ -43,7 +43,6 @@ template(`qemu_domain_template',` ++# Do not audit attempts to access /root. + userdom_dontaudit_search_user_home_dirs(pyzord_t) + + mta_manage_spool(pyzord_t) ++ ++optional_policy(` ++ logging_send_syslog_msg(pyzord_t) ++') +diff --git a/qemu.fc b/qemu.fc +index 6b53fa4..64d877e 100644 +--- a/qemu.fc ++++ b/qemu.fc +@@ -1,5 +1,4 @@ +-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +- + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +diff --git a/qemu.if b/qemu.if +index eaf56b8..580f9ee 100644 +--- a/qemu.if ++++ b/qemu.if +@@ -1,19 +1,21 @@ +-## QEMU machine emulator and virtualizer. 
++## QEMU machine emulator and virtualizer + +-####################################### ++######################################## + ## +-## The template to define a qemu domain. ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## + # + template(`qemu_domain_template',` ++ + ############################## + # +- # Declarations ++ # Local Policy + # + + type $1_t; +@@ -24,7 +26,7 @@ template(`qemu_domain_template',` + + ############################## + # +- # Policy ++ # Local Policy + # + + allow $1_t self:capability { dac_read_search dac_override }; +@@ -41,7 +43,6 @@ template(`qemu_domain_template',` kernel_read_system_state($1_t) @@ -52049,7 +57311,7 @@ index 268d691..580f9ee 100644 corenet_all_recvfrom_netlabel($1_t) corenet_tcp_sendrecv_generic_if($1_t) corenet_tcp_sendrecv_generic_node($1_t) -@@ -72,11 +71,10 @@ template(`qemu_domain_template',` +@@ -70,11 +71,10 @@ template(`qemu_domain_template',` term_getattr_pty_fs($1_t) term_use_generic_ptys($1_t) @@ -52062,86 +57324,158 @@ index 268d691..580f9ee 100644 userdom_attach_admin_tun_iface($1_t) optional_policy(` -@@ -98,61 +96,40 @@ template(`qemu_domain_template',` - ') - ') +@@ -98,38 +98,12 @@ template(`qemu_domain_template',` --####################################### -+######################################## + ######################################## ## --## The per role template for the qemu module. -+## Execute a domain transition to run qemu. -+## -+## -+## -+## Domain allowed to transition. - ## --## --##

    --## This template creates a derived domains which are used --## for qemu web browser. --##

    --##

    --## This template is invoked automatically for each user, and --## generally does not need to be invoked directly --## by policy writers. --##

    --##
    --## +-## Role access for qemu. +-##
    +-## -## --## The role associated with the user domain. +-## Role allowed access. -## -## --## +-## -## --## The type of the user domain. +-## User domain for the role. +-## +-## +-# +-template(`qemu_role',` +- gen_require(` +- type qemu_t; +- ') +- +- qemu_run($2, $1) +- +- allow $2 qemu_t:process { ptrace signal_perms }; +- ps_process_pattern($2, qemu_t) +-') +- +-######################################## +-## + ## Execute a domain transition to run qemu. + ## + ## +-## ++## + ## Domain allowed to transition. -## ++## ## # --template(`qemu_role',` -+interface(`qemu_domtrans',` - gen_require(` + interface(`qemu_domtrans',` +@@ -137,18 +111,17 @@ interface(`qemu_domtrans',` type qemu_t, qemu_exec_t; -- type qemu_config_t, qemu_config_exec_t; ') -- role $1 types { qemu_t qemu_config_t }; -- -- domtrans_pattern($2, qemu_exec_t, qemu_t) -- domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) -- allow qemu_t $2:process signull; -+ domtrans_pattern($1, qemu_exec_t, qemu_t) +- corecmd_search_bin($1) + domtrans_pattern($1, qemu_exec_t, qemu_t) ') ######################################## ## --## Execute a domain transition to run qemu. +-## Execute a qemu in the caller domain. +## Execute a qemu in the callers domain ## ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`qemu_exec',` +@@ -156,15 +129,12 @@ interface(`qemu_exec',` + type qemu_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, qemu_exec_t) + ') + + ######################################## ## --## Domain allowed to transition. -+## Domain allowed access. +-## Execute qemu in the qemu domain, +-## and allow the specified role the +-## qemu domain. ++## Execute qemu in the qemu domain. ## + ## + ## +@@ -173,23 +143,25 @@ interface(`qemu_exec',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the qemu domain. 
+ ## ## + ## # --interface(`qemu_domtrans',` -+interface(`qemu_exec',` + interface(`qemu_run',` gen_require(` -- type qemu_t, qemu_exec_t; -+ type qemu_exec_t; +- attribute_role qemu_roles; ++ type qemu_t; ') -- domtrans_pattern($1, qemu_exec_t, qemu_t) -+ can_exec($1, qemu_exec_t) + qemu_domtrans($1) +- roleattribute $2 qemu_roles; ++ role $2 types qemu_t; ++ allow qemu_t $1:process signull; ++ allow $1 qemu_t:process signull; + ') + + ######################################## + ## +-## Read qemu process state files. ++## Allow the domain to read state files in /proc. + ## + ## + ## +@@ -202,15 +174,12 @@ interface(`qemu_read_state',` + type qemu_t; + ') + +- kernel_search_proc($1) +- allow $1 qemu_t:dir list_dir_perms; +- allow $1 qemu_t:file read_file_perms; +- allow $1 qemu_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, qemu_t, qemu_t) ') ######################################## -@@ -256,20 +233,63 @@ interface(`qemu_kill',` + ## +-## Set qemu scheduler. ++## Set the schedule on qemu. + ## + ## + ## +@@ -228,7 +197,7 @@ interface(`qemu_setsched',` + + ######################################## + ## +-## Send generic signals to qemu. ++## Send a signal to qemu. + ## + ## + ## +@@ -246,7 +215,7 @@ interface(`qemu_signal',` + + ######################################## + ## +-## Send kill signals to qemu. ++## Send a sigill to qemu + ## + ## + ## +@@ -264,48 +233,68 @@ interface(`qemu_kill',` ######################################## ## --## Execute a domain transition to run qemu unconfined. +-## Execute a domain transition to +-## run qemu unconfined. +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit @@ -52157,20 +57491,26 @@ index 268d691..580f9ee 100644 +##

    +## ## -+## + ## +-## Domain allowed to transition. +## Domain allowed access. +## +## +## +## +## The type of the new process. -+## -+## -+# + ## + ## + # +-interface(`qemu_domtrans_unconfined',` +interface(`qemu_spec_domtrans',` -+ gen_require(` + gen_require(` +- type unconfined_qemu_t, qemu_exec_t; + type qemu_exec_t; -+ ') + ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) 
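Review bot: The new summary for qemu_kill reads `## Send a sigill to qemu`; SIGILL is a different signal from the `kill` permission this interface grants, so it should read `## Send a kill signal (SIGKILL) to qemu`, and `## Execute a qemu in the callers domain` wants `caller's`. qemu_read_state now uses `read_files_pattern($1, qemu_t, qemu_t)` in place of the explicit dir/file/lnk_file rules and `kernel_search_proc($1)`; which outer side those old lines belong to is not fully clear from the flattened hunk, but if they are gone, callers lose `/proc` search and symlink read and may not reach the process state files the summary promises. `qemu_unconfined_role` requires `unconfined_qemu_t`; the qemu.te hunk below reworks the unconfined block, so confirm the type is still declared on the new side.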
@@ -52180,156 +57520,416 @@ index 268d691..580f9ee 100644 + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; -+') -+ -+######################################## + ') + + ######################################## ## --## Domain allowed to transition. +-## Create, read, write, and delete +-## qemu temporary directories. +## Execute qemu unconfined programs in the role. ## +-## +## -+## + ## +-## Domain allowed access. +## The role to allow the qemu unconfined domain. -+## + ## ## # --interface(`qemu_domtrans_unconfined',` +-interface(`qemu_manage_tmp_dirs',` +interface(`qemu_unconfined_role',` gen_require(` -- type unconfined_qemu_t, qemu_exec_t; +- type qemu_tmp_t; + type unconfined_qemu_t; + type qemu_t; ') - -- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) +- files_search_tmp($1) +- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + role $1 types unconfined_qemu_t; + role $1 types qemu_t; ') ######################################## -@@ -307,3 +327,22 @@ interface(`qemu_manage_tmp_files',` + ## +-## Create, read, write, and delete +-## qemu temporary files. ++## Manage qemu temporary dirs. + ## + ## + ## +@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',` + ## + ## + # +-interface(`qemu_manage_tmp_files',` ++interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +- files_search_tmp($1) +- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -+ + + ######################################## + ## +-## Execute qemu in a specified domain. ++## Manage qemu temporary files. + ## +-## +-##

    +-## Execute qemu in a specified domain. +-##

    +-##

    +-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

    +-##
    +-## +-## +-## Domain allowed to transition. +-## +-## +-## ++## + ## +-## Domain to transition to. ++## Domain allowed access. + ## + ## + # +-interface(`qemu_spec_domtrans',` ++interface(`qemu_manage_tmp_files',` + gen_require(` +- type qemu_exec_t; ++ type qemu_tmp_t; + ') + +- corecmd_search_bin($1) +- domain_auto_trans($1, qemu_exec_t, $2) ++ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') + +-###################################### +######################################## -+## + ## +-## Make qemu executable files an +-## entrypoint for the specified domain. +## Make qemu_exec_t an entrypoint for +## the specified domain. -+## -+## + ## + ## +-## +-## The domain for which qemu_exec_t is an entrypoint. +-## +## +## The domain for which qemu_exec_t is an entrypoint. +## -+## -+# -+interface(`qemu_entry_type',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ domain_entry_file($1, qemu_exec_t) -+') + ## + # + interface(`qemu_entry_type',` diff --git a/qemu.te b/qemu.te -index 9681d82..695c857 100644 +index 2e824eb..695c857 100644 --- a/qemu.te +++ b/qemu.te -@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true) +@@ -1,4 +1,4 @@ +-policy_module(qemu, 1.7.4) ++policy_module(qemu, 1.7.0) + + ######################################## + # +@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4) + # + + ## +-##

    +-## Determine whether qemu has full +-## access to the network. +-##

    ++##

    ++## Allow qemu to connect fully to the network ++##

    ##
    - gen_tunable(qemu_use_usb, true) + gen_tunable(qemu_full_network, false) + +-attribute_role qemu_roles; +-roleattribute system_r qemu_roles; ++## ++##

    ++## Allow qemu to use cifs/Samba file systems ++##

    ++##
    ++gen_tunable(qemu_use_cifs, true) ++ ++## ++##

    ++## Allow qemu to use serial/parallel communication ports ++##

    ++##
    ++gen_tunable(qemu_use_comm, false) -type qemu_exec_t; +-application_executable_file(qemu_exec_t) ++## ++##

    ++## Allow qemu to use nfs file systems ++##

    ++##
    ++gen_tunable(qemu_use_nfs, true) ++ ++## ++##

    ++## Allow qemu to use usb devices ++##

    ++##
    ++gen_tunable(qemu_use_usb, true) + virt_domain_template(qemu) --application_domain(qemu_t, qemu_exec_t) - role system_r types qemu_t; +-role qemu_roles types qemu_t; ++role system_r types qemu_t; ######################################## -@@ -50,13 +48,12 @@ role system_r types qemu_t; - # qemu local policy + # +-# Local policy ++# qemu local policy # --can_exec(qemu_t, qemu_exec_t) -- - storage_raw_write_removable_device(qemu_t) - storage_raw_read_removable_device(qemu_t) - - userdom_search_user_home_content(qemu_t) - userdom_read_user_tmpfs_files(qemu_t) ++storage_raw_write_removable_device(qemu_t) ++storage_raw_read_removable_device(qemu_t) ++ ++userdom_search_user_home_content(qemu_t) ++userdom_read_user_tmpfs_files(qemu_t) +userdom_stream_connect(qemu_t) - ++ tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; -@@ -101,6 +98,17 @@ optional_policy(` ++ allow qemu_t self:udp_socket create_socket_perms; ++ + corenet_udp_sendrecv_generic_if(qemu_t) + corenet_udp_sendrecv_generic_node(qemu_t) + corenet_udp_sendrecv_all_ports(qemu_t) +@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',` + corenet_tcp_connect_all_ports(qemu_t) ') - optional_policy(` -+ tunable_policy(`qemu_use_cifs',` -+ samba_domtrans_smbd(qemu_t) -+ ') ++tunable_policy(`qemu_use_cifs',` ++ fs_manage_cifs_dirs(qemu_t) ++ fs_manage_cifs_files(qemu_t) +') + -+optional_policy(` -+ virt_domtrans_bridgehelper(qemu_t) ++tunable_policy(`qemu_use_comm',` ++ term_use_unallocated_ttys(qemu_t) ++ dev_rw_printer(qemu_t) +') + -+optional_policy(` -+ virt_manage_home_files(qemu_t) - virt_manage_images(qemu_t) - virt_append_log(qemu_t) - ') -@@ -113,18 +121,3 @@ optional_policy(` - xserver_read_xdm_pid(qemu_t) - xserver_stream_connect(qemu_t) ++tunable_policy(`qemu_use_nfs',` ++ fs_manage_nfs_dirs(qemu_t) ++ fs_manage_nfs_files(qemu_t) ++') ++ ++tunable_policy(`qemu_use_usb',` ++ dev_rw_usbfs(qemu_t) ++ fs_manage_dos_dirs(qemu_t) ++ fs_manage_dos_files(qemu_t) ++') ++ + 
optional_policy(` +- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) ++ dbus_read_lib_files(qemu_t) ') -- + -######################################## -# --# Unconfined qemu local policy +-# Unconfined local policy -# -- --optional_policy(` ++optional_policy(` ++ pulseaudio_manage_home_files(qemu_t) ++ pulseaudio_stream_connect(qemu_t) ++') ++ ++optional_policy(` ++ tunable_policy(`qemu_use_cifs',` ++ samba_domtrans_smbd(qemu_t) ++ ') ++') + + optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; - application_type(unconfined_qemu_t) - unconfined_domain(unconfined_qemu_t) -- ++ virt_domtrans_bridgehelper(qemu_t) ++') ++ ++optional_policy(` ++ virt_manage_home_files(qemu_t) ++ virt_manage_images(qemu_t) ++ virt_append_log(qemu_t) ++') + - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; --') ++optional_policy(` ++ xen_rw_image_files(qemu_t) ++') ++ ++optional_policy(` ++ xserver_read_xdm_pid(qemu_t) ++ xserver_stream_connect(qemu_t) + ') diff --git a/qmail.fc b/qmail.fc -index 0055e54..edee505 100644 +index e53fe5a..edee505 100644 --- a/qmail.fc 
+++ b/qmail.fc -@@ -17,6 +17,7 @@ - /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - - /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) +@@ -1,22 +1,6 @@ +-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) +- +-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) +- +-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) +-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) +-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) +-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) +-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) +-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) +-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) +-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) +-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) +-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) +- +-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) +-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) ++ ++/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) ++/var/qmail/alias(/.*)? 
gen_context(system_u:object_r:qmail_alias_home_t,s0) + + /var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) + /var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +@@ -29,9 +13,36 @@ + /var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) + /var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) + /var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) +-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) ++/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++ ++/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) +/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - - /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) - -@@ -25,7 +26,7 @@ ifdef(`distro_debian', ` - - /usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) - --#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) ++ ++/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) ++ ++ifdef(`distro_debian', ` ++/etc/qmail(/.*)? 
gen_context(system_u:object_r:qmail_etc_t,s0) ++ ++/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) ++ +#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) ++ ++/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) ++/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) ++/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) ++/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) ++/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) ++/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) ++/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) ++/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) ++/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) ++/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) ++/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) ++/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) ++ ++/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + +-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) ++') - /usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) - /usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/qmail.if b/qmail.if -index a55bf44..05e219e 100644 +index e4f0000..05e219e 100644 --- a/qmail.if 
+++ b/qmail.if -@@ -44,7 +44,6 @@ template(`qmail_child_domain_template',` +@@ -1,12 +1,12 @@ +-## Qmail Mail Server. ++## Qmail Mail Server - fs_getattr_xattr_fs($1_t) + ######################################## + ## +-## Template for qmail parent/sub-domain pairs. ++## Template for qmail parent/sub-domain pairs + ## + ## + ## +-## The prefix of the child domain. ++## The prefix of the child domain + ## + ## + ## +@@ -16,35 +16,39 @@ + ## + # + template(`qmail_child_domain_template',` +- gen_require(` +- attribute qmail_child_domain; +- ') +- +- ######################################## +- # +- # Declarations +- # +- +- type $1_t, qmail_child_domain; +- type $1_exec_t; ++ type $1_t; + domain_type($1_t) ++ type $1_exec_t; + domain_entry_file($1_t, $1_exec_t) +- ++ domain_auto_trans($2, $1_exec_t, $1_t) + role system_r types $1_t; -- miscfiles_read_localization($1_t) +- ######################################## +- # +- # Policy +- # ++ allow $1_t self:process signal_perms; ++ ++ allow $1_t $2:fd use; ++ allow $1_t $2:fifo_file rw_file_perms; ++ allow $1_t $2:process sigchld; ++ ++ allow $1_t qmail_etc_t:dir list_dir_perms; ++ allow $1_t qmail_etc_t:file read_file_perms; ++ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; ++ ++ allow $1_t qmail_start_t:fd use; ++ ++ kernel_list_proc($2) ++ kernel_read_proc_symlinks($2) + +- domtrans_pattern($2, $1_exec_t, $1_t) ++ corecmd_search_bin($1_t) ++ ++ files_search_var($1_t) ++ ++ fs_getattr_xattr_fs($1_t) + +- kernel_read_system_state($2) ') ######################################## -@@ -62,14 +61,13 @@ interface(`qmail_domtrans_inject',` + ## +-## Transition to qmail_inject_t. ++## Transition to qmail_inject_t + ## + ## + ## +@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',` type qmail_inject_t, qmail_inject_exec_t; ') 
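Review bot: In qmail_child_domain_template the new rule `allow $1_t $2:fifo_file rw_file_perms;` applies the file-class macro to the fifo_file class; the rest of the patch uses `rw_fifo_file_perms` for fifos (see the qmail_spool_t rule in the next hunk), so `allow $1_t $2:fifo_file rw_fifo_file_perms;` keeps the permission sets consistent. The template also replaces `kernel_read_system_state($2)` on the parent with `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)`; the template's doc block in this hunk does not say what the parent needs from /proc, and a one-line comment above those two calls would make the narrower grant reviewable. In qemu.te, `qemu_use_comm` grants `term_use_unallocated_ttys(qemu_t)` and `dev_rw_printer(qemu_t)`; the description `Allow qemu to use serial/parallel communication ports` should say that this covers every unallocated tty, not only serial ports, so administrators know the scope before enabling it.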
@@ -52341,11 +57941,17 @@ index a55bf44..05e219e 100644 - corecmd_search_bin($1) ',` files_search_var($1) -- corecmd_search_bin($1) ') - ') +@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',` -@@ -88,14 +86,13 @@ interface(`qmail_domtrans_queue',` + ######################################## + ## +-## Transition to qmail_queue_t. ++## Transition to qmail_queue_t + ## + ## + ## +@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',` type qmail_queue_t, qmail_queue_exec_t; ') @@ -52357,11 +57963,33 @@ index a55bf44..05e219e 100644 - corecmd_search_bin($1) ',` files_search_var($1) -- corecmd_search_bin($1) + ') +@@ -108,20 +112,21 @@ interface(`qmail_read_config',` + type qmail_etc_t; + ') + +- files_search_var($1) + allow $1 qmail_etc_t:dir list_dir_perms; + allow $1 qmail_etc_t:file read_file_perms; + allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; ++ files_search_var($1) + + ifdef(`distro_debian',` ++ # handle /etc/qmail + files_search_etc($1) ') ') -@@ -149,3 +146,59 @@ interface(`qmail_smtpd_service_domain',` + ######################################## + ## +-## Define the specified domain as a +-## qmail-smtp service. ++## Define the specified domain as a qmail-smtp service. ++## Needed by antivirus/antispam filters. + ## + ## + ## +@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',` domtrans_pattern(qmail_smtpd_t, $2, $1) ') @@ -52422,10 +58050,48 @@ index a55bf44..05e219e 100644 + allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/qmail.te b/qmail.te -index 355b2a2..af2850e 100644 +index 1bef513..af2850e 100644 --- a/qmail.te 
+++ b/qmail.te -@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) +@@ -1,11 +1,11 @@ +-policy_module(qmail, 1.5.1) ++policy_module(qmail, 1.5.0) + + ######################################## + # + # Declarations + # + +-attribute qmail_child_domain; ++attribute qmail_user_domains; + + type qmail_alias_home_t; + files_type(qmail_alias_home_t) +@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t) + type qmail_exec_t; + files_type(qmail_exec_t) + +-type qmail_inject_t; ++type qmail_inject_t, qmail_user_domains; + type qmail_inject_exec_t; + domain_type(qmail_inject_t) + domain_entry_file(qmail_inject_t, qmail_inject_exec_t) +@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) + mta_mailserver_delivery(qmail_lspawn_t) + + qmail_child_domain_template(qmail_queue, qmail_inject_t) ++typeattribute qmail_queue_t qmail_user_domains; + mta_mailserver_user_agent(qmail_queue_t) + + qmail_child_domain_template(qmail_remote, qmail_rspawn_t) + mta_mailserver_sender(qmail_remote_t) + + qmail_child_domain_template(qmail_rspawn, qmail_start_t) ++ + qmail_child_domain_template(qmail_send, qmail_start_t) ++ + qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) ++ qmail_child_domain_template(qmail_splogger, qmail_start_t) type qmail_spool_t; 
@@ -52434,20 +58100,43 @@ index 355b2a2..af2850e 100644 type qmail_start_t; type qmail_start_exec_t; -@@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) + ######################################## # - # qmail-clean local policy --# this component cleans up the queue directory +-# Common qmail child domain local policy +-# +- +-allow qmail_child_domain self:process signal_perms; +- +-allow qmail_child_domain qmail_etc_t:dir list_dir_perms; +-allow qmail_child_domain qmail_etc_t:file read_file_perms; +-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms; +- +-allow qmail_child_domain qmail_start_t:fd use; +- +-corecmd_search_bin(qmail_child_domain) +- +-files_search_var(qmail_child_domain) +- +-fs_getattr_xattr_fs(qmail_child_domain) +- +-miscfiles_read_localization(qmail_child_domain) +- +-######################################## +-# +-# Clean local policy ++# qmail-clean local policy +# this component cleans up the queue directory # read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) -@@ -69,11 +69,11 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) +@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) + ######################################## # - # qmail-inject local policy --# this component preprocesses mail from stdin and invokes qmail-queue +-# Inject local policy ++# qmail-inject local policy +# this component preprocesses mail from stdin and invokes qmail-queue # @@ -52457,7 +58146,7 @@ index 355b2a2..af2850e 100644 allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; -@@ -81,18 +81,17 @@ corecmd_search_bin(qmail_inject_t) +@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t) files_search_var(qmail_inject_t) 
@@ -52467,26 +58156,20 @@ index 355b2a2..af2850e 100644 ######################################## # - # qmail-local local policy --# this component delivers a mail message +-# Local local policy ++# qmail-local local policy +# this component delivers a mail message # --allow qmail_local_t self:fifo_file write_file_perms; +-allow qmail_local_t self:fifo_file write_fifo_file_perms; allow qmail_local_t self:process signal_perms; +-allow qmail_local_t self:unix_stream_socket { accept listen }; +allow qmail_local_t self:fifo_file write_file_perms; - allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; ++allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -@@ -109,7 +108,6 @@ kernel_read_system_state(qmail_local_t) - corecmd_exec_bin(qmail_local_t) - corecmd_exec_shell(qmail_local_t) - --files_read_etc_files(qmail_local_t) - files_read_etc_runtime_files(qmail_local_t) - - auth_use_nsswitch(qmail_local_t) -@@ -121,13 +119,17 @@ mta_append_spool(qmail_local_t) + manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) +@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) optional_policy(` 
@@ -52499,24 +58182,26 @@ index 355b2a2..af2850e 100644 ######################################## # - # qmail-lspawn local policy --# this component schedules local deliveries +-# Lspawn local policy ++# qmail-lspawn local policy +# this component schedules local deliveries # allow qmail_lspawn_t self:capability { setuid setgid }; -@@ -143,22 +145,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) +@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; - corecmd_search_bin(qmail_lspawn_t) + read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) -files_read_etc_files(qmail_lspawn_t) ++corecmd_search_bin(qmail_lspawn_t) ++ files_search_pids(qmail_lspawn_t) files_search_tmp(qmail_lspawn_t) ######################################## # - # qmail-queue local policy --# this component places a mail in a delivery queue, later to be processed by qmail-send +-# Queue local policy ++# qmail-queue local policy +# this component places a mail in a delivery queue, later to be processed by qmail-send # 
@@ -52530,55 +58215,78 @@ index 355b2a2..af2850e 100644 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -@@ -175,7 +176,7 @@ optional_policy(` +@@ -183,28 +175,34 @@ optional_policy(` + ######################################## # - # qmail-remote local policy --# this component sends mail via SMTP +-# Remote local policy ++# qmail-remote local policy +# this component sends mail via SMTP # - allow qmail_remote_t self:tcp_socket create_socket_perms; -@@ -183,7 +184,6 @@ allow qmail_remote_t self:udp_socket create_socket_perms; - ++allow qmail_remote_t self:tcp_socket create_socket_perms; ++allow qmail_remote_t self:udp_socket create_socket_perms; ++ rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) -corenet_all_recvfrom_unlabeled(qmail_remote_t) corenet_all_recvfrom_netlabel(qmail_remote_t) corenet_tcp_sendrecv_generic_if(qmail_remote_t) - corenet_udp_sendrecv_generic_if(qmail_remote_t) -@@ -202,7 +202,7 @@ sysnet_read_config(qmail_remote_t) ++corenet_udp_sendrecv_generic_if(qmail_remote_t) + corenet_tcp_sendrecv_generic_node(qmail_remote_t) +- +-corenet_sendrecv_smtp_client_packets(qmail_remote_t) +-corenet_tcp_connect_smtp_port(qmail_remote_t) ++corenet_udp_sendrecv_generic_node(qmail_remote_t) + corenet_tcp_sendrecv_smtp_port(qmail_remote_t) ++corenet_udp_sendrecv_dns_port(qmail_remote_t) ++corenet_tcp_connect_smtp_port(qmail_remote_t) ++corenet_sendrecv_smtp_client_packets(qmail_remote_t) + + dev_read_rand(qmail_remote_t) + dev_read_urand(qmail_remote_t) + +-sysnet_dns_name_resolve(qmail_remote_t) ++sysnet_read_config(qmail_remote_t) + ######################################## # - # qmail-rspawn local policy --# this component scedules remote deliveries +-# Rspawn local policy ++# qmail-rspawn local policy +# this component scedules remote deliveries # allow qmail_rspawn_t self:process signal_perms; -@@ -217,7 +217,7 @@ corecmd_search_bin(qmail_rspawn_t) +@@ -214,9 
+212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; + + rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) + ++corecmd_search_bin(qmail_rspawn_t) ++ ######################################## # - # qmail-send local policy --# this component delivers mail messages from the queue +-# Send local policy ++# qmail-send local policy +# this component delivers mail messages from the queue # allow qmail_send_t self:process signal_perms; -@@ -236,7 +236,7 @@ optional_policy(` +@@ -234,7 +235,8 @@ optional_policy(` + ######################################## # - # qmail-smtpd local policy --# this component receives mails via SMTP +-# Smtpd local policy ++# qmail-smtpd local policy +# this component receives mails via SMTP # allow qmail_smtpd_t self:process signal_perms; -@@ -265,27 +265,25 @@ optional_policy(` +@@ -262,26 +264,26 @@ optional_policy(` + ######################################## # - # splogger local policy --# this component creates entries in syslog +-# Splogger local policy ++# splogger local policy +# this component creates entries in syslog # @@ -52592,8 +58300,8 @@ index 355b2a2..af2850e 100644 ######################################## # - # qmail-start local policy --# this component starts up the mail delivery component +-# Start local policy ++# qmail-start local policy +# this component starts up the mail delivery component # 
@@ -52605,31 +58313,18 @@ index 355b2a2..af2850e 100644 can_exec(qmail_start_t, qmail_start_exec_t) -@@ -303,7 +301,7 @@ optional_policy(` +@@ -298,7 +300,8 @@ optional_policy(` + ######################################## # - # tcp-env local policy --# this component sets up TCP-related environment variables +-# Tcp-env local policy ++# tcp-env local policy +# this component sets up TCP-related environment variables # allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; -diff --git a/qpid.fc b/qpid.fc -index 4f94229..f3b89e4 100644 ---- a/qpid.fc -+++ b/qpid.fc -@@ -1,6 +1,7 @@ --/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - --/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) -+/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) -+ -+/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) - - /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) - diff --git a/qpid.if b/qpid.if -index 5a9630c..bedca3a 100644 +index cd51b96..f7e9c70 100644 --- a/qpid.if +++ b/qpid.if @@ -1,4 +1,4 @@ @@ -52638,19 +58333,23 @@ index 5a9630c..bedca3a 100644 ######################################## ## -@@ -18,9 +18,9 @@ interface(`qpidd_domtrans',` +@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',` + type qpidd_t, qpidd_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, qpidd_exec_t, qpidd_t) ') -##################################### +######################################## ## --## Allow read and write access to qpidd semaphores. +-## Read and write access qpidd semaphores. +## Execute qpidd server in the qpidd domain. ## ## ## -@@ -28,17 +28,17 @@ interface(`qpidd_domtrans',` +@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',` ## ## # 
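Review bot: The new inner hunk for qpidd_domtrans now removes `corecmd_search_bin($1)` and leaves only `domtrans_pattern($1, qpidd_exec_t, qpidd_t)`, while the other domtrans interfaces on this page (`quota_domtrans_nld`, for instance) still search bin_t before the transition. If callers are expected to already hold that search permission, state it in a comment above the domtrans_pattern line; otherwise the call should be restored so the transition does not depend on the caller's unrelated rules. The opening of the interface lies outside the hunk, so this is based on the visible lines only.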
@@ -52667,12 +58366,12 @@ index 5a9630c..bedca3a 100644 ######################################## ## --## Read and write to qpidd shared memory. +-## Read and write qpidd shared memory. +## Read qpidd PID files. ## ## ## -@@ -46,17 +46,18 @@ interface(`qpidd_rw_semaphores',` +@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',` ## ## # @@ -52690,12 +58389,14 @@ index 5a9630c..bedca3a 100644 ######################################## ## --## Execute qpidd server in the qpidd domain. +-## Execute qpidd init script in +-## the initrc domain. +## Manage qpidd var_run files. ## ## ## -@@ -64,17 +65,20 @@ interface(`qpidd_rw_shm',` +-## Domain allowed to transition. ++## Domain allowed access. ## ## # @@ -52715,12 +58416,12 @@ index 5a9630c..bedca3a 100644 ######################################## ## --## Read qpidd PID files. +-## Read qpidd pid files. +## Search qpidd lib directories. ## ## ## -@@ -82,18 +86,18 @@ interface(`qpidd_initrc_domtrans',` +@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',` ## ## # @@ -52744,7 +58445,7 @@ index 5a9630c..bedca3a 100644 ## ## ## -@@ -101,18 +105,19 @@ interface(`qpidd_read_pid_files',` +@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',` ## ## # @@ -52754,8 +58455,8 @@ index 5a9630c..bedca3a 100644 type qpidd_var_lib_t; ') -- allow $1 qpidd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) +- allow $1 qpidd_var_lib_t:dir search_dir_perms; + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') @@ -52767,7 +58468,7 @@ index 5a9630c..bedca3a 100644 ## ## ## -@@ -120,19 +125,18 @@ interface(`qpidd_search_lib',` +@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',` ## ## # @@ -52790,7 +58491,7 @@ index 5a9630c..bedca3a 100644 ## ## ## -@@ -140,13 +144,15 @@ interface(`qpidd_read_lib_files',` +@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',` ## ## # 
@@ -52806,40 +58507,18 @@ index 5a9630c..bedca3a 100644 + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - ######################################## -@@ -171,8 +177,11 @@ interface(`qpidd_admin',` - type qpidd_t, qpidd_initrc_exec_t; - ') - -- allow $1 qpidd_t:process { ptrace signal_perms }; -+ allow $1 qpidd_t:process signal_perms; - ps_process_pattern($1, qpidd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 qpidd_t:process ptrace; -+ ') - - # Allow qpidd_t to restart the apache service - qpidd_initrc_domtrans($1) -@@ -180,7 +189,46 @@ interface(`qpidd_admin',` - role_transition $2 qpidd_initrc_exec_t system_r; - allow $2 system_r; - -- admin_pattern($1, qpidd_var_lib_t) -+ qpidd_manage_var_run($1) - -- admin_pattern($1, qpidd_var_run_t) -+ qpidd_manage_var_lib($1) -+') -+ +-######################################## +##################################### -+## + ## +-## All of the rules required to +-## administrate an qpidd environment. +## Allow read and write access to qpidd semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +# +interface(`qpidd_rw_semaphores',` + gen_require(` 
@@ -52868,32 +58547,73 @@ index 5a9630c..bedca3a 100644 + allow $1 qpidd_t:shm rw_shm_perms; + fs_search_tmpfs($1) + manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) - ') -diff --git a/qpid.te b/qpid.te -index cb7ecb5..68f26ad 100644 ---- a/qpid.te -+++ b/qpid.te -@@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) - type qpidd_initrc_exec_t; - init_script_file(qpidd_initrc_exec_t) ++') ++ ++####################################### ++## ++## All of the rules required to ++## administrate an qpidd environment. ++## ++## ++## ++## Domain allowed access. ++## ++## + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. ++## + ## + ## + # + interface(`qpidd_admin',` +- gen_require(` +- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; +- type qpidd_var_run_t; +- ') ++ gen_require(` ++ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; ++ type qpidd_var_run_t; ++ ') + +- allow $1 qpidd_t:process { ptrace signal_perms }; +- ps_process_pattern($1, qpidd_t) ++ allow $1 qpidd_t:process { signal_perms }; ++ ps_process_pattern($1, qpidd_t) --type qpidd_var_lib_t; --files_type(qpidd_var_lib_t) -+type qpidd_tmpfs_t; -+files_tmpfs_file(qpidd_tmpfs_t) +- qpidd_initrc_domtrans($1) +- domain_system_change_exemption($1) +- role_transition $2 qpidd_initrc_exec_t system_r; +- allow $2 system_r; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 qpidd_t:process ptrace; ++ ') - type qpidd_var_run_t; - files_pid_file(qpidd_var_run_t) +- files_search_var_lib($1( +- admin_pattern($1, qpidd_var_lib_t) ++ qpidd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 qpidd_initrc_exec_t system_r; ++ allow $2 system_r; -+type qpidd_var_lib_t; -+files_type(qpidd_var_lib_t) +- files_search_pids($1) +- admin_pattern($1, qpidd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, qpidd_var_lib_t) + - ######################################## - # - # qpidd local policy -@@ -30,34 +33,41 @@ allow qpidd_t self:shm create_shm_perms; - allow 
qpidd_t self:tcp_socket create_stream_socket_perms; - allow qpidd_t self:unix_stream_socket create_stream_socket_perms; ++ files_search_pids($1) ++ admin_pattern($1, qpidd_var_run_t) + ') +diff --git a/qpid.te b/qpid.te +index 76f5b39..8bf531a 100644 +--- a/qpid.te ++++ b/qpid.te +@@ -37,18 +37,22 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) + manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) + fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) @@ -52918,19 +58638,20 @@ index cb7ecb5..68f26ad 100644 +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) corenet_tcp_sendrecv_generic_node(qpidd_t) - corenet_tcp_sendrecv_all_ports(qpidd_t) --corenet_tcp_bind_generic_node(qpidd_t) + corenet_tcp_bind_generic_node(qpidd_t) +@@ -57,17 +61,18 @@ corenet_sendrecv_amqp_server_packets(qpidd_t) corenet_tcp_bind_amqp_port(qpidd_t) + corenet_tcp_sendrecv_amqp_port(qpidd_t) + ++ +corenet_tcp_bind_matahari_port(qpidd_t) -+corenet_tcp_connect_amqp_port(qpidd_t) +corenet_tcp_connect_matahari_port(qpidd_t) - -+dev_read_sysfs(qpidd_t) ++ + dev_read_sysfs(qpidd_t) dev_read_urand(qpidd_t) - files_read_etc_files(qpidd_t) -+files_read_usr_files(qpidd_t) - +-files_read_etc_files(qpidd_t) +- logging_send_syslog_msg(qpidd_t) -miscfiles_read_localization(qpidd_t) @@ -52942,31 +58663,25 @@ index cb7ecb5..68f26ad 100644 ') + diff --git a/quantum.fc b/quantum.fc -new file mode 100644 -index 0000000..9108437 ---- /dev/null +index 70ab68b..9ac57eb 100644 +--- a/quantum.fc 
+++ b/quantum.fc -@@ -0,0 +1,10 @@ -+/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -+ +@@ -1,3 +1,5 @@ +/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:quantum_unit_file_t,s0) + -+/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) -+ -+/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0) + /etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) + + /usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) diff --git a/quantum.if b/quantum.if -new file mode 100644 -index 0000000..010b2be ---- /dev/null +index afc0068..7616aa4 100644 +--- a/quantum.if +++ b/quantum.if -@@ -0,0 +1,218 @@ -+## Quantum is a virtual network service for Openstack -+ -+######################################## -+## +@@ -2,41 +2,217 @@ + + ######################################## + ## +-## All of the rules required to +-## administrate an quantum environment. +## Transition to quantum. +## +## @@ -52987,12 +58702,13 @@ index 0000000..010b2be +######################################## +## +## Read quantum's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +# +interface(`quantum_read_log',` @@ -53009,7 +58725,8 @@ index 0000000..010b2be +## Append to quantum log files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. +## +## @@ -53152,27 +58869,37 @@ index 0000000..010b2be +## +## +## -+## Domain allowed access. -+## -+## -+# -+interface(`quantum_admin',` -+ gen_require(` ++## Domain allowed access. + ##
    + ## +-## + # + interface(`quantum_admin',` + gen_require(` +- type quantum_t, quantum_initrc_exec_t, quantum_log_t; +- type quantum_var_lib_t, quantum_tmp_t; + type quantum_t; + type quantum_log_t; + type quantum_var_lib_t; + type quantum_unit_file_t; -+ ') -+ -+ allow $1 quantum_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, quantum_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, quantum_log_t) -+ -+ files_search_var_lib($1) -+ admin_pattern($1, quantum_var_lib_t) -+ + ') + + allow $1 quantum_t:process { ptrace signal_perms }; + ps_process_pattern($1, quantum_t) + +- init_labeled_script_domtrans($1, quantum_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quantum_initrc_exec_t system_r; +- allow $2 system_r; +- + logging_search_logs($1) + admin_pattern($1, quantum_log_t) + + files_search_var_lib($1) + admin_pattern($1, quantum_var_lib_t) + +- files_search_tmp($1) +- admin_pattern($1, quantum_tmp_t) + quantum_systemctl($1) + admin_pattern($1, quantum_unit_file_t) + allow $1 quantum_unit_file_t:service all_service_perms; @@ -53180,201 +58907,293 @@ index 0000000..010b2be + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/quantum.te b/quantum.te -new file mode 100644 -index 0000000..6e15504 ---- /dev/null +index 769d1fd..e08eabf 100644 +--- a/quantum.te 
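Review bot: quantum_admin keeps `allow $1 quantum_t:process { ptrace signal_perms };` unconditionally, whereas qpidd_admin in this same patch now grants signal_perms only and places ptrace behind the `deny_ptrace` tunable. For consistency change the line to `allow $1 quantum_t:process signal_perms;` and add `tunable_policy(`deny_ptrace',`',` allow $1 quantum_t:process ptrace; ')` directly below it, mirroring qpidd_admin. The interface body continues into the next hunk.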
+++ b/quantum.te -@@ -0,0 +1,80 @@ -+policy_module(quantum, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type quantum_t; -+type quantum_exec_t; -+init_daemon_domain(quantum_t, quantum_exec_t) -+ -+type quantum_log_t; -+logging_log_file(quantum_log_t) -+ -+type quantum_tmp_t; -+files_tmp_file(quantum_tmp_t) -+ -+type quantum_var_lib_t; -+files_type(quantum_var_lib_t) -+ +@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t) + type quantum_var_lib_t; + files_type(quantum_var_lib_t) + +type quantum_unit_file_t; +systemd_unit_file(quantum_unit_file_t) + -+######################################## -+# -+# quantum local policy -+# -+allow quantum_t self:capability { setuid sys_resource setgid audit_write }; -+allow quantum_t self:process { setsched setrlimit }; -+allow quantum_t self:key manage_key_perms; -+ -+allow quantum_t self:fifo_file rw_fifo_file_perms; -+allow quantum_t self:unix_stream_socket create_stream_socket_perms; -+allow quantum_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) -+manage_files_pattern(quantum_t, quantum_log_t, quantum_log_t) -+logging_log_filetrans(quantum_t, quantum_log_t, { dir file }) -+ -+manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) -+files_tmp_filetrans(quantum_t, quantum_tmp_t, file) -+can_exec(quantum_t, quantum_tmp_t) -+ -+manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -+manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) -+files_var_lib_filetrans(quantum_t, quantum_var_lib_t, { dir file }) -+ -+kernel_read_kernel_sysctls(quantum_t) -+kernel_read_system_state(quantum_t) -+ -+corecmd_exec_shell(quantum_t) -+corecmd_exec_bin(quantum_t) -+ + ######################################## + # + # Local policy +@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t) + corenet_tcp_sendrecv_all_ports(quantum_t) + corenet_tcp_bind_generic_node(quantum_t) + 
+corenet_tcp_bind_generic_node(quantum_t) +corenet_tcp_bind_quantum_port(quantum_t) +corenet_tcp_connect_mysqld_port(quantum_t) + -+dev_read_urand(quantum_t) -+dev_list_sysfs(quantum_t) -+ -+domain_use_interactive_fds(quantum_t) -+ -+files_read_usr_files(quantum_t) -+ -+auth_use_nsswitch(quantum_t) -+ -+libs_exec_ldconfig(quantum_t) -+ -+logging_send_audit_msgs(quantum_t) -+logging_send_syslog_msg(quantum_t) -+ -+sysnet_domtrans_ifconfig(quantum_t) -+ -+optional_policy(` -+ brctl_domtrans(quantum_t) -+') + dev_list_sysfs(quantum_t) + dev_read_urand(quantum_t) + +-files_read_usr_files(quantum_t) +- + auth_use_nsswitch(quantum_t) + + libs_exec_ldconfig(quantum_t) +@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t) + logging_send_audit_msgs(quantum_t) + logging_send_syslog_msg(quantum_t) + +-miscfiles_read_localization(quantum_t) +- + sysnet_domtrans_ifconfig(quantum_t) + + optional_policy(` +@@ -94,3 +97,7 @@ optional_policy(` + + postgresql_tcp_connect(quantum_t) + ') + +optional_policy(` + sudo_exec(quantum_t) +') diff --git a/quota.fc b/quota.fc -index f387230..0ee2489 100644 +index cadabe3..0ee2489 100644 --- a/quota.fc 
+++ b/quota.fc -@@ -1,4 +1,5 @@ +@@ -1,6 +1,5 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +- +-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -@@ -8,12 +9,21 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) + /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0) +- +-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) +-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) ++/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) + +-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) + /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) +-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) -+/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) -+ /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) --/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) ++/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) +/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - ifdef(`distro_redhat',` - /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) - ',` - /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) - ') -+ +-/var/lib/quota(/.*)? 
gen_context(system_u:object_r:quota_flag_t,s0) ++ifdef(`distro_redhat',` ++/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ++',` ++/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ++') + +-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) +/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) -+ + +-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -+ + +-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) diff --git a/quota.if b/quota.if -index bf75d99..3fb8575 100644 +index da64218..3fb8575 100644 --- a/quota.if 
+++ b/quota.if -@@ -45,6 +45,24 @@ interface(`quota_run',` - role $2 types quota_t; +@@ -1,4 +1,4 @@ +-## File system quota management. ++## File system quota management + + ######################################## + ## +@@ -21,9 +21,8 @@ interface(`quota_domtrans',` + + ######################################## + ## +-## Execute quota management tools in +-## the quota domain, and allow the +-## specified role the quota domain. ++## Execute quota management tools in the quota domain, and ++## allow the specified role the quota domain. + ## + ## + ## +@@ -39,90 +38,54 @@ interface(`quota_domtrans',` + # + interface(`quota_run',` + gen_require(` +- attribute_role quota_roles; ++ type quota_t; + ') + + quota_domtrans($1) +- roleattribute $2 quota_roles; ++ role $2 types quota_t; ') -+####################################### -+## + ####################################### + ## +-## Execute quota nld in the quota nld domain. +## Alow to read of filesystem quota data files. -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +## +## Domain to not audit. +## -+## -+# + ## + # +-interface(`quota_domtrans_nld',` +- gen_require(` +- type quota_nld_t, quota_nld_exec_t; +- ') +interface(`quota_read_db',` + gen_require(` + type quota_db_t; + ') -+ + +- corecmd_search_bin($1) +- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) + allow $1 quota_db_t:file read_file_perms; -+') -+ + ') + ######################################## ## - ## Do not audit attempts to get the attributes -@@ -67,6 +85,25 @@ interface(`quota_dontaudit_getattr_db',` +-## Create, read, write, and delete +-## quota db files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`quota_manage_db_files',` +- gen_require(` +- type quota_db_t; +- ') +- +- allow $1 quota_db_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in specified +-## directories with a type transition to +-## the quota db file type. 
++## Do not audit attempts to get the attributes ++## of filesystem quota data files. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Directory to transition on. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain to not audit. + ## + ## + # +-interface(`quota_spec_filetrans_db',` ++interface(`quota_dontaudit_getattr_db',` + gen_require(` + type quota_db_t; + ') + +- filetrans_pattern($1, $2, quota_db_t, $3, $4) ++ dontaudit $1 quota_db_t:file getattr_file_perms; + ') + ######################################## ## - ## Create, read, write, and delete quota +-## Do not audit attempts to get attributes +-## of filesystem quota data files. ++## Create, read, write, and delete quota +## db files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',` + ## + ## + # +-interface(`quota_dontaudit_getattr_db',` +interface(`quota_manage_db',` -+ gen_require(` -+ type quota_db_t; -+ ') -+ + gen_require(` + type quota_db_t; + ') + +- dontaudit $1 quota_db_t:file getattr_file_perms; + allow $1 quota_db_t:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## quota flag files. +## Create, read, write, and delete quota - ## flag files. ++## flag files. ## ## -@@ -83,3 +120,59 @@ interface(`quota_manage_flags',` - files_search_var_lib($1) - manage_files_pattern($1, quota_flag_t, quota_flag_t) - ') -+ -+######################################## -+## + ## +@@ -160,37 +123,56 @@ interface(`quota_manage_flags',` + + ######################################## + ## +-## All of the rules required to +-## administrate an quota environment. +## Transition to quota named content -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. 
+## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`quota_admin',` +interface(`quota_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type quota_nld_t, quota_t, quota_db_t; +- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t; + type quota_db_t; -+ ') -+ + ') + +- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { quota_nld_t quota_t }) +- +- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 quota_nld_initrc_exec_t system_r; +- allow $2 system_r; + files_root_filetrans($1, quota_db_t, file, "aquota.user") + files_root_filetrans($1, quota_db_t, file, "aquota.group") + files_boot_filetrans($1, quota_db_t, file, "aquota.user") @@ -53396,7 +59215,9 @@ index bf75d99..3fb8575 100644 + mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user") + mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group") +') -+ + +- files_list_all($1) +- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t }) +####################################### +## +## Transition to quota_nld. @@ -53411,44 +59232,58 @@ index bf75d99..3fb8575 100644 + gen_require(` + type quota_nld_t, quota_nld_exec_t; + ') -+ + +- quota_run($1, $2) + corecmd_search_bin($1) + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) -+') + ') diff --git a/quota.te b/quota.te -index 5dd42f5..0df6e21 100644 +index 4b2c272..0df6e21 100644 --- a/quota.te 
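Review bot: The parameter documentation of the new `quota_read_db` interface says `## Domain to not audit.`, but its body is `allow $1 quota_db_t:file read_file_perms;`, not a dontaudit rule; the line should read `## Domain allowed access.`, and the summary `## Alow to read of filesystem quota data files.` is better as `## Read filesystem quota data files.`. `quota_manage_db` is produced by renaming `quota_dontaudit_getattr_db` and swapping its body for `allow $1 quota_db_t:file manage_file_perms;`, so its parameter line, which the hunk does not show, probably carries the same wording and is worth checking. Separately, the new `sudo_exec(quantum_t)` block in quantum.te carries no comment saying which program needs sudo executed inside quantum_t; a one-line why-comment naming that program would help the next maintainer judge whether the grant is still needed.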
+++ b/quota.te -@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0) +@@ -1,16 +1,14 @@ +-policy_module(quota, 1.5.2) ++policy_module(quota, 1.5.0) + + ######################################## + # + # Declarations + # +-attribute_role quota_roles; +- type quota_t; type quota_exec_t; -init_system_domain(quota_t, quota_exec_t) +-role quota_roles types quota_t; +application_domain(quota_t, quota_exec_t) +#init_system_domain(quota_t, quota_exec_t) type quota_db_t; files_type(quota_db_t) -@@ -15,6 +16,13 @@ files_type(quota_db_t) - type quota_flag_t; - files_type(quota_flag_t) +@@ -22,9 +20,6 @@ type quota_nld_t; + type quota_nld_exec_t; + init_daemon_domain(quota_nld_t, quota_nld_exec_t) -+type quota_nld_t; -+type quota_nld_exec_t; -+init_daemon_domain(quota_nld_t, quota_nld_exec_t) -+ -+type quota_nld_var_run_t; -+files_pid_file(quota_nld_var_run_t) -+ - ######################################## - # - # Local policy -@@ -34,6 +42,17 @@ files_home_filetrans(quota_t, quota_db_t, file) - files_usr_filetrans(quota_t, quota_db_t, file) - files_var_filetrans(quota_t, quota_db_t, file) +-type quota_nld_initrc_exec_t; +-init_script_file(quota_nld_initrc_exec_t) +- + type quota_nld_var_run_t; + files_pid_file(quota_nld_var_run_t) + +@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override }; + dontaudit quota_t self:capability sys_tty_config; + allow quota_t self:process signal_perms; + ++# for /quota.* + allow quota_t quota_db_t:file { manage_file_perms quotaon }; + files_root_filetrans(quota_t, quota_db_t, file) + files_boot_filetrans(quota_t, quota_db_t, file) +@@ -48,7 +44,16 @@ files_var_filetrans(quota_t, quota_db_t, file) files_spool_filetrans(quota_t, quota_db_t, file) -+userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) -+ + userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) + +-kernel_request_load_module(quota_t) +optional_policy(` + mta_spool_filetrans(quota_t, quota_db_t, file) + mta_spool_filetrans(quota_t, quota_db_t, file) 
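Review bot: The new optional_policy block in quota.te lists `mta_spool_filetrans(quota_t, quota_db_t, file)` twice; the upstream block that this patch removes further down pairs `mta_spool_filetrans` with `mta_queue_filetrans(quota_t, quota_db_t, file)`, so the second copy is probably meant to be the queue filetrans and the duplicate silently drops that transition. The block closes in the next hunk. Also, `#init_system_domain(quota_t, quota_exec_t)` is left commented out beneath the new `application_domain(quota_t, quota_exec_t)` with no explanation; either drop it or replace it with a comment stating why quota_t is now an application domain.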
@@ -53458,10 +59293,40 @@ index 5dd42f5..0df6e21 100644 +optional_policy(` + openshift_lib_filetrans(quota_t, quota_db_t, file) +') - ++ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) -@@ -72,7 +91,7 @@ init_use_script_ptys(quota_t) + kernel_read_kernel_sysctls(quota_t) +@@ -58,14 +63,6 @@ dev_read_sysfs(quota_t) + dev_getattr_all_blk_files(quota_t) + dev_getattr_all_chr_files(quota_t) + +-files_list_all(quota_t) +-files_read_all_files(quota_t) +-files_read_all_symlinks(quota_t) +-files_getattr_all_pipes(quota_t) +-files_getattr_all_sockets(quota_t) +-files_getattr_all_file_type_fs(quota_t) +-files_read_etc_runtime_files(quota_t) +- + fs_get_xattr_fs_quotas(quota_t) + fs_set_xattr_fs_quotas(quota_t) + fs_getattr_xattr_fs(quota_t) +@@ -80,20 +77,24 @@ term_dontaudit_use_console(quota_t) + + domain_use_interactive_fds(quota_t) + ++files_list_all(quota_t) ++files_read_all_files(quota_t) ++files_read_all_symlinks(quota_t) ++files_getattr_all_pipes(quota_t) ++files_getattr_all_sockets(quota_t) ++files_getattr_all_file_type_fs(quota_t) ++# Read /etc/mtab. ++files_read_etc_runtime_files(quota_t) ++ + init_use_fds(quota_t) + init_use_script_ptys(quota_t) logging_send_syslog_msg(quota_t) 
@@ -53470,167 +59335,77 @@ index 5dd42f5..0df6e21 100644 userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` -@@ -82,3 +101,30 @@ optional_policy(` - optional_policy(` - udev_read_db(quota_t) +- mta_queue_filetrans(quota_t, quota_db_t, file) +- mta_spool_filetrans(quota_t, quota_db_t, file) +-') +- +-optional_policy(` + seutil_sigchld_newrole(quota_t) ') -+ -+####################################### -+# + +@@ -103,12 +104,12 @@ optional_policy(` + + ####################################### + # +-# Nld local policy +# Local policy -+# -+ -+allow quota_nld_t self:fifo_file rw_fifo_file_perms; -+allow quota_nld_t self:netlink_socket create_socket_perms; + # + + allow quota_nld_t self:fifo_file rw_fifo_file_perms; + allow quota_nld_t self:netlink_socket create_socket_perms; +-allow quota_nld_t self:unix_stream_socket { accept listen }; +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) -+files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -+ -+kernel_read_network_state(quota_nld_t) -+ -+auth_use_nsswitch(quota_nld_t) -+ -+init_read_utmp(quota_nld_t) -+ -+logging_send_syslog_msg(quota_nld_t) -+ -+userdom_use_user_terminals(quota_nld_t) -+ -+optional_policy(` + + manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) + files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) +@@ -121,11 +122,9 @@ init_read_utmp(quota_nld_t) + + logging_send_syslog_msg(quota_nld_t) + +-miscfiles_read_localization(quota_nld_t) +- + userdom_use_user_terminals(quota_nld_t) + + optional_policy(` +- dbus_system_bus_client(quota_nld_t) +- dbus_connect_system_bus(quota_nld_t) + dbus_system_bus_client(quota_nld_t) + dbus_connect_system_bus(quota_nld_t) -+') -diff --git a/rabbitmq.fc b/rabbitmq.fc -new file mode 100644 -index 0000000..594c110 ---- /dev/null -+++ b/rabbitmq.fc -@@ -0,0 +1,7 @@ -+ -+/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- 
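Review bot: The relocated `files_list_all(quota_t)`, `files_read_all_files(quota_t)` and `files_read_all_symlinks(quota_t)` block is the broadest grant in quota.te and is re-added without any comment, while the neighbouring `files_read_etc_runtime_files(quota_t)` gets `# Read /etc/mtab.`; a one-line why-comment naming the operation that needs read access to every file (presumably a filesystem-wide scan — confirm) would tell the next reviewer why a narrower interface was not used. The move itself looks like reordering only, so no access change is introduced by this hunk.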
gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) -+ -+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+ -+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) -diff --git a/rabbitmq.if b/rabbitmq.if -new file mode 100644 -index 0000000..491bd1f ---- /dev/null -+++ b/rabbitmq.if -@@ -0,0 +1,21 @@ -+ -+## policy for rabbitmq -+ -+######################################## -+## -+## Transition to rabbitmq. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`rabbitmq_domtrans',` -+ gen_require(` -+ type rabbitmq_t, rabbitmq_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) -+') + ') diff --git a/rabbitmq.te b/rabbitmq.te -new file mode 100644 -index 0000000..4cb2ad8 ---- /dev/null +index 3698b51..62a5977 100644 +--- a/rabbitmq.te 
+++ b/rabbitmq.te -@@ -0,0 +1,82 @@ -+policy_module(rabbitmq, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type rabbitmq_epmd_t; -+type rabbitmq_epmd_exec_t; -+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t) -+ -+type rabbitmq_beam_t; -+type rabbitmq_beam_exec_t; -+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t) -+ -+type rabbitmq_var_lib_t; -+files_type(rabbitmq_var_lib_t) -+ -+type rabbitmq_var_log_t; -+logging_log_file(rabbitmq_var_log_t) -+ -+###################################### -+# -+# beam local policy -+# -+ -+allow rabbitmq_beam_t self:process { setsched signal signull }; -+ -+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; -+allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) -+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) -+ -+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -+ -+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) -+ -+kernel_read_system_state(rabbitmq_beam_t) -+ -+corecmd_exec_bin(rabbitmq_beam_t) -+corecmd_exec_shell(rabbitmq_beam_t) -+ -+corenet_tcp_bind_generic_node(rabbitmq_beam_t) -+corenet_udp_bind_generic_node(rabbitmq_beam_t) -+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) -+corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -+corenet_tcp_connect_epmd_port(rabbitmq_beam_t) -+ -+dev_read_sysfs(rabbitmq_beam_t) -+ -+files_read_etc_files(rabbitmq_beam_t) -+ -+ -+optional_policy(` -+ sysnet_dns_name_resolve(rabbitmq_beam_t) -+') -+ -+######################################## -+# -+# epmd local policy -+# -+ -+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -+ -+allow rabbitmq_epmd_t self:process signal; -+ -+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; -+allow rabbitmq_epmd_t self:tcp_socket 
create_stream_socket_perms; -+allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms; -+ -+# should be append -+allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms; -+ -+corenet_tcp_bind_generic_node(rabbitmq_epmd_t) -+corenet_udp_bind_generic_node(rabbitmq_epmd_t) -+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) -+ -+files_read_etc_files(rabbitmq_epmd_t) -+ -+logging_send_syslog_msg(rabbitmq_epmd_t) +@@ -70,10 +70,6 @@ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) + + dev_read_sysfs(rabbitmq_beam_t) + +-files_read_etc_files(rabbitmq_beam_t) +- +-miscfiles_read_localization(rabbitmq_beam_t) +- + sysnet_dns_name_resolve(rabbitmq_beam_t) + + ######################################## +@@ -81,7 +77,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t) + # Epmd local policy + # + +- + allow rabbitmq_epmd_t self:process signal; + allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; + allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; +@@ -99,8 +94,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) + corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) + corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) + +-files_read_etc_files(rabbitmq_epmd_t) +- + logging_send_syslog_msg(rabbitmq_epmd_t) + +-miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc -index 09f7b50..61c6d34 100644 +index c84b7ae..29c453e 100644 --- a/radius.fc +++ b/radius.fc @@ -9,6 +9,8 @@ 
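Review bot: In the quota_nld_t section the rebased patch replaces `allow quota_nld_t self:unix_stream_socket { accept listen };` with `allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;`, which additionally grants create, bind, connect and the read/write set; if the widening is intentional it deserves a why-comment, otherwise the narrower `{ accept listen }` plus only what the daemon actually does is the least-privilege rule. The same hunk renames the section header from `# Nld local policy` to `# Local policy`, which duplicates the quota_t heading earlier in the file; keeping `# quota_nld local policy` preserves the navigation aid. The marker columns in this nested diff are hard to read, so which of the two socket lines ends up in the applied file should be double-checked.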
@@ -53639,20 +59414,11 @@ index 09f7b50..61c6d34 100644 +/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) + - /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) + /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) -@@ -16,7 +18,7 @@ - /var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) - /var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - /var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) --/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0) -+/var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) - - /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) diff --git a/radius.if b/radius.if -index 75e5dc4..a366f85 100644 +index 4460582..60cf556 100644 --- a/radius.if +++ b/radius.if @@ -14,6 +14,29 @@ interface(`radius_use',` @@ -53684,7 +59450,7 @@ index 75e5dc4..a366f85 100644 + ######################################## ## - ## All of the rules required to administrate + ## All of the rules required to @@ -35,11 +58,14 @@ interface(`radius_admin',` gen_require(` type radiusd_t, radiusd_etc_t, radiusd_log_t; @@ -53702,7 +59468,7 @@ index 75e5dc4..a366f85 100644 init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) -@@ -59,4 +85,9 @@ interface(`radius_admin',` +@@ -57,4 +83,9 @@ interface(`radius_admin',` files_list_pids($1) admin_pattern($1, radiusd_var_run_t) @@ -53713,7 +59479,7 @@ index 75e5dc4..a366f85 100644 + ') diff --git a/radius.te b/radius.te -index b1ed1bf..8b3f408 100644 +index 1e7927f..ff81482 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) 
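Review bot: The radius.fc line `/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)` that this rebase re-emits looks like a misspelling of `/var/lib/radiusd`; if the package installs under `/var/lib/radiusd`, the pattern never matches, the directory keeps the generic /var/lib label, and radiusd_t's rules on `radiusd_var_lib_t` never apply there. Confirm against the package's file list and, if so, correct the path while the line is being touched anyway; the same spelling appears on both sides of the hunk, so this is inherited rather than introduced by the commit.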
@@ -53726,7 +59492,7 @@ index b1ed1bf..8b3f408 100644 ######################################## # # Local policy -@@ -62,11 +65,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -53739,40 +59505,20 @@ index b1ed1bf..8b3f408 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -77,6 +80,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) - corenet_udp_bind_generic_node(radiusd_t) - corenet_udp_bind_radacct_port(radiusd_t) - corenet_udp_bind_radius_port(radiusd_t) -+corenet_tcp_connect_postgresql_port(radiusd_t) - corenet_tcp_connect_mysqld_port(radiusd_t) - corenet_tcp_connect_snmp_port(radiusd_t) - corenet_sendrecv_radius_server_packets(radiusd_t) -@@ -99,7 +103,6 @@ corecmd_exec_shell(radiusd_t) - domain_use_interactive_fds(radiusd_t) - - files_read_usr_files(radiusd_t) --files_read_etc_files(radiusd_t) - files_read_etc_runtime_files(radiusd_t) - - auth_use_nsswitch(radiusd_t) -@@ -110,9 +113,10 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) -miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) -+sysnet_use_ldap(radiusd_t) -+ - userdom_dontaudit_use_unpriv_user_fds(radiusd_t) - userdom_dontaudit_search_user_home_dirs(radiusd_t) - + sysnet_use_ldap(radiusd_t) diff --git a/radvd.if b/radvd.if -index be05bff..924fc0c 100644 +index ac7058d..48739ac 100644 --- a/radvd.if +++ b/radvd.if @@ -1,5 +1,24 @@ - ## IPv6 router advertisement daemon + ## IPv6 router advertisement daemon. +###################################### +## 
@@ -53795,15 +59541,9 @@ index be05bff..924fc0c 100644 + ######################################## ## - ## All of the rules required to administrate -@@ -19,12 +38,15 @@ - # - interface(`radvd_admin',` - gen_require(` -- type radvd_t, radvd_etc_t; -- type radvd_var_run_t, radvd_initrc_exec_t; -+ type radvd_t, radvd_etc_t, radvd_initrc_exec_t; -+ type radvd_var_run_t; + ## All of the rules required to +@@ -23,8 +42,11 @@ interface(`radvd_admin',` + type radvd_var_run_t; ') - allow $1 radvd_t:process { ptrace signal_perms }; @@ -53816,25 +59556,10 @@ index be05bff..924fc0c 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te -index f9a2162..903be76 100644 +index b31f2d7..046f5b8 100644 --- a/radvd.te +++ b/radvd.te -@@ -43,7 +43,6 @@ kernel_read_network_state(radvd_t) - kernel_read_system_state(radvd_t) - kernel_request_load_module(radvd_t) - --corenet_all_recvfrom_unlabeled(radvd_t) - corenet_all_recvfrom_netlabel(radvd_t) - corenet_tcp_sendrecv_generic_if(radvd_t) - corenet_udp_sendrecv_generic_if(radvd_t) -@@ -61,15 +60,12 @@ fs_search_auto_mountpoints(radvd_t) - - domain_use_interactive_fds(radvd_t) - --files_read_etc_files(radvd_t) - files_list_usr(radvd_t) - - auth_use_nsswitch(radvd_t) +@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t) logging_send_syslog_msg(radvd_t) 
@@ -53843,103 +59568,157 @@ index f9a2162..903be76 100644 userdom_dontaudit_use_unpriv_user_fds(radvd_t) userdom_dontaudit_search_user_home_dirs(radvd_t) -diff --git a/raid.fc b/raid.fc -index ed9c70d..c298507 100644 ---- a/raid.fc -+++ b/raid.fc -@@ -1,6 +1,14 @@ --/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) -+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) -+/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0) - - /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) - /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) - -+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) -+ - /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index b1a85b5..db0d815 100644 +index 951db7f..db0d815 100644 --- a/raid.if 
+++ b/raid.if -@@ -47,6 +47,24 @@ interface(`raid_run_mdadm',` +@@ -1,9 +1,8 @@ +-## RAID array management tools. ++## RAID array management tools + + ######################################## + ## +-## Execute software raid tools in +-## the mdadm domain. ++## Execute software raid tools in the mdadm domain. + ## + ## + ## +@@ -22,34 +21,33 @@ interface(`raid_domtrans_mdadm',` + + ###################################### + ## +-## Execute mdadm in the mdadm +-## domain, and allow the specified +-## role the mdadm domain. ++## Execute a domain transition to mdadm_t for the ++## specified role, allowing it to use the mdadm_t ++## domain + ## + ## + ## +-## Role allowed access. ++## Role allowed to access mdadm_t domain + ## + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed to transition to mdadm_t + ## + ## + # + interface(`raid_run_mdadm',` + gen_require(` +- attribute_role mdadm_roles; ++ type mdadm_t; + ') + ++ role $1 types mdadm_t; + raid_domtrans_mdadm($2) +- roleattribute $1 mdadm_roles; + ') ######################################## ## +-## Create, read, write, and delete +-## mdadm pid files. +## read the mdadm pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -57,47 +55,39 @@ interface(`raid_run_mdadm',` + ## + ## + # +-interface(`raid_manage_mdadm_pid',` +interface(`raid_read_mdadm_pid',` -+ gen_require(` -+ type mdadm_var_run_t; -+ ') -+ + gen_require(` + type mdadm_var_run_t; + ') + +- files_search_pids($1) +- allow $1 mdadm_var_run_t:file manage_file_perms; + read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete the mdadm pid files. + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mdadm environment. ++## Create, read, write, and delete the mdadm pid files. ## - ## ++## ++##

    ++## Create, read, write, and delete the mdadm pid files. ++##

    ++##

    ++## Added for use in the init module. ++##

    ++##
    + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`raid_admin_mdadm',` ++interface(`raid_manage_mdadm_pid',` + gen_require(` +- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; ++ type mdadm_var_run_t; + ') + +- allow $1 mdadm_t:process { ptrace signal_perms }; +- ps_process_pattern($1, mdadm_t) +- +- init_labeled_script_domtrans($1, mdadm_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 mdadm_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_pids($1) +- admin_pattern($1, mdadm_var_run_t) +- +- raid_run_mdadm($2, $1) ++ # FIXME: maybe should have a type_transition. not ++ # clear what this is doing, from the original ++ # mdadm policy ++ allow $1 mdadm_var_run_t:file manage_file_perms; + ') diff --git a/raid.te b/raid.te -index a8a12b7..a6cbba3 100644 +index 2c1730b..c27bb23 100644 --- a/raid.te 
+++ b/raid.te -@@ -10,11 +10,9 @@ type mdadm_exec_t; - init_daemon_domain(mdadm_t, mdadm_exec_t) - role system_r types mdadm_t; - --type mdadm_map_t; --files_type(mdadm_map_t) -- --type mdadm_var_run_t; -+type mdadm_var_run_t alias mdadm_map_t; - files_pid_file(mdadm_var_run_t) -+dev_associate(mdadm_var_run_t) - - ######################################## - # -@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t) +@@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t) allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; dontaudit mdadm_t self:capability sys_tty_config; --allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; +-allow mdadm_t self:process { getsched setsched signal_perms }; +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; -+allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; + allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; --# create .mdadm files in /dev --allow mdadm_t mdadm_map_t:file manage_file_perms; --dev_filetrans(mdadm_t, mdadm_map_t, file) -- -+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +@@ -34,8 +34,8 @@ manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) --files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) -+manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) + manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +-dev_filetrans(mdadm_t, mdadm_var_run_t, file) +-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file }) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) - kernel_read_system_state(mdadm_t) - kernel_read_kernel_sysctls(mdadm_t) 
-+kernel_request_load_module(mdadm_t) - kernel_rw_software_raid_state(mdadm_t) kernel_getattr_core_if(mdadm_t) - -@@ -52,15 +52,18 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) + kernel_read_system_state(mdadm_t) +@@ -51,17 +51,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t) + dev_dontaudit_getattr_all_chr_files(mdadm_t) dev_read_realtime_clock(mdadm_t) - # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) +dev_read_generic_files(mdadm_t) @@ -53951,20 +59730,15 @@ index a8a12b7..a6cbba3 100644 -files_dontaudit_getattr_all_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) --fs_search_auto_mountpoints(mdadm_t) -+fs_list_hugetlbfs(mdadm_t) -+fs_list_auto_mountpoints(mdadm_t) + fs_list_auto_mountpoints(mdadm_t) + fs_list_hugetlbfs(mdadm_t) + fs_rw_cgroup_files(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) +fs_manage_cgroup_files(mdadm_t) mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -69,16 +72,17 @@ mls_file_write_all_levels(mdadm_t) - storage_manage_fixed_disk(mdadm_t) - storage_dev_filetrans_fixed_disk(mdadm_t) - storage_read_scsi_generic(mdadm_t) -+storage_write_scsi_generic(mdadm_t) - +@@ -74,12 +76,12 @@ storage_write_scsi_generic(mdadm_t) term_dontaudit_list_ptys(mdadm_t) term_dontaudit_use_unallocated_ttys(mdadm_t) @@ -53979,8 +59753,8 @@ index a8a12b7..a6cbba3 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) userdom_dontaudit_use_user_terminals(mdadm_t) -@@ -86,6 +90,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) - mta_send_mail(mdadm_t) +@@ -89,6 +91,10 @@ optional_policy(` + ') optional_policy(` + cron_system_entry(mdadm_t, mdadm_exec_t) @@ -53991,127 +59765,267 @@ index a8a12b7..a6cbba3 100644 ') diff --git a/razor.fc b/razor.fc -index 1efba0c..6e26673 100644 +index 6723f4d..6e26673 100644 --- a/razor.fc 
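Review bot: The rewritten `raid_manage_mdadm_pid` in raid.if (and the new `raid_read_mdadm_pid` above it) no longer calls `files_search_pids($1)`, which the removed body carried next to its `manage_file_perms` rule; a caller that does not already hold search on the pid directory is denied before it reaches any `mdadm_var_run_t` file. Suggest adding `files_search_pids($1)` before `allow $1 mdadm_var_run_t:file manage_file_perms;` and before the `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` call. The inherited `# FIXME: maybe should have a type_transition` comment still applies: without a `files_pid_filetrans` in this interface, files a caller creates in the pid directory will not be labelled `mdadm_var_run_t`. The interface summary also repeats "Create, read, write, and delete the mdadm pid files." twice; one copy is enough.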
+++ b/razor.fc -@@ -1,8 +1,9 @@ --HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +@@ -1,9 +1,9 @@ +-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) --/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) +-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) +#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) +#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) --/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) --/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) +-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) +- +-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) +#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) +#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/razor.if b/razor.if -index f04a595..fee3b7c 100644 +index 1e4b523..fee3b7c 100644 --- a/razor.if +++ b/razor.if -@@ -26,6 +26,7 @@ template(`razor_common_domain_template',` +@@ -1,72 +1,147 @@ + ## A distributed, collaborative, spam detection and filtering network. ++## ++##

    ++## A distributed, collaborative, spam detection and filtering network. ++##

    ++##

    ++## This policy will work with either the ATrpms provided config ++## file in /etc/razor, or with the default of dumping everything into ++## $HOME/.razor. ++##

    ++##
    + + ####################################### + ## +-## The template to define a razor domain. ++## Template to create types and rules common to ++## all razor domains. + ## +-## ++## + ## +-## Domain prefix to be used. ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). + ## + ## + # + template(`razor_common_domain_template',` gen_require(` - type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; +- attribute razor_domain; +- type razor_exec_t; ++ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; ') -+ - type $1_t; + +- ######################################## +- # +- # Declarations +- # +- +- type $1_t, razor_domain; ++ type $1_t; domain_type($1_t) domain_entry_file($1_t, razor_exec_t) -@@ -46,7 +47,7 @@ template(`razor_common_domain_template',` - # Read system config file - allow $1_t razor_etc_t:dir list_dir_perms; - allow $1_t razor_etc_t:file read_file_perms; -- allow $1_t razor_etc_t:lnk_file { getattr read }; -+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern($1_t, razor_log_t, razor_log_t) - manage_files_pattern($1_t, razor_log_t, razor_log_t) -@@ -93,7 +94,6 @@ template(`razor_common_domain_template',` - libs_read_lib_files($1_t) - -- miscfiles_read_localization($1_t) +- ######################################## +- # +- # Declarations +- # +- +- auth_use_nsswitch($1_t) ++ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ allow $1_t self:fd use; ++ allow $1_t self:fifo_file rw_fifo_file_perms; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:unix_dgram_socket sendto; ++ allow $1_t self:unix_stream_socket connectto; ++ allow $1_t self:shm create_shm_perms; ++ allow $1_t self:sem create_sem_perms; ++ allow $1_t self:msgq create_msgq_perms; ++ allow $1_t self:msg { send receive }; ++ allow $1_t self:tcp_socket create_socket_perms; ++ ++ # 
Read system config file ++ allow $1_t razor_etc_t:dir list_dir_perms; ++ allow $1_t razor_etc_t:file read_file_perms; ++ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; ++ ++ manage_dirs_pattern($1_t, razor_log_t, razor_log_t) ++ manage_files_pattern($1_t, razor_log_t, razor_log_t) ++ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) ++ logging_log_filetrans($1_t, razor_log_t, file) ++ ++ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) ++ files_search_var_lib($1_t) ++ ++ # Razor is one executable and several symlinks ++ allow $1_t razor_exec_t:file read_file_perms; ++ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; ++ ++ kernel_read_system_state($1_t) ++ kernel_read_network_state($1_t) ++ kernel_read_software_raid_state($1_t) ++ kernel_getattr_core_if($1_t) ++ kernel_getattr_message_if($1_t) ++ kernel_read_kernel_sysctls($1_t) ++ ++ corecmd_exec_bin($1_t) ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_all_recvfrom_netlabel($1_t) ++ corenet_tcp_sendrecv_generic_if($1_t) ++ corenet_raw_sendrecv_generic_if($1_t) ++ corenet_tcp_sendrecv_generic_node($1_t) ++ corenet_raw_sendrecv_generic_node($1_t) ++ corenet_tcp_sendrecv_razor_port($1_t) ++ ++ # mktemp and other randoms ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ files_search_pids($1_t) ++ # Allow access to various files in the /etc/directory including mtab ++ # and nsswitch ++ files_read_etc_files($1_t) ++ files_read_etc_runtime_files($1_t) ++ ++ fs_search_auto_mountpoints($1_t) ++ ++ libs_read_lib_files($1_t) ++ ++ ++ sysnet_read_config($1_t) ++ sysnet_dns_name_resolve($1_t) ++ ++ optional_policy(` ++ nis_use_ypbind($1_t) ++ ') + ') - sysnet_read_config($1_t) - sysnet_dns_name_resolve($1_t) -@@ -117,6 +117,7 @@ template(`razor_common_domain_template',` - ## User domain for the role + ######################################## + ## +-## Role 
access for razor. ++## Role access for razor + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role ## ## +## # interface(`razor_role',` gen_require(` -@@ -130,7 +131,10 @@ interface(`razor_role',` +- attribute_role razor_roles; + type razor_t, razor_exec_t, razor_home_t; +- type razor_tmp_t; + ') + +- roleattribute $1 razor_roles; ++ role $1 types razor_t; - # allow ps to show razor and allow the user to kill it ++ # Transition from the user domain to the derived domain. + domtrans_pattern($2, razor_exec_t, razor_t) + ++ # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; +- +- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $2 razor_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $2 razor_t:process ptrace; + ') - manage_dirs_pattern($2, razor_home_t, razor_home_t) - manage_files_pattern($2, razor_home_t, razor_home_t) -@@ -157,3 +161,43 @@ interface(`razor_domtrans',` +- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor") ++ manage_dirs_pattern($2, razor_home_t, razor_home_t) ++ manage_files_pattern($2, razor_home_t, razor_home_t) ++ manage_lnk_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_dirs_pattern($2, razor_home_t, razor_home_t) ++ relabel_files_pattern($2, razor_home_t, razor_home_t) ++ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) + ') + + ######################################## +@@ -81,17 +156,16 @@ interface(`razor_role',` + # + interface(`razor_domtrans',` + gen_require(` +- type system_razor_t, razor_exec_t; ++ type razor_t, razor_exec_t; + ') - domtrans_pattern($1, razor_exec_t, razor_t) +- corecmd_search_bin($1) +- 
domtrans_pattern($1, razor_exec_t, system_razor_t) ++ domtrans_pattern($1, razor_exec_t, razor_t) ') -+ -+######################################## -+## + + ######################################## + ## +-## Create, read, write, and delete +-## razor home content. +## Create, read, write, and delete razor files +## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -99,20 +173,19 @@ interface(`razor_domtrans',` + ## + ## + # +-interface(`razor_manage_home_content',` +interface(`razor_manage_user_home_files',` -+ gen_require(` -+ type razor_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) + gen_require(` + type razor_home_t; + ') + + userdom_search_user_home_dirs($1) +- allow $1 razor_home_t:dir manage_dir_perms; +- allow $1 razor_home_t:file manage_file_perms; +- allow $1 razor_home_t:lnk_file manage_lnk_file_perms; + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read razor lib files. +## read razor lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`razor_read_lib_files',` -+ gen_require(` -+ type razor_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) -+') + ## + ## + ## diff --git a/razor.te b/razor.te -index 9353d5e..4e15f29 100644 +index 5ddedbc..4e15f29 100644 --- a/razor.te +++ b/razor.te -@@ -5,117 +5,124 @@ policy_module(razor, 2.3.0) +@@ -1,139 +1,128 @@ +-policy_module(razor, 2.3.2) ++policy_module(razor, 2.3.0) + + ######################################## + # # Declarations # --type razor_exec_t; --corecmd_executable_file(razor_exec_t) +-attribute razor_domain; +ifdef(`distro_redhat',` + gen_require(` + type spamc_t, spamc_exec_t, spamd_log_t; 
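Review bot: The rebased `razor_domtrans` in razor.if drops the `corecmd_search_bin($1)` call (visible as the removed `- corecmd_search_bin($1)` line next to the `domtrans_pattern($1, razor_exec_t, razor_t)` rewrite), so a caller without search on bin directories cannot reach `razor_exec_t` and the transition never fires; re-adding `corecmd_search_bin($1)` before the domtrans line matches the pattern the other domtrans interfaces in this patch use. In `razor_common_domain_template` the restored `allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` plus the shm/sem/msgq/msg grants are broad for a spam-check client and carry no comment; a short note on which razor operation needs IPC objects (or removing the ones that are not needed) would help a later audit. `razor_manage_user_home_files` is documented as create/read/write/delete of razor files in a home subdirectory but grants only `manage_files_pattern` and `read_lnk_files_pattern`, so either the summary should say files only or a `manage_dirs_pattern` is missing — confirm which is intended. Marker columns in this nested diff are ambiguous, so these readings should be verified against the applied file.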
@@ -54222,21 +60136,26 @@ index 9353d5e..4e15f29 100644 + + auth_use_nsswitch(razor_t) +-attribute_role razor_roles; ++ logging_send_syslog_msg(razor_t) + +-type razor_exec_t; +-corecmd_executable_file(razor_exec_t) ++ userdom_search_user_home_dirs(razor_t) ++ userdom_use_inherited_user_terminals(razor_t) + -type razor_etc_t; -files_config_file(razor_etc_t) -+ logging_send_syslog_msg(razor_t) ++ userdom_home_manager(razor_t) -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; -userdom_user_home_content(razor_home_t) -+ userdom_search_user_home_dirs(razor_t) -+ userdom_use_inherited_user_terminals(razor_t) - +- -type razor_log_t; -logging_log_file(razor_log_t) -+ userdom_home_manager(razor_t) - +- -type razor_tmp_t; -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; 
@@ -54245,81 +60164,99 @@ index 9353d5e..4e15f29 100644 -type razor_var_lib_t; -files_type(razor_var_lib_t) - --# these are here due to ordering issues: -razor_common_domain_template(razor) -typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; -typealias razor_t alias { auditadm_razor_t secadm_razor_t }; -userdom_user_application_type(razor_t) +-role razor_roles types razor_t; - -razor_common_domain_template(system_razor) -role system_r types system_razor_t; - -######################################## -# --# System razor local policy +-# Common razor domain local policy -# - --# this version of razor is invoked typically --# via the system spam filter +-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-allow razor_domain self:fd use; +-allow razor_domain self:fifo_file rw_fifo_file_perms; +-allow razor_domain self:unix_dgram_socket sendto; +-allow razor_domain self:unix_stream_socket { accept connectto listen }; - --allow system_razor_t self:tcp_socket create_socket_perms; +-allow razor_domain razor_etc_t:dir list_dir_perms; +-allow razor_domain razor_etc_t:file read_file_perms; +-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms; - --manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) --manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) --manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) --files_search_etc(system_razor_t) +-allow razor_domain razor_exec_t:file read_file_perms; +-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms; - --allow system_razor_t razor_log_t:file manage_file_perms; --logging_log_filetrans(system_razor_t, razor_log_t, file) +-kernel_read_system_state(razor_domain) +-kernel_read_network_state(razor_domain) +-kernel_read_software_raid_state(razor_domain) +-kernel_getattr_core_if(razor_domain) +-kernel_getattr_message_if(razor_domain) +-kernel_read_kernel_sysctls(razor_domain) - 
--manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) --files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) +-corecmd_exec_bin(razor_domain) - --corenet_all_recvfrom_unlabeled(system_razor_t) --corenet_all_recvfrom_netlabel(system_razor_t) --corenet_tcp_sendrecv_generic_if(system_razor_t) --corenet_raw_sendrecv_generic_if(system_razor_t) --corenet_tcp_sendrecv_generic_node(system_razor_t) --corenet_raw_sendrecv_generic_node(system_razor_t) --corenet_tcp_sendrecv_razor_port(system_razor_t) --corenet_tcp_connect_razor_port(system_razor_t) --corenet_sendrecv_razor_client_packets(system_razor_t) +-corenet_all_recvfrom_unlabeled(razor_domain) +-corenet_all_recvfrom_netlabel(razor_domain) +-corenet_tcp_sendrecv_generic_if(razor_domain) +-corenet_tcp_sendrecv_generic_node(razor_domain) - --sysnet_read_config(system_razor_t) +-corenet_tcp_sendrecv_razor_port(razor_domain) +-corenet_tcp_connect_razor_port(razor_domain) +-corenet_sendrecv_razor_client_packets(razor_domain) - --# cjp: this shouldn't be needed --userdom_use_unpriv_users_fds(system_razor_t) +-dev_read_rand(razor_domain) +-dev_read_urand(razor_domain) - --optional_policy(` -- logging_send_syslog_msg(system_razor_t) --') +-files_read_etc_runtime_files(razor_domain) - --optional_policy(` -- nscd_socket_use(system_razor_t) --') +-libs_read_lib_files(razor_domain) +- +-miscfiles_read_localization(razor_domain) - -######################################## -# --# User razor local policy +-# System local policy -# - --# Allow razor to be run by hand. Needed by any action other than --# invocation from a spam filter. 
+-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) +- +-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t) +-append_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-create_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t) +-logging_log_filetrans(system_razor_t, razor_log_t, file) +- +-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) +-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) - --allow razor_t self:unix_stream_socket create_stream_socket_perms; +-######################################## +-# +-# Session local policy +-# - -manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) -manage_files_pattern(razor_t, razor_home_t, razor_home_t) -manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) --userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) +-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor") - -manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) -manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) -files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) - --logging_send_syslog_msg(razor_t) +-fs_getattr_all_fs(razor_t) +-fs_search_auto_mountpoints(razor_t) - --userdom_search_user_home_dirs(razor_t) +-userdom_use_unpriv_users_fds(razor_t) -userdom_use_user_terminals(razor_t) - -tunable_policy(`use_nfs_home_dirs',` 
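Review bot: The rebased patch drops upstream's `-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")` together with the razor_home_t manage rules, and no replacement transition is visible in the hunk, so a ~/.razor created by razor_t would end up labelled as generic user home content rather than razor_home_t. That undercuts the `razor_manage_user_home_files` interface in the first hunk of this chunk, which only grants access to razor_home_t. If the distro policy still wants a private home type, keep the name-based filetrans; if it deliberately relies on `userdom_home_manager` instead, a comment in razor.te saying so would stop the next rebase from re-adding it. The same hunk also drops the upstream `-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` deny-list; the distro replacement for the process permissions is outside this hunk, so it is worth checking that it does not re-grant execmem or execstack.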
@@ -54332,25 +60269,12 @@ index 9353d5e..4e15f29 100644 - fs_manage_cifs_dirs(razor_t) - fs_manage_cifs_files(razor_t) - fs_manage_cifs_symlinks(razor_t) --') -- --optional_policy(` -- nscd_socket_use(razor_t) + optional_policy(` + milter_manage_spamass_state(razor_t) + ') ') -diff --git a/rdisc.fc b/rdisc.fc -index dee4adc..a7e4bc7 100644 ---- a/rdisc.fc -+++ b/rdisc.fc -@@ -1,2 +1,4 @@ - - /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) -+ -+/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/rdisc.te b/rdisc.te -index 0f07685..1b75760 100644 +index 9196c1d..972b269 100644 --- a/rdisc.te +++ b/rdisc.te @@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) @@ -54371,46 +60295,30 @@ index 0f07685..1b75760 100644 userdom_dontaudit_use_unpriv_user_fds(rdisc_t) diff --git a/readahead.fc b/readahead.fc -index 7077413..0428aee 100644 +index f307db4..0428aee 100644 --- a/readahead.fc +++ b/readahead.fc -@@ -1,3 +1,10 @@ --/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +@@ -1,7 +1,10 @@ +-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) -+ - /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -+ + ++/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + +/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) -+ + +-/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0) +/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/readahead.if b/readahead.if -index 47c4723..64c8889 100644 +index 661bb88..06f69c4 100644 --- a/readahead.if 
+++ b/readahead.if -@@ -1 +1,44 @@ - ## Readahead, read files into page cache for improved performance -+ -+######################################## -+## -+## Transition to the readahead domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`readahead_domtrans',` -+ gen_require(` -+ type readahead_t, readahead_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, readahead_exec_t, readahead_t) -+') +@@ -19,3 +19,27 @@ interface(`readahead_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, readahead_exec_t, readahead_t) + ') + +######################################## +## @@ -54436,34 +60344,23 @@ index 47c4723..64c8889 100644 +') + diff --git a/readahead.te b/readahead.te -index b4ac57e..e384d8e 100644 +index f1512d6..919a138 100644 --- a/readahead.te 
+++ b/readahead.te -@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; +@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; type readahead_var_run_t; files_pid_file(readahead_var_run_t) +dev_associate(readahead_var_run_t) + init_daemon_run_dir(readahead_var_run_t, "readahead") ######################################## - # - # Local policy - # - --allow readahead_t self:capability { fowner dac_override dac_read_search }; -+allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search }; - dontaudit readahead_t self:capability { net_admin sys_tty_config }; - allow readahead_t self:process { setsched signal_perms }; - -@@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) - files_search_var_lib(readahead_t) +@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) + manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) --files_pid_filetrans(readahead_t, readahead_var_run_t, file) -+manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) -+files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) +dev_filetrans(readahead_t, readahead_var_run_t, { dir file }) -+init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) + files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) 
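Review bot: `+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })` carries no object-name argument, so every directory or file readahead_t creates directly under a device_t directory becomes readahead_var_run_t, not only the /dev/.systemd/readahead tree that readahead.fc declares in the previous hunk. This tree already uses name-based transitions (`userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")` earlier in the file and `init_daemon_run_dir(readahead_var_run_t, "readahead")` on the context line here), so if `dev_filetrans` in this refpolicy accepts the name parameter, narrow the rule to the readahead directory name. The added `+dev_associate(readahead_var_run_t)` presumably exists so a pid-file type can live on the device filesystem; a one-line comment such as `# /dev/.systemd/readahead is on devtmpfs` beside it would explain an otherwise odd pairing.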
@@ -54477,17 +60374,19 @@ index b4ac57e..e384d8e 100644 dev_getattr_generic_chr_files(readahead_t) dev_getattr_generic_blk_files(readahead_t) dev_getattr_all_chr_files(readahead_t) -@@ -53,10 +60,19 @@ domain_read_all_domains_state(readahead_t) +@@ -51,12 +56,21 @@ domain_use_interactive_fds(readahead_t) + domain_read_all_domains_state(readahead_t) - files_list_non_security(readahead_t) - files_read_non_security_files(readahead_t) -+files_dontaudit_read_security_files(readahead_t) files_create_boot_flag(readahead_t) +files_delete_root_files(readahead_t) files_getattr_all_pipes(readahead_t) + files_list_non_security(readahead_t) + files_read_non_security_files(readahead_t) + files_search_var_lib(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) files_dontaudit_getattr_non_security_blk_files(readahead_t) +files_dontaudit_all_access_check(readahead_t) ++files_dontaudit_read_security_files(readahead_t) + +ifdef(`hide_broken_symptoms', ` + files_dontaudit_write_all_files(readahead_t) @@ -54497,7 +60396,7 @@ index b4ac57e..e384d8e 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t) +@@ -66,6 +80,7 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -54505,14 +60404,15 @@ index b4ac57e..e384d8e 100644 fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) - fs_dontaudit_use_tmpfs_chr_dev(readahead_t) +@@ -74,6 +89,7 @@ fs_dontaudit_use_tmpfs_chr_dev(readahead_t) + mcs_file_read_all(readahead_t) mls_file_read_all_levels(readahead_t) +mcs_file_read_all(readahead_t) storage_raw_read_fixed_disk(readahead_t) -@@ -82,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -84,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) 
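Review bot: `+mcs_file_read_all(readahead_t)` is added directly after a context line that already reads `mcs_file_read_all(readahead_t)` (inner hunk `@@ -74,6 +89,7 @@`), so the rebased upstream now carries this call and the patch line is a duplicate that should be dropped. Duplicate rules are harmless to the compiled policy, but they keep the distro patch larger than necessary and hide the real delta. The `+ifdef(\`hide_broken_symptoms', \`` block adding `files_dontaudit_write_all_files(readahead_t)` silences every denied write by readahead_t; a short comment naming the denial being hidden (e.g. `# dontaudit: <denial this hides>`) would help whoever later tries to remove it.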
@@ -54529,107 +60429,82 @@ index b4ac57e..e384d8e 100644 userdom_dontaudit_search_user_home_dirs(readahead_t) diff --git a/realmd.fc b/realmd.fc -new file mode 100644 -index 0000000..3c24ce4 ---- /dev/null +index 04babe3..3c24ce4 100644 +--- a/realmd.fc +++ b/realmd.fc -@@ -0,0 +1 @@ +@@ -1 +1 @@ +-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) +/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) diff --git a/realmd.if b/realmd.if -new file mode 100644 -index 0000000..e38693b ---- /dev/null +index bff31df..e38693b 100644 +--- a/realmd.if +++ b/realmd.if -@@ -0,0 +1,42 @@ +@@ -1,8 +1,9 @@ +-## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA. + +## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA -+ -+######################################## -+## + + ######################################## + ## +-## Execute realmd in the realmd domain. +## Execute realmd in the realmd_t domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`realmd_domtrans',` -+ gen_require(` -+ type realmd_t, realmd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, realmd_exec_t, realmd_t) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## realmd over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`realmd_dbus_chat',` -+ gen_require(` -+ type realmd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 realmd_t:dbus send_msg; -+ allow realmd_t $1:dbus send_msg; -+') + ## + ## + ## diff --git a/realmd.te b/realmd.te -new file mode 100644 -index 0000000..c994751 ---- /dev/null +index 9a8f052..c994751 100644 +--- a/realmd.te 
+++ b/realmd.te -@@ -0,0 +1,103 @@ +@@ -1,4 +1,4 @@ +-policy_module(realmd, 1.0.2) +policy_module(realmd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type realmd_t; -+type realmd_exec_t; + + ######################################## + # +@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2) + + type realmd_t; + type realmd_exec_t; +-init_system_domain(realmd_t, realmd_exec_t) +application_domain(realmd_t, realmd_exec_t) +role system_r types realmd_t; -+ -+######################################## -+# + + ######################################## + # +-# Local policy +# realmd local policy -+# -+ -+allow realmd_t self:capability sys_nice; -+allow realmd_t self:process setsched; -+ -+kernel_read_system_state(realmd_t) -+ -+corecmd_exec_bin(realmd_t) -+corecmd_exec_shell(realmd_t) -+ -+corenet_tcp_connect_http_port(realmd_t) -+ -+domain_use_interactive_fds(realmd_t) -+ -+dev_read_rand(realmd_t) -+dev_read_urand(realmd_t) -+ + # + + allow realmd_t self:capability sys_nice; +@@ -22,28 +23,32 @@ kernel_read_system_state(realmd_t) + corecmd_exec_bin(realmd_t) + corecmd_exec_shell(realmd_t) + +-corenet_all_recvfrom_unlabeled(realmd_t) +-corenet_all_recvfrom_netlabel(realmd_t) +-corenet_tcp_sendrecv_generic_if(realmd_t) +-corenet_tcp_sendrecv_generic_node(realmd_t) +- +-corenet_sendrecv_http_client_packets(realmd_t) + corenet_tcp_connect_http_port(realmd_t) +-corenet_tcp_sendrecv_http_port(realmd_t) + + domain_use_interactive_fds(realmd_t) + + dev_read_rand(realmd_t) + dev_read_urand(realmd_t) + +-fs_getattr_all_fs(realmd_t) +- +files_read_etc_files(realmd_t) -+files_read_usr_files(realmd_t) -+ + files_read_usr_files(realmd_t) + +fs_getattr_all_fs(realmd_t) + -+auth_use_nsswitch(realmd_t) -+ -+logging_send_syslog_msg(realmd_t) -+ + auth_use_nsswitch(realmd_t) + + logging_send_syslog_msg(realmd_t) + +sysnet_dns_name_resolve(realmd_t) +systemd_exec_systemctl(realmd_t) + 
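Review bot: `+policy_module(realmd, 1.0.0)` replaces upstream's `-policy_module(realmd, 1.0.2)`, so the rebased patch now lowers the module version; the same regression appears for remotelogin (`+policy_module(remotelogin, 1.7.0)` in the next hunk), rgmanager (`+policy_module(rgmanager, 1.2.0)` at the end of the chunk) and razor (`++policy_module(razor, 2.3.0)` on the chunk's first line). A version that goes backwards is at best confusing when comparing installed module versions and at worst makes an upgrade look like a downgrade; the distro patch should keep the upstream number or bump it, never carry the old one forward. The realmd.fc hunk also rewrites `/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)` with a line that reads identically here, which looks like a whitespace-only change that does not belong in the patch.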
@@ -54640,63 +60515,133 @@ index 0000000..c994751 + authconfig_domtrans(realmd_t) +') + -+optional_policy(` -+ dbus_system_domain(realmd_t, realmd_exec_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(realmd_t) -+ ') -+ -+ optional_policy(` -+ policykit_dbus_chat(realmd_t) -+ ') -+') -+ -+optional_policy(` -+ hostname_exec(realmd_t) -+') -+ -+optional_policy(` -+ kerberos_use(realmd_t) -+ kerberos_rw_keytab(realmd_t) -+') -+ -+optional_policy(` -+ nis_exec_ypbind(realmd_t) + optional_policy(` + dbus_system_domain(realmd_t, realmd_exec_t) + +@@ -67,17 +72,21 @@ optional_policy(` + + optional_policy(` + nis_exec_ypbind(realmd_t) +- nis_initrc_domtrans(realmd_t) + nis_systemctl_ypbind(realmd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- gnome_read_generic_home_content(realmd_t) + gnome_read_config(realmd_t) + gnome_read_generic_cache_files(realmd_t) + gnome_write_generic_cache_files(realmd_t) + gnome_manage_cache_home_dir(realmd_t) + -+') -+ -+optional_policy(` -+ samba_domtrans_net(realmd_t) -+ samba_manage_config(realmd_t) + ') + + optional_policy(` + samba_domtrans_net(realmd_t) + samba_manage_config(realmd_t) +- samba_getattr_winbind_exec(realmd_t) + samba_getattr_winbind(realmd_t) -+') -+ -+optional_policy(` -+ sssd_getattr_exec(realmd_t) -+ sssd_manage_config(realmd_t) -+ sssd_manage_lib_files(realmd_t) -+ sssd_manage_public_files(realmd_t) -+ sssd_read_pid_files(realmd_t) + ') + + optional_policy(` +@@ -86,5 +95,9 @@ optional_policy(` + sssd_manage_lib_files(realmd_t) + sssd_manage_public_files(realmd_t) + sssd_read_pid_files(realmd_t) +- sssd_initrc_domtrans(realmd_t) + sssd_systemctl(realmd_t) +') + +optional_policy(` + xserver_read_state_xdm(realmd_t) -+') + ') +diff --git a/remotelogin.fc b/remotelogin.fc +index 327baf0..d8691bd 100644 +--- a/remotelogin.fc ++++ b/remotelogin.fc +@@ -1 +1,2 @@ ++ + # Remote login currently has no file contexts. 
+diff --git a/remotelogin.if b/remotelogin.if +index a9ce68e..31be971 100644 +--- a/remotelogin.if ++++ b/remotelogin.if +@@ -1,4 +1,4 @@ +-## Rshd, rlogind, and telnetd. ++## Policy for rshd, rlogind, and telnetd. + + ######################################## + ## +@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',` + type remote_login_t; + ') + +- corecmd_search_bin($1) + auth_domtrans_login_program($1, remote_login_t) + ') + + ######################################## + ## +-## Send generic signals to remote login. ++## allow Domain to signal remote login domain. + ## + ## + ## +@@ -36,44 +35,3 @@ interface(`remotelogin_signal',` + + allow $1 remote_login_t:process signal; + ') +- +-######################################## +-## +-## Create, read, write, and delete +-## remote login temporary content. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`remotelogin_manage_tmp_content',` +- gen_require(` +- type remote_login_tmp_t; +- ') +- +- files_search_tmp($1) +- allow $1 remote_login_tmp_t:dir manage_dir_perms; +- allow $1 remote_login_tmp_t:file manage_file_perms; +-') +- +-######################################## +-## +-## Relabel remote login temporary content. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`remotelogin_relabel_tmp_content',` +- gen_require(` +- type remote_login_tmp_t; +- ') +- +- files_search_tmp($1) +- allow $1 remote_login_tmp_t:dir relabel_dir_perms; +- allow $1 remote_login_tmp_t:file relabel_file_perms; +-') diff --git a/remotelogin.te b/remotelogin.te -index 0a76027..18f59a7 100644 +index c51a32c..18f59a7 100644 --- a/remotelogin.te +++ b/remotelogin.te -@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t) +@@ -1,4 +1,4 @@ +-policy_module(remotelogin, 1.7.2) ++policy_module(remotelogin, 1.7.0) + + ######################################## + # +@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t) auth_login_pgm_domain(remote_login_t) auth_login_entry_type(remote_login_t) 
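Review bot: The patch deletes two upstream interfaces, `remotelogin_manage_tmp_content` and `remotelogin_relabel_tmp_content`, from remotelogin.if (the `+-interface(...)` runs at the end of the hunk) along with their `remote_login_tmp_t` requirement; any module in the tree that still calls either one will fail at build time, so grep for callers before removing them or keep them as deprecated stubs. Dropping `- corecmd_search_bin($1)` from `remotelogin_domtrans` is only safe if `auth_domtrans_login_program` already provides the bin-directory search, which cannot be confirmed from this hunk. The realmd part adds `+ gnome_manage_cache_home_dir(realmd_t)`, letting a system daemon create and delete user cache directories under $HOME; a comment stating which realmd operation needs that would justify the width.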
@@ -54705,63 +60650,88 @@ index 0a76027..18f59a7 100644 - ######################################## # - # Remote login remote policy -@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms; - allow remote_login_t self:msg { send receive }; - allow remote_login_t self:key write; +-# Local policy ++# Remote login remote policy + # + allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +@@ -23,32 +20,42 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl + allow remote_login_t self:process { setrlimit setexec }; + allow remote_login_t self:fd use; + allow remote_login_t self:fifo_file rw_fifo_file_perms; ++allow remote_login_t self:sock_file read_sock_file_perms; ++allow remote_login_t self:unix_dgram_socket create_socket_perms; ++allow remote_login_t self:unix_stream_socket create_stream_socket_perms; + allow remote_login_t self:unix_dgram_socket sendto; +-allow remote_login_t self:unix_stream_socket { accept connectto listen }; +- -manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) -files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) -- ++allow remote_login_t self:unix_stream_socket connectto; ++allow remote_login_t self:shm create_shm_perms; ++allow remote_login_t self:sem create_sem_perms; ++allow remote_login_t self:msgq create_msgq_perms; ++allow remote_login_t self:msg { send receive }; ++allow remote_login_t self:key write; + kernel_read_system_state(remote_login_t) kernel_read_kernel_sysctls(remote_login_t) -@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t) - fs_search_auto_mountpoints(remote_login_t) + dev_getattr_mouse_dev(remote_login_t) + dev_setattr_mouse_dev(remote_login_t) ++dev_dontaudit_search_sysfs(remote_login_t) + + fs_getattr_xattr_fs(remote_login_t) 
++fs_search_auto_mountpoints(remote_login_t) term_relabel_all_ptys(remote_login_t) -+term_use_all_ptys(remote_login_t) -+term_setattr_all_ptys(remote_login_t) + term_use_all_ptys(remote_login_t) + term_setattr_all_ptys(remote_login_t) +-auth_manage_pam_console_data(remote_login_t) +-auth_domtrans_pam_console(remote_login_t) auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t) ++auth_manage_pam_console_data(remote_login_t) ++auth_domtrans_pam_console(remote_login_t) + + corecmd_list_bin(remote_login_t) + corecmd_read_bin_symlinks(remote_login_t) ++# cjp: these are probably not needed: ++corecmd_read_bin_files(remote_login_t) ++corecmd_read_bin_pipes(remote_login_t) ++corecmd_read_bin_sockets(remote_login_t) domain_read_all_entry_files(remote_login_t) --files_read_etc_files(remote_login_t) - files_read_etc_runtime_files(remote_login_t) - files_list_home(remote_login_t) - files_read_usr_files(remote_login_t) -@@ -77,9 +71,8 @@ files_list_mnt(remote_login_t) - # for when /var/mail is a sym-link +@@ -61,30 +68,32 @@ files_read_world_readable_symlinks(remote_login_t) + files_read_world_readable_pipes(remote_login_t) + files_read_world_readable_sockets(remote_login_t) + files_list_mnt(remote_login_t) ++# for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) --sysnet_dns_name_resolve(remote_login_t) -+auth_use_nsswitch(remote_login_t) - -miscfiles_read_localization(remote_login_t) ++auth_use_nsswitch(remote_login_t) ++ userdom_use_unpriv_users_fds(remote_login_t) userdom_search_user_home_content(remote_login_t) -@@ -87,34 +80,28 @@ userdom_search_user_home_content(remote_login_t) - # since very weak authentication is used. ++# Only permit unprivileged user domains to be entered via rlogin, ++# since very weak authentication is used. 
userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) +userdom_use_user_ptys(remote_login_t) --# Search for mail spool file. --mta_getattr_spool(remote_login_t) -+userdom_manage_user_tmp_dirs(remote_login_t) -+userdom_manage_user_tmp_files(remote_login_t) -+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) - -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(remote_login_t) - fs_read_nfs_symlinks(remote_login_t) -') -- ++userdom_manage_user_tmp_dirs(remote_login_t) ++userdom_manage_user_tmp_files(remote_login_t) ++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(remote_login_t) - fs_read_cifs_symlinks(remote_login_t) 
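Review bot: The patch removes the private temporary type (`-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)` / `-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })`) and replaces it with `+userdom_manage_user_tmp_dirs(remote_login_t)`, `+userdom_manage_user_tmp_files(remote_login_t)` and `+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })`, so the login daemon's scratch files now share a type with every user's /tmp content and it can read and delete theirs. Given the comment in this very hunk that remote login uses very weak authentication, that is a step away from least privilege; if the daemon genuinely has to hand files to the user session, add a comment above the three calls stating the reason (e.g. `# remote_login_t needs user tmp content because: <reason>`), otherwise keep the private type. The hunk also re-adds `corecmd_read_bin_files/pipes/sockets` under `# cjp: these are probably not needed:`; rules shipped with a comment saying they are unneeded should be tested and dropped rather than carried in the distro patch.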
@@ -54773,51 +60743,15 @@ index 0a76027..18f59a7 100644 ') optional_policy(` -- nis_use_ypbind(remote_login_t) + # Search for mail spool file. -+ mta_getattr_spool(remote_login_t) - ') - - optional_policy(` -- nscd_socket_use(remote_login_t) -+ telnet_use_ptys(remote_login_t) - ') - - optional_policy(` -- unconfined_domain(remote_login_t) - unconfined_shell_domtrans(remote_login_t) + mta_getattr_spool(remote_login_t) ') -diff --git a/resmgr.fc b/resmgr.fc -index af810b9..a888eb9 100644 ---- a/resmgr.fc -+++ b/resmgr.fc -@@ -2,6 +2,7 @@ - /etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) - - /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) -+/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) - - /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) - /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) -diff --git a/resmgr.if b/resmgr.if -index d457736..eabdd78 100644 ---- a/resmgr.if -+++ b/resmgr.if -@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',` - type resmgrd_var_run_t, resmgrd_t; - ') - -- allow $1 resmgrd_t:unix_stream_socket connectto; -- allow $1 resmgrd_var_run_t:sock_file { getattr write }; - files_search_pids($1) -+ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) - ') diff --git a/resmgr.te b/resmgr.te -index bf5efbf..b38b22d 100644 +index 6f219b3..f38e183 100644 --- a/resmgr.te +++ b/resmgr.te -@@ -53,8 +53,6 @@ storage_raw_write_removable_device(resmgrd_t) +@@ -54,8 +54,6 @@ storage_write_scsi_generic(resmgrd_t) logging_send_syslog_msg(resmgrd_t) @@ -54827,38 +60761,49 @@ index bf5efbf..b38b22d 100644 optional_policy(` diff --git a/rgmanager.fc b/rgmanager.fc -index 3c97ef0..91e69b8 100644 +index 5421af0..91e69b8 100644 --- a/rgmanager.fc 
+++ b/rgmanager.fc -@@ -1,7 +1,22 @@ +@@ -1,12 +1,22 @@ +-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) -+ + +-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) ++/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) --/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -+ + +-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0) +/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/var/lib/heartbeat(/.*)? 
gen_context(system_u:object_r:rgmanager_var_lib_t,s0) -+ + +-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) - +-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) ++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) ++ +/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) - /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) ++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if -index 7dc38d1..5bd6fdb 100644 +index 1c2f9aa..5bd6fdb 100644 --- a/rgmanager.if +++ b/rgmanager.if -@@ -5,9 +5,9 @@ +@@ -1,13 +1,13 @@ +-## Resource Group Manager. ++## rgmanager - Resource Group Manager + + ####################################### + ## ## Execute a domain transition to run rgmanager. ## ## 
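Review bot: `+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)` puts a var_lib type on a directory under /usr/lib that also holds an executable labelled `rgmanager_exec_t` on the next line; if rgmanager.te grants rgmanager_t manage access to rgmanager_var_lib_t (not visible in this chunk), the daemon can write alongside its own entry-point binary, which a /var/lib type is not meant to allow. Leave the /usr/lib tree on the default library labelling (or give it a dedicated read-only type) and reserve rgmanager_var_lib_t for `/var/lib/heartbeat(/.*)?`. The heartbeat daemon and its init script are also folded into the rgmanager domain here (`/etc/rc\.d/init\.d/heartbeat`, `/usr/lib/heartbeat/heartbeat`); a comment in rgmanager.fc noting that heartbeat deliberately shares the domain would keep the next reader from assuming a mislabel.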
@@ -54870,20 +60815,40 @@ index 7dc38d1..5bd6fdb 100644 ## # interface(`rgmanager_domtrans',` -@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',` +@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',` ######################################## ## --## Connect to rgmanager over an unix stream socket. +-## Connect to rgmanager with a unix +-## domain stream socket. +## Connect to rgmanager over a unix stream socket. ## ## ## -@@ -75,3 +75,91 @@ interface(`rgmanager_manage_tmpfs_files',` - fs_search_tmpfs($1) +@@ -41,8 +40,7 @@ interface(`rgmanager_stream_connect',` + + ###################################### + ## +-## Create, read, write, and delete +-## rgmanager tmp files. ++## Allow manage rgmanager tmp files. + ## + ## + ## +@@ -61,8 +59,7 @@ interface(`rgmanager_manage_tmp_files',` + + ###################################### + ## +-## Create, read, write, and delete +-## rgmanager tmpfs files. ++## Allow manage rgmanager tmpfs files. + ## + ## + ## +@@ -79,10 +76,28 @@ interface(`rgmanager_manage_tmpfs_files',` manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') -+ + +####################################### +## +## Allow read and write access to rgmanager semaphores. 
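Review bot: `+## Allow manage rgmanager tmp files.` and `+## Allow manage rgmanager tmpfs files.` replace upstream's `-## Create, read, write, and delete rgmanager tmp files.` summaries with terser, less grammatical wording, and the hunk's other changes (`+## rgmanager - Resource Group Manager`, `+## Connect to rgmanager over a unix stream socket.`, `+## The role to be allowed to manage the rgmanager domain.`) are likewise documentation-only diffs against upstream; the same happens in remotelogin.if earlier in the chunk (`+## allow Domain to signal remote login domain.`). Carrying wording changes in a distro patch enlarges every rebase conflict for no functional gain, so keep the upstream summaries and limit the patch to the rules it actually adds. Where a summary must differ, follow upstream's phrasing style, e.g. `## Create, read, write, and delete rgmanager tmp files.`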
@@ -54902,51 +60867,41 @@ index 7dc38d1..5bd6fdb 100644 + allow $1 rgmanager_t:sem rw_sem_perms; +') + -+###################################### -+## + ###################################### + ## +-## All of the rules required to +-## administrate an rgmanager environment. +## All of the rules required to administrate +## an rgmanager environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## + ## + ## + ## +@@ -91,7 +106,7 @@ interface(`rgmanager_manage_tmpfs_files',` + ## + ## + ## +-## Role allowed access. +## The role to be allowed to manage the rgmanager domain. -+## -+## -+## -+# -+interface(`rgmanager_admin',` -+ gen_require(` -+ type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; -+ type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; -+ ') -+ + ## + ## + ## +@@ -102,8 +117,11 @@ interface(`rgmanager_admin',` + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + ') + +- allow $1 rgmanager_t:process { ptrace signal_perms }; + allow $1 rgmanager_t:process signal_perms; -+ ps_process_pattern($1, rgmanager_t) + ps_process_pattern($1, rgmanager_t) + tunable_policy(`deny_ptrace',`',` + allow $1 rgmanager_t:process ptrace; + ') -+ -+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 rgmanager_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, rgmanager_tmp_t) -+ -+ admin_pattern($1, rgmanager_tmpfs_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, rgmanager_var_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, rgmanager_var_run_t) -+') + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) +@@ -121,3 +139,27 @@ interface(`rgmanager_admin',` + files_list_pids($1) + admin_pattern($1, rgmanager_var_run_t) + ') + + +###################################### @@ -54972,22 +60927,30 @@ index 7dc38d1..5bd6fdb 100644 + admin_pattern($1, rgmanager_var_run_t) +') 
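Review bot: The new `tunable_policy(`deny_ptrace`,`',` allow $1 rgmanager_t:process ptrace; ')` in `rgmanager_admin` carries no comment, so a reader of the interface cannot see why `ptrace` was split off from the `allow $1 rgmanager_t:process signal_perms;` line just above it. A one-line comment such as `# ptrace of rgmanager_t is withheld while the deny_ptrace boolean is on` makes the intent explicit and records the dependency on a boolean this module does not declare itself. The body of rgmanager_admin continues outside this hunk.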
diff --git a/rgmanager.te b/rgmanager.te -index 3786c45..1ad9c12 100644 +index b418d1c..1ad9c12 100644 --- a/rgmanager.te +++ b/rgmanager.te -@@ -14,15 +14,20 @@ gen_tunable(rgmanager_can_network_connect, false) +@@ -1,4 +1,4 @@ +-policy_module(rgmanager, 1.2.2) ++policy_module(rgmanager, 1.2.0) - type rgmanager_t; - type rgmanager_exec_t; --domain_type(rgmanager_t) - init_daemon_domain(rgmanager_t, rgmanager_exec_t) + ######################################## + # +@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2) + # -+type rgmanager_initrc_exec_t; -+init_script_file(rgmanager_initrc_exec_t) -+ - type rgmanager_tmp_t; - files_tmp_file(rgmanager_tmp_t) + ## +-##

    +-## Determine whether rgmanager can +-## connect to the network using TCP. +-##

    ++##

    ++## Allow rgmanager domain to connect to the network using TCP. ++##

    + ##
    + gen_tunable(rgmanager_can_network_connect, false) +@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t) type rgmanager_tmpfs_t; files_tmpfs_file(rgmanager_tmpfs_t) @@ -54997,20 +60960,32 @@ index 3786c45..1ad9c12 100644 type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) -@@ -35,9 +40,7 @@ files_pid_file(rgmanager_var_run_t) +@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t) + + ######################################## + # +-# Local policy ++# rgmanager local policy # allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; --dontaudit rgmanager_t self:capability { sys_ptrace }; allow rgmanager_t self:process { setsched signal }; --dontaudit rgmanager_t self:process { ptrace }; - ++ allow rgmanager_t self:fifo_file rw_fifo_file_perms; - allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -@@ -52,14 +55,27 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +-allow rgmanager_t self:unix_stream_socket { accept listen }; +-allow rgmanager_t self:tcp_socket { accept listen }; ++allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; ++allow rgmanager_t self:unix_dgram_socket create_socket_perms; ++allow rgmanager_t self:tcp_socket create_stream_socket_perms; + + manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) + manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) +@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) +-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file) +# var/lib files +# # needed by hearbeat +can_exec(rgmanager_t, rgmanager_var_lib_t) 
@@ -55021,8 +60996,8 @@ index 3786c45..1ad9c12 100644 +files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file }) + + - manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) - logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) ++manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) ++logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) +manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) @@ -55036,15 +61011,20 @@ index 3786c45..1ad9c12 100644 kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -67,7 +83,6 @@ kernel_search_network_state(rgmanager_t) + kernel_search_network_state(rgmanager_t) +-corenet_all_recvfrom_unlabeled(rgmanager_t) +-corenet_all_recvfrom_netlabel(rgmanager_t) +-corenet_tcp_sendrecv_generic_if(rgmanager_t) +-corenet_tcp_sendrecv_generic_node(rgmanager_t) +- corecmd_exec_bin(rgmanager_t) corecmd_exec_shell(rgmanager_t) --consoletype_exec(rgmanager_t) - # need to write to /dev/misc/dlm-control ++# need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -76,31 +91,35 @@ dev_search_sysfs(rgmanager_t) + dev_setattr_dlm_control(rgmanager_t) + dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) 
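Review bot: The new side of the second hunk on this line makes the patch delete `corenet_all_recvfrom_unlabeled(rgmanager_t)`, `corenet_all_recvfrom_netlabel(rgmanager_t)`, `corenet_tcp_sendrecv_generic_if(rgmanager_t)` and `corenet_tcp_sendrecv_generic_node(rgmanager_t)` from the upstream file without saying where those permissions now come from. If the Fedora base grants them to every domain through an attribute, which seems to be the assumption, a one-line comment in the patch (`# generic if/node and unlabeled recv are granted to all domains in the Fedora base`) keeps the next rebase from restoring them; if it does not, rgmanager's TCP use under the `rgmanager_can_network_connect` tunable is incomplete. The same question applies to the `corenet_sendrecv_all_client_packets` and `corenet_tcp_sendrecv_all_ports` lines removed inside that tunable in the following hunk.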
@@ -55059,165 +61039,242 @@ index 3786c45..1ad9c12 100644 +files_manage_mnt_symlinks(rgmanager_t) +files_manage_isid_type_files(rgmanager_t) files_manage_isid_type_dirs(rgmanager_t) +-files_read_non_security_files(rgmanager_t) - fs_getattr_xattr_fs(rgmanager_t) ++fs_getattr_xattr_fs(rgmanager_t) fs_getattr_all_fs(rgmanager_t) -+storage_raw_read_fixed_disk(rgmanager_t) - storage_getattr_fixed_disk_dev(rgmanager_t) + storage_raw_read_fixed_disk(rgmanager_t) ++storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) --#term_use_ptmx(rgmanager_t) - # needed by resources scripts --files_read_non_auth_files(rgmanager_t) ++# needed by resources scripts +files_read_non_security_files(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t) auth_use_nsswitch(rgmanager_t) --logging_send_syslog_msg(rgmanager_t) -+init_domtrans_script(rgmanager_t) + init_domtrans_script(rgmanager_t) +init_initrc_domain(rgmanager_t) --miscfiles_read_localization(rgmanager_t) -+logging_send_syslog_msg(rgmanager_t) + logging_send_syslog_msg(rgmanager_t) --mount_domtrans(rgmanager_t) +-miscfiles_read_localization(rgmanager_t) +userdom_kill_all_users(rgmanager_t) tunable_policy(`rgmanager_can_network_connect',` +- corenet_sendrecv_all_client_packets(rgmanager_t) corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +137,14 @@ optional_policy(` +- corenet_tcp_sendrecv_all_ports(rgmanager_t) ') ++# rgmanager can run resource scripts optional_policy(` + aisexec_stream_connect(rgmanager_t) ++ corosync_stream_connect(rgmanager_t) + ') + + optional_policy(` +- consoletype_exec(rgmanager_t) ++ apache_domtrans(rgmanager_t) ++ apache_signal(rgmanager_t) + ') + + optional_policy(` +- corosync_stream_connect(rgmanager_t) + consoletype_exec(rgmanager_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_domtrans(rgmanager_t) +- apache_signal(rgmanager_t) + dbus_system_bus_client(rgmanager_t) + ') + + optional_policy(` +@@ -130,7 +150,6 @@ optional_policy(` + + optional_policy(` 
+ rhcs_stream_connect_groupd(rgmanager_t) +- rhcs_stream_connect_gfs_controld(rgmanager_t) + ') + + optional_policy(` +@@ -140,6 +159,7 @@ optional_policy(` + optional_policy(` + ccs_manage_config(rgmanager_t) + ccs_stream_connect(rgmanager_t) ++ rhcs_stream_connect_gfs_controld(rgmanager_t) + ') + + optional_policy(` +@@ -147,6 +167,12 @@ optional_policy(` + ') + + optional_policy(` ++ ldap_initrc_domtrans(rgmanager_t) ++ ldap_systemctl(rgmanager_t) ++ ldap_domtrans(rgmanager_t) +') + +optional_policy(` - fstools_domtrans(rgmanager_t) + mount_domtrans(rgmanager_t) + ') + +@@ -174,12 +200,18 @@ optional_policy(` + ') + + optional_policy(` ++ rpc_initrc_domtrans_nfsd(rgmanager_t) ++ rpc_initrc_domtrans_rpcd(rgmanager_t) ++ rpc_systemctl_nfsd(rgmanager_t) ++ rpc_systemctl_rpcd(rgmanager_t) ++ + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) + rpc_manage_nfs_state_data(rgmanager_t) ') -@@ -140,6 +167,16 @@ optional_policy(` + optional_policy(` ++ samba_initrc_domtrans(rgmanager_t) + samba_domtrans_smbd(rgmanager_t) + samba_domtrans_nmbd(rgmanager_t) + samba_manage_var_files(rgmanager_t) +@@ -201,5 +233,9 @@ optional_policy(` ') optional_policy(` -+ ldap_initrc_domtrans(rgmanager_t) -+ ldap_systemctl(rgmanager_t) -+ ldap_domtrans(rgmanager_t) ++ unconfined_domain(rgmanager_t) +') + +optional_policy(` -+ mount_domtrans(rgmanager_t) -+') -+ -+optional_policy(` - mysql_domtrans_mysql_safe(rgmanager_t) - mysql_stream_connect(rgmanager_t) + xen_domtrans_xm(rgmanager_t) ') -@@ -165,6 +202,8 @@ optional_policy(` - optional_policy(` - rpc_initrc_domtrans_nfsd(rgmanager_t) - rpc_initrc_domtrans_rpcd(rgmanager_t) -+ rpc_systemctl_nfsd(rgmanager_t) -+ rpc_systemctl_rpcd(rgmanager_t) - - rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) diff --git a/rhcs.fc b/rhcs.fc -index c2ba53b..977f2eb 100644 +index 47de2d6..977f2eb 100644 --- a/rhcs.fc 
+++ b/rhcs.fc -@@ -1,22 +1,30 @@ - /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) - /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) - /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +@@ -1,31 +1,30 @@ +-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) ++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) ++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0) - /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) ++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) - /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) - /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - - /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - ++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) ++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) + +-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) +-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) +-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +-/usr/sbin/qdiskd -- 
gen_context(system_u:object_r:qdiskd_exec_t,s0) ++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) + +-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) - /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) ++/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +- +-/var/log/cluster/.*\.*log <> +/var/log/cluster/.*\.*log <> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) - /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) ++/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) - /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) -+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) ++/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) + /var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) +-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) +-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +-/var/run/dlm_controld(/.*)? 
gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) +-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) +/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) - /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) --/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0) - /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) - /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) - /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) ++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) ++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) ++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) diff --git a/rhcs.if b/rhcs.if -index de37806..aee7ba7 100644 +index 56bc01f..aee7ba7 100644 --- a/rhcs.if 
+++ b/rhcs.if -@@ -13,7 +13,7 @@ +@@ -1,19 +1,19 @@ +-## Red Hat Cluster Suite. ++## RHCS - Red Hat Cluster Suite + + ####################################### + ## +-## The template to define a rhcs domain. ++## Creates types and rules for a basic ++## rhcs init daemon domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## # template(`rhcs_domain_template',` gen_require(` -- attribute cluster_domain; +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; + attribute cluster_domain, cluster_tmpfs, cluster_pid; ') ############################## -@@ -25,13 +25,13 @@ template(`rhcs_domain_template',` - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - -- type $1_tmpfs_t; -+ type $1_tmpfs_t, cluster_tmpfs; +@@ -28,7 +28,7 @@ template(`rhcs_domain_template',` + type $1_tmpfs_t, cluster_tmpfs; files_tmpfs_file($1_tmpfs_t) - type $1_var_log_t; +- type $1_var_log_t, cluster_log; ++ type $1_var_log_t; logging_log_file($1_var_log_t) -- type $1_var_run_t; -+ type $1_var_run_t, cluster_pid; - files_pid_file($1_var_run_t) - - ############################## -@@ -43,15 +43,20 @@ template(`rhcs_domain_template',` - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + type $1_var_run_t, cluster_pid; +@@ -44,9 +44,7 @@ template(`rhcs_domain_template',` fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) -+ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) +- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) +- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) +- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) ++ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) -- logging_log_filetrans($1_t, $1_var_log_t, { file sock_file }) -+ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) + 
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) -+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +@@ -56,20 +54,19 @@ template(`rhcs_domain_template',` manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) -+ files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) -+ -+ auth_use_nsswitch($1_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) +- optional_policy(` +- dbus_system_bus_client($1_t) +- ') ++ auth_use_nsswitch($1_t) ++ + logging_send_syslog_msg($1_t) ') ###################################### -@@ -59,9 +64,9 @@ template(`rhcs_domain_template',` - ## Execute a domain transition to run dlm_controld. + ## +-## Execute a domain transition to +-## run dlm_controld. ++## Execute a domain transition to run dlm_controld. ## ## -## 
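Review bot: The `optional_policy(` block near the end of the rgmanager.te part of this hunk adds `unconfined_domain(rgmanager_t)`, which makes the rest of the module moot whenever the unconfined module is loaded: the capability set, the `rgmanager_can_network_connect` tunable and the `ldap_*`, `rpc_systemctl_*` and `samba_initrc_domtrans` grants added in the same hunk no longer bound the daemon. If the aim is to stop denials while the policy is being completed, `permissive rgmanager_t` keeps the rules auditable (denials are still logged) and is easy to retire later, whereas an unconfined domain produces no AVC trail to tune from; if unconfining is intended, the block should carry a comment stating why, presumably the arbitrary resource agents it launches. Separately, `rhcs_stream_connect_gfs_controld(rgmanager_t)` moves from the rhcs `optional_policy` block into the ccs one, and because an optional block is discarded as a whole when any of its requirements is unmet, a host with ccs but without rhcs would silently lose `ccs_manage_config` and `ccs_stream_connect` too; keeping it in the rhcs block avoids that. The rhcs.fc and rhcs.if parts of the hunk are reorderings and wording changes.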
@@ -55228,7 +61285,46 @@ index de37806..aee7ba7 100644 ## # interface(`rhcs_domtrans_dlm_controld',` -@@ -133,6 +138,24 @@ interface(`rhcs_domtrans_fenced',` +@@ -83,27 +80,8 @@ interface(`rhcs_domtrans_dlm_controld',` + + ##################################### + ## +-## Get attributes of fenced +-## executable files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`rhcs_getattr_fenced_exec_files',` +- gen_require(` +- type fenced_exec_t; +- ') +- +- allow $1 fenced_exec_t:file getattr_file_perms; +-') +- +-##################################### +-## +-## Connect to dlm_controld with a +-## unix domain stream socket. ++## Connect to dlm_controld over a unix domain ++## stream socket. + ## + ## + ## +@@ -122,7 +100,7 @@ interface(`rhcs_stream_connect_dlm_controld',` + + ##################################### + ## +-## Read and write dlm_controld semaphores. ++## Allow read and write access to dlm_controld semaphores. + ## + ## + ## +@@ -160,9 +138,27 @@ interface(`rhcs_domtrans_fenced',` domtrans_pattern($1, fenced_exec_t, fenced_t) ') 
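Review bot: This hunk makes the patch delete the public interface `rhcs_getattr_fenced_exec_files` from rhcs.if without a replacement, so any module that still calls it will fail at build time with an undefined-macro error. Unless every caller is removed in the same patch set (none is visible here), keep the interface or leave a deprecation stub using refpolicy's `refpolicywarn` idiom so callers get a warning instead of a build break. The rest of the hunk is summary wording.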
@@ -55252,98 +61348,208 @@ index de37806..aee7ba7 100644 + ###################################### ## - ## Allow read and write access to fenced semaphores. -@@ -156,7 +179,26 @@ interface(`rhcs_rw_fenced_semaphores',` +-## Read and write fenced semaphores. ++## Allow read and write access to fenced semaphores. + ## + ## + ## +@@ -181,10 +177,9 @@ interface(`rhcs_rw_fenced_semaphores',` + manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) + ') - ###################################### +-#################################### ++###################################### ## --## Connect to fenced over an unix domain stream socket. +-## Connect to all cluster domains +-## with a unix domain stream socket. +## Read fenced PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rhcs_read_fenced_pid_files',` -+ gen_require(` -+ type fenced_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t) -+') -+ -+###################################### -+## -+## Connect to fenced over a unix domain stream socket. ## ## ## -@@ -169,9 +211,8 @@ interface(`rhcs_stream_connect_fenced',` - type fenced_var_run_t, fenced_t; +@@ -192,19 +187,18 @@ interface(`rhcs_rw_fenced_semaphores',` + ## + ## + # +-interface(`rhcs_stream_connect_cluster',` ++interface(`rhcs_read_fenced_pid_files',` + gen_require(` +- attribute cluster_domain, cluster_pid; ++ type fenced_var_run_t; ') -- allow $1 fenced_t:unix_stream_socket connectto; -- allow $1 fenced_var_run_t:sock_file { getattr write }; files_search_pids($1) -+ stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) +- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) ++ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t) ') + ###################################### + ## +-## Connect to fenced with an unix +-## domain stream socket. ++## Connect to fenced over a unix domain stream socket. 
+ ## + ## + ## +@@ -223,8 +217,7 @@ interface(`rhcs_stream_connect_fenced',` + ##################################### -@@ -237,7 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',` + ## +-## Execute a domain transition +-## to run gfs_controld. ++## Execute a domain transition to run gfs_controld. + ## + ## + ## +@@ -243,7 +236,7 @@ interface(`rhcs_domtrans_gfs_controld',` + + #################################### + ## +-## Read and write gfs_controld semaphores. ++## Allow read and write access to gfs_controld semaphores. + ## + ## + ## +@@ -264,7 +257,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` + + ######################################## + ## +-## Read and write gfs_controld_t shared memory. ++## Read and write to gfs_controld_t shared memory. + ## + ## + ## +@@ -285,8 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',` ##################################### ## --## Connect to gfs_controld_t over an unix domain stream socket. +-## Connect to gfs_controld_t with +-## a unix domain stream socket. +## Connect to gfs_controld_t over a unix domain stream socket. ## ## ## -@@ -335,6 +376,65 @@ interface(`rhcs_rw_groupd_shm',` - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +@@ -324,8 +316,8 @@ interface(`rhcs_domtrans_groupd',` + + ##################################### + ## +-## Connect to groupd with a unix +-## domain stream socket. ++## Connect to groupd over a unix domain ++## stream socket. + ## + ## + ## +@@ -342,10 +334,9 @@ interface(`rhcs_stream_connect_groupd',` + stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) + ') + +-######################################## ++##################################### + ## +-## Read and write all cluster domains +-## shared memory. ++## Allow read and write access to groupd semaphores. 
+ ## + ## + ## +@@ -353,21 +344,20 @@ interface(`rhcs_stream_connect_groupd',` + ## + ## + # +-interface(`rhcs_rw_cluster_shm',` ++interface(`rhcs_rw_groupd_semaphores',` + gen_require(` +- attribute cluster_domain, cluster_tmpfs; ++ type groupd_t, groupd_tmpfs_t; + ') + +- allow $1 cluster_domain:shm { rw_shm_perms destroy }; ++ allow $1 groupd_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) +- manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) ++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') +-#################################### +######################################## -+## + ## +-## Read and write all cluster +-## domains semaphores. +## Read and write to group shared memory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -375,17 +365,20 @@ interface(`rhcs_rw_cluster_shm',` + ## + ## + # +-interface(`rhcs_rw_cluster_semaphores',` ++interface(`rhcs_rw_groupd_shm',` + gen_require(` +- attribute cluster_domain; ++ type groupd_t, groupd_tmpfs_t; + ') + +- allow $1 cluster_domain:sem { rw_sem_perms destroy }; ++ allow $1 groupd_t:shm { rw_shm_perms destroy }; ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + ') + +-##################################### ++######################################## + ## +-## Read and write groupd semaphores. ++## Read and write to group shared memory. 
+ ## + ## + ## +@@ -393,20 +386,20 @@ interface(`rhcs_rw_cluster_semaphores',` + ## + ## + # +-interface(`rhcs_rw_groupd_semaphores',` +interface(`rhcs_rw_cluster_shm',` -+ gen_require(` + gen_require(` +- type groupd_t, groupd_tmpfs_t; + attribute cluster_domain, cluster_tmpfs; -+ ') -+ + ') + +- allow $1 groupd_t:sem { rw_sem_perms destroy }; + allow $1 cluster_domain:shm { rw_shm_perms destroy }; -+ -+ fs_search_tmpfs($1) + + fs_search_tmpfs($1) +- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) -+') -+ + ') + +-######################################## +#################################### -+## + ## +-## Read and write groupd shared memory. +## Read and write access to cluster domains semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -414,15 +407,32 @@ interface(`rhcs_rw_groupd_semaphores',` + ## + ## + # +-interface(`rhcs_rw_groupd_shm',` +interface(`rhcs_rw_cluster_semaphores',` -+ gen_require(` + gen_require(` +- type groupd_t, groupd_tmpfs_t; + attribute cluster_domain; -+ ') -+ + ') + +- allow $1 groupd_t:shm { rw_shm_perms destroy }; + allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') -+ + +- fs_search_tmpfs($1) +- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +#################################### +## +## Connect to cluster domains over a unix domain 
@@ -55362,25 +61568,23 @@ index de37806..aee7ba7 100644 + + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) -+') -+ + ') + ###################################### +@@ -446,52 +456,77 @@ interface(`rhcs_domtrans_qdiskd',` + + ######################################## ## - ## Execute a domain transition to run qdiskd. -@@ -353,3 +453,80 @@ interface(`rhcs_domtrans_qdiskd',` - corecmd_search_bin($1) - domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) - ') -+ -+######################################## -+## +-## All of the rules required to +-## administrate an rhcs environment. +## Allow domain to read qdiskd tmpfs files -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`rhcs_read_qdiskd_tmpfs_files',` + gen_require(` 
@@ -55396,20 +61600,47 @@ index de37806..aee7ba7 100644 +## Allow domain to read cluster lib files +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` -+ gen_require(` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) +- +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +- +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +- +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +- +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +- + files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +##################################### +## +## Allow domain to manage cluster lib files @@ -55424,7 +61655,9 @@ index de37806..aee7ba7 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- logging_search_logs($1) +- admin_pattern($1, cluster_log) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') @@ -55447,38 +61680,12 @@ index de37806..aee7ba7 100644 + files_search_var_lib($1) + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) -+') + ') diff --git a/rhcs.te b/rhcs.te -index 93c896a..8aa7362 100644 +index 2c2de9a..4efe231 100644 --- a/rhcs.te 
+++ b/rhcs.te -@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0) - ## - gen_tunable(fenced_can_network_connect, false) - -+## -+##

    -+## Allow fenced domain to execute ssh. -+##

    -+##
    -+gen_tunable(fenced_can_ssh, false) -+ - attribute cluster_domain; -+attribute cluster_tmpfs; -+attribute cluster_pid; - - rhcs_domain_template(dlm_controld) - -@@ -24,6 +33,8 @@ files_lock_file(fenced_lock_t) - type fenced_tmp_t; - files_tmp_file(fenced_tmp_t) - -+rhcs_domain_template(foghorn) -+ - rhcs_domain_template(gfs_controld) - - rhcs_domain_template(groupd) -@@ -33,6 +44,10 @@ rhcs_domain_template(qdiskd) +@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd) type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) 
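Review bot: This hunk turns the patch into a deletion of the upstream `rhcs_admin` interface (the `+-interface(`rhcs_admin',` … `+-')` run in the middle of the hunk) while adding `rhcs_read_cluster_lib_files`, `rhcs_manage_cluster_lib_files` and `rhcs_relabel_cluster_lib_files`. Nothing in the hunk replaces the admin interface, so a role module that calls `rhcs_admin` will fail to build, and administrators of the cluster types lose the single entry point that bundled `ps_process_pattern`, the initrc transitions and the `admin_pattern` rules on `cluster_pid`, `fenced_lock_t`, `fenced_tmp_t`, `qdiskd_var_lib_t`, `cluster_tmpfs` and `cluster_log`. If the removal is deliberate, a short comment in the patch stating why (or a deprecation stub) lets the next rebase keep the decision instead of rediscovering it. In `rhcs_relabel_cluster_lib_files`, the pair `relabelto_files_pattern` + `relabelfrom_files_pattern` can be written as the single `relabel_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)`.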
@@ -55488,85 +61695,105 @@ index 93c896a..8aa7362 100644 + ##################################### # - # dlm_controld local policy -@@ -46,6 +61,9 @@ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fence - stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + # Common cluster domains local policy +@@ -62,10 +66,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms; + allow cluster_domain self:unix_stream_socket create_stream_socket_perms; + allow cluster_domain self:unix_dgram_socket create_socket_perms; + +-logging_send_syslog_msg(cluster_domain) +- +-miscfiles_read_localization(cluster_domain) +- + optional_policy(` + ccs_stream_connect(cluster_domain) + ') +@@ -74,6 +74,10 @@ optional_policy(` + corosync_stream_connect(cluster_domain) + ') - kernel_read_system_state(dlm_controld_t) -+kernel_rw_net_sysctls(dlm_controld_t) ++optional_policy(` ++ dbus_system_bus_client(cluster_domain) ++') + -+corecmd_exec_bin(dlm_controld_t) + ##################################### + # + # dlm_controld local policy +@@ -98,6 +102,12 @@ fs_manage_configfs_dirs(dlm_controld_t) - dev_rw_dlm_control(dlm_controld_t) - dev_rw_sysfs(dlm_controld_t) -@@ -56,7 +74,7 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) - optional_policy(` -- ccs_stream_connect(dlm_controld_t) ++logging_send_syslog_msg(dlm_controld_t) ++ ++optional_policy(` + corosync_rw_tmpfs(dlm_controld_t) - ') - ++') ++ ####################################### -@@ -65,10 +83,11 @@ optional_policy(` # + # fenced local policy +@@ -105,9 +115,13 @@ init_rw_script_tmp_files(dlm_controld_t) allow fenced_t self:capability { sys_rawio sys_resource }; --allow fenced_t self:process getsched; -+allow fenced_t self:process { getsched signal_perms }; - - allow fenced_t self:tcp_socket create_stream_socket_perms; - allow fenced_t self:udp_socket create_socket_perms; -+allow fenced_t self:unix_stream_socket connectto; + allow fenced_t 
self:process { getsched signal_perms }; +-allow fenced_t self:tcp_socket { accept listen }; ++ ++allow fenced_t self:tcp_socket create_stream_socket_perms; ++allow fenced_t self:udp_socket create_socket_perms; + allow fenced_t self:unix_stream_socket connectto; - can_exec(fenced_t, fenced_exec_t) ++can_exec(fenced_t, fenced_exec_t) ++ + manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) + files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -82,13 +101,23 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +132,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -+kernel_read_system_state(fenced_t) +-can_exec(fenced_t, fenced_exec_t) +- + kernel_read_system_state(fenced_t) +kernel_read_network_state(fenced_t) -+ - corecmd_exec_bin(fenced_t) -+corecmd_exec_shell(fenced_t) -+corenet_udp_bind_ionixnetmon_port(fenced_t) -+corenet_tcp_bind_zented_port(fenced_t) -+corenet_udp_bind_zented_port(fenced_t) - corenet_tcp_connect_http_port(fenced_t) -+corenet_tcp_connect_zented_port(fenced_t) + corecmd_exec_bin(fenced_t) + corecmd_exec_shell(fenced_t) +@@ -148,9 +161,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) +- +-files_read_usr_files(fenced_t) +-files_read_usr_symlinks(fenced_t) +dev_read_rand(fenced_t) -+files_read_usr_files(fenced_t) - files_read_usr_symlinks(fenced_t) - storage_raw_read_fixed_disk(fenced_t) -@@ -97,16 +126,37 @@ storage_raw_read_removable_device(fenced_t) - + storage_raw_write_fixed_disk(fenced_t) +@@ -159,8 +170,9 @@ storage_raw_read_removable_device(fenced_t) term_getattr_pty_fs(fenced_t) + term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) -- --auth_use_nsswitch(fenced_t) +term_use_generic_ptys(fenced_t) +-auth_use_nsswitch(fenced_t) ++logging_send_syslog_msg(fenced_t) + tunable_policy(`fenced_can_network_connect',` - 
corenet_tcp_connect_all_ports(fenced_t) + corenet_sendrecv_all_client_packets(fenced_t) +@@ -186,11 +198,26 @@ optional_policy(` ') optional_policy(` +- ccs_read_config(fenced_t) + tunable_policy(`fenced_can_ssh',` + + allow fenced_t self:capability { setuid setgid }; + + corenet_tcp_connect_ssh_port(fenced_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- gnome_read_generic_home_content(fenced_t) + ssh_exec(fenced_t) + ssh_read_user_home_files(fenced_t) + ') 
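Review bot: In the fenced part of this hunk the patch's own `+term_use_generic_ptys(fenced_t)` now directly follows the upstream context line `term_use_generic_ptys(fenced_t)`, so the patched rhcs.te carries the call twice; the compiler tolerates it, but the patch line is dead and should be dropped. The `fenced_can_ssh` branch this hunk moves grants `allow fenced_t self:capability { setuid setgid };` together with `ssh_exec(fenced_t)` and `ssh_read_user_home_files(fenced_t)`, and nothing beside those rules says what an administrator enables with the boolean; a comment such as `# fenced_can_ssh lets fenced change uid and read users' ssh keys` would put the trust being granted next to the rules. Replacing upstream's `allow fenced_t self:tcp_socket { accept listen };` with `create_stream_socket_perms`, and adding the `udp_socket create_socket_perms` rule, is likewise uncommented, so which fence agents need the wider socket set cannot be told from the patch. The common-policy block this hunk edits starts outside the hunk.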
@@ -55577,167 +61804,64 @@ index 93c896a..8aa7362 100644 +') + +optional_policy(` - ccs_read_config(fenced_t) -- ccs_stream_connect(fenced_t) -+') -+ -+optional_policy(` -+ gnome_read_generic_data_home_files(fenced_t) ++ ccs_read_config(fenced_t) ') optional_policy(` -@@ -114,13 +164,52 @@ optional_policy(` - lvm_read_config(fenced_t) +@@ -203,6 +230,13 @@ optional_policy(` + snmp_manage_var_lib_dirs(fenced_t) ') +optional_policy(` -+ snmp_manage_var_lib_files(fenced_t) -+ snmp_manage_var_lib_dirs(fenced_t) -+') -+ -+optional_policy(` + virt_domtrans(fenced_t) + virt_read_config(fenced_t) + virt_read_pid_files(fenced_t) + virt_stream_connect(fenced_t) +') + -+####################################### -+# -+# foghorn local policy -+# -+ -+allow foghorn_t self:process { signal }; -+allow foghorn_t self:tcp_socket create_stream_socket_perms; -+allow foghorn_t self:udp_socket create_socket_perms; -+ -+corenet_tcp_connect_agentx_port(foghorn_t) -+ -+dev_read_urand(foghorn_t) -+ -+files_read_etc_files(foghorn_t) -+files_read_usr_files(foghorn_t) -+ -+sysnet_dns_name_resolve(foghorn_t) -+ -+optional_policy(` -+ dbus_connect_system_bus(foghorn_t) -+') -+ -+optional_policy(` -+ snmp_read_snmp_var_lib_files(foghorn_t) -+ snmp_dontaudit_write_snmp_var_lib_files(foghorn_t) -+ snmp_stream_connect(foghorn_t) -+') -+ - ###################################### - # - # gfs_controld local policy + ####################################### # + # foghorn local policy +@@ -225,6 +259,8 @@ dev_read_urand(foghorn_t) - allow gfs_controld_t self:capability { net_admin sys_resource }; -- - allow gfs_controld_t self:shm create_shm_perms; - allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + files_read_usr_files(foghorn_t) + ++logging_send_syslog_msg(foghorn_t) ++ + optional_policy(` + dbus_connect_system_bus(foghorn_t) + ') +@@ -257,6 +293,8 @@ storage_getattr_removable_dev(gfs_controld_t) -@@ -139,10 +228,6 @@ storage_getattr_removable_dev(gfs_controld_t) 
init_rw_script_tmp_files(gfs_controld_t) ++logging_send_syslog_msg(gfs_controld_t) ++ optional_policy(` -- ccs_stream_connect(gfs_controld_t) --') -- --optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) - ') -@@ -154,12 +239,12 @@ optional_policy(` - - allow groupd_t self:capability { sys_nice sys_resource }; - allow groupd_t self:process setsched; -- - allow groupd_t self:shm create_shm_perms; +@@ -275,10 +313,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) -+domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) -+ dev_list_sysfs(groupd_t) -files_read_etc_files(groupd_t) - +- init_rw_script_tmp_files(groupd_t) -@@ -168,8 +253,7 @@ init_rw_script_tmp_files(groupd_t) - # qdiskd local policy ++logging_send_syslog_msg(groupd_t) ++ + ###################################### # + # qdiskd local policy +@@ -321,6 +359,8 @@ storage_raw_write_fixed_disk(qdiskd_t) --allow qdiskd_t self:capability ipc_lock; -- -+allow qdiskd_t self:capability { ipc_lock sys_boot }; - allow qdiskd_t self:tcp_socket create_stream_socket_perms; - allow qdiskd_t self:udp_socket create_socket_perms; - -@@ -182,7 +266,7 @@ kernel_read_system_state(qdiskd_t) - kernel_read_software_raid_state(qdiskd_t) - kernel_getattr_core_if(qdiskd_t) - --corecmd_getattr_bin_files(qdiskd_t) -+corecmd_exec_bin(qdiskd_t) - corecmd_exec_shell(qdiskd_t) - - dev_read_sysfs(qdiskd_t) -@@ -197,19 +281,16 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t) + auth_use_nsswitch(qdiskd_t) - files_dontaudit_getattr_all_sockets(qdiskd_t) - files_dontaudit_getattr_all_pipes(qdiskd_t) --files_read_etc_files(qdiskd_t) ++logging_send_syslog_msg(qdiskd_t) + -+files_read_usr_files(qdiskd_t) -+ -+fs_list_hugetlbfs(qdiskd_t) - - storage_raw_read_removable_device(qdiskd_t) - storage_raw_write_removable_device(qdiskd_t) - storage_raw_read_fixed_disk(qdiskd_t) - storage_raw_write_fixed_disk(qdiskd_t) - --auth_use_nsswitch(qdiskd_t) -- --optional_policy(` -- ccs_stream_connect(qdiskd_t) --') -- 
optional_policy(` netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +304,24 @@ optional_policy(` - # rhcs domains common policy - # - --allow cluster_domain self:capability { sys_nice }; -+allow cluster_domain self:capability sys_nice; - allow cluster_domain self:process setsched; -- - allow cluster_domain self:sem create_sem_perms; - allow cluster_domain self:fifo_file rw_fifo_file_perms; - allow cluster_domain self:unix_stream_socket create_stream_socket_perms; - allow cluster_domain self:unix_dgram_socket create_socket_perms; - --logging_send_syslog_msg(cluster_domain) -+manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) -+manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) - --miscfiles_read_localization(cluster_domain) -+optional_policy(` -+ ccs_stream_connect(cluster_domain) -+') - - optional_policy(` - corosync_stream_connect(cluster_domain) - ') -+ -+optional_policy(` -+ dbus_system_bus_client(cluster_domain) -+') diff --git a/rhev.fc b/rhev.fc new file mode 100644 index 0000000..4b66adf @@ -55963,38 +62087,122 @@ index 0000000..51b00c0 + ') +') diff --git a/rhgb.if b/rhgb.if -index 96efae7..793a29f 100644 +index 1a134a7..793a29f 100644 --- a/rhgb.if 
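Review bot: The new `++logging_send_syslog_msg(foghorn_t)`, `(gfs_controld_t)`, `(groupd_t)` and `(qdiskd_t)` rules in this hunk look redundant if those domains carry the `cluster_domain` attribute, because the inner hunk at the tail of this outer hunk that used to remove `logging_send_syslog_msg(cluster_domain)` from the common policy is itself being dropped from the patch. That dropped inner hunk also carried `manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)`, `manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)` and the `dbus_system_bus_client(cluster_domain)` block; the rebase should confirm those grants now exist in the new upstream base, otherwise they are silently lost rather than merged. I cannot verify attribute membership or the upstream base from this hunk, so treat this as a check to run, not a confirmed defect.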
+++ b/rhgb.if -@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` +@@ -1,4 +1,4 @@ +-## Red Hat Graphical Boot. ++## Red Hat Graphical Boot + + ######################################## + ## +@@ -18,7 +18,7 @@ interface(`rhgb_stub',` + + ######################################## + ## +-## Inherit and use rhgb file descriptors. ++## Use a rhgb file descriptor. + ## + ## + ## +@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',` + + ######################################## + ## +-## Send generic signals to rhgb. ++## Send a signal to rhgb. + ## + ## + ## +@@ -72,8 +72,7 @@ interface(`rhgb_signal',` + + ######################################## + ## +-## Read and write inherited rhgb unix +-## domain stream sockets. ++## Read and write to unix stream sockets. + ## + ## + ## +@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` + + ######################################## + ## +-## Connected to rhgb with a unix +-## domain stream socket. ++## Connected to rhgb unix stream socket. + ## + ## + ## +@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` + # + interface(`rhgb_stream_connect',` + gen_require(` +- type rhgb_t, rhgb_tmpfs_t; ++ type rhgb_t; + ') + +- fs_search_tmpfs($1) +- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t) ++ allow $1 rhgb_t:unix_stream_socket connectto; + ') + + ######################################## +@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',` + + ######################################## + ## +-## Read and write rhgb pty devices. ++## Read from and write to the rhgb devpts. + ## + ## + ## +@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',` + type rhgb_devpts_t; + ') + +- dev_list_all_dev_nodes($1) + allow $1 rhgb_devpts_t:chr_file rw_term_perms; + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write rhgb pty devices. ++## dontaudit Read from and write to the rhgb devpts. 
+ ## + ## + ## +@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',` + + ######################################## + ## +-## Read and write to rhgb tmpfs files. ++## Read and write to rhgb temporary file system. + ## + ## + ## +@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` type rhgb_tmpfs_t; ') -+ fs_search_tmpfs($1) +- + fs_search_tmpfs($1) allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/rhgb.te b/rhgb.te -index 0f262a7..08c49bc 100644 +index 3f32e4b..b729212 100644 --- a/rhgb.te +++ b/rhgb.te -@@ -30,7 +30,7 @@ allow rhgb_t self:tcp_socket create_socket_perms; - allow rhgb_t self:udp_socket create_socket_perms; - allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; - --allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; -+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty(rhgb_t, rhgb_devpts_t) - - manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) -@@ -46,7 +46,6 @@ kernel_read_system_state(rhgb_t) +@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t) corecmd_exec_bin(rhgb_t) corecmd_exec_shell(rhgb_t) -corenet_all_recvfrom_unlabeled(rhgb_t) corenet_all_recvfrom_netlabel(rhgb_t) corenet_tcp_sendrecv_generic_if(rhgb_t) - corenet_udp_sendrecv_generic_if(rhgb_t) -@@ -97,7 +96,6 @@ libs_read_lib_files(rhgb_t) + corenet_tcp_sendrecv_generic_node(rhgb_t) +@@ -89,7 +88,6 @@ libs_read_lib_files(rhgb_t) logging_send_syslog_msg(rhgb_t) @@ -56015,11 +62223,10 @@ index 0000000..1936028 +/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0) diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..d2a58c1 +index 0000000..88087b7 --- /dev/null +++ b/rhnsd.if -@@ -0,0 +1,75 @@ -+ +@@ -0,0 +1,74 @@ +## policy for rhnsd + +######################################## @@ -56142,15 +62349,108 @@ index 0000000..5b2757d + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 137605a..fd40b90 100644 +index 6dbc905..92aac94 100644 
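Review bot: The rewritten `rhgb_stream_connect` in this hunk replaces `fs_search_tmpfs($1)` and `stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)` with a bare `allow $1 rhgb_t:unix_stream_socket connectto;`, which no longer grants callers search on tmpfs or write on the socket file; if rhgb's socket is a filesystem socket labelled rhgb_tmpfs_t, callers will be denied at the sock_file write before `connectto` is ever checked. If the narrower form is deliberate (an abstract socket, or no tmpfs socket in this build), a one-line comment above the allow rule saying so would stop the next rebase from re-adding the pattern; otherwise keep the upstream `stream_connect_pattern` line. The same hunk's `rhgb_use_ptys` also drops `dev_list_all_dev_nodes($1)`, which only works if callers already reach the devpts nodes through other rules.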
--- a/rhsmcertd.if 
+++ b/rhsmcertd.if -@@ -194,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',` +@@ -1,8 +1,8 @@ +-## Subscription Management Certificate Daemon. ++## Subscription Management Certificate Daemon policy + + ######################################## + ## +-## Execute rhsmcertd in the rhsmcertd domain. ++## Transition to rhsmcertd. + ## + ## + ## +@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',` + + ######################################## + ## +-## Execute rhsmcertd init scripts +-## in the initrc domain. ++## Execute rhsmcertd server in the rhsmcertd domain. + ## + ## + ## +-## Domain allowed to transition. ++## Domain allowed access. + ## + ## + # +@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',` + + ######################################## + ## +-## Read rhsmcertd log files. ++## Read rhsmcertd's log files. + ## + ## + ## +@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',` + + ######################################## + ## +-## Append rhsmcertd log files. ++## Append to rhsmcertd log files. + ## + ## + ## +@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd log files. ++## Manage rhsmcertd log files + ## + ## + ## +@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',` + type rhsmcertd_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd lib files. ++## Manage rhsmcertd lib files. + ## + ## + ## +@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',` + + ######################################## + ## +-## Create, read, write, and delete +-## rhsmcertd lib directories. ++## Manage rhsmcertd lib directories. 
+ ## + ## + ## +@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',` + + ######################################## + ## +-## Read rhsmcertd pid files. ++## Read rhsmcertd PID files. + ## + ## + ## +@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',` #################################### ## --## Connect to rhsmcertd over a unix domain --## stream socket. +-## Connect to rhsmcertd with a +-## unix domain stream socket. +## Connect to rhsmcertd over a unix domain +## stream socket. ## @@ -56164,18 +62464,19 @@ index 137605a..fd40b90 100644 ## # interface(`rhsmcertd_stream_connect',` -@@ -235,23 +235,23 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## --## Dontaudit Send and receive messages from +-## Do not audit attempts to send +-## and receive messages from -## rhsmcertd over dbus. +## Dontaudit Send and receive messages from +## rhsmcertd over dbus. ## ## -## --## Domain allowed access. +-## Domain to not audit. -## +## +## Domain allowed access. 
@@ -56199,62 +62500,87 @@ index 137605a..fd40b90 100644 ') ######################################## -@@ -264,12 +264,6 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` - ## Domain allowed access. + ## +-## All of the rules required to +-## administrate an rhsmcertd environment. ++## All of the rules required to administrate ++## an rhsmcertd environment + ## + ## + ## +@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## --## + ## -## -## Role allowed access. -## --## --## ++## ++## Role allowed access. ++## + ## + ## # ++ interface(`rhsmcertd_admin',` gen_require(` -@@ -279,18 +273,7 @@ interface(`rhsmcertd_admin',` + type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; +- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t; ++ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t; + ') - allow $1 rhsmcertd_t:process signal_perms; +- allow $1 rhsmcertd_t:process { ptrace signal_perms }; ++ allow $1 rhsmcertd_t:process signal_perms; ps_process_pattern($1, rhsmcertd_t) -- + - rhsmcertd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 rhsmcertd_initrc_exec_t system_r; - allow $2 system_r; -- ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 rhsmcertd_t:process ptrace; ++ ') ++ ++ rhsmcertd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rhsmcertd_initrc_exec_t system_r; ++ allow $2 system_r; + - logging_search_logs($1) - admin_pattern($1, rhsmcertd_log_t) -- ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) + - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) -- ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) + - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rhsmcertd_t:process ptrace; -+ ') ++ files_search_pids($1) ++ admin_pattern($1, rhsmcertd_var_run_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, rhsmcertd_lock_t) + +- files_search_locks($1) +- 
admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 783f678..62c40bb 100644 +index 1cedd70..c254f12 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te -@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t) - # rhsmcertd local policy - # +@@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t) -+allow rhsmcertd_t self:capability sys_nice; -+allow rhsmcertd_t self:process { signal setsched }; + allow rhsmcertd_t self:capability sys_nice; + allow rhsmcertd_t self:process { signal setsched }; + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,17 +46,40 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - - manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) - manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -+files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) - -+kernel_read_network_state(rhsmcertd_t) +@@ -52,21 +53,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +corenet_tcp_connect_http_port(rhsmcertd_t) 
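Review bot: The new inner hunk for `rhsmcertd_admin` narrows the require to `++ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;` (dropping rhsmcertd_lock_t) while the same new side still calls `++ admin_pattern($1, rhsmcertd_lock_t)`, so any module other than rhsmcertd.te that calls this interface will fail to build with the type out of scope. Keep the type in the require: `type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;`. As far as the collapsed layout lets me read it, the tail of the interface also ends up with `admin_pattern($1, rhsmcertd_lock_t)` twice (the added line and the retained context line); the duplicate is harmless to the compiler but should be collapsed to one.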
@@ -56264,58 +62590,47 @@ index 783f678..62c40bb 100644 corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) -+dev_read_rand(rhsmcertd_t) + dev_read_sysfs(rhsmcertd_t) + dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t) -+dev_read_sysfs(rhsmcertd_t) +dev_read_raw_memory(rhsmcertd_t) + files_list_tmp(rhsmcertd_t) files_read_etc_files(rhsmcertd_t) files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) ++ ++logging_send_syslog_msg(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) -+logging_send_syslog_msg(rhsmcertd_t) -+ +miscfiles_read_certs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) -+ -+ -+optional_policy(` + + optional_policy(` + dmidecode_domtrans(rhsmcertd_t) +') + +optional_policy(` + gnome_dontaudit_search_config(rhsmcertd_t) +') -diff --git a/ricci.fc b/ricci.fc -index 5b08327..4d5819e 100644 ---- a/ricci.fc -+++ b/ricci.fc -@@ -1,3 +1,6 @@ -+ -+/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) + - /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) - /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) - /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) -@@ -9,7 +12,7 @@ - - /var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) - --/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) -+/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) - - /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) - /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) ++optional_policy(` + rpm_read_db(rhsmcertd_t) + ') diff --git a/ricci.if b/ricci.if -index f7826f9..23d579c 100644 +index 2ab3ed1..23d579c 100644 --- a/ricci.if 
+++ b/ricci.if -@@ -5,9 +5,9 @@ +@@ -1,13 +1,13 @@ +-## Ricci cluster management agent. ++## Ricci cluster management agent + + ######################################## + ## ## Execute a domain transition to run ricci. ## ## @@ -56327,15 +62642,22 @@ index f7826f9..23d579c 100644 ## # interface(`ricci_domtrans',` -@@ -18,14 +18,32 @@ interface(`ricci_domtrans',` +@@ -15,19 +15,35 @@ interface(`ricci_domtrans',` + type ricci_t, ricci_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, ricci_exec_t, ricci_t) ') +-######################################## +####################################### -+## + ## +-## Execute a domain transition to +-## run ricci modcluster. +## Execute ricci server in the ricci domain. -+## -+## + ## + ## +## +## Domain allowed access. +## 
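Review bot: `dev_read_raw_memory(rhsmcertd_t)` is carried unchanged through this hunk with no comment explaining why a subscription-certificate daemon needs read access to raw memory devices; together with `files_manage_generic_locks(rhsmcertd_t)` it is the broadest grant in the block. The adjacent `dmidecode_domtrans(rhsmcertd_t)` suggests hardware-facts collection is the reason, in which case the raw-memory read may be a leftover from before the transition to the dmidecode domain was granted; I cannot confirm that ordering from the hunk. Either drop the rule if the transition covers the need, or annotate it with a line such as `# raw memory read: <reason> -- confirm still required now that dmidecode_domtrans is granted` so the next rebase has something to check against.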
@@ -56349,49 +62671,68 @@ index f7826f9..23d579c 100644 + init_labeled_script_domtrans($1, ricci_initrc_exec_t) +') + - ######################################## ++######################################## ## - ## Execute a domain transition to run ricci_modcluster. +-## Domain allowed to transition. ++## Execute a domain transition to run ricci_modcluster. ## - ## --## ++## +## - ## Domain allowed to transition. --## ++## Domain allowed to transition. +## ## # interface(`ricci_domtrans_modcluster',` -@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` - type ricci_modcluster_t; +@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',` + type ricci_modcluster_t, ricci_modcluster_exec_t; ') -- dontaudit $1 ricci_modcluster_t:fifo_file { read write }; -+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) ') ######################################## ## --## Connect to ricci_modclusterd over an unix stream socket. -+## Connect to ricci_modclusterd over a unix stream socket. + ## Do not audit attempts to use +-## ricci modcluster file descriptors. ++## ricci_modcluster file descriptors. ## ## ## -@@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',` +@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',` + ######################################## + ## + ## Do not audit attempts to read write +-## ricci modcluster unamed pipes. ++## ricci_modcluster unamed pipes. 
+ ## + ## + ## +@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` + type ricci_modcluster_t; ') - files_search_pids($1) -- allow $1 ricci_modcluster_var_run_t:sock_file write; -- allow $1 ricci_modclusterd_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) +- dontaudit $1 ricci_modcluster_t:fifo_file { read write }; ++ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## --## Execute a domain transition to run ricci_modlog. -+## Read and write to ricci_modcluserd temporary file system. +-## Connect to ricci_modclusterd with +-## a unix domain stream socket. ++## Connect to ricci_modclusterd over a unix stream socket. ## ## + ## +@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',` + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modlog. ++## Read and write to ricci_modcluserd temporary file system. ++## ++## +## +## Domain allowed access. +## 
@@ -56407,58 +62748,67 @@ index f7826f9..23d579c 100644 +') + +######################################## - ## --## Domain allowed to transition. ++## +## Execute a domain transition to run ricci_modlog. ## -+## -+## -+## Domain allowed to transition. -+## - ## - # - interface(`ricci_domtrans_modlog',` -@@ -117,9 +153,9 @@ interface(`ricci_domtrans_modlog',` - ## Execute a domain transition to run ricci_modrpm. + ## + ## +@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',` + type ricci_modlog_t, ricci_modlog_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modrpm. ++## Execute a domain transition to run ricci_modrpm. ## ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`ricci_domtrans_modrpm',` -@@ -135,9 +171,9 @@ interface(`ricci_domtrans_modrpm',` - ## Execute a domain transition to run ricci_modservice. + ## +@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',` + type ricci_modrpm_t, ricci_modrpm_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modservice. ++## Execute a domain transition to run ricci_modservice. ## ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`ricci_domtrans_modservice',` -@@ -153,9 +189,9 @@ interface(`ricci_domtrans_modservice',` - ## Execute a domain transition to run ricci_modstorage. + ## +@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',` + type ricci_modservice_t, ricci_modservice_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) + ') + + ######################################## + ## +-## Execute a domain transition to +-## run ricci modstorage. 
++## Execute a domain transition to run ricci_modstorage. ## ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`ricci_domtrans_modstorage',` -@@ -165,3 +201,70 @@ interface(`ricci_domtrans_modstorage',` + ## +@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',` + type ricci_modstorage_t, ricci_modstorage_exec_t; + ') +- corecmd_search_bin($1) domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') -+ + +#################################### +## +## Allow the specified domain to manage ricci's lib files. 
@@ -56479,96 +62829,36 @@ index f7826f9..23d579c 100644 + manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) +') + -+######################################## -+## + ######################################## + ## +-## All of the rules required to +-## administrate an ricci environment. +## All of the rules required to administrate +## an ricci environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`ricci_admin',` -+ gen_require(` -+ type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; -+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; -+ ') -+ + ## + ## + ## +@@ -200,10 +245,13 @@ interface(`ricci_admin',` + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + +- allow $1 ricci_t:process { ptrace signal_perms }; + allow $1 ricci_t:process signal_perms; -+ ps_process_pattern($1, ricci_t) + ps_process_pattern($1, ricci_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ricci_t:process ptrace; + ') -+ + +- init_labeled_script_domtrans($1, ricci_initrc_exec_t) + ricci_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 ricci_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, ricci_tmp_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, ricci_var_lib_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, ricci_var_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, ricci_var_run_t) -+') + domain_system_change_exemption($1) + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 33e72e8..6b0ec3e 100644 +index 9702ed2..6d40389 100644 --- a/ricci.te 
+++ b/ricci.te -@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) - - type ricci_t; - type ricci_exec_t; --domain_type(ricci_t) - init_daemon_domain(ricci_t, ricci_exec_t) - -+type ricci_initrc_exec_t; -+init_script_file(ricci_initrc_exec_t) -+ - type ricci_tmp_t; - files_tmp_file(ricci_tmp_t) - -@@ -39,9 +41,11 @@ files_pid_file(ricci_modcluster_var_run_t) - - type ricci_modclusterd_t; - type ricci_modclusterd_exec_t; --domain_type(ricci_modclusterd_t) - init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) - -+type ricci_modclusterd_tmpfs_t; -+files_tmpfs_file(ricci_modclusterd_tmpfs_t) -+ - type ricci_modlog_t; - type ricci_modlog_exec_t; - domain_type(ricci_modlog_t) -@@ -95,7 +99,7 @@ manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) - manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) - files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) - --allow ricci_t ricci_var_log_t:dir setattr; -+allow ricci_t ricci_var_log_t:dir setattr_dir_perms; - manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) - manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) - logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) -@@ -105,10 +109,10 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) - files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) - - kernel_read_kernel_sysctls(ricci_t) -+kernel_read_system_state(ricci_t) +@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) corecmd_exec_bin(ricci_t) @@ -56576,7 +62866,7 @@ index 33e72e8..6b0ec3e 100644 corenet_all_recvfrom_netlabel(ricci_t) corenet_tcp_sendrecv_generic_if(ricci_t) corenet_tcp_sendrecv_generic_node(ricci_t) -@@ -123,7 +127,6 @@ dev_read_urand(ricci_t) +@@ -136,7 +135,6 @@ dev_read_urand(ricci_t) domain_read_all_domains_state(ricci_t) 
@@ -56584,7 +62874,7 @@ index 33e72e8..6b0ec3e 100644 files_read_etc_runtime_files(ricci_t) files_create_boot_flag(ricci_t) -@@ -136,8 +139,6 @@ locallogin_dontaudit_use_fds(ricci_t) +@@ -149,8 +147,6 @@ locallogin_dontaudit_use_fds(ricci_t) logging_send_syslog_msg(ricci_t) @@ -56593,47 +62883,12 @@ index 33e72e8..6b0ec3e 100644 sysnet_dns_name_resolve(ricci_t) optional_policy(` -@@ -170,6 +171,10 @@ optional_policy(` - ') - - optional_policy(` -+ shutdown_domtrans(ricci_t) -+') -+ -+optional_policy(` - unconfined_use_fds(ricci_t) - ') - -@@ -193,29 +198,25 @@ corecmd_exec_shell(ricci_modcluster_t) - corecmd_exec_bin(ricci_modcluster_t) - - corenet_tcp_bind_cluster_port(ricci_modclusterd_t) --corenet_tcp_bind_reserved_port(ricci_modclusterd_t) -+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t) -+corenet_tcp_connect_cluster_port(ricci_modclusterd_t) - - domain_read_all_domains_state(ricci_modcluster_t) - - files_search_locks(ricci_modcluster_t) - files_read_etc_runtime_files(ricci_modcluster_t) --files_read_etc_files(ricci_modcluster_t) - files_search_usr(ricci_modcluster_t) - -+auth_use_nsswitch(ricci_modcluster_t) -+ - init_exec(ricci_modcluster_t) - init_domtrans_script(ricci_modcluster_t) +@@ -235,9 +231,9 @@ init_domtrans_script(ricci_modcluster_t) logging_send_syslog_msg(ricci_modcluster_t) -miscfiles_read_localization(ricci_modcluster_t) - --modutils_domtrans_insmod(ricci_modcluster_t) -- --mount_domtrans(ricci_modcluster_t) -- --consoletype_exec(ricci_modcluster_t) -- -ricci_stream_connect_modclusterd(ricci_modcluster_t) +optional_policy(` + ricci_stream_connect_modclusterd(ricci_modcluster_t) 
@@ -56641,61 +62896,7 @@ index 33e72e8..6b0ec3e 100644 optional_policy(` aisexec_stream_connect(ricci_modcluster_t) -@@ -233,7 +234,15 @@ optional_policy(` - ') - - optional_policy(` -- nscd_socket_use(ricci_modcluster_t) -+ modutils_domtrans_insmod(ricci_modcluster_t) -+') -+ -+optional_policy(` -+ mount_domtrans(ricci_modcluster_t) -+') -+ -+optional_policy(` -+ consoletype_exec(ricci_modcluster_t) - ') - - optional_policy(` -@@ -241,8 +250,7 @@ optional_policy(` - ') - - optional_policy(` -- # XXX This has got to go. -- unconfined_domain(ricci_modcluster_t) -+ rgmanager_stream_connect(ricci_modclusterd_t) - ') - - ######################################## -@@ -261,6 +269,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; - allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; - allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; - -+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) -+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) -+ - allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; - manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) - manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +284,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock - - kernel_read_kernel_sysctls(ricci_modclusterd_t) - kernel_read_system_state(ricci_modclusterd_t) -+kernel_request_load_module(ricci_modclusterd_t) - - corecmd_exec_bin(ricci_modclusterd_t) - -@@ -283,7 +296,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) - - domain_read_all_domains_state(ricci_modclusterd_t) - --files_read_etc_files(ricci_modclusterd_t) - files_read_etc_runtime_files(ricci_modclusterd_t) - - 
fs_getattr_xattr_fs(ricci_modclusterd_t) -@@ -296,8 +308,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) +@@ -336,8 +332,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) logging_send_syslog_msg(ricci_modclusterd_t) @@ -56704,7 +62905,7 @@ index 33e72e8..6b0ec3e 100644 sysnet_domtrans_ifconfig(ricci_modclusterd_t) optional_policy(` -@@ -334,12 +344,10 @@ corecmd_exec_bin(ricci_modlog_t) +@@ -374,12 +368,10 @@ corecmd_exec_bin(ricci_modlog_t) domain_read_all_domains_state(ricci_modlog_t) @@ -56717,7 +62918,7 @@ index 33e72e8..6b0ec3e 100644 optional_policy(` nscd_dontaudit_search_pid(ricci_modlog_t) -@@ -361,9 +369,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) +@@ -401,9 +393,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) corecmd_exec_bin(ricci_modrpm_t) files_search_usr(ricci_modrpm_t) @@ -56728,18 +62929,15 @@ index 33e72e8..6b0ec3e 100644 optional_policy(` oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -@@ -388,23 +395,24 @@ kernel_read_system_state(ricci_modservice_t) +@@ -428,14 +419,13 @@ kernel_read_system_state(ricci_modservice_t) corecmd_exec_bin(ricci_modservice_t) corecmd_exec_shell(ricci_modservice_t) -files_read_etc_files(ricci_modservice_t) files_read_etc_runtime_files(ricci_modservice_t) files_search_usr(ricci_modservice_t) - # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) --consoletype_exec(ricci_modservice_t) -- init_domtrans_script(ricci_modservice_t) -miscfiles_read_localization(ricci_modservice_t) 
@@ -56747,25 +62945,15 @@ index 33e72e8..6b0ec3e 100644 optional_policy(` ccs_read_config(ricci_modservice_t) - ') - - optional_policy(` -+ consoletype_exec(ricci_modservice_t) -+') -+ -+optional_policy(` - nscd_dontaudit_search_pid(ricci_modservice_t) - ') - -@@ -418,7 +426,6 @@ optional_policy(` - # +@@ -460,7 +450,6 @@ optional_policy(` + allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:process { setsched signal }; -dontaudit ricci_modstorage_t self:process ptrace; - allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; - allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; -@@ -444,22 +451,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) + + kernel_read_kernel_sysctls(ricci_modstorage_t) +@@ -483,13 +472,19 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) 
@@ -56779,86 +62967,33 @@ index 33e72e8..6b0ec3e 100644 term_dontaudit_use_console(ricci_modstorage_t) --fstools_domtrans(ricci_modstorage_t) +-logging_send_syslog_msg(ricci_modstorage_t) +auth_use_nsswitch(ricci_modstorage_t) - logging_send_syslog_msg(ricci_modstorage_t) - -miscfiles_read_localization(ricci_modstorage_t) -- --modutils_read_module_deps(ricci_modstorage_t) -- --consoletype_exec(ricci_modstorage_t) -- --mount_domtrans(ricci_modstorage_t) -- - optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) - corosync_stream_connect(ricci_modstorage_t) -@@ -471,12 +476,24 @@ optional_policy(` - ') - - optional_policy(` -+ consoletype_exec(ricci_modstorage_t) -+') -+ -+optional_policy(` -+ fstools_domtrans(ricci_modstorage_t) -+') -+ -+optional_policy(` - lvm_domtrans(ricci_modstorage_t) - lvm_manage_config(ricci_modstorage_t) - ') - - optional_policy(` -- nscd_socket_use(ricci_modstorage_t) -+ modutils_read_module_deps(ricci_modstorage_t) -+') -+ -+optional_policy(` -+ mount_domtrans(ricci_modstorage_t) - ') ++logging_send_syslog_msg(ricci_modstorage_t) optional_policy(` + aisexec_stream_connect(ricci_modstorage_t) diff --git a/rlogin.fc b/rlogin.fc -index 2fae3f0..d7f6b82 100644 +index f111877..e361ee9 100644 --- a/rlogin.fc 
+++ b/rlogin.fc -@@ -1,7 +1,10 @@ - HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +@@ -1,5 +1,7 @@ +-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) ++HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) --/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) -+/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) - - /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/rlogin.if b/rlogin.if -index 63e78c6..fdd8228 100644 +index 050479d..0e1b364 100644 --- a/rlogin.if +++ b/rlogin.if -@@ -21,21 +21,15 @@ interface(`rlogin_domtrans',` - - ######################################## - ## --## read rlogin homedir content (.config) -+## read rlogin homedir content (.rlogin) - ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## --## -+## - ## --## The type of the user domain. -+## Domain allowed access. +@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',` ## ## # @@ -56868,36 +63003,29 @@ index 63e78c6..fdd8228 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index 16304ec..3293b25 100644 +index d34cdec..991c738 100644 --- a/rlogin.te 
+++ b/rlogin.te -@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) - # Local policy - # - --allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; -+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) + allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; - allow rlogind_t self:tcp_socket connected_stream_socket_perms; - # for identd; cjp: this should probably only be inetd_child rules? - allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow rlogind_t self:capability { setuid setgid }; +-allow rlogind_t self:tcp_socket { accept listen }; ++allow rlogind_t self:tcp_socket connected_stream_socket_perms; ++# for identd; cjp: this should probably only be inetd_child rules? ++allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; -+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) - - # for /usr/lib/telnetlogin -@@ -43,7 +42,6 @@ can_exec(rlogind_t, rlogind_exec_t) +@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) --files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) +-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -52,7 +50,6 @@ kernel_read_kernel_sysctls(rlogind_t) +@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) 
kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) @@ -56905,7 +63033,7 @@ index 16304ec..3293b25 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -69,10 +66,11 @@ fs_getattr_xattr_fs(rlogind_t) +@@ -67,8 +67,10 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -56914,11 +63042,9 @@ index 16304ec..3293b25 100644 auth_use_nsswitch(rlogind_t) +auth_login_pgm_domain(rlogind_t) --files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) - files_search_home(rlogind_t) files_search_default(rlogind_t) -@@ -81,34 +79,29 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +79,28 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -56926,26 +63052,23 @@ index 16304ec..3293b25 100644 - seutil_read_config(rlogind_t) + userdom_search_user_home_dirs(rlogind_t) userdom_setattr_user_ptys(rlogind_t) - # cjp: this is egregious - userdom_read_user_home_content_files(rlogind_t) -- --remotelogin_domtrans(rlogind_t) --remotelogin_signal(rlogind_t) ++# cjp: this is egregious ++userdom_read_user_home_content_files(rlogind_t) +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) -+userdom_use_user_terminals(rlogind_t) + userdom_use_user_terminals(rlogind_t) +userdom_home_reader(rlogind_t) - rlogin_read_home_content(rlogind_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(rlogind_t) - fs_read_nfs_files(rlogind_t) - fs_read_nfs_symlinks(rlogind_t) -') -- ++rlogin_read_home_content(rlogind_t) + -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) 
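Review bot: `allow rlogind_t self:tcp_socket connected_stream_socket_perms;` in the rlogin.te part of this hunk replaces the upstream `{ accept listen }` with a much wider permission set (in refpolicy that macro expands to create_socket_perms plus listen and accept), and nothing says which denial motivated it. If only one or two extra permissions are needed, listing them keeps rlogind_t close to the upstream grant; otherwise a one-line comment such as `# rlogind needs <permission> on its listening socket` would let the next rebase keep or drop the line deliberately. The re-added `netlink_tcpdiag_socket` line carries along the upstream question `# for identd; cjp: this should probably only be inetd_child rules?`, which the patch could answer rather than repeat. The new `/root/\.rhosts` and `/root/\.rlogin` entries in rlogin.fc reuse rlogind_home_t and look consistent with the HOME_DIR entries.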
@@ -56953,12 +63076,11 @@ index 16304ec..3293b25 100644 +optional_policy(` + kerberos_keytab_template(rlogind, rlogind_t) + kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") -+ #part of auth_use_pam -+ #kerberos_manage_host_rcache(rlogind_t) ') optional_policy(` - kerberos_keytab_template(rlogind, rlogind_t) +- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") - kerberos_manage_host_rcache(rlogind_t) + remotelogin_domtrans(rlogind_t) + remotelogin_signal(rlogind_t) @@ -56966,27 +63088,23 @@ index 16304ec..3293b25 100644 optional_policy(` diff --git a/rngd.fc b/rngd.fc -new file mode 100644 -index 0000000..f6be09d ---- /dev/null +index 5dd779e..276eb3a 100644 +--- a/rngd.fc +++ b/rngd.fc -@@ -0,0 +1,6 @@ -+ -+/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) -+ +@@ -1,3 +1,5 @@ + /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + +/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0) + -+/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) + /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/rngd.if b/rngd.if -new file mode 100644 -index 0000000..8b505d5 ---- /dev/null +index 0e759a2..8b505d5 100644 +--- a/rngd.if +++ b/rngd.if -@@ -0,0 +1,62 @@ -+## Check and feed random data from hardware device to kernel random device. -+ -+######################################## -+## +@@ -2,6 +2,28 @@ + + ######################################## + ## +## Execute rngd in the rngd domain. +## +## 
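Review bot: The `++userdom_read_user_home_content_files(rlogind_t)` lines in this hunk re-add a rule the rebased base policy no longer contains, and re-add it together with the upstream comment `# cjp: this is egregious` that objects to it. The same hunk already grants rlogind_t `rlogin_read_home_content` for rlogind_home_t, which this commit's rlogin.fc change applies to ~/.rhosts and ~/.rlogin, plus `userdom_home_reader`; if those cover the login path, the blanket read of every user's home content can be dropped, and if something else still needs it the comment should say what instead of calling it egregious. `userdom_manage_user_tmp_files(rlogind_t)` and `userdom_tmp_filetrans_user_tmp(rlogind_t, file)` are also added without a comment; a short why-line above them would help the next rebase.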
@@ -57009,87 +63127,62 @@ index 0000000..8b505d5 + +######################################## +## -+## All of the rules required to -+## administrate an rng environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# + ## All of the rules required to + ## administrate an rng environment. + ## +@@ -17,16 +39,24 @@ + ## + ## + # +-interface(`rngd_admin',` +interface(`rng_admin',` -+ gen_require(` + gen_require(` +- type rngd_t, rngd_initrc_exec_t; + type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t; -+ ') -+ + ') + +- allow $1 rngd_t:process { ptrace signal_perms }; + allow $1 rngd_t:process signal_perms; -+ ps_process_pattern($1, rngd_t) -+ + ps_process_pattern($1, rngd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 rngd_t:process ptrace; + ') + -+ init_labeled_script_domtrans($1, rngd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 rngd_initrc_exec_t system_r; -+ allow $2 system_r; + init_labeled_script_domtrans($1, rngd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rngd_initrc_exec_t system_r; + allow $2 system_r; + + rng_systemctl($1) + admin_pattern($1, rngd_unit_file_t) + allow $1 rngd_unit_file_t:service all_service_perms; -+') + ') diff --git a/rngd.te b/rngd.te -new file mode 100644 -index 0000000..50b6196 ---- /dev/null +index 35c1427..2519caa 100644 +--- a/rngd.te 
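Review bot: The kept call `kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")` in the rlogin.te part of this hunk passes two arguments, while the upstream line the patch now removes, `kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")`, passes three with an object class in the middle. Unless kerberos.if is patched elsewhere in this series to a two-argument form, the rebased interface will receive "host_0" in the class position and the filetrans will not compile or will not match; worth confirming against the kerberos.if hunk. If the interface does take a class, the fix is `kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")`.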
+++ b/rngd.te -@@ -0,0 +1,37 @@ -+policy_module(rngd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type rngd_t; -+type rngd_exec_t; -+init_daemon_domain(rngd_t, rngd_exec_t) -+ -+type rngd_initrc_exec_t; -+init_script_file(rngd_initrc_exec_t) -+ +@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) + type rngd_initrc_exec_t; + init_script_file(rngd_initrc_exec_t) + +type rngd_unit_file_t; +systemd_unit_file(rngd_unit_file_t) + -+######################################## -+# -+# Local policy -+# -+ -+allow rngd_t self:capability sys_admin; -+allow rngd_t self:process { signal }; -+allow rngd_t self:fifo_file rw_fifo_file_perms; -+allow rngd_t self:unix_stream_socket create_stream_socket_perms; -+ -+kernel_rw_kernel_sysctl(rngd_t) -+ -+dev_read_rand(rngd_t) -+dev_read_urand(rngd_t) -+dev_rw_tpm(rngd_t) -+dev_write_rand(rngd_t) -+ -+files_read_etc_files(rngd_t) -+ -+logging_send_syslog_msg(rngd_t) + ######################################## + # + # Local policy +@@ -29,8 +32,5 @@ dev_read_urand(rngd_t) + dev_rw_tpm(rngd_t) + dev_write_rand(rngd_t) + +-files_read_etc_files(rngd_t) +- + logging_send_syslog_msg(rngd_t) + +-miscfiles_read_localization(rngd_t) diff --git a/roundup.if b/roundup.if -index 30c4b75..e07c2ff 100644 +index 975bb6a..ce4f5ea 100644 --- a/roundup.if +++ b/roundup.if @@ -23,8 +23,11 @@ interface(`roundup_admin',` @@ -57106,94 +63199,220 @@ index 30c4b75..e07c2ff 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te -index 57f839f..090dd29 100644 +index 353960c..3b74aae 100644 --- a/roundup.te 
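Review bot: Renaming `interface(`rngd_admin',` to `interface(`rng_admin',` in rngd.if breaks any role or admin module that calls `rngd_admin`, and the new name drops the `rngd_` module prefix that the types in the same gen_require keep. Unless a caller elsewhere in the tree already uses `rng_admin`, keeping the `rngd_admin` name (or leaving it as a thin alias) avoids a build failure this diff cannot show. The new `tunable_policy(`deny_ptrace',` guard around `allow $1 rngd_t:process ptrace;` is the right direction, since the unconditional `{ ptrace signal_perms }` is gone. `rng_systemctl($1)` is called here but not defined in this hunk; presumably it is among the interfaces added just above, which is worth confirming.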
+++ b/roundup.te -@@ -45,7 +45,6 @@ dev_read_sysfs(roundup_t) - # execute python +@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) + corecmd_exec_bin(roundup_t) -corenet_all_recvfrom_unlabeled(roundup_t) corenet_all_recvfrom_netlabel(roundup_t) corenet_tcp_sendrecv_generic_if(roundup_t) - corenet_udp_sendrecv_generic_if(roundup_t) -@@ -75,8 +74,6 @@ fs_search_auto_mountpoints(roundup_t) + corenet_tcp_sendrecv_generic_node(roundup_t) +@@ -60,16 +59,11 @@ dev_read_urand(roundup_t) + + domain_use_interactive_fds(roundup_t) + +-files_read_etc_files(roundup_t) +-files_read_usr_files(roundup_t) +- + fs_getattr_all_fs(roundup_t) + fs_search_auto_mountpoints(roundup_t) logging_send_syslog_msg(roundup_t) -miscfiles_read_localization(roundup_t) - - sysnet_read_config(roundup_t) + sysnet_dns_name_resolve(roundup_t) userdom_dontaudit_use_unpriv_user_fds(roundup_t) diff --git a/rpc.fc b/rpc.fc -index 5c70c0c..b0c22f7 100644 +index a6fb30c..b0c22f7 100644 --- a/rpc.fc 
+++ b/rpc.fc -@@ -6,6 +6,9 @@ - /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +@@ -1,12 +1,23 @@ +-/etc/exports -- gen_context(system_u:object_r:exports_t,s0) ++# ++# /etc ++# ++/etc/exports -- gen_context(system_u:object_r:exports_t,s0) ++/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) -+ - # - # /sbin - # -@@ -15,12 +18,14 @@ - # - # /usr - # -+/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) + +-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++# ++# /sbin ++# ++/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + ++# ++# /usr ++# + /usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) +@@ -16,7 +27,11 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) 
-+/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - # - # /var -@@ -29,3 +34,4 @@ +-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) ++# ++# /var ++# ++/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) - /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) +-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + diff --git a/rpc.if b/rpc.if -index dddabcf..a61764b 100644 +index 3bd6446..a61764b 100644 --- a/rpc.if +++ b/rpc.if -@@ -32,7 +32,11 @@ interface(`rpc_stub',` +@@ -1,4 +1,4 @@ +-## Remote Procedure Call Daemon. ++## Remote Procedure Call Daemon for managment of network based process communication + + ######################################## + ## +@@ -20,15 +20,21 @@ interface(`rpc_stub',` + ## + ## The template to define a rpc domain. + ## +-## ++## ++##

    ++## This template creates a domain to be used for ++## a new rpc daemon. ++##

    ++##
    ++## + ## +-## Domain prefix to be used. ++## The type of daemon to be used. ## ## # --template(`rpc_domain_template', ` -+template(`rpc_domain_template',` -+ gen_require(` + template(`rpc_domain_template',` + gen_require(` +- attribute rpc_domain; + type var_lib_nfs_t; -+ ') -+ + ') + ######################################## - # +@@ -36,18 +42,86 @@ template(`rpc_domain_template',` # Declarations -@@ -69,7 +73,6 @@ template(`rpc_domain_template', ` - dev_read_urand($1_t) - dev_read_rand($1_t) + # -- corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) -@@ -105,7 +108,6 @@ template(`rpc_domain_template', ` +- type $1_t, rpc_domain; ++ type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) +- + domain_use_interactive_fds($1_t) - logging_send_syslog_msg($1_t) +- ######################################## ++ #################################### + # +- # Policy ++ # Local Policy + # -- miscfiles_read_localization($1_t) ++ dontaudit $1_t self:capability { net_admin sys_tty_config }; ++ allow $1_t self:capability net_bind_service; ++ allow $1_t self:process signal_perms; ++ allow $1_t self:unix_dgram_socket create_socket_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:udp_socket create_socket_perms; ++ ++ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) ++ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) ++ ++ kernel_list_proc($1_t) ++ kernel_read_proc_symlinks($1_t) ++ kernel_read_kernel_sysctls($1_t) ++ # bind to arbitary unused ports ++ kernel_rw_rpc_sysctls($1_t) ++ ++ dev_read_sysfs($1_t) ++ dev_read_urand($1_t) ++ dev_read_rand($1_t) ++ ++ corenet_all_recvfrom_netlabel($1_t) ++ corenet_tcp_sendrecv_generic_if($1_t) ++ corenet_udp_sendrecv_generic_if($1_t) ++ corenet_tcp_sendrecv_generic_node($1_t) ++ 
corenet_udp_sendrecv_generic_node($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ corenet_udp_sendrecv_all_ports($1_t) ++ corenet_tcp_bind_generic_node($1_t) ++ corenet_udp_bind_generic_node($1_t) ++ corenet_tcp_bind_reserved_port($1_t) ++ corenet_tcp_connect_all_ports($1_t) ++ corenet_sendrecv_portmap_client_packets($1_t) ++ # do not log when it tries to bind to a port belonging to another domain ++ corenet_dontaudit_tcp_bind_all_ports($1_t) ++ corenet_dontaudit_udp_bind_all_ports($1_t) ++ # bind to arbitary unused ports ++ corenet_tcp_bind_generic_port($1_t) ++ corenet_udp_bind_generic_port($1_t) ++ corenet_tcp_bind_all_rpc_ports($1_t) ++ corenet_udp_bind_all_rpc_ports($1_t) ++ corenet_sendrecv_generic_server_packets($1_t) ++ ++ fs_rw_rpc_named_pipes($1_t) ++ fs_search_auto_mountpoints($1_t) ++ ++ files_read_etc_files($1_t) ++ files_read_etc_runtime_files($1_t) ++ files_search_var($1_t) ++ files_search_var_lib($1_t) ++ files_list_home($1_t) ++ + auth_use_nsswitch($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ ++ ++ userdom_dontaudit_use_unpriv_user_fds($1_t) ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_t) ++ ') ++ ++ optional_policy(` ++ seutil_sigchld_newrole($1_t) ++ ') ++ ++ optional_policy(` ++ udev_read_db($1_t) ++ ') + ') - userdom_dontaudit_use_unpriv_user_fds($1_t) + ######################################## +@@ -66,8 +140,8 @@ interface(`rpc_udp_send',` -@@ -152,7 +154,7 @@ interface(`rpc_dontaudit_getattr_exports',` + ######################################## + ## +-## Do not audit attempts to get +-## attributes of export files. ++## Do not audit attempts to get the attributes ++## of the NFS export file. + ## + ## + ## +@@ -80,12 +154,12 @@ interface(`rpc_dontaudit_getattr_exports',` type exports_t; ') 
@@ -57202,7 +63421,22 @@ index dddabcf..a61764b 100644 ') ######################################## -@@ -188,7 +190,7 @@ interface(`rpc_write_exports',` + ## +-## Read export files. ++## Allow read access to exports. + ## + ## + ## +@@ -103,7 +177,7 @@ interface(`rpc_read_exports',` + + ######################################## + ## +-## Write export files. ++## Allow write access to exports. + ## + ## + ## +@@ -116,12 +190,12 @@ interface(`rpc_write_exports',` type exports_t; ') @@ -57211,10 +63445,33 @@ index dddabcf..a61764b 100644 ') ######################################## -@@ -229,6 +231,29 @@ interface(`rpc_initrc_domtrans_nfsd',` + ## +-## Execute nfsd in the nfsd domain. ++## Execute domain in nfsd domain. + ## + ## + ## +@@ -134,14 +208,12 @@ interface(`rpc_domtrans_nfsd',` + type nfsd_t, nfsd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, nfsd_exec_t, nfsd_t) + ') + + ####################################### + ## +-## Execute nfsd init scripts in +-## the initrc domain. ++## Execute domain in nfsd domain. + ## + ## + ## +@@ -159,7 +231,30 @@ interface(`rpc_initrc_domtrans_nfsd',` ######################################## ## +-## Execute rpcd in the rpcd domain. +## Execute nfsd server in the nfsd domain. +## +## @@ -57238,13 +63495,19 @@ index dddabcf..a61764b 100644 + +######################################## +## - ## Execute domain in rpcd domain. ++## Execute domain in rpcd domain. ## ## -@@ -246,6 +271,32 @@ interface(`rpc_domtrans_rpcd',` - allow rpcd_t $1:process signal; - ') + ## +@@ -172,14 +267,39 @@ interface(`rpc_domtrans_rpcd',` + type rpcd_t, rpcd_exec_t; + ') +- corecmd_search_bin($1) + domtrans_pattern($1, rpcd_exec_t, rpcd_t) ++ allow rpcd_t $1:process signal; ++') ++ +######################################## +## +## Execute rpcd in the rcpd domain, and 
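Review bot: `rpc_domain_template` in rpc.if now carries `files_read_etc_files($1_t)`, while the same commit removes `files_read_etc_files` from rngd.te, roundup.te and the ricci domains in the earlier hunks, which suggests the rebased base policy grants etc reads through a base attribute; if so this line is redundant here, and if not, those other removals silently lose access, so one of the two should change. The comment `# bind to arbitary unused ports` appears twice in the template, once above `kernel_rw_rpc_sysctls($1_t)` and again above `corenet_tcp_bind_generic_port($1_t)`; the first placement does not describe a sysctl rule, so I would keep only the second and spell it `# bind to arbitrary unused ports`. The template also has a stray blank line before `userdom_dontaudit_use_unpriv_user_fds($1_t)`.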
@@ -57269,15 +63532,21 @@ index dddabcf..a61764b 100644 + + rpc_domtrans_rpcd($1) + role $2 types rpcd_t; -+') -+ + ') + ####################################### ## - ## Execute domain in rpcd domain. -@@ -266,6 +317,29 @@ interface(`rpc_initrc_domtrans_rpcd',` +-## Execute rpcd init scripts in +-## the initrc domain. ++## Execute domain in rpcd domain. + ## + ## + ## +@@ -197,7 +317,30 @@ interface(`rpc_initrc_domtrans_rpcd',` ######################################## ## +-## Read nfs exported content. +## Execute rpcd server in the rpcd domain. +## +## 
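Review bot: The summary above `interface(`rpc_initrc_domtrans_nfsd',` now reads `## Execute domain in nfsd domain.`, replacing the accurate `Execute nfsd init scripts in the initrc domain.`; the interface still transitions to the init script domain, so the old wording should be restored. The same regression occurs for `rpc_initrc_domtrans_rpcd` in the next hunk. The header of the new `rpc_run_rpcd` interface also has a typo: `## Execute rpcd in the rcpd domain, and` should say `rpcd`.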
@@ -57301,136 +63570,228 @@ index dddabcf..a61764b 100644 + +######################################## +## - ## Read NFS exported content. ++## Read NFS exported content. ## ## -@@ -282,7 +356,7 @@ interface(`rpc_read_nfs_content',` - - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; -- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; -+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; - ') - - ######################################## -@@ -329,7 +403,7 @@ interface(`rpc_manage_nfs_ro_content',` + ## +@@ -218,8 +361,7 @@ interface(`rpc_read_nfs_content',` ######################################## ## --## Allow domain to read and write to an NFS TCP socket. -+## Allow domain to read and write to an NFS UDP socket. +-## Create, read, write, and delete +-## nfs exported read write content. ++## Allow domain to create read and write NFS directories. ## ## ## -@@ -337,17 +411,17 @@ interface(`rpc_manage_nfs_ro_content',` - ## - ## - # --interface(`rpc_tcp_rw_nfs_sockets',` -+interface(`rpc_udp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - -- allow $1 nfsd_t:tcp_socket rw_socket_perms; -+ allow $1 nfsd_t:udp_socket rw_socket_perms; - ') +@@ -240,8 +382,7 @@ interface(`rpc_manage_nfs_rw_content',` ######################################## ## --## Allow domain to read and write to an NFS UDP socket. -+## Send UDP traffic to NFSd. (Deprecated) +-## Create, read, write, and delete +-## nfs exported read only content. ++## Allow domain to create read and write NFS directories. ## ## ## -@@ -355,17 +429,13 @@ interface(`rpc_tcp_rw_nfs_sockets',` - ## - ## - # --interface(`rpc_udp_rw_nfs_sockets',` +@@ -262,25 +403,7 @@ interface(`rpc_manage_nfs_ro_content',` + + ######################################## + ## +-## Read and write to nfsd tcp sockets. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`rpc_tcp_rw_nfs_sockets',` - gen_require(` - type nfsd_t; - ') - -- allow $1 nfsd_t:udp_socket rw_socket_perms; -+interface(`rpc_udp_send_nfs',` -+ refpolicywarn(`$0($*) has been deprecated.') - ') +- allow $1 nfsd_t:tcp_socket rw_socket_perms; +-') +- +-######################################## +-## +-## Read and write to nfsd udp sockets. ++## Allow domain to read and write to an NFS UDP socket. + ## + ## + ## +@@ -312,7 +435,7 @@ interface(`rpc_udp_send_nfs',` ######################################## ## --## Send UDP traffic to NFSd. (Deprecated) +-## Search nfs lib directories. +## Search NFS state data in /var/lib/nfs. ## ## ## -@@ -373,13 +443,18 @@ interface(`rpc_udp_rw_nfs_sockets',` - ## - ## - # --interface(`rpc_udp_send_nfs',` -- refpolicywarn(`$0($*) has been deprecated.') -+interface(`rpc_search_nfs_state_data',` -+ gen_require(` -+ type var_lib_nfs_t; -+ ') -+ -+ files_search_var_lib($1) +@@ -326,12 +449,12 @@ interface(`rpc_search_nfs_state_data',` + ') + + files_search_var_lib($1) +- allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; ') ######################################## ## --## Search NFS state data in /var/lib/nfs. +-## Read nfs lib files. +## List NFS state data in /var/lib/nfs. ## ## ## -@@ -387,13 +462,13 @@ interface(`rpc_udp_send_nfs',` +@@ -339,19 +462,18 @@ interface(`rpc_search_nfs_state_data',` ## ## # --interface(`rpc_search_nfs_state_data',` +-interface(`rpc_read_nfs_state_data',` +interface(`rpc_list_nfs_state_data',` gen_require(` type var_lib_nfs_t; ') files_search_var_lib($1) -- allow $1 var_lib_nfs_t:dir search; +- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:dir list_dir_perms; ') ######################################## -@@ -432,4 +507,5 @@ interface(`rpc_manage_nfs_state_data',` + ## +-## Create, read, write, and delete +-## nfs lib files. ++## Read NFS state data in /var/lib/nfs. 
+ ## + ## + ## +@@ -359,62 +481,31 @@ interface(`rpc_read_nfs_state_data',` + ## + ## + # +-interface(`rpc_manage_nfs_state_data',` ++interface(`rpc_read_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ++ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an rpc environment. ++## Manage NFS state data in /var/lib/nfs. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`rpc_admin',` ++interface(`rpc_manage_nfs_state_data',` + gen_require(` +- attribute rpc_domain; +- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; +- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; +- type nfsd_ro_t, nfsd_rw_t; ++ type var_lib_nfs_t; + ') + +- allow $1 rpc_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, rpc_domain) +- +- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r; +- allow $2 system_r; +- +- files_list_etc($1) +- admin_pattern($1, exports_t) +- +- files_list_var_lib($1) +- admin_pattern($1, var_lib_nfs_t) +- +- files_list_pids($1) +- admin_pattern($1, rpcd_var_run_t) +- +- files_list_all($1) +- admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) +- +- files_list_tmp($1) +- admin_pattern($1, gssd_tmp_t) +- +- fs_search_nfsd_fs($1) ++ files_search_var_lib($1) ++ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index 330d01f..fd96b3c 100644 +index e5212e6..fd96b3c 100644 --- a/rpc.te +++ b/rpc.te -@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) - ## Allow gssd to read temp directory. For access to kerberos tgt. - ##

    +@@ -1,4 +1,4 @@ +-policy_module(rpc, 1.14.6) ++policy_module(rpc, 1.14.0) + + ######################################## + # +@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6) + # + + ## +-##

    +-## Determine whether gssd can read +-## generic user temporary content. +-##

    ++##

    ++## Allow gssd to read temp directory. For access to kerberos tgt. ++##

    ##
    --gen_tunable(allow_gssd_read_tmp, true) +-gen_tunable(allow_gssd_read_tmp, false) +gen_tunable(gssd_read_tmp, true) ## - ##

    -@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true) - ## labeled public_content_rw_t. - ##

    +-##

    +-## Determine whether nfs can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow nfs servers to modify public files ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ++##

    ##
    -gen_tunable(allow_nfsd_anon_write, false) +- +-attribute rpc_domain; +gen_tunable(nfsd_anon_write, false) type exports_t; files_config_file(exports_t) -@@ -39,11 +39,17 @@ rpc_domain_template(rpcd) +@@ -36,16 +32,24 @@ files_tmp_file(gssd_tmp_t) + type rpcd_var_run_t; + files_pid_file(rpcd_var_run_t) + ++# rpcd_t is the domain of rpc daemons. ++# rpc_exec_t is the type of rpc daemon programs. + rpc_domain_template(rpcd) + type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) 
@@ -57448,27 +63809,103 @@ index 330d01f..fd96b3c 100644 type nfsd_rw_t; files_type(nfsd_rw_t) -@@ -58,13 +64,16 @@ files_mountpoint(var_lib_nfs_t) - # RPC local policy +@@ -57,89 +61,26 @@ files_mountpoint(var_lib_nfs_t) + + ######################################## + # +-# Common rpc domain local policy +-# +- +-dontaudit rpc_domain self:capability { net_admin sys_tty_config }; +-allow rpc_domain self:process signal_perms; +-allow rpc_domain self:unix_stream_socket { accept listen }; +-allow rpc_domain self:tcp_socket { accept listen }; +- +-manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) +-manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) +- +-kernel_read_system_state(rpc_domain) +-kernel_read_kernel_sysctls(rpc_domain) +-kernel_rw_rpc_sysctls(rpc_domain) +- +-dev_read_sysfs(rpc_domain) +-dev_read_urand(rpc_domain) +-dev_read_rand(rpc_domain) +- +-corenet_all_recvfrom_unlabeled(rpc_domain) +-corenet_all_recvfrom_netlabel(rpc_domain) +-corenet_tcp_sendrecv_generic_if(rpc_domain) +-corenet_udp_sendrecv_generic_if(rpc_domain) +-corenet_tcp_sendrecv_generic_node(rpc_domain) +-corenet_udp_sendrecv_generic_node(rpc_domain) +-corenet_tcp_sendrecv_all_ports(rpc_domain) +-corenet_udp_sendrecv_all_ports(rpc_domain) +-corenet_tcp_bind_generic_node(rpc_domain) +-corenet_udp_bind_generic_node(rpc_domain) +- +-corenet_sendrecv_all_server_packets(rpc_domain) +-corenet_tcp_bind_reserved_port(rpc_domain) +-corenet_tcp_connect_all_ports(rpc_domain) +-corenet_sendrecv_portmap_client_packets(rpc_domain) +-corenet_dontaudit_tcp_bind_all_ports(rpc_domain) +-corenet_dontaudit_udp_bind_all_ports(rpc_domain) +-corenet_tcp_bind_generic_port(rpc_domain) +-corenet_udp_bind_generic_port(rpc_domain) +-corenet_tcp_bind_all_rpc_ports(rpc_domain) +-corenet_udp_bind_all_rpc_ports(rpc_domain) +- +-fs_rw_rpc_named_pipes(rpc_domain) +-fs_search_auto_mountpoints(rpc_domain) +- +-files_read_etc_runtime_files(rpc_domain) +-files_read_usr_files(rpc_domain) 
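Review bot: `interface(`rpc_admin',` is removed from rpc.if in this hunk (its declaration and body now carry `-`) and nothing in the hunk replaces it, so any role or admin module calling `rpc_admin` would stop building. The removal follows from dropping the `rpc_domain` attribute, but the same coverage could be kept by an `rpc_admin` written over the concrete domains (rpcd_t and nfsd_t are visible here); if the drop is deliberate, the commit message should say so. Separately, the retitled `rpc_manage_nfs_rw_content` and `rpc_manage_nfs_ro_content` summaries now both read `## Allow domain to create read and write NFS directories.`, which no longer distinguishes the rw and ro types the way the replaced summaries did.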
+-files_list_home(rpc_domain) +- +-logging_send_syslog_msg(rpc_domain) +- +-miscfiles_read_localization(rpc_domain) +- +-userdom_dontaudit_use_unpriv_user_fds(rpc_domain) +- +-optional_policy(` +- rpcbind_stream_connect(rpc_domain) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(rpc_domain) +-') +- +-optional_policy(` +- udev_read_db(rpc_domain) +-') +- +-######################################## +-# +-# Local policy ++# RPC local policy # --allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; -+allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; -+allow rpcd_t self:capability2 block_suspend; + allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; + allow rpcd_t self:capability2 block_suspend; + allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; --allow rpcd_t rpcd_var_run_t:dir setattr; +allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; -+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) + manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) --files_pid_filetrans(rpcd_t, rpcd_var_run_t, file) -+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) + files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) - # rpc.statd executes sm-notify ++# rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) -@@ -81,21 +90,26 @@ corecmd_exec_bin(rpcd_t) + ++kernel_read_system_state(rpcd_t) + kernel_read_network_state(rpcd_t) ++# for rpc.rquotad + kernel_read_sysctl(rpcd_t) + kernel_rw_fs_sysctls(rpcd_t) + kernel_dontaudit_getattr_core_if(rpcd_t) +@@ -149,6 +90,7 @@ corecmd_exec_bin(rpcd_t) files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) 
@@ -57476,11 +63913,7 @@ index 330d01f..fd96b3c 100644 fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) - fs_read_rpc_symlinks(rpcd_t) - fs_rw_rpc_sockets(rpcd_t) - fs_get_all_fs_quotas(rpcd_t) -+fs_set_xattr_fs_quotas(rpcd_t) - fs_getattr_all_fs(rpcd_t) +@@ -160,13 +102,14 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) @@ -57491,37 +63924,42 @@ index 330d01f..fd96b3c 100644 miscfiles_read_generic_certs(rpcd_t) -seutil_dontaudit_search_config(rpcd_t) +- +-userdom_signal_all_users(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) optional_policy(` automount_signal(rpcd_t) -@@ -103,15 +117,32 @@ optional_policy(` +@@ -174,19 +117,23 @@ optional_policy(` ') optional_policy(` +- nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- quota_manage_db_files(rpcd_t) + quota_manage_db(rpcd_t) -+') -+ -+optional_policy(` - nis_read_ypserv_config(rpcd_t) ') -+optional_policy(` + optional_policy(` +- rgmanager_manage_tmp_files(rpcd_t) ++ nis_read_ypserv_config(rpcd_t) + ') + + optional_policy(` +- unconfined_signal(rpcd_t) + quota_read_db(rpcd_t) +') + +optional_policy(` + rgmanager_manage_tmp_files(rpcd_t) -+') -+ + ') + ######################################## - # - # NFSD local policy +@@ -195,41 +142,55 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; 
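Review bot: The new side grants `userdom_read_user_home_content_files(rpcd_t)` and `domain_unconfined_signal(rpcd_t)` with no comment saying which of the daemons running as rpcd_t (rpc.statd or rpc.rquotad, per the comments in the preceding hunk) needs them; read access to all user home content is a broad grant for a network-facing daemon, so a why-comment such as `# <daemon>: <reason or denial observed>` above each line is worth adding. Narrowing `userdom_signal_all_users(rpcd_t)` to `userdom_signal_unpriv_users(rpcd_t)` is the right direction. The remaining changes only reshuffle the `optional_policy` blocks (`nis_read_ypserv_config`, `quota_manage_db`, `quota_read_db`, `rgmanager_manage_tmp_files`), which looks semantically neutral but makes the hunk larger than the actual change. The `# NFSD local policy` block that starts at the end of this hunk continues outside it.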
@@ -57529,52 +63967,62 @@ index 330d01f..fd96b3c 100644 allow nfsd_t exports_t:file read_file_perms; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; -@@ -120,9 +151,16 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - kernel_read_system_state(nfsd_t) + ++# for /proc/fs/nfs/exports - should we have a new type? ++kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) -+kernel_setsched(nfsd_t) -+kernel_request_load_module(nfsd_t) + kernel_setsched(nfsd_t) + kernel_request_load_module(nfsd_t) +-# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) + +corecmd_exec_shell(nfsd_t) - corenet_tcp_bind_all_rpc_ports(nfsd_t) - corenet_udp_bind_all_rpc_ports(nfsd_t) -+corenet_tcp_bind_nfs_port(nfsd_t) -+corenet_udp_bind_nfs_port(nfsd_t) +-corenet_sendrecv_nfs_server_packets(nfsd_t) ++corenet_tcp_bind_all_rpc_ports(nfsd_t) ++corenet_udp_bind_all_rpc_ports(nfsd_t) + corenet_tcp_bind_nfs_port(nfsd_t) + corenet_udp_bind_nfs_port(nfsd_t) +-corecmd_exec_shell(nfsd_t) +- dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) -@@ -135,12 +173,12 @@ files_getattr_tmp_dirs(nfsd_t) - # cjp: this should really have its own type + dev_rw_lvm_control(nfsd_t) + ++# does not really need this, but it is easier to just allow it ++files_search_pids(nfsd_t) ++# for exportfs and rpc.mountd + files_getattr_tmp_dirs(nfsd_t) ++# cjp: this should really have its own type files_manage_mounttab(nfsd_t) - files_read_etc_runtime_files(nfsd_t) ++files_read_etc_runtime_files(nfsd_t) +files_read_usr_files(nfsd_t) fs_mount_nfsd_fs(nfsd_t) --fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_getattr_all_dirs(nfsd_t) -fs_rw_nfsd_fs(nfsd_t) +-# fs_manage_nfsd_fs(nfsd_t) +fs_manage_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) -@@ -148,8 +186,11 @@ storage_raw_read_removable_device(nfsd_t) - # Read access to public_content_t and 
public_content_rw_t + ++# Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) +-tunable_policy(`allow_nfsd_anon_write',` +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) +userdom_list_user_tmp(nfsd_t) + - # Write access to public_content_t and public_content_rw_t --tunable_policy(`allow_nfsd_anon_write',` ++# Write access to public_content_t and public_content_rw_t +tunable_policy(`nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) ') -@@ -158,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
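Review bot: `files_search_pids(nfsd_t)` is added under the comment `# does not really need this, but it is easier to just allow it`, which records a least-privilege violation in the policy itself; if the access is only audit noise the refpolicy idiom is `files_dontaudit_search_pids(nfsd_t)`, and if it is really needed the comment should say by which program. `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` and `userdom_list_user_tmp(nfsd_t)` likewise arrive without a why-comment, and un-commenting `kernel_mounton_proc(nfsd_t)` and `fs_manage_nfsd_fs(nfsd_t)` deserves one line each since upstream deliberately left them disabled. Renaming the tunable from `allow_nfsd_anon_write` to `nfsd_anon_write` changes the boolean administrators set; its `gen_tunable` declaration is outside this hunk, so confirm the old name is still honoured or the rename is documented so existing local settings are not silently dropped.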
@@ -57582,44 +64030,50 @@ index 330d01f..fd96b3c 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +210,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) - files_list_non_auth_dirs(nfsd_t) - files_read_non_auth_files(nfsd_t) + files_read_non_security_files(nfsd_t) -+') -+ -+optional_policy(` -+ mount_exec(nfsd_t) + ') + + optional_policy(` + mount_exec(nfsd_t) + mount_manage_pid_files(nfsd_t) ') ######################################## -@@ -181,7 +225,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) + manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) + files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; - allow gssd_t self:process { getsched setsched }; --allow gssd_t self:fifo_file rw_file_perms; -+allow gssd_t self:fifo_file rw_fifo_file_perms; ++kernel_read_system_state(gssd_t) + kernel_read_network_state(gssd_t) + kernel_read_network_state_symlinks(gssd_t) + kernel_request_load_module(gssd_t) +@@ -279,25 +240,29 @@ kernel_signal(gssd_t) - manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) - manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +243,7 @@ corecmd_exec_bin(gssd_t) + corecmd_exec_bin(gssd_t) + +-fs_list_inotifyfs(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) +-fs_read_nfs_files(gssd_t) +fs_read_nfsd_files(gssd_t) - fs_list_inotifyfs(gssd_t) ++fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +255,14 @@ auth_manage_cache(gssd_t) ++files_read_usr_symlinks(gssd_t) + files_dontaudit_write_var_dirs(gssd_t) + ++auth_use_nsswitch(gssd_t) + auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) --mount_signal(gssd_t) -- userdom_signal_all_users(gssd_t) -tunable_policy(`allow_gssd_read_tmp',` 
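Review bot: `userdom_signal_all_users(gssd_t)` stays on the new side of this hunk while the same commit narrows the equivalent rpcd_t rule to `userdom_signal_unpriv_users` two hunks earlier; unless gssd must signal privileged user domains as well, `userdom_signal_unpriv_users(gssd_t)` keeps the two daemons consistent. `auth_use_nsswitch(gssd_t)`, `kernel_read_system_state(gssd_t)` and `files_read_usr_symlinks(gssd_t)` are added without a comment on which lookup or path triggered them, which is what the next rebase will need. Replacing `fs_read_nfs_files(gssd_t)` with `fs_read_nfsd_files(gssd_t)` changes which filesystem type is readable rather than just the name, so that swap in particular should be called out in the commit message. The `tunable_policy` and `optional_policy` blocks at both ends of this hunk start or end outside it.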
@@ -57632,71 +64086,102 @@ index 330d01f..fd96b3c 100644 ') optional_policy(` -@@ -226,6 +271,11 @@ optional_policy(` +@@ -306,8 +271,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) +- kerberos_manage_host_rcache(gssd_t) +- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") -+') -+ -+optional_policy(` -+ mount_signal(gssd_t) ') optional_policy(` -diff --git a/rpcbind.fc b/rpcbind.fc -index f5c47d6..164ce1f 100644 ---- a/rpcbind.fc -+++ b/rpcbind.fc -@@ -2,8 +2,10 @@ - - /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) +@@ -315,7 +279,7 @@ optional_policy(` + ') -+/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) -+ -+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) + optional_policy(` +- pcscd_read_pid_files(gssd_t) ++ pcscd_read_pub_files(gssd_t) + ') - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) --/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) --/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+/var/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0) + optional_policy(` diff --git a/rpcbind.if b/rpcbind.if -index a96249c..ff1163f 100644 +index 3b5e9ee..ff1163f 100644 --- a/rpcbind.if 
+++ b/rpcbind.if -@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` +@@ -1,4 +1,4 @@ +-## Universal Addresses to RPC Program Number Mapper. ++## Universal Addresses to RPC Program Number Mapper + + ######################################## + ## +@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',` + type rpcbind_t, rpcbind_exec_t; ') - files_search_pids($1) -- allow $1 rpcbind_var_run_t:sock_file write; -- allow $1 rpcbind_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) +- corecmd_search_bin($1) + domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) + ') + + ######################################## + ## +-## Connect to rpcbindd with a +-## unix domain stream socket. ++## Connect to rpcbindd over an unix stream socket. + ## + ## + ## +@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',` + + ######################################## + ## +-## Read rpcbind pid files. ++## Read rpcbind PID files. + ## + ## + ## +@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + allow $1 rpcbind_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## +@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) ++ files_search_var_lib($1) ') ######################################## -@@ -117,6 +116,60 @@ interface(`rpcbind_manage_lib_files',` +@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',` + type rpcbind_var_lib_t; + ') + +- files_search_var_lib($1) + manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) ++ files_search_var_lib($1) + ') ######################################## ## +-## Send null signals to rpcbind. +## Send a null signal to rpcbind. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`rpcbind_signull',` -+ gen_require(` -+ type rpcbind_t; -+ ') -+ -+ allow $1 rpcbind_t:process signull; -+') -+ -+######################################## -+## + ## + ## + ## +@@ -136,8 +134,44 @@ interface(`rpcbind_signull',` + + ######################################## + ## +-## All of the rules required to +-## administrate an rpcbind environment. +## Transition to rpcbind named content +## +## @@ -57733,10 +64218,21 @@ index a96249c..ff1163f 100644 + +######################################## +## - ## All of the rules required to administrate - ## an rpcbind environment ++## All of the rules required to administrate ++## an rpcbind environment ## -@@ -138,11 +191,20 @@ interface(`rpcbind_admin',` + ## + ## +@@ -146,7 +180,7 @@ interface(`rpcbind_signull',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the rpcbind domain. + ## + ## + ## +@@ -157,17 +191,20 @@ interface(`rpcbind_admin',` type rpcbind_initrc_exec_t; ') @@ -57752,18 +64248,22 @@ index a96249c..ff1163f 100644 domain_system_change_exemption($1) role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; -+ + +- files_search_pids($1) +- admin_pattern($1, rpcbind_var_run_t) +- +- files_search_var_lib($1) + files_list_var_lib($1) -+ admin_pattern($1, rpcbind_var_lib_t) + admin_pattern($1, rpcbind_var_lib_t) + + files_list_pids($1) + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index a63e9ee..e4a0c9b 100644 +index c49828c..1f39c7c 100644 --- a/rpcbind.te +++ b/rpcbind.te -@@ -43,7 +43,8 @@ kernel_read_system_state(rpcbind_t) +@@ -42,7 +42,8 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) 
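Review bot: `kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")` now calls the interface with two arguments where the line it replaces passed `(gssd_t, file, "nfs_0")`, and `kerberos_manage_host_rcache(gssd_t)` is dropped; this only builds if the kerberos.if carried by this patch set defines the two-argument form, which is outside this hunk, and the same check applies to `pcscd_read_pub_files(gssd_t)` replacing `pcscd_read_pid_files`. In rpcbind.if the patch removes upstream's `corecmd_search_bin($1)` from `rpcbind_domtrans`, which is a functional change (callers lose the bin-directory search that refpolicy domtrans interfaces normally grant) and is not mentioned anywhere; keep the line unless there is a reason to drop it. Moving `files_search_var_lib($1)` below the `allow`/pattern lines in `rpcbind_search_lib`, `rpcbind_read_lib_files` and `rpcbind_manage_lib_files` is order-neutral for the compiled policy but inverts upstream's layout and so adds rebase churn for no gain.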
@@ -57773,7 +64273,7 @@ index a63e9ee..e4a0c9b 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -62,8 +63,16 @@ domain_use_interactive_fds(rpcbind_t) +@@ -65,9 +66,9 @@ domain_use_interactive_fds(rpcbind_t) files_read_etc_files(rpcbind_t) files_read_etc_runtime_files(rpcbind_t) @@ -57784,67 +64284,136 @@ index a63e9ee..e4a0c9b 100644 +logging_send_syslog_msg(rpcbind_t) sysnet_dns_name_resolve(rpcbind_t) -+ -+ifdef(`hide_broken_symptoms',` -+ dontaudit rpcbind_t self:udp_socket listen; -+') -+ -+optional_policy(` -+ nis_use_ypbind(rpcbind_t) -+') + diff --git a/rpm.fc b/rpm.fc -index b2a0b6a..ee55335 100644 +index ebe91fc..ee55335 100644 --- a/rpm.fc 
+++ b/rpm.fc -@@ -2,10 +2,12 @@ - /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +@@ -1,61 +1,64 @@ +-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) +- +-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) +-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) - - /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -20,12 +22,18 @@ - /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - ifdef(`distro_redhat', ` +-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/rhn_check -- 
gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +- +-ifdef(`distro_redhat',` +-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-') ++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/yum(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) ++ifdef(`distro_redhat', ` +/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) - ') ++') ++ ++/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -@@ -36,9 +44,10 @@ ifdef(`distro_redhat', ` - /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) ++/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/PackageKit(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) - /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) +-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + +-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) + - /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) - /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) ++# SuSE ++ifdef(`distro_suse', ` ++/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) ++') + ifdef(`enable_mls',` +-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) + ') diff --git a/rpm.if b/rpm.if -index 951d8f6..bedc8ae 100644 +index 0628d50..bedc8ae 100644 --- a/rpm.if 
+++ b/rpm.if -@@ -13,10 +13,13 @@ +@@ -1,8 +1,8 @@ +-## Redhat package manager. ++## Policy for the RPM package manager. + + ######################################## + ## +-## Execute rpm in the rpm domain. ++## Execute rpm programs in the rpm domain. + ## + ## + ## +@@ -13,16 +13,18 @@ interface(`rpm_domtrans',` gen_require(` type rpm_t, rpm_exec_t; @@ -57858,7 +64427,53 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -78,11 +81,19 @@ interface(`rpm_domtrans_script',` + ## +-## Execute debuginfo install +-## in the rpm domain. ++## Execute debuginfo_install programs in the rpm domain. + ## + ## + ## +@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',` + + ######################################## + ## +-## Execute rpm scripts in the rpm script domain. ++## Execute rpm_script programs in the rpm_script domain. + ## + ## + ## +@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',` + type rpm_script_t; + ') + ++ # transition to rpm script: + corecmd_shell_domtrans($1, rpm_script_t) +- + allow rpm_script_t $1:fd use; +- allow rpm_script_t $1:fifo_file rw_fifo_file_perms; ++ allow rpm_script_t $1:fifo_file rw_file_perms; + allow rpm_script_t $1:process sigchld; + ') + + ######################################## + ## +-## Execute rpm in the rpm domain, +-## and allow the specified roles the +-## rpm domain. ++## Execute RPM programs in the RPM domain. + ## + ## + ## +@@ -74,23 +74,31 @@ interface(`rpm_domtrans_script',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the RPM domain. + ## + ## + ## # interface(`rpm_run',` gen_require(` 
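Review bot: The rpm.fc part of this hunk has the patch remove and re-add essentially every upstream line even though most only move (`/usr/bin/rpm`, `/usr/bin/yum`, `/var/lib/rpm(/.*)?`, `/var/run/PackageKit(/.*)?` and others are unchanged apart from position); keeping upstream's order and adding only the Fedora entries (`/usr/bin/dnf`, `/usr/sbin/rhnreg_ks`, `/usr/bin/package-cleanup`, the `distro_suse` block) would shrink both this hunk and every future rebase. Two substantive changes deserve a sentence in the commit: the `rpm_lock_t` context for `/var/lock/bcfg2\.run` is dropped, which is only consistent if the type is removed from rpm.te as well, and the `enable_mls` entry moves from `/usr/sbin/cpio` to `/sbin/cpio`, so check that this matches where cpio is actually installed and the file-context equivalence rules in use.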
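Review bot: In `rpm_domtrans_script` the patch now rewrites upstream's `allow rpm_script_t $1:fifo_file rw_fifo_file_perms;` to `allow rpm_script_t $1:fifo_file rw_file_perms;`, pairing a file permission set with the fifo_file class; the same rule added by this commit in `rpm_transition_script` uses `rw_fifo_file_perms`, so the two should agree and upstream's form is the one to keep. The added `# transition to rpm script:` comment only restates the `corecmd_shell_domtrans($1, rpm_script_t)` call beneath it and can be dropped together with the removed blank line. The remaining changes in this hunk are doc wording (`Policy for the RPM package manager.`, `Execute rpm programs in the rpm domain.`) and are fine.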
@@ -57880,7 +64495,49 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -178,6 +189,42 @@ interface(`rpm_rw_pipes',` + ## +-## Execute the rpm in the caller domain. ++## Execute the rpm client in the caller domain. + ## + ## + ## +@@ -109,7 +117,7 @@ interface(`rpm_exec',` + + ######################################## + ## +-## Send null signals to rpm. ++## Send a null signal to rpm. + ## + ## + ## +@@ -127,7 +135,7 @@ interface(`rpm_signull',` + + ######################################## + ## +-## Inherit and use file descriptors from rpm. ++## Inherit and use file descriptors from RPM. + ## + ## + ## +@@ -145,7 +153,7 @@ interface(`rpm_use_fds',` + + ######################################## + ## +-## Read rpm unnamed pipes. ++## Read from an unnamed RPM pipe. + ## + ## + ## +@@ -163,7 +171,7 @@ interface(`rpm_read_pipes',` + + ######################################## + ## +-## Read and write rpm unnamed pipes. ++## Read and write an unnamed RPM pipe. + ## + ## + ## +@@ -181,6 +189,42 @@ interface(`rpm_rw_pipes',` ######################################## ## @@ -57923,7 +64580,35 @@ index 951d8f6..bedc8ae 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -274,8 +321,7 @@ interface(`rpm_append_log',` +@@ -224,7 +268,7 @@ interface(`rpm_dontaudit_dbus_chat',` + ######################################## + ## + ## Send and receive messages from +-## rpm script over dbus. ++## rpm_script over dbus. + ## + ## + ## +@@ -244,7 +288,7 @@ interface(`rpm_script_dbus_chat',` + + ######################################## + ## +-## Search rpm log directories. ++## Search RPM log directory. + ## + ## + ## +@@ -263,7 +307,8 @@ interface(`rpm_search_log',` + + ##################################### + ## +-## Append rpm log files. ++## Allow the specified domain to append ++## to rpm log files. + ## + ## + ## +@@ -276,14 +321,12 @@ interface(`rpm_append_log',` type rpm_log_t; ') 
@@ -57933,7 +64618,34 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -332,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',` + ## +-## Create, read, write, and delete +-## rpm log files. ++## Create, read, write, and delete the RPM log. + ## + ## + ## +@@ -302,7 +345,7 @@ interface(`rpm_manage_log',` + + ######################################## + ## +-## Inherit and use rpm script file descriptors. ++## Inherit and use file descriptors from RPM scripts. + ## + ## + ## +@@ -320,8 +363,8 @@ interface(`rpm_use_script_fds',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm script temporary files. ++## Create, read, write, and delete RPM ++## script temporary files. + ## + ## + ## +@@ -335,12 +378,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -57943,7 +64655,14 @@ index 951d8f6..bedc8ae 100644 ') ##################################### -@@ -351,8 +399,7 @@ interface(`rpm_append_tmp_files',` + ## +-## Append rpm temporary files. ++## Allow the specified domain to append ++## to rpm tmp files. + ## + ## + ## +@@ -353,14 +399,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -57953,7 +64672,15 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -372,7 +419,9 @@ interface(`rpm_manage_tmp_files',` + ## +-## Create, read, write, and delete +-## rpm temporary files. ++## Create, read, write, and delete RPM ++## temporary files. + ## + ## + ## +@@ -374,12 +419,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) 
@@ -57963,7 +64690,41 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -456,6 +505,7 @@ interface(`rpm_read_db',` + ## +-## Read rpm script temporary files. ++## Read RPM script temporary files. + ## + ## + ## +@@ -399,7 +446,7 @@ interface(`rpm_read_script_tmp_files',` + + ######################################## + ## +-## Read rpm cache content. ++## Read the RPM cache. + ## + ## + ## +@@ -420,8 +467,7 @@ interface(`rpm_read_cache',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm cache content. ++## Create, read, write, and delete the RPM package database. + ## + ## + ## +@@ -442,7 +488,7 @@ interface(`rpm_manage_cache',` + + ######################################## + ## +-## Read rpm lib content. ++## Read the RPM package database. + ## + ## + ## +@@ -459,11 +505,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -57971,7 +64732,32 @@ index 951d8f6..bedc8ae 100644 ') ######################################## -@@ -513,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',` + ## +-## Delete rpm lib files. ++## Delete the RPM package database. + ## + ## + ## +@@ -482,8 +529,7 @@ interface(`rpm_delete_db',` + + ######################################## + ## +-## Create, read, write, and delete +-## rpm lib files. ++## Create, read, write, and delete the RPM package database. + ## + ## + ## +@@ -504,7 +550,7 @@ interface(`rpm_manage_db',` + ######################################## + ## + ## Do not audit attempts to create, read, +-## write, and delete rpm lib content. ++## write, and delete the RPM package database. + ## + ## + ## +@@ -517,7 +563,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') 
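Review bot: The summary of the interface that follows `rpm_read_cache` (by the next inner hunk header this is `rpm_manage_cache`) is changed from `Create, read, write, and delete rpm cache content.` to `Create, read, write, and delete the RPM package database.`; the interface name and its previous text indicate it acts on cache content, while "the RPM package database" is the wording this same hunk gives to `rpm_read_db`. Unless rpm_manage_cache really operates on the database type, the old description was the accurate one and should be restored as `## Create, read, write, and delete RPM cache content.`. The other doc changes here (`Read RPM script temporary files.`, `Read the RPM cache.`, `Read the RPM package database.` on rpm_read_db) read correctly. The bodies of these interfaces are outside the hunk.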
@@ -57980,40 +64766,86 @@ index 951d8f6..bedc8ae 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -573,3 +623,66 @@ interface(`rpm_pid_filetrans',` +@@ -543,8 +589,7 @@ interface(`rpm_read_pid_files',` - files_pid_filetrans($1, rpm_var_run_t, file) - ') + ##################################### + ## +-## Create, read, write, and delete +-## rpm pid files. ++## Create, read, write, and delete rpm pid files. + ## + ## + ## +@@ -563,8 +608,7 @@ interface(`rpm_manage_pid_files',` + + ###################################### + ## +-## Create files in pid directories +-## with the rpm pid file type. ++## Create files in /var/run with the rpm pid file type. + ## + ## + ## +@@ -573,94 +617,72 @@ interface(`rpm_manage_pid_files',` + ## + # + interface(`rpm_pid_filetrans',` +- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.') +- rpm_pid_filetrans_rpm_pid($1, file) ++ gen_require(` ++ type rpm_var_run_t; ++ ') + -+######################################## -+## ++ files_pid_filetrans($1, rpm_var_run_t, file) + ') + + ######################################## + ## +-## Create specified objects in pid directories +-## with the rpm pid file type. +## Send a null signal to rpm. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`rpm_pid_filetrans_rpm_pid',` +interface(`rpm_inherited_fifo',` -+ gen_require(` + gen_require(` +- type rpm_var_run_t; + attribute rpm_transition_domain; -+ ') -+ + ') + +- files_pid_filetrans($1, rpm_var_run_t, $3, $4) + allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+') -+ + ') + + -+######################################## -+## + ######################################## + ## +-## All of the rules required to +-## administrate an rpm environment. +## Make rpm_exec_t an entry point for +## the specified domain. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`rpm_entry_type',` + gen_require(` 
@@ -58028,34 +64860,73 @@ index 951d8f6..bedc8ae 100644 +## Allow application to transition to rpm_script domain. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`rpm_admin',` +interface(`rpm_transition_script',` -+ gen_require(` + gen_require(` +- type rpm_t, rpm_script_t, rpm_initrc_exec_t; +- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; +- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; +- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; + type rpm_script_t; + attribute rpm_transition_domain; -+ ') -+ + ') + +- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { rpm_t rpm_script_t }) +- +- init_labeled_script_domtrans($1, rpm_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 rpm_initrc_exec_t system_r; +- allow $2 system_r; +- +- admin_pattern($1, rpm_file_t) +- +- files_list_var($1) +- admin_pattern($1, rpm_cache_t) +- +- files_list_tmp($1) +- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) +- +- files_list_var_lib($1) +- admin_pattern($1, rpm_var_lib_t) + typeattribute $1 rpm_transition_domain; + allow $1 rpm_script_t:process transition; -+ + +- files_search_locks($1) +- admin_pattern($1, rpm_lock_t) +- +- logging_list_logs($1) +- admin_pattern($1, rpm_log_t) +- +- files_list_pids($1) +- admin_pattern($1, rpm_var_run_t) +- +- fs_search_tmpfs($1) +- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t } +- +- rpm_run($1, $2) + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; -+') + ') diff --git a/rpm.te b/rpm.te -index 60149a5..b33a77d 100644 +index 5cbe81c..b33a77d 100644 --- a/rpm.te +++ b/rpm.te 
@@ -1,15 +1,11 @@ - policy_module(rpm, 1.15.0) - -+attribute rpm_transition_domain; +-policy_module(rpm, 1.15.3) ++policy_module(rpm, 1.15.0) + ++attribute rpm_transition_domain; + ######################################## # # Declarations @@ -58069,19 +64940,31 @@ index 60149a5..b33a77d 100644 type rpm_t; type rpm_exec_t; init_system_domain(rpm_t, rpm_exec_t) -@@ -17,7 +13,10 @@ domain_obj_id_change_exemption(rpm_t) +@@ -17,10 +13,10 @@ domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) domain_interactive_fd(rpm_t) -role rpm_roles types rpm_t; +role system_r types rpm_t; -+ + +-type rpm_initrc_exec_t; +-init_script_file(rpm_initrc_exec_t) +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) type rpm_file_t; files_type(rpm_file_t) -@@ -50,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t) +@@ -31,9 +27,6 @@ files_tmp_file(rpm_tmp_t) + type rpm_tmpfs_t; + files_tmpfs_file(rpm_tmpfs_t) + +-type rpm_lock_t; +-files_lock_file(rpm_lock_t) +- + type rpm_log_t; + logging_log_file(rpm_log_t) + +@@ -56,7 +49,6 @@ corecmd_bin_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) 
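Review bot: The rebased hunk now has the patch rewrite `policy_module(rpm, 1.15.3)` to `policy_module(rpm, 1.15.0)`, lowering the module version below upstream's; a distribution patch should never move the version backwards, so drop that line pair and let upstream's version stand (or raise it if the Fedora changes warrant). `rpm_transition_script` does more than its summary `Allow application to transition to rpm_script domain.` says: it also adds the caller to `rpm_transition_domain` via `typeattribute $1 rpm_transition_domain;`, which is what `rpm_inherited_fifo` keys on, so the description should read e.g. `## Allow the domain to transition to rpm_script_t and mark it as an rpm transition domain.`. The hunk also deletes upstream's whole `rpm_admin` interface; with `rpm_initrc_exec_t` gone from rpm.te that may be intended, but any `rpm_admin` caller elsewhere in the policy will no longer build, so it needs either a stub or a sentence in the commit message.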
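Review bot: `type debuginfo_exec_t;` with `domain_entry_file(rpm_t, debuginfo_exec_t)` is added without a comment linking it to the `/usr/bin/debuginfo-install` context in rpm.fc and the `rpm_debuginfo_domtrans` interface, e.g. `# entry point for debuginfo-install (see rpm_debuginfo_domtrans)`. Removing `rpm_initrc_exec_t` / `init_script_file` and `rpm_lock_t` / `files_lock_file` is consistent with the rpm.fc and rpm.if parts of this commit, but both are declared types that other modules may `gen_require`, so a search of the patch set for `rpm_initrc_exec_t` and `rpm_lock_t` before merging is prudent. Replacing `role rpm_roles types rpm_t;` with `role system_r types rpm_t;` also drops the `rpm_roles` attribute, which is worth stating in the commit message since it changes how roles are granted the domain.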
@@ -58089,48 +64972,114 @@ index 60149a5..b33a77d 100644 role system_r types rpm_script_t; type rpm_script_tmp_t; -@@ -80,6 +78,9 @@ allow rpm_t self:shm create_shm_perms; +@@ -75,23 +67,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec + allow rpm_t self:process { getattr setexec setfscreate setrlimit }; + allow rpm_t self:fd use; + allow rpm_t self:fifo_file rw_fifo_file_perms; ++allow rpm_t self:unix_dgram_socket create_socket_perms; ++allow rpm_t self:unix_stream_socket rw_stream_socket_perms; + allow rpm_t self:unix_dgram_socket sendto; +-allow rpm_t self:unix_stream_socket { accept connectto listen }; +-allow rpm_t self:udp_socket connect; +-allow rpm_t self:tcp_socket { accept listen }; ++allow rpm_t self:unix_stream_socket connectto; ++allow rpm_t self:udp_socket { connect }; ++allow rpm_t self:udp_socket create_socket_perms; ++allow rpm_t self:tcp_socket create_stream_socket_perms; + allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; +-allow rpm_t self:file rw_file_perms; +allow rpm_t self:dir search; +allow rpm_t self:file rw_file_perms;; -+allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; + allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; - allow rpm_t rpm_log_t:file manage_file_perms; +-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -105,17 +106,19 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) + + manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) + manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) + files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) ++can_exec(rpm_t, rpm_tmp_t) + + manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +@@ -99,23 +96,19 @@ 
manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++can_exec(rpm_t, rpm_tmpfs_t) + + manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) + manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) + files_var_filetrans(rpm_t, rpm_var_cache_t, dir) + +-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t) +-files_lock_filetrans(rpm_t, rpm_lock_t, file) +- +-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) ++# Access /var/lib/rpm files manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) - files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) +-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) ++files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) -+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) + manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) --files_pid_filetrans(rpm_t, rpm_var_run_t, file) +-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file }) +- +-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) - kernel_read_system_state(rpm_t) - kernel_read_kernel_sysctls(rpm_t) -+kernel_read_network_state_symlinks(rpm_t) -+kernel_rw_irq_sysctls(rpm_t) +@@ -126,41 +119,34 @@ kernel_rw_irq_sysctls(rpm_t) corecmd_exec_all_executables(rpm_t) -corenet_all_recvfrom_unlabeled(rpm_t) corenet_all_recvfrom_netlabel(rpm_t) corenet_tcp_sendrecv_generic_if(rpm_t) - corenet_raw_sendrecv_generic_if(rpm_t) -@@ -131,6 +134,19 @@ corenet_sendrecv_all_client_packets(rpm_t) ++corenet_raw_sendrecv_generic_if(rpm_t) ++corenet_udp_sendrecv_generic_if(rpm_t) + corenet_tcp_sendrecv_generic_node(rpm_t) ++corenet_raw_sendrecv_generic_node(rpm_t) 
++corenet_udp_sendrecv_generic_node(rpm_t) + corenet_tcp_sendrecv_all_ports(rpm_t) +- +-corenet_sendrecv_all_client_packets(rpm_t) ++corenet_udp_sendrecv_all_ports(rpm_t) + corenet_tcp_connect_all_ports(rpm_t) ++corenet_sendrecv_all_client_packets(rpm_t) + dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) -+dev_read_raw_memory(rpm_t) -+dev_manage_all_dev_nodes(rpm_t) -+ + dev_read_raw_memory(rpm_t) +- + dev_manage_all_dev_nodes(rpm_t) +-dev_relabel_all_dev_nodes(rpm_t) + +#devices_manage_all_device_types(rpm_t) -+dev_create_generic_blk_files(rpm_t) -+dev_create_generic_chr_files(rpm_t) + dev_create_generic_blk_files(rpm_t) + dev_create_generic_chr_files(rpm_t) +- +-domain_read_all_domains_state(rpm_t) +-domain_getattr_all_domains(rpm_t) +-domain_use_interactive_fds(rpm_t) +-domain_dontaudit_getattr_all_pipes(rpm_t) +-domain_dontaudit_getattr_all_tcp_sockets(rpm_t) +-domain_dontaudit_getattr_all_udp_sockets(rpm_t) +-domain_dontaudit_getattr_all_packet_sockets(rpm_t) +-domain_dontaudit_getattr_all_raw_sockets(rpm_t) +-domain_dontaudit_getattr_all_stream_sockets(rpm_t) +-domain_dontaudit_getattr_all_dgram_sockets(rpm_t) +-domain_signull_all_domains(rpm_t) +- +-files_exec_etc_files(rpm_t) +-files_relabel_non_auth_files(rpm_t) +-files_manage_non_auth_files(rpm_t) +dev_delete_all_blk_files(rpm_t) +dev_delete_all_chr_files(rpm_t) +dev_relabel_all_dev_nodes(rpm_t) 
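Review bot: `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon into the rebased patch (it is a context line, so it predates this commit, but it survives on the new side); whether checkpolicy tolerates an empty statement I would verify rather than assume, and the second `;` should go either way. The two added udp rules `allow rpm_t self:udp_socket { connect };` and `allow rpm_t self:udp_socket create_socket_perms;` belong in one rule, `allow rpm_t self:udp_socket { create_socket_perms connect };`, and the same applies to the unix_stream_socket pair (`rw_stream_socket_perms` plus `connectto`). Dropping `manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)` while narrowing `files_var_lib_filetrans` from `{ dir file }` to `dir` reverts upstream's change; if rpm creates plain files directly under /var/lib they would presumably no longer be labelled rpm_var_lib_t, and the `# Access /var/lib/rpm files` comment does not explain why the dir rule was removed. Since rpm_t is also made `unconfined_domain_noaudit` in the hunk at L2624–L2626, these fine-grained rules only matter when the unconfined module is disabled, which is worth stating once near the top of the rpm_t local policy.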
@@ -58141,36 +65090,40 @@ index 60149a5..b33a77d 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -158,8 +174,8 @@ storage_raw_read_fixed_disk(rpm_t) +@@ -183,29 +169,49 @@ selinux_compute_relabel_context(rpm_t) + selinux_compute_user_contexts(rpm_t) + + storage_raw_write_fixed_disk(rpm_t) ++# for installing kernel packages + storage_raw_read_fixed_disk(rpm_t) term_list_ptys(rpm_t) --files_relabel_non_auth_files(rpm_t) --files_manage_non_auth_files(rpm_t) +files_relabel_all_files(rpm_t) +files_manage_all_files(rpm_t) auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) -@@ -168,7 +184,6 @@ rpm_domtrans_script(rpm_t) - - domain_read_all_domains_state(rpm_t) - domain_getattr_all_domains(rpm_t) --domain_dontaudit_ptrace_all_domains(rpm_t) - domain_use_interactive_fds(rpm_t) - domain_dontaudit_getattr_all_pipes(rpm_t) - domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -@@ -177,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) - domain_dontaudit_getattr_all_raw_sockets(rpm_t) - domain_dontaudit_getattr_all_stream_sockets(rpm_t) - domain_dontaudit_getattr_all_dgram_sockets(rpm_t) ++# transition to rpm script: + rpm_domtrans_script(rpm_t) + ++domain_read_all_domains_state(rpm_t) ++domain_getattr_all_domains(rpm_t) ++domain_use_interactive_fds(rpm_t) ++domain_dontaudit_getattr_all_pipes(rpm_t) ++domain_dontaudit_getattr_all_tcp_sockets(rpm_t) ++domain_dontaudit_getattr_all_udp_sockets(rpm_t) ++domain_dontaudit_getattr_all_packet_sockets(rpm_t) ++domain_dontaudit_getattr_all_raw_sockets(rpm_t) ++domain_dontaudit_getattr_all_stream_sockets(rpm_t) ++domain_dontaudit_getattr_all_dgram_sockets(rpm_t) +domain_signull_all_domains(rpm_t) - - files_exec_etc_files(rpm_t) - ++ ++files_exec_etc_files(rpm_t) ++ init_domtrans_script(rpm_t) init_use_script_ptys(rpm_t) -+init_signull_script(rpm_t) + init_signull_script(rpm_t) libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) 
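Review bot: The added comment `++# for installing kernel packages` sits between `storage_raw_write_fixed_disk(rpm_t)` and `storage_raw_read_fixed_disk(rpm_t)`, so it reads as explaining only the read rule; raw write to fixed disks is the more consequential of the two and the comment should sit above both lines. The re-added domain block is introduced by `++# transition to rpm script:` directly above `rpm_domtrans_script(rpm_t)`, but the `domain_read_all_domains_state` … `domain_signull_all_domains` lines that follow have nothing to do with that transition — the blank line already present after `rpm_domtrans_script` is enough if the colon is dropped from the comment. `files_relabel_all_files(rpm_t)` and `files_manage_all_files(rpm_t)` are context here but remain on the new side; together with the raw disk rules they make rpm_t effectively all-powerful, and a single comment saying so (rather than the per-line comments) would tell a future reader why tightening individual rules below is pointless.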
@@ -58180,7 +65133,7 @@ index 60149a5..b33a77d 100644 +miscfiles_filetrans_named_content(rpm_t) + - # allow compiling and loading new policy ++# allow compiling and loading new policy seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) 
@@ -58189,62 +65142,115 @@ index 60149a5..b33a77d 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -211,14 +229,15 @@ optional_policy(` - optional_policy(` +@@ -224,13 +230,17 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') -+ + +- optional_policy(` +- unconfined_dbus_chat(rpm_t) +- ') ') optional_policy(` - prelink_run(rpm_t, rpm_roles) + prelink_domtrans(rpm_t) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(rpm_t) ++ # yum-updatesd requires this ++ unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) ') - optional_policy(` -- unconfined_domain(rpm_t) -+ unconfined_domain_noaudit(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) - unconfined_dbus_chat(rpm_script_t) -@@ -229,7 +248,8 @@ optional_policy(` - # rpm-script Local policy + ######################################## +@@ -239,19 +249,20 @@ optional_policy(` # --allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; -+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; + allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; -@@ -261,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) ++allow rpm_script_t self:unix_dgram_socket create_socket_perms; ++allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; + allow rpm_script_t self:unix_dgram_socket sendto; +-allow rpm_script_t self:unix_stream_socket { accept connectto listen }; ++allow rpm_script_t 
self:unix_stream_socket connectto; + allow rpm_script_t self:shm create_shm_perms; + allow rpm_script_t self:sem create_sem_perms; + allow rpm_script_t self:msgq create_msgq_perms; + allow rpm_script_t self:msg { send receive }; + allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; + +-allow rpm_script_t rpm_t:netlink_route_socket { read write }; +- + allow rpm_script_t rpm_tmp_t:file read_file_perms; + + allow rpm_script_t rpm_script_tmp_t:dir mounton; +@@ -260,6 +271,7 @@ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) + manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) + manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) + files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) ++can_exec(rpm_script_t, rpm_script_tmp_t) + + manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +279,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) + manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - can_exec(rpm_script_t, rpm_script_tmpfs_t) ++can_exec(rpm_script_t, rpm_script_tmpfs_t) +-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) +allow rpm_script_t rpm_t:netlink_route_socket { read write }; -+ + kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) - kernel_read_system_state(rpm_script_t) - kernel_read_network_state(rpm_script_t) -+kernel_list_all_proc(rpm_script_t) +@@ -277,38 +290,22 @@ kernel_read_network_state(rpm_script_t) + kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) +-corenet_all_recvfrom_unlabeled(rpm_script_t) 
+-corenet_all_recvfrom_netlabel(rpm_script_t) +-corenet_tcp_sendrecv_generic_if(rpm_script_t) +-corenet_tcp_sendrecv_generic_node(rpm_script_t) +- +-corenet_sendrecv_http_client_packets(rpm_script_t) +# needed by rhn_check -+corenet_tcp_connect_http_port(rpm_script_t) -+ - dev_list_sysfs(rpm_script_t) - - # ideally we would not need this -@@ -286,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t) - fs_search_auto_mountpoints(rpm_script_t) + corenet_tcp_connect_http_port(rpm_script_t) +-corenet_tcp_sendrecv_http_port(rpm_script_t) +- +-corecmd_exec_all_executables(rpm_script_t) - mcs_killall(rpm_script_t) --mcs_ptrace_all(rpm_script_t) + dev_list_sysfs(rpm_script_t) ++ ++# ideally we would not need this + dev_manage_generic_blk_files(rpm_script_t) + dev_manage_generic_chr_files(rpm_script_t) + dev_manage_all_blk_files(rpm_script_t) + dev_manage_all_chr_files(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) - mls_file_write_all_levels(rpm_script_t) -@@ -303,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t) +-domain_read_all_domains_state(rpm_script_t) +-domain_getattr_all_domains(rpm_script_t) +-domain_use_interactive_fds(rpm_script_t) +-domain_signal_all_domains(rpm_script_t) +-domain_signull_all_domains(rpm_script_t) +- +-files_exec_etc_files(rpm_script_t) +-files_exec_usr_files(rpm_script_t) +-files_manage_non_auth_files(rpm_script_t) +-files_relabel_non_auth_files(rpm_script_t) +- + fs_manage_nfs_files(rpm_script_t) + fs_getattr_nfs(rpm_script_t) + fs_search_all(rpm_script_t) + fs_getattr_all_fs(rpm_script_t) ++# why is this not using mount? + fs_getattr_xattr_fs(rpm_script_t) + fs_mount_xattr_fs(rpm_script_t) + fs_unmount_xattr_fs(rpm_script_t) +@@ -331,30 +328,49 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
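Review bot: `can_exec(rpm_script_t, rpm_script_tmp_t)` and `can_exec(rpm_script_t, rpm_script_tmpfs_t)` are added next to the tmp and tmpfs filetrans rules (replacing upstream's combined `can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })`), yet the same two calls stay as context after `corecmd_exec_all_executables(rpm_script_t)` in the hunk at L2627, so the rebased rpm.te carries both rules twice; `files_relabel_all_files(rpm_script_t)` is likewise present as context and added again in that hunk. Duplicate rules are harmless to checkpolicy but hide the real delta against upstream, so keep one copy of each. The network rules for rpm_script_t are cut down to `corenet_tcp_connect_http_port(rpm_script_t)` with `corenet_tcp_sendrecv_http_port` and the generic if/node rules removed; whether that suffices depends on Fedora's corenet interfaces folding send/recv into connect, which I cannot see here — if not, rpm_script_t only works because it is also `unconfined_domain_noaudit`, and the `# needed by rhn_check` comment should say so.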
@@ -58253,23 +65259,25 @@ index 60149a5..b33a77d 100644 auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) - # ideally we would not need this --files_manage_non_auth_files(rpm_script_t) --auth_relabel_shadow(rpm_script_t) ++# ideally we would not need this +files_manage_all_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) - - corecmd_exec_all_executables(rpm_script_t) ++ ++corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) ++ ++domain_read_all_domains_state(rpm_script_t) ++domain_getattr_all_domains(rpm_script_t) ++domain_use_interactive_fds(rpm_script_t) ++domain_signal_all_domains(rpm_script_t) ++domain_signull_all_domains(rpm_script_t) ++ ++files_exec_etc_files(rpm_script_t) ++files_read_etc_runtime_files(rpm_script_t) ++files_exec_usr_files(rpm_script_t) ++files_relabel_all_files(rpm_script_t) - domain_read_all_domains_state(rpm_script_t) - domain_getattr_all_domains(rpm_script_t) --domain_dontaudit_ptrace_all_domains(rpm_script_t) - domain_use_interactive_fds(rpm_script_t) - domain_signal_all_domains(rpm_script_t) - domain_signull_all_domains(rpm_script_t) -@@ -328,35 +354,41 @@ files_relabel_all_files(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -58283,11 +65291,11 @@ index 60149a5..b33a77d 100644 logging_send_syslog_msg(rpm_script_t) -miscfiles_read_localization(rpm_script_t) -+miscfiles_filetrans_named_content(rpm_script_t) - +- -modutils_run_depmod(rpm_script_t, rpm_roles) -modutils_run_insmod(rpm_script_t, rpm_roles) -- ++miscfiles_filetrans_named_content(rpm_script_t) + -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) 
@@ -58301,8 +65309,7 @@ index 60149a5..b33a77d 100644 ifdef(`distro_redhat',` optional_policy(` - mta_send_mail(rpm_script_t) -+ mta_system_content(rpm_var_run_t) +@@ -363,24 +379,24 @@ ifdef(`distro_redhat',` ') ') @@ -58314,14 +65321,18 @@ index 60149a5..b33a77d 100644 optional_policy(` - bootloader_run(rpm_script_t, rpm_roles) + bootloader_domtrans(rpm_script_t) -+') -+ -+optional_policy(` -+ cups_filetrans_named_content(rpm_script_t) ') optional_policy(` -@@ -364,7 +396,7 @@ optional_policy(` +- dbus_system_bus_client(rpm_script_t) ++ cups_filetrans_named_content(rpm_script_t) ++') + +- optional_policy(` +- unconfined_dbus_chat(rpm_script_t) +- ') ++optional_policy(` ++ dbus_system_bus_client(rpm_script_t) ') optional_policy(` @@ -58330,7 +65341,7 @@ index 60149a5..b33a77d 100644 ') optional_policy(` -@@ -372,8 +404,17 @@ optional_policy(` +@@ -388,8 +404,17 @@ optional_policy(` ') optional_policy(` @@ -58350,16 +65361,15 @@ index 60149a5..b33a77d 100644 ') optional_policy(` -@@ -381,7 +422,7 @@ optional_policy(` +@@ -397,6 +422,7 @@ optional_policy(` ') optional_policy(` -- unconfined_domain(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -394,6 +435,6 @@ optional_policy(` +@@ -409,6 +435,6 @@ optional_policy(` ') optional_policy(` 
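Review bot: The old patch's `mta_system_content(rpm_var_run_t)` line inside the `ifdef(`distro_redhat',`` block is removed here and does not reappear in any hunk visible on this page; if it was not moved elsewhere in rpm.te, rpm's runtime directory presumably loses the mta system-content attribute and mail-related scriptlet activity would start producing denials. A rebase this large will not make that visible, so either restore the line next to `mta_send_mail(rpm_script_t)` or mention the removal in the commit message. The enclosing `ifdef` block begins outside this hunk.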
@@ -58368,44 +65378,123 @@ index 60149a5..b33a77d 100644 + usermanage_domtrans_groupadd(rpm_script_t) + usermanage_domtrans_useradd(rpm_script_t) ') +diff --git a/rshd.fc b/rshd.fc +index 9ad0d58..6a4db03 100644 +--- a/rshd.fc ++++ b/rshd.fc +@@ -1,3 +1,4 @@ ++ + /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) + + /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) +diff --git a/rshd.if b/rshd.if +index 7ad29c0..2e87d76 100644 +--- a/rshd.if ++++ b/rshd.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Execute rshd in the rshd domain. ++## Domain transition to rshd. + ## + ## + ## +@@ -15,6 +15,7 @@ interface(`rshd_domtrans',` + type rshd_exec_t, rshd_t; + ') + ++ files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rshd_exec_t, rshd_t) + ') diff --git a/rshd.te b/rshd.te -index 0b405d1..23c58c2 100644 +index f842825..23c58c2 100644 --- a/rshd.te 
+++ b/rshd.te -@@ -22,7 +22,6 @@ allow rshd_t self:tcp_socket create_stream_socket_perms; +@@ -1,62 +1,76 @@ +-policy_module(rshd, 1.7.1) ++policy_module(rshd, 1.7.0) + + ######################################## + # + # Declarations + # +- + type rshd_t; + type rshd_exec_t; +-auth_login_pgm_domain(rshd_t) + inetd_tcp_service_domain(rshd_t, rshd_exec_t) ++domain_subj_id_change_exemption(rshd_t) ++domain_role_change_exemption(rshd_t) ++role system_r types rshd_t; + + ######################################## + # + # Local policy + # +- + allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +-allow rshd_t self:process { signal_perms setsched setpgid setexec }; ++allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; kernel_read_kernel_sysctls(rshd_t) -corenet_all_recvfrom_unlabeled(rshd_t) corenet_all_recvfrom_netlabel(rshd_t) corenet_tcp_sendrecv_generic_if(rshd_t) - corenet_udp_sendrecv_generic_if(rshd_t) -@@ -39,6 +38,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t) ++corenet_udp_sendrecv_generic_if(rshd_t) + corenet_tcp_sendrecv_generic_node(rshd_t) ++corenet_udp_sendrecv_generic_node(rshd_t) + corenet_tcp_sendrecv_all_ports(rshd_t) ++corenet_udp_sendrecv_all_ports(rshd_t) + corenet_tcp_bind_generic_node(rshd_t) +- +-corenet_sendrecv_all_server_packets(rshd_t) + corenet_tcp_bind_rsh_port(rshd_t) + corenet_tcp_bind_all_rpc_ports(rshd_t) + corenet_tcp_connect_all_ports(rshd_t) + corenet_tcp_connect_all_rpc_ports(rshd_t) ++corenet_sendrecv_rsh_server_packets(rshd_t) ++ ++dev_read_urand(rshd_t) ++ ++domain_interactive_fd(rshd_t) ++ ++selinux_get_fs_mount(rshd_t) ++selinux_validate_context(rshd_t) ++selinux_compute_access_vector(rshd_t) ++selinux_compute_create_context(rshd_t) ++selinux_compute_relabel_context(rshd_t) ++selinux_compute_user_contexts(rshd_t) - dev_read_urand(rshd_t) + 
corecmd_read_bin_symlinks(rshd_t) -+domain_interactive_fd(rshd_t) + files_list_home(rshd_t) ++files_read_etc_files(rshd_t) ++files_search_tmp(rshd_t) ++ ++auth_login_pgm_domain(rshd_t) ++auth_write_login_records(rshd_t) + ++init_rw_utmp(rshd_t) + - selinux_get_fs_mount(rshd_t) - selinux_validate_context(rshd_t) - selinux_compute_access_vector(rshd_t) -@@ -60,26 +61,16 @@ init_rw_utmp(rshd_t) - logging_send_syslog_msg(rshd_t) ++logging_send_syslog_msg(rshd_t) logging_search_logs(rshd_t) -miscfiles_read_localization(rshd_t) -- - seutil_read_config(rshd_t) - seutil_read_default_contexts(rshd_t) - - userdom_search_user_home_content(rshd_t) -+userdom_manage_tmp_role(system_r, rshd_t) ++seutil_read_config(rshd_t) ++seutil_read_default_contexts(rshd_t) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(rshd_t) - fs_read_nfs_symlinks(rshd_t) -') -- ++userdom_search_user_home_content(rshd_t) ++userdom_manage_tmp_role(system_r, rshd_t) + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(rshd_t) - fs_read_cifs_symlinks(rshd_t) @@ -58415,22 +65504,15 @@ index 0b405d1..23c58c2 100644 optional_policy(` kerberos_keytab_template(rshd, rshd_t) - kerberos_manage_host_rcache(rshd_t) +- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") ') optional_policy(` -diff --git a/rssh.fc b/rssh.fc -index 4c091ca..a58f123 100644 ---- a/rssh.fc -+++ b/rssh.fc -@@ -1 +1,3 @@ - /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) -+ -+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/rssh.te b/rssh.te -index ffb9605..4bb7119 100644 +index d1fd97f..88bd6f7 100644 --- a/rssh.te +++ b/rssh.te -@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) +@@ -60,7 +60,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) kernel_read_system_state(rssh_t) kernel_read_kernel_sysctls(rssh_t) 
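Review bot: The rebased rshd.te adds `domain_subj_id_change_exemption(rshd_t)`, `domain_role_change_exemption(rshd_t)` and `role system_r types rshd_t;` to the Declarations section while moving `auth_login_pgm_domain(rshd_t)` down into the local-policy section; in refpolicy `auth_login_pgm_domain` already grants those exemptions and the system_r role (confirm against Fedora's authlogin.if), so the explicit lines look redundant, and the move makes rshd's login-program status harder to spot — keep `auth_login_pgm_domain(rshd_t)` next to `inetd_tcp_service_domain(rshd_t, rshd_exec_t)`. rshd.fc now gains an empty first line (the `++` with no content at the top of the file), which is pure noise. The rshd.if summary `## Domain transition to rshd.` replaces upstream's `## Execute rshd in the rshd domain.`, which said the same thing more precisely; the upstream wording should stay.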
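Review bot: The new side drops upstream's `kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")` from the kerberos optional block while keeping `kerberos_keytab_template(rshd, rshd_t)`; with `userdom_manage_tmp_role(system_r, rshd_t)` added in the previous hunk, the replay cache rshd writes in /tmp would presumably no longer receive the host rcache label unless Fedora's `kerberos_keytab_template` performs that transition itself — confirm, because the effect only shows up as denials at login time, not at policy build. The rssh.fc hunk for `/usr/libexec/rssh_chroot_helper` is removed from the patch entirely, which is correct only if upstream's rssh.fc now carries that entry; rssh.fc itself is not shown, so that is an assumption.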
@@ -58438,7 +65520,7 @@ index ffb9605..4bb7119 100644 files_read_etc_runtime_files(rssh_t) files_list_home(rssh_t) files_read_usr_files(rssh_t) -@@ -73,8 +72,6 @@ fs_search_auto_mountpoints(rssh_t) +@@ -70,8 +69,6 @@ fs_search_auto_mountpoints(rssh_t) logging_send_syslog_msg(rssh_t) @@ -58447,44 +65529,160 @@ index ffb9605..4bb7119 100644 rssh_domtrans_chroot_helper(rssh_t) ssh_rw_tcp_sockets(rssh_t) -@@ -95,10 +92,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms; - - domain_use_interactive_fds(rssh_chroot_helper_t) - --files_read_etc_files(rssh_chroot_helper_t) -- +@@ -95,5 +92,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) auth_use_nsswitch(rssh_chroot_helper_t) logging_send_syslog_msg(rssh_chroot_helper_t) - -miscfiles_read_localization(rssh_chroot_helper_t) diff --git a/rsync.fc b/rsync.fc -index 479615b..2d77839 100644 +index d25301b..2d77839 100644 --- a/rsync.fc +++ b/rsync.fc -@@ -2,6 +2,6 @@ +@@ -1,6 +1,6 @@ + /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) +-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) ++/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) --/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) -+/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) + /var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) - /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if -index 3386f29..8d8f6c5 100644 +index f1140ef..6bde558 100644 --- a/rsync.if 
+++ b/rsync.if -@@ -119,7 +119,7 @@ interface(`rsync_read_config',` +@@ -1,16 +1,16 @@ +-## Fast incremental file transfer for synchronization. ++## Fast incremental file transfer for synchronization + + ######################################## + ## +-## Make rsync executable file an +-## entry point for the specified domain. ++## Make rsync an entry point for ++## the specified domain. + ## + ## + ## +-## The domain for which rsync_exec_t is an entrypoint. ++## The domain for which init scripts are an entrypoint. + ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_type',` + gen_require(` + type rsync_exec_t; +@@ -43,14 +43,13 @@ interface(`rsync_entry_type',` + ## Domain to transition to. + ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_spec_domtrans',` + gen_require(` + type rsync_exec_t; + ') + +- corecmd_search_bin($1) +- auto_trans($1, rsync_exec_t, $2) ++ domain_trans($1, rsync_exec_t, $2) + ') + + ######################################## +@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',` + ## Domain to transition to. + ## + ## +-# ++# cjp: added for portage + interface(`rsync_entry_domtrans',` + gen_require(` + type rsync_exec_t; + ') + +- corecmd_search_bin($1) + domain_auto_trans($1, rsync_exec_t, $2) + ') + + ######################################## + ## +-## Execute the rsync program in the rsync domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`rsync_domtrans',` +- gen_require(` +- type rsync_t, rsync_exec_t; +- ') +- +- corecmd_search_bin($1) +- domtrans_pattern($1, rsync_exec_t, rsync_t) +-') +- +-######################################## +-## +-## Execute rsync in the rsync domain, and +-## allow the specified role the rsync domain. +-## +-## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-# +-interface(`rsync_run',` +- gen_require(` +- attribute_role rsync_roles; +- ') +- +- rsync_domtrans($1) +- roleattribute $2 rsync_roles; +-') +- +-######################################## +-## +-## Execute rsync in the caller domain. ++## Execute rsync in the caller domain domain. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # + interface(`rsync_exec',` + gen_require(` + type rsync_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, rsync_exec_t) + ') + +@@ -165,18 +119,18 @@ interface(`rsync_read_config',` type rsync_etc_t; ') -- allow $1 rsync_etc_t:file read_file_perms; + read_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) +- allow $1 rsync_etc_t:file read_file_perms; ') -@@ -128,9 +128,9 @@ interface(`rsync_read_config',` - ## Write to rsync config files. + ######################################## + ## +-## Write rsync config files. ++## Write to rsync config files. ## ## -## 
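Review bot: The rebased rsync.if replaces upstream's parameter description in `rsync_entry_type` with `## The domain for which init scripts are an entrypoint.`, a copy-paste from the init interfaces that is wrong here — keep upstream's `## The domain for which rsync_exec_t is an entrypoint.`; the module summary also loses its trailing period and `rsync_exec` now reads `## Execute rsync in the caller domain domain.` with a doubled word. The `# cjp: added for portage` markers are reintroduced on three interfaces after upstream removed them; they are history rather than documentation and should go. Removing `rsync_domtrans` and `rsync_run` (and `rsync_admin` in the next hunk) is a hard interface removal: any module still calling them fails to build, and no caller is visible on this page. `corecmd_search_bin($1)` is dropped from the entry interfaces and from `rsync_exec`; callers that do not already search bin directories will lose access, so if this is deliberate it deserves a sentence in the commit message.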
@@ -58495,124 +65693,259 @@ index 3386f29..8d8f6c5 100644 ## # interface(`rsync_write_config',` -@@ -138,6 +138,49 @@ interface(`rsync_write_config',` +@@ -184,14 +138,13 @@ interface(`rsync_write_config',` type rsync_etc_t; ') -- allow $1 rsync_etc_t:file read_file_perms; + write_files_pattern($1, rsync_etc_t, rsync_etc_t) -+ files_search_etc($1) -+') -+ -+######################################## -+## + files_search_etc($1) +- allow $1 rsync_etc_t:file write_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rsync config files. +## Manage rsync config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -199,18 +152,18 @@ interface(`rsync_write_config',` + ## + ## + # +-interface(`rsync_manage_config_files',` +interface(`rsync_manage_config',` -+ gen_require(` -+ type rsync_etc_t; -+ ') -+ -+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) + gen_require(` + type rsync_etc_t; + ') + +- files_search_etc($1) + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ') -+ -+######################################## -+## + + ######################################## + ## +-## Create specified objects in etc directories +## Create objects in etc directories -+## with rsync etc type. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Class of the object being created. -+## -+## -+# -+interface(`rsync_filetrans_config',` -+ gen_require(` -+ type rsync_etc_t; -+ ') -+ -+ files_etc_filetrans($1, rsync_etc_t, $2) -+') + ## with rsync etc type. + ## + ## +@@ -223,11 +176,6 @@ interface(`rsync_manage_config_files',` + ## Class of the object being created. + ## + ## +-## +-## +-## The name of the object being created. 
+-## +-## + # + interface(`rsync_etc_filetrans_config',` + gen_require(` +@@ -236,46 +184,3 @@ interface(`rsync_etc_filetrans_config',` + + files_etc_filetrans($1, rsync_etc_t, $2, $3) + ') +- +-######################################## +-## +-## All of the rules required to +-## administrate an rsync environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`rsync_admin',` +- gen_require(` +- type rsync_t, rsync_etc_t, rsync_data_t; +- type rsync_log_t, rsync_tmp_t. rsync_var_run_t; +- ') +- +- allow $1 rsync_t:process { ptrace signal_perms }; +- ps_process_pattern($1, rsync_t) +- +- files_search_etc($1) +- admin_pattern($1, rsync_etc_t) +- +- admin_pattern($1, rsync_data_t) +- +- logging_search_logs($1) +- admin_pattern($1, rsync_log_t) +- +- files_search_tmp($1) +- admin_pattern($1, rsync_tmp_t) +- +- files_search_pids($1) +- admin_pattern($1, rsync_var_run_t) +- +- rsync_run($1, $2) +-') diff --git a/rsync.te b/rsync.te -index 2834d86..8fdd060 100644 +index e3e7c96..8fdd060 100644 --- a/rsync.te +++ b/rsync.te -@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0) +@@ -1,4 +1,4 @@ +-policy_module(rsync, 1.12.2) ++policy_module(rsync, 1.12.0) + + ######################################## + # +@@ -6,67 +6,52 @@ policy_module(rsync, 1.12.2) + # ## - ##

    +-##

    +-## Determine whether rsync can use +-## cifs file systems. +-##

    ++##

    +## Allow rsync servers to share cifs files systems +##

    -+##
    -+gen_tunable(rsync_use_cifs, false) -+ -+## + ## + gen_tunable(rsync_use_cifs, false) + + ## +-##

    +-## Determine whether rsync can +-## use fuse file systems. +-##

    +-##
    +-gen_tunable(rsync_use_fusefs, false) +- +-## +-##

    +-## Determine whether rsync can use +-## nfs file systems. +-##

    +##

    +## Allow rsync servers to share nfs files systems +##

    -+##
    -+gen_tunable(rsync_use_nfs, false) -+ -+## + ## + gen_tunable(rsync_use_nfs, false) + + ## +-##

    +-## Determine whether rsync can +-## run as a client +-##

    +##

    +## Allow rsync to run as a client +##

    -+##
    -+gen_tunable(rsync_client, false) -+ -+## + ## + gen_tunable(rsync_client, false) + + ## +-##

    +-## Determine whether rsync can +-## export all content read only. +-##

    +##

    - ## Allow rsync to export any files/directories read only. - ##

    ++## Allow rsync to export any files/directories read only. ++##

    ##
    -@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false) - ## labeled public_content_rw_t. - ##

    + gen_tunable(rsync_export_all_ro, false) + + ## +-##

    +-## Determine whether rsync can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow rsync to modify public files ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ++##

    ##
    -gen_tunable(allow_rsync_anon_write, false) +- +-attribute_role rsync_roles; +gen_tunable(rsync_anon_write, false) type rsync_t; type rsync_exec_t; -@@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms; - allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - #end for identd + init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; ++application_executable_file(rsync_exec_t) ++role system_r types rsync_t; + + type rsync_etc_t; + files_config_file(rsync_etc_t) + +-type rsync_data_t; # customizable ++type rsync_data_t; + files_type(rsync_data_t) + + type rsync_log_t; +@@ -86,15 +71,22 @@ files_pid_file(rsync_var_run_t) + allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; + allow rsync_t self:process signal_perms; + allow rsync_t self:fifo_file rw_fifo_file_perms; +-allow rsync_t self:tcp_socket { accept listen }; ++allow rsync_t self:tcp_socket create_stream_socket_perms; ++allow rsync_t self:udp_socket connected_socket_perms; ++ ++# for identd ++# cjp: this should probably only be inetd_child_t rules? ++# search home and kerberos also. 
++allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; ++#end for identd -allow rsync_t rsync_etc_t:file read_file_perms; +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; - read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -@@ -79,7 +100,6 @@ kernel_read_kernel_sysctls(rsync_t) +-allow rsync_t rsync_data_t:file read_file_perms; +-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; ++read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + +-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) + logging_log_filetrans(rsync_t, rsync_log_t, file) + + manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) +@@ -108,91 +100,69 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) -corenet_all_recvfrom_unlabeled(rsync_t) corenet_all_recvfrom_netlabel(rsync_t) corenet_tcp_sendrecv_generic_if(rsync_t) - corenet_udp_sendrecv_generic_if(rsync_t) -@@ -94,18 +114,19 @@ corenet_sendrecv_rsync_server_packets(rsync_t) ++corenet_udp_sendrecv_generic_if(rsync_t) + corenet_tcp_sendrecv_generic_node(rsync_t) ++corenet_udp_sendrecv_generic_node(rsync_t) ++corenet_tcp_sendrecv_all_ports(rsync_t) ++corenet_udp_sendrecv_all_ports(rsync_t) + corenet_tcp_bind_generic_node(rsync_t) +- +-corenet_sendrecv_rsync_server_packets(rsync_t) + corenet_tcp_bind_rsync_port(rsync_t) +-corenet_tcp_sendrecv_rsync_port(rsync_t) ++corenet_sendrecv_rsync_server_packets(rsync_t) + dev_read_urand(rsync_t) - fs_getattr_xattr_fs(rsync_t) -+fs_search_auto_mountpoints(rsync_t) +-fs_getattr_all_fs(rsync_t) ++fs_getattr_xattr_fs(rsync_t) + fs_search_auto_mountpoints(rsync_t) --files_read_etc_files(rsync_t) files_search_home(rsync_t) +-auth_can_read_shadow_passwords(rsync_t) auth_use_nsswitch(rsync_t) 
logging_send_syslog_msg(rsync_t) @@ -58627,7 +65960,25 @@ index 2834d86..8fdd060 100644 miscfiles_manage_public_files(rsync_t) ') -@@ -122,12 +143,26 @@ optional_policy(` +-tunable_policy(`rsync_client',` +- corenet_sendrecv_rsync_client_packets(rsync_t) +- corenet_tcp_connect_rsync_port(rsync_t) ++optional_policy(` ++ daemontools_service_domain(rsync_t, rsync_exec_t) ++') + +- corenet_sendrecv_ssh_client_packets(rsync_t) +- corenet_tcp_connect_ssh_port(rsync_t) +- corenet_tcp_sendrecv_ssh_port(rsync_t) ++optional_policy(` ++ kerberos_use(rsync_t) ++') + +- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) +- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++optional_policy(` ++ inetd_service_domain(rsync_t, rsync_exec_t) ') tunable_policy(`rsync_export_all_ro',` @@ -58635,6 +65986,7 @@ index 2834d86..8fdd060 100644 + files_getattr_all_pipes(rsync_t) + fs_read_noxattr_fs_files(rsync_t) fs_read_nfs_files(rsync_t) +- fs_read_fusefs_files(rsync_t) fs_read_cifs_files(rsync_t) - files_list_non_auth_dirs(rsync_t) - files_read_non_auth_files(rsync_t) 
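Review bot: `rsync_etc_filetrans_config` keeps `files_etc_filetrans($1, rsync_etc_t, $2, $3)` on the new side, but this hunk removes the documentation of the third parameter (`## The name of the object being created.`), leaving `$3` undocumented; restore that param block. Upstream's `rsync_use_fusefs` tunable is removed together with its `fs_read_fusefs_files(rsync_t)` line in the export-all-ro block (hunk `@@ -58635` on this same line), which silently drops FUSE-backed read-only exports from the Fedora build — if intentional it needs a mention, otherwise the tunable should be carried over. The tunable descriptions are rewritten from upstream's "Determine whether rsync can …" form to "Allow rsync …"; the upstream wording is the project convention and the rewrite adds churn without content. `role rsync_roles types rsync_t;` becomes `role system_r types rsync_t;` and `application_domain` becomes `application_executable_file`, which appears to mean rsync can no longer be run in its own domain by user roles — consistent with removing `rsync_run`, but worth stating in the commit message.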
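Review bot: Upstream's `rsync_client` block is removed here and the Fedora replacement in the following hunk appears to keep only `corenet_tcp_connect_rsync_port(rsync_t)` and `corenet_tcp_connect_ssh_port(rsync_t)`, dropping `corenet_sendrecv_rsync_client_packets`, `corenet_sendrecv_ssh_client_packets` and `corenet_tcp_sendrecv_ssh_port`; unless Fedora's corenet interfaces grant send/recv as part of connect (not visible here), client mode may connect and then be denied on the first packet. The three `optional_policy` blocks (`daemontools_service_domain`, `kerberos_use`, `inetd_service_domain`) are only moved up from the end of the file, so that part of the hunk is a no-op. The replacement client block starts outside this hunk.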
@@ -58642,77 +65994,138 @@ index 2834d86..8fdd060 100644 + files_read_non_security_files(rsync_t) auth_tunable_read_shadow(rsync_t) ') -+ + +-tunable_policy(`rsync_use_cifs',` +- fs_list_cifs(rsync_t) +- fs_read_cifs_files(rsync_t) +- fs_read_cifs_symlinks(rsync_t) +-') +- +-tunable_policy(`rsync_use_fusefs',` +- fs_search_fusefs(rsync_t) +- fs_read_fusefs_files(rsync_t) +- fs_read_fusefs_symlinks(rsync_t) +-') +- +-tunable_policy(`rsync_use_nfs',` +- fs_list_nfs(rsync_t) +- fs_read_nfs_files(rsync_t) +- fs_read_nfs_symlinks(rsync_t) +tunable_policy(`rsync_client',` + corenet_tcp_connect_rsync_port(rsync_t) + corenet_tcp_connect_ssh_port(rsync_t) + manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+') -+ -+optional_policy(` -+ tunable_policy(`rsync_client',` + ') + + optional_policy(` + tunable_policy(`rsync_client',` +- ssh_exec(rsync_t) + ssh_exec(rsync_t) -+ ') -+') -+ - auth_can_read_shadow_passwords(rsync_t) + ') + ') + +-optional_policy(` +- daemontools_service_domain(rsync_t, rsync_exec_t) +-') +- +-optional_policy(` +- kerberos_use(rsync_t) +-') +- +-optional_policy(` +- inetd_service_domain(rsync_t, rsync_exec_t) +-') ++auth_can_read_shadow_passwords(rsync_t) diff --git a/rtkit.if b/rtkit.if -index 46dad1f..051addd 100644 +index bd35afe..051addd 100644 --- a/rtkit.if 
+++ b/rtkit.if -@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',` +@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',` + type rtkit_daemon_t, rtkit_daemon_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) + ') + +@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',` ######################################## ## +-## Allow rtkit to control scheduling for your process. +## Do not audit send and receive messages from +## rtkit_daemon over dbus. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ##
    + ## + # +-interface(`rtkit_scheduled',` +interface(`rtkit_daemon_dontaudit_dbus_chat',` -+ gen_require(` -+ type rtkit_daemon_t; + gen_require(` + type rtkit_daemon_t; + class dbus send_msg; -+ ') -+ + ') + +- allow rtkit_daemon_t $1:process { getsched setsched }; +- +- ps_process_pattern(rtkit_daemon_t, $1) +- +- optional_policy(` +- rtkit_daemon_dbus_chat($1) +- ') + dontaudit $1 rtkit_daemon_t:dbus send_msg; + dontaudit rtkit_daemon_t $1:dbus send_msg; + dontaudit rtkit_daemon_t $1:process { getsched setsched }; -+') -+ -+######################################## -+## - ## Allow rtkit to control scheduling for your process + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an rtkit environment. ++## Allow rtkit to control scheduling for your process ## ## -@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',` - type rtkit_daemon_t; + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## +-## + # +-interface(`rtkit_admin',` ++interface(`rtkit_scheduled',` + gen_require(` +- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; ++ type rtkit_daemon_t; ') +- allow $1 rtkit_daemon_t:process { ptrace signal_perms }; +- ps_process_pattern($1, rtkit_daemon_t) +- +- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 rtkit_daemon_initrc_exec_t system_r; +- allow $2 system_r; + kernel_search_proc($1) - ps_process_pattern(rtkit_daemon_t, $1) - allow rtkit_daemon_t $1:process { getsched setsched }; - rtkit_daemon_dbus_chat($1) ++ ps_process_pattern(rtkit_daemon_t, $1) ++ allow rtkit_daemon_t $1:process { getsched setsched }; ++ rtkit_daemon_dbus_chat($1) + ') diff --git a/rtkit.te b/rtkit.te -index 6f8e268..eaad2c5 100644 +index 3f5a8ef..d7bffcc 100644 --- a/rtkit.te 
+++ b/rtkit.te -@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0) - - type rtkit_daemon_t; - type rtkit_daemon_exec_t; --dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) -+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - - ######################################## - # -@@ -28,8 +28,9 @@ auth_use_nsswitch(rtkit_daemon_t) +@@ -31,8 +31,9 @@ auth_use_nsswitch(rtkit_daemon_t) logging_send_syslog_msg(rtkit_daemon_t) @@ -58722,13 +66135,13 @@ index 6f8e268..eaad2c5 100644 + dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) +') optional_policy(` - policykit_dbus_chat(rtkit_daemon_t) - ') + dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) + diff --git a/rwho.if b/rwho.if -index 71ea0ea..886a45e 100644 +index 0360ff0..e6cb34f 100644 --- a/rwho.if +++ b/rwho.if -@@ -138,8 +138,11 @@ interface(`rwho_admin',` +@@ -139,8 +139,11 @@ interface(`rwho_admin',` type rwho_initrc_exec_t; ') @@ -58742,7 +66155,7 @@ index 71ea0ea..886a45e 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index a07b2f4..22e0db0 100644 +index 9927d29..9ee5654 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; @@ -58754,15 +66167,7 @@ index a07b2f4..22e0db0 100644 ######################################## # -@@ -24,6 +24,7 @@ files_type(rwho_spool_t) - # - - allow rwho_t self:capability sys_chroot; -+allow rwho_t self:process signal; - allow rwho_t self:unix_dgram_socket create; - allow rwho_t self:fifo_file rw_file_perms; - allow rwho_t self:unix_stream_socket create_stream_socket_perms; -@@ -39,7 +40,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) +@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) kernel_read_system_state(rwho_t) 
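Review bot: The new side of rsync.te ends with an unconditional `auth_can_read_shadow_passwords(rsync_t)` (the `++auth_can_read_shadow_passwords(rsync_t)` line just before the rtkit.if header), which makes the `auth_tunable_read_shadow(rsync_t)` kept inside `tunable_policy(`rsync_export_all_ro',` ...)` redundant — rsync_t can read shadow whether or not the boolean is set. The patch only relocates the rule (the `+-auth_can_read_shadow_passwords(rsync_t)` removal earlier in the patch drops it from upstream's position), so the net grant is unchanged, but the tunable's name suggests shadow access is opt-in when it is not. If shadow access is meant to be gated by rsync_export_all_ro, drop the trailing unconditional line; if rsync_t always needs it, a comment above it such as `# unconditional on purpose; rsync_export_all_ro is not the only path to shadow` would record the decision for the next reviewer. The rsync.te portion is complete within this hunk, but the hunk continues into rtkit.if and rtkit.te.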
@@ -58770,68 +66175,151 @@ index a07b2f4..22e0db0 100644 corenet_all_recvfrom_netlabel(rwho_t) corenet_udp_sendrecv_generic_if(rwho_t) corenet_udp_sendrecv_generic_node(rwho_t) -@@ -55,6 +55,8 @@ files_read_etc_files(rwho_t) - init_read_utmp(rwho_t) - init_dontaudit_write_utmp(rwho_t) +@@ -57,8 +56,7 @@ init_dontaudit_write_utmp(rwho_t) --miscfiles_read_localization(rwho_t) -+logging_send_syslog_msg(rwho_t) + logging_send_syslog_msg(rwho_t) +-miscfiles_read_localization(rwho_t) +- sysnet_dns_name_resolve(rwho_t) -+ + +-# userdom_getattr_user_terminals(rwho_t) +userdom_getattr_user_terminals(rwho_t) ++ diff --git a/samba.fc b/samba.fc -index 69a6074..2ccac49 100644 +index b8b66ff..2ccac49 100644 --- a/samba.fc 
+++ b/samba.fc -@@ -14,6 +14,9 @@ - # - # /usr - # +@@ -1,42 +1,54 @@ +-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++ ++# ++# /etc ++# ++/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + /etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) ++/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) ++/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) + +-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) +-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) ++# ++# /usr ++# +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -+ - /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) - /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) - /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -@@ -31,11 +34,17 @@ - /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - /var/cache/samba/winbindd_privileged(/.*)? 
gen_context(system_u:object_r:winbind_var_run_t,s0) +-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) +-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) +-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) +-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) ++/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) ++/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) + +-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) +-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) +-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) ++/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) ++/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) ++/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) ++/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) + +-/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) ++# ++# /var ++# ++/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -+ - /var/lib/samba(/.*)? 
gen_context(system_u:object_r:samba_var_t,s0) - /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) +-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) ++/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) + +-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) -+ + +-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -48,6 +57,11 @@ +-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) ++/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +@@ -45,7 +57,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +-/var/run/samba/winbindd(/.*)? 
gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - - /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) ++/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + ++/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 82cb169..a6bab06 100644 +index aee75af..a6bab06 100644 --- a/samba.if +++ b/samba.if -@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',` +@@ -1,8 +1,12 @@ +-## SMB and CIFS client/server programs. ++## ++## SMB and CIFS client/server programs for UNIX and ++## name Service Switch daemon for resolving names ++## from Windows NT servers. ++## + + ######################################## + ## +-## Execute nmbd in the nmbd domain. ++## Execute nmbd net in the nmbd_t domain. + ## + ## + ## +@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',` + + ####################################### + ## +-## Send generic signals to nmbd. ++## Allow domain to signal samba + ## + ## + ## +@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',` ######################################## ## +-## Connect to nmbd with a unix domain +-## stream socket. +## Search the samba pid directory. +## +## 
@@ -58852,31 +66340,36 @@ index 82cb169..a6bab06 100644 +######################################## +## +## Connect to nmbd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`samba_stream_connect_nmbd',` -+ gen_require(` + ## + ## + ## +@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',` + # + interface(`samba_stream_connect_nmbd',` + gen_require(` +- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; + type nmbd_t, nmbd_var_run_t; -+ ') -+ + ') + +- files_search_pids($1) +- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) + samba_search_pid($1) + stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -+') -+ -+######################################## -+## - ## Execute samba server in the samba domain. + ') + + ######################################## + ## +-## Execute samba init scripts in +-## the init script domain. ++## Execute samba server in the samba domain. ## ## -@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',` + ## +@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',` ######################################## ## +-## Execute samba net in the samba net domain. +## Execute samba server in the samba domain. +## +## @@ -58900,13 +66393,17 @@ index 82cb169..a6bab06 100644 + +######################################## +## - ## Execute samba net in the samba_net domain. ++## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',` + ## +@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',` ######################################## ## +-## Execute samba net in the samba net +-## domain, and allow the specified +-## role the samba net domain. +## Execute samba net in the samba_unconfined_net domain. +## +## 
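Review bot: The samba.if summary rewritten at the top of the new side, `++## Execute nmbd net in the nmbd_t domain.`, looks like a copy from the samba_domtrans_net summary — the interface it heads (samba_domtrans_nmbd, judging by the following inner hunk's context line) only performs a domain transition to nmbd_t, and "nmbd net" is not a thing a caller executes. Suggest `## Execute nmbd in the nmbd_t domain.`. The same pattern appears in the next hunk, where `++## Execute samba server in the samba domain.` replaces upstream's `Execute samba init scripts in the init script domain.` above samba_initrc_domtrans while the identical sentence is also used for the new samba_domtrans interface; the init-script wording should be kept for samba_initrc_domtrans. These summaries feed the generated interface documentation, so a wrong one misdescribes what a caller is granted.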
@@ -58926,13 +66423,24 @@ index 82cb169..a6bab06 100644 + +######################################## +## - ## Execute samba net in the samba_net domain, and - ## allow the specified role the samba_net domain. ++## Execute samba net in the samba_net domain, and ++## allow the specified role the samba_net domain. ## -@@ -103,6 +183,51 @@ interface(`samba_run_net',` - role $2 types samba_net_t; - ') + ## + ## +@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',` + # + interface(`samba_run_net',` + gen_require(` +- attribute_role samba_net_roles; ++ type samba_net_t; + ') + samba_domtrans_net($1) +- roleattribute $2 samba_net_roles; ++ role $2 types samba_net_t; ++') ++ +####################################### +## +## The role for the samba module. @@ -58976,12 +66484,43 @@ index 82cb169..a6bab06 100644 + + samba_domtrans_unconfined_net($1) + role $2 types samba_unconfined_net_t; -+') -+ + ') + + ######################################## +@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',` + + ######################################## + ## +-## Execute smbmount in the smbmount +-## domain, and allow the specified +-## role the smbmount domain. ++## Execute smbmount interactively and do ++## a domain transition to the smbmount domain. + ## + ## + ## +@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',` + # + interface(`samba_run_smbmount',` + gen_require(` +- attribute_role smbmount_roles; ++ type smbmount_t; + ') + + samba_domtrans_smbmount($1) +- roleattribute $2 smbmount_roles; ++ role $2 types smbmount_t; + ') + ######################################## ## - ## Execute smbmount in the smbmount domain. -@@ -166,6 +291,7 @@ interface(`samba_read_config',` +-## Read samba configuration files. ++## Allow the specified domain to read ++## samba configuration files. + ## + ## + ## +@@ -184,12 +291,14 @@ interface(`samba_read_config',` ') files_search_etc($1) 
@@ -58989,76 +66528,385 @@ index 82cb169..a6bab06 100644 read_files_pattern($1, samba_etc_t, samba_etc_t) ') -@@ -409,9 +535,10 @@ interface(`samba_manage_var_files',` + ######################################## + ## +-## Read and write samba configuration files. ++## Allow the specified domain to read ++## and write samba configuration files. + ## + ## + ## +@@ -209,8 +318,8 @@ interface(`samba_rw_config',` + + ######################################## + ## +-## Create, read, write, and delete +-## samba configuration files. ++## Allow the specified domain to read ++## and write samba configuration files. + ## + ## + ## +@@ -231,7 +340,7 @@ interface(`samba_manage_config',` + + ######################################## + ## +-## Read samba log files. ++## Allow the specified domain to read samba's log files. + ## + ## + ## +@@ -252,7 +361,7 @@ interface(`samba_read_log',` + + ######################################## + ## +-## Append to samba log files. ++## Allow the specified domain to append to samba's log files. + ## + ## + ## +@@ -273,7 +382,7 @@ interface(`samba_append_log',` + + ######################################## + ## +-## Execute samba log files in the caller domain. ++## Execute samba log in the caller domain. + ## + ## + ## +@@ -292,7 +401,7 @@ interface(`samba_exec_log',` + + ######################################## + ## +-## Read samba secret files. ++## Allow the specified domain to read samba's secrets. + ## + ## + ## +@@ -311,7 +420,7 @@ interface(`samba_read_secrets',` + + ######################################## + ## +-## Read samba share files. ++## Allow the specified domain to read samba's shares + ## + ## + ## +@@ -330,7 +439,8 @@ interface(`samba_read_share_files',` + + ######################################## + ## +-## Search samba var directories. ++## Allow the specified domain to search ++## samba /var directories. 
+ ## + ## + ## +@@ -343,13 +453,15 @@ interface(`samba_search_var',` + type samba_var_t; + ') + ++ files_search_var($1) + files_search_var_lib($1) + allow $1 samba_var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read samba var files. ++## Allow the specified domain to ++## read samba /var files. + ## + ## + ## +@@ -362,14 +474,15 @@ interface(`samba_read_var_files',` type samba_var_t; ') -- files_search_var($1) -+ files_search_var_lib($1) ++ files_search_var($1) + files_search_var_lib($1) + read_files_pattern($1, samba_var_t, samba_var_t) + ') + + ######################################## + ## +-## Do not audit attempts to write +-## samba var files. ++## Do not audit attempts to write samba ++## /var files. + ## + ## + ## +@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',` + + ######################################## + ## +-## Read and write samba var files. ++## Allow the specified domain to ++## read and write samba /var files. + ## + ## + ## +@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',` + type samba_var_t; + ') + ++ files_search_var($1) + files_search_var_lib($1) + rw_files_pattern($1, samba_var_t, samba_var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## samba var files. ++## Allow the specified domain to ++## read and write samba /var files. + ## + ## + ## +@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',` + ') + files_search_var_lib($1) ++ files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ') ######################################## -@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',` + ## +-## Execute smbcontrol in the smbcontrol domain. ++## Execute a domain transition to run smbcontrol. + ## + ## +-## ++## + ## Domain allowed to transition. 
+-## ++## + ## + # + interface(`samba_domtrans_smbcontrol',` + gen_require(` +- type smbcontrol_t, smbcontrol_exec_t; ++ type smbcontrol_t; ++ type smbcontrol_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) + ') + + ######################################## + ## +-## Execute smbcontrol in the smbcontrol +-## domain, and allow the specified +-## role the smbcontrol domain. ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. + ## + ## + ## +@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',` + # + interface(`samba_run_smbcontrol',` + gen_require(` +- attribute_role smbcontrol_roles; ++ type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) +- roleattribute $2 smbcontrol_roles; ++ role $2 types smbcontrol_t; + ') + + ######################################## + ## +-## Execute smbd in the smbd domain. ++## Execute smbd in the smbd_t domain. + ## + ## + ## +@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',` + + ###################################### + ## +-## Send generic signals to smbd. ++## Allow domain to signal samba + ## + ## + ## +@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',` + + ######################################## + ## +-## Do not audit attempts to inherit +-## and use smbd file descriptors. ++## Do not audit attempts to use file descriptors from samba. + ## + ## + ## +@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',` + + ######################################## + ## +-## Write smbmount tcp sockets. ++## Allow the specified domain to write to smbmount tcp sockets. + ## + ## + ## +@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',` + + ######################################## + ## +-## Read and write smbmount tcp sockets. ++## Allow the specified domain to read and write to smbmount tcp sockets. 
+ ## + ## + ## +@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` allow $1 smbmount_t:tcp_socket { read write }; ') +-######################################## +####################################### -+## + ## +-## Execute winbind helper in the +-## winbind helper domain. +## Allow to getattr on winbind binary. -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +## +## Domain allowed to transition. +## -+## -+# + ## + # +-interface(`samba_domtrans_winbind_helper',` +- gen_require(` +- type winbind_helper_t, winbind_helper_exec_t; +- ') +interface(`samba_getattr_winbind',` + gen_require(` + type winbind_exec_t; + ') -+ + +- corecmd_search_bin($1) +- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_exec_t:file getattr; -+') -+ - ######################################## + ') + +-####################################### ++######################################## ## - ## Execute winbind_helper in the winbind_helper domain. -@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',` +-## Get attributes of winbind executable files. ++## Execute winbind_helper in the winbind_helper domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## + # +-interface(`samba_getattr_winbind_exec',` ++interface(`samba_domtrans_winbind_helper',` + gen_require(` +- type winbind_exec_t; ++ type winbind_helper_t, winbind_helper_exec_t; ') - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) +- allow $1 winbind_exec_t:file getattr_file_perms; ++ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; ') ######################################## -@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',` - type winbind_var_run_t; + ## +-## Execute winbind helper in the winbind +-## helper domain, and allow the specified +-## role the winbind helper domain. 
++## Execute winbind_helper in the winbind_helper domain, and ++## allow the specified role the winbind_helper domain. + ## + ## + ## +@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',` + # + interface(`samba_run_winbind_helper',` + gen_require(` +- attribute_role winbind_helper_roles; ++ type winbind_helper_t; + ') + + samba_domtrans_winbind_helper($1) +- roleattribute $2 winbind_helper_roles; ++ role $2 types winbind_helper_t; + ') + + ######################################## + ## +-## Read winbind pid files. ++## Allow the specified domain to read the winbind pid files. + ## + ## + ## +@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',` + # + interface(`samba_read_winbind_pid',` + gen_require(` +- type winbind_var_run_t, smbd_var_run_t; ++ type winbind_var_run_t; ') - files_search_pids($1) +- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) + samba_search_pid($1) - allow $1 winbind_var_run_t:file read_file_perms; ++ allow $1 winbind_var_run_t:file read_file_perms; ') -@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',` - type samba_var_t, winbind_t, winbind_var_run_t; + ######################################## + ## +-## Connect to winbind with a unix +-## domain stream socket. ++## Connect to winbind. 
+ ## + ## + ## +@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',` + # + interface(`samba_stream_connect_winbind',` + gen_require(` +- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t; ++ type samba_var_t, winbind_t, winbind_var_run_t; ') - files_search_pids($1) +- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t) + samba_search_pid($1) - allow $1 samba_var_t:dir search_dir_perms; - stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) ++ allow $1 samba_var_t:dir search_dir_perms; ++ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) + samba_read_config($1) - - ifndef(`distro_redhat',` - gen_require(` -@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',` ++ ++ ifndef(`distro_redhat',` ++ gen_require(` ++ type winbind_tmp_t; ++ ') ++ ++ # the default for the socket is (poorly named): ++ # /tmp/.winbindd/pipe ++ files_search_tmp($1) ++ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) ++ ') + ') ######################################## ## +-## All of the rules required to +-## administrate an samba environment. +## Create a set of derived types for apache +## web content. +## 
@@ -59090,29 +66938,29 @@ index 82cb169..a6bab06 100644 + +######################################## +## - ## All of the rules required to administrate - ## an samba environment ++## All of the rules required to administrate ++## an samba environment ## -@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',` - # + ## + ## +@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the samba domain. + ## + ## + ## +@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',` interface(`samba_admin',` gen_require(` -- type nmbd_t, nmbd_var_run_t; -- type smbd_t, smbd_tmp_t; -- type smbd_var_run_t; -- type smbd_spool_t; -- -- type samba_log_t, samba_var_t; -- type samba_etc_t, samba_share_t; -- type samba_secrets_t; -- -- type swat_var_run_t, swat_tmp_t; -- + type nmbd_t, nmbd_var_run_t, smbd_var_run_t; +- type smbd_t, smbd_tmp_t, smbd_spool_t; +- type samba_log_t, samba_var_t, samba_secrets_t; +- type samba_etc_t, samba_share_t, samba_initrc_exec_t; +- type swat_var_run_t, swat_tmp_t, winbind_log_t; - type winbind_var_run_t, winbind_tmp_t; -- type winbind_log_t; -- -- type samba_initrc_exec_t; -+ type nmbd_t, nmbd_var_run_t, smbd_var_run_t; + type smbd_t, smbd_tmp_t, samba_secrets_t; + type samba_initrc_exec_t, samba_log_t, samba_var_t; + type samba_etc_t, samba_share_t, winbind_log_t; 
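Review bot: Several interface summaries on the new side understate what the interface grants: `samba_manage_config` and `samba_manage_var_files` are now described as `Allow the specified domain to read and write ...` although their bodies keep `manage_files_pattern` (and, for var files, the added `manage_lnk_files_pattern`), which also covers create, rename and delete. Upstream's `Create, read, write, and delete ...` wording was accurate and should be restored in both places. Likewise the new `samba_getattr_winbind` interface documents its argument as `Domain allowed to transition.` though it only grants `winbind_exec_t:file getattr`; `Domain allowed access.` is the wording the rest of the file uses for non-transition interfaces. The interface summary is what a policy author reads when deciding whether a call is appropriate, so an understated one is how over-privileged callers get approved.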
@@ -59121,23 +66969,19 @@ index 82cb169..a6bab06 100644 + type samba_unit_file_t; ') -- allow $1 smbd_t:process { ptrace signal_perms }; +- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { nmbd_t smbd_t }) + allow $1 smbd_t:process signal_perms; - ps_process_pattern($1, smbd_t) ++ ps_process_pattern($1, smbd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 smbd_t:process ptrace; + allow $1 nmbd_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace; + ') - -- allow $1 nmbd_t:process { ptrace signal_perms }; ++ + allow $1 nmbd_t:process signal_perms; - ps_process_pattern($1, nmbd_t) - -- samba_run_smbcontrol($1, $2, $3) -- samba_run_winbind_helper($1, $2, $3) -- samba_run_smbmount($1, $2, $3) -- samba_run_net($1, $2, $3) ++ ps_process_pattern($1, nmbd_t) ++ + allow $1 samba_unconfined_script_t:process signal_perms; + ps_process_pattern($1, samba_unconfined_script_t) + 
@@ -59148,20 +66992,51 @@ index 82cb169..a6bab06 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -709,9 +887,6 @@ interface(`samba_admin',` - admin_pattern($1, samba_var_t) - files_list_var($1) + role_transition $2 samba_initrc_exec_t system_r; + allow $2 system_r; + +- files_list_etc($1) ++ admin_pattern($1, nmbd_var_run_t) ++ + admin_pattern($1, samba_etc_t) ++ files_list_etc($1) + ++ admin_pattern($1, samba_log_t) + logging_list_logs($1) +- admin_pattern($1, { samba_log_t winbind_log_t }) + +- files_list_var($1) +- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) ++ admin_pattern($1, samba_secrets_t) -- admin_pattern($1, smbd_spool_t) - files_list_spool($1) -- - admin_pattern($1, smbd_var_run_t) +- admin_pattern($1, smbd_spool_t) ++ admin_pattern($1, samba_share_t) ++ ++ admin_pattern($1, samba_var_t) ++ files_list_var($1) + ++ admin_pattern($1, smbd_var_run_t) files_list_pids($1) +- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t }) -@@ -727,4 +902,9 @@ interface(`samba_admin',` - admin_pattern($1, winbind_tmp_t) ++ admin_pattern($1, smbd_tmp_t) + files_list_tmp($1) +- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) - admin_pattern($1, winbind_var_run_t) +- samba_run_smbcontrol($1, $2) +- samba_run_winbind_helper($1, $2) +- samba_run_smbmount($1, $2) +- samba_run_net($1, $2) ++ admin_pattern($1, swat_var_run_t) ++ ++ admin_pattern($1, swat_tmp_t) ++ ++ admin_pattern($1, winbind_log_t) ++ ++ admin_pattern($1, winbind_tmp_t) ++ ++ admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) + + samba_systemctl($1) @@ -59169,34 +67044,153 @@ index 82cb169..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 905883f..7e70344 100644 +index 57c034b..7e70344 100644 --- a/samba.te 
+++ b/samba.te -@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0) - ## public_content_rw_t. - ##

    +@@ -1,4 +1,4 @@ +-policy_module(samba, 1.15.7) ++policy_module(samba, 1.15.0) + + ################################# + # +@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7) + # + + ## +-##

    +-## Determine whether samba can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow samba to modify public files used for public file ++## transfer services. Files/Directories must be labeled ++## public_content_rw_t. ++##

    ##
    -gen_tunable(allow_smbd_anon_write, false) +gen_tunable(smbd_anon_write, false) ## - ##

    -@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false) +-##

    +-## Determine whether samba can +-## create home directories via pam. +-##

    ++##

    ++## Allow samba to create new home directories (e.g. via PAM) ++##

    + ##
    + gen_tunable(samba_create_home_dirs, false) + + ## +-##

    +-## Determine whether samba can act as the +-## domain controller, add users, groups +-## and change passwords. +-##

    ++##

    ++## Allow samba to act as the domain controller, add users, ++## groups and change passwords. ++## ++##

    + ##
    + gen_tunable(samba_domain_controller, false) ## - ##

    +-##

    +-## Determine whether samba can +-## act as a portmapper. +-##

    ++##

    +## Allow samba to act as a portmapper +## +##

    -+##
    -+gen_tunable(samba_portmapper, false) -+ -+## + ## + gen_tunable(samba_portmapper, false) + + ## +-##

    +-## Determine whether samba can share +-## users home directories. +-##

    +##

    - ## Allow samba to share users home directories. - ##

    ++## Allow samba to share users home directories. ++##

    + ##
    + gen_tunable(samba_enable_home_dirs, false) + + ## +-##

    +-## Determine whether samba can share +-## any content read only. +-##

    ++##

    ++## Allow samba to share any file/directory read only. ++##

    + ##
    + gen_tunable(samba_export_all_ro, false) + + ## +-##

    +-## Determine whether samba can share any +-## content readable and writable. +-##

    ++##

    ++## Allow samba to share any file/directory read/write. ++##

    ##
    -@@ -85,6 +93,9 @@ files_config_file(samba_etc_t) + gen_tunable(samba_export_all_rw, false) + + ## +-##

    +-## Determine whether samba can +-## run unconfined scripts. +-##

    ++##

    ++## Allow samba to run unconfined scripts ++##

    + ##
    + gen_tunable(samba_run_unconfined, false) + + ## +-##

    +-## Determine whether samba can +-## use nfs file systems. +-##

    ++##

    ++## Allow samba to export NFS volumes. ++##

    + ##
    + gen_tunable(samba_share_nfs, false) + + ## +-##

    +-## Determine whether samba can +-## use fuse file systems. +-##

    ++##

    ++## Allow samba to export ntfs/fusefs volumes. ++##

    + ##
    + gen_tunable(samba_share_fusefs, false) + +-attribute_role samba_net_roles; +-roleattribute system_r samba_net_roles; +- +-attribute_role smbcontrol_roles; +-roleattribute system_r smbcontrol_roles; +- +-attribute_role smbmount_roles; +-roleattribute system_r smbmount_roles; +- +-attribute_role winbind_helper_roles; +-roleattribute system_r winbind_helper_roles; +- + type nmbd_t; + type nmbd_exec_t; + init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -113,13 +93,16 @@ files_config_file(samba_etc_t) type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) 
@@ -59206,7 +67200,48 @@ index 905883f..7e70344 100644 type samba_log_t; logging_log_file(samba_log_t) -@@ -152,9 +163,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) + type samba_net_t; + type samba_net_exec_t; + application_domain(samba_net_t, samba_net_exec_t) +-role samba_net_roles types samba_net_t; ++role system_r types samba_net_t; + + type samba_net_tmp_t; + files_tmp_file(samba_net_tmp_t) +@@ -136,7 +119,7 @@ files_type(samba_var_t) + type smbcontrol_t; + type smbcontrol_exec_t; + application_domain(smbcontrol_t, smbcontrol_exec_t) +-role smbcontrol_roles types smbcontrol_t; ++role system_r types smbcontrol_t; + + type smbd_t; + type smbd_exec_t; +@@ -149,9 +132,10 @@ type smbd_var_run_t; + files_pid_file(smbd_var_run_t) + + type smbmount_t; ++domain_type(smbmount_t) ++ + type smbmount_exec_t; +-application_domain(smbmount_t, smbmount_exec_t) +-role smbmount_roles types smbmount_t; ++domain_entry_file(smbmount_t, smbmount_exec_t) + + type swat_t; + type swat_exec_t; +@@ -170,27 +154,28 @@ type winbind_exec_t; + init_daemon_domain(winbind_t, winbind_exec_t) + + type winbind_helper_t; ++domain_type(winbind_helper_t) ++role system_r types winbind_helper_t; ++ + type winbind_helper_exec_t; +-application_domain(winbind_helper_t, winbind_helper_exec_t) +-role winbind_helper_roles types winbind_helper_t; ++domain_entry_file(winbind_helper_t, winbind_helper_exec_t) + type winbind_log_t; logging_log_file(winbind_log_t) 
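Review bot: The new patch content rewinds the module version, turning upstream's `policy_module(samba, 1.15.7)` into `policy_module(samba, 1.15.0)` in the first samba.te hunk, whereas the old patch content (`-@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)`) shows it previously left the upstream version alone; given this is a conflicted merge, that `+-`/`++` pair on `policy_module` looks like a rebase artefact and should be dropped so the shipped module is not versioned below what upstream ships. Further down the same hunk the patch now also deletes upstream's `attribute_role samba_net_roles`, `smbcontrol_roles`, `smbmount_roles` and `winbind_helper_roles` declarations together with their `roleattribute system_r ...` bindings, and the following hunk (ending at L2815) hard-codes `role system_r types samba_net_t` and `role system_r types smbcontrol_t` in their place. That removes the indirection other modules would use to let a non-`system_r` role enter these domains, so either keep the upstream role attributes or add a short comment at the `role system_r types ...` lines, e.g. `# only system_r may enter the samba tool domains; role attributes intentionally dropped`, so the next rebase does not silently re-litigate it. samba.te continues past this hunk, but both points are fully visible here.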
@@ -59216,29 +67251,50 @@ index 905883f..7e70344 100644 type winbind_var_run_t; files_pid_file(winbind_var_run_t) -@@ -181,11 +189,12 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) - manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) - manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) + ######################################## + # +-# Net local policy ++# Samba net local policy + # +- + allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; + allow samba_net_t self:process { getsched setsched }; +-allow samba_net_t self:unix_stream_socket { accept listen }; ++allow samba_net_t self:unix_dgram_socket create_socket_perms; ++allow samba_net_t self:unix_stream_socket create_stream_socket_perms; ++allow samba_net_t self:udp_socket create_socket_perms; ++allow samba_net_t self:tcp_socket create_socket_perms; + + allow samba_net_t samba_etc_t:file read_file_perms; + +@@ -206,17 +191,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) -+files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") + files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") - kernel_read_proc_symlinks(samba_net_t) ++kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) -+kernel_read_network_state(samba_net_t) + kernel_read_network_state(samba_net_t) -corenet_all_recvfrom_unlabeled(samba_net_t) corenet_all_recvfrom_netlabel(samba_net_t) - corenet_tcp_sendrecv_generic_if(samba_net_t) ++corenet_tcp_sendrecv_generic_if(samba_net_t) corenet_udp_sendrecv_generic_if(samba_net_t) -@@ -203,7 +212,6 @@ dev_read_urand(samba_net_t) - - domain_use_interactive_fds(samba_net_t) ++corenet_raw_sendrecv_generic_if(samba_net_t) + corenet_tcp_sendrecv_generic_node(samba_net_t) +- +-corenet_sendrecv_smbd_client_packets(samba_net_t) ++corenet_udp_sendrecv_generic_node(samba_net_t) ++corenet_raw_sendrecv_generic_node(samba_net_t) 
++corenet_tcp_sendrecv_all_ports(samba_net_t) ++corenet_udp_sendrecv_all_ports(samba_net_t) ++corenet_tcp_bind_generic_node(samba_net_t) ++corenet_udp_bind_generic_node(samba_net_t) + corenet_tcp_connect_smbd_port(samba_net_t) +-corenet_tcp_sendrecv_smbd_port(samba_net_t) --files_read_etc_files(samba_net_t) - files_read_usr_symlinks(samba_net_t) + dev_read_urand(samba_net_t) - auth_use_nsswitch(samba_net_t) -@@ -211,15 +219,16 @@ auth_manage_cache(samba_net_t) +@@ -229,54 +219,60 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) 
@@ -59259,138 +67315,211 @@ index 905883f..7e70344 100644 ') optional_policy(` -@@ -228,13 +237,15 @@ optional_policy(` +- pcscd_read_pid_files(samba_net_t) ++ pcscd_read_pub_files(samba_net_t) + ') optional_policy(` kerberos_use(samba_net_t) +- kerberos_etc_filetrans_keytab(samba_net_t, file) + kerberos_etc_filetrans_keytab(samba_net_t) ') ######################################## # - # smbd Local policy +-# Smbd Local policy ++# smbd Local policy # --allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+ -+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; + + allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; - allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow smbd_t self:process setrlimit; -@@ -244,6 +255,7 @@ allow smbd_t self:msg { send receive }; +-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; ++allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow smbd_t self:process setrlimit; + allow smbd_t self:fd use; + allow smbd_t self:fifo_file rw_fifo_file_perms; + allow smbd_t self:msg { send receive }; allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; +-allow smbd_t self:tcp_socket { accept listen }; +-allow smbd_t self:unix_dgram_socket sendto; +-allow smbd_t self:unix_stream_socket { accept connectto listen }; +allow smbd_t self:key manage_key_perms; - allow smbd_t self:sock_file read_sock_file_perms; - allow smbd_t self:tcp_socket create_stream_socket_perms; - allow smbd_t self:udp_socket create_socket_perms; 
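Review bot: The samba_net_t network rules on the new side replace the port-specific `corenet_tcp_sendrecv_smbd_port(samba_net_t)` and `corenet_sendrecv_smbd_client_packets(samba_net_t)` with `corenet_tcp_sendrecv_all_ports(samba_net_t)` and `corenet_udp_sendrecv_all_ports(samba_net_t)`, and additionally add `corenet_tcp_bind_generic_node` / `corenet_udp_bind_generic_node`, so a helper that previously could only exchange traffic with the smbd port may now send and receive on any labelled port. The next hunk (ending at L2823) does the same for smbd_t, adding unconditional `corenet_tcp_sendrecv_all_ports(smbd_t)` and `corenet_udp_sendrecv_all_ports(smbd_t)` while dropping `corenet_tcp_sendrecv_smbd_port(smbd_t)` and `corenet_tcp_sendrecv_ipp_port(smbd_t)`; in the upstream lines it removes at L2823, the all-ports rule for smbd_t was confined to the `samba_portmapper` tunable, and the new side's tunable keeps only the epmap and unreserved-port binds. If the broadening is needed for dynamic RPC ports, gating the all-ports rules behind that tunable as upstream did, or at least a comment naming the motivating access (`# samba uses dynamic RPC ports; see <ticket placeholder>`), would keep the default policy closer to least privilege. An unconditional `sendrecv_all_ports` next to `bind_generic_node` is the first thing a policy audit will flag.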
-@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow smbd_t nmbd_t:process { signal signull }; ++allow smbd_t self:sock_file read_sock_file_perms; ++allow smbd_t self:tcp_socket create_stream_socket_perms; ++allow smbd_t self:udp_socket create_socket_perms; ++allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++allow smbd_t nmbd_t:process { signal signull }; - allow smbd_t nmbd_var_run_t:file rw_file_perms; +-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; ++allow smbd_t nmbd_var_run_t:file rw_file_perms; +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) - allow smbd_t samba_etc_t:file { rw_file_perms setattr }; +-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; ++allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) - manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) - manage_files_pattern(smbd_t, samba_share_t, samba_share_t) - manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) --allow smbd_t samba_share_t:filesystem getattr; -+allow smbd_t samba_share_t:filesystem { getattr quotaget }; + manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) +-append_files_pattern(smbd_t, samba_log_t, samba_log_t) +-create_files_pattern(smbd_t, samba_log_t, samba_log_t) +-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t) ++manage_files_pattern(smbd_t, samba_log_t, samba_log_t) - manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) - manage_files_pattern(smbd_t, samba_var_t, samba_var_t) - manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) - manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) -+files_var_filetrans(smbd_t, samba_var_t, dir, "samba") +-allow smbd_t samba_net_tmp_t:file getattr_file_perms; ++allow smbd_t 
samba_net_tmp_t:file getattr; - allow smbd_t smbcontrol_t:process { signal signull }; + manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) + filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -292,6 +288,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) + files_var_filetrans(smbd_t, samba_var_t, dir, "samba") -@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) - manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) - manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) ++allow smbd_t smbcontrol_t:process { signal signull }; ++ + manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) + manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) + files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -301,11 +299,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) --files_pid_filetrans(smbd_t, smbd_var_run_t, file) -+files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) + files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) + +-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms; +-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t) ++allow smbd_t swat_t:process signal; + +-allow smbd_t nmbd_var_run_t:file read_file_perms; +-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; ++ ++allow smbd_t winbind_t:process { signal signull }; - allow smbd_t swat_t:process signal; + kernel_getattr_core_if(smbd_t) + kernel_getattr_message_if(smbd_t) +@@ -315,43 +313,33 @@ kernel_read_kernel_sysctls(smbd_t) + kernel_read_software_raid_state(smbd_t) + kernel_read_system_state(smbd_t) -@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t) +-corecmd_exec_bin(smbd_t) corecmd_exec_shell(smbd_t) - corecmd_exec_bin(smbd_t) ++corecmd_exec_bin(smbd_t) 
-corenet_all_recvfrom_unlabeled(smbd_t) corenet_all_recvfrom_netlabel(smbd_t) corenet_tcp_sendrecv_generic_if(smbd_t) - corenet_udp_sendrecv_generic_if(smbd_t) -@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t) ++corenet_udp_sendrecv_generic_if(smbd_t) ++corenet_raw_sendrecv_generic_if(smbd_t) + corenet_tcp_sendrecv_generic_node(smbd_t) ++corenet_udp_sendrecv_generic_node(smbd_t) ++corenet_raw_sendrecv_generic_node(smbd_t) ++corenet_tcp_sendrecv_all_ports(smbd_t) ++corenet_udp_sendrecv_all_ports(smbd_t) + corenet_tcp_bind_generic_node(smbd_t) +- +-corenet_sendrecv_smbd_client_packets(smbd_t) +-corenet_tcp_connect_smbd_port(smbd_t) +-corenet_sendrecv_smbd_server_packets(smbd_t) ++corenet_udp_bind_generic_node(smbd_t) + corenet_tcp_bind_smbd_port(smbd_t) +-corenet_tcp_sendrecv_smbd_port(smbd_t) +- +-corenet_sendrecv_ipp_client_packets(smbd_t) + corenet_tcp_connect_ipp_port(smbd_t) +-corenet_tcp_sendrecv_ipp_port(smbd_t) ++corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) +dev_dontaudit_write_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) - # For redhat bug 566984 -@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t) ++# For redhat bug 566984 + dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) +-domain_use_interactive_fds(smbd_t) +-domain_dontaudit_list_all_domains_state(smbd_t) +- +-files_list_var_lib(smbd_t) +-files_read_etc_runtime_files(smbd_t) +-files_read_usr_files(smbd_t) +-files_search_spool(smbd_t) +-files_dontaudit_getattr_all_dirs(smbd_t) +-files_dontaudit_list_all_mountpoints(smbd_t) +-files_list_mnt(smbd_t) +- fs_getattr_all_fs(smbd_t) -+fs_getattr_all_dirs(smbd_t) + fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) - fs_search_auto_mountpoints(smbd_t) - fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +348,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) -+fs_get_all_fs_quotas(smbd_t) + fs_get_all_fs_quotas(smbd_t) +-term_use_ptmx(smbd_t) +- 
auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) auth_manage_cache(smbd_t) -+auth_write_login_records(smbd_t) - - domain_use_interactive_fds(smbd_t) - domain_dontaudit_list_all_domains_state(smbd_t) - - files_list_var_lib(smbd_t) --files_read_etc_files(smbd_t) - files_read_etc_runtime_files(smbd_t) - files_read_usr_files(smbd_t) - files_search_spool(smbd_t) - # smbd seems to getattr all mountpoints - files_dontaudit_getattr_all_dirs(smbd_t) + auth_write_login_records(smbd_t) + ++domain_use_interactive_fds(smbd_t) ++domain_dontaudit_list_all_domains_state(smbd_t) ++ ++files_list_var_lib(smbd_t) ++files_read_etc_runtime_files(smbd_t) ++files_read_usr_files(smbd_t) ++files_search_spool(smbd_t) ++# smbd seems to getattr all mountpoints ++files_dontaudit_getattr_all_dirs(smbd_t) +files_dontaudit_list_all_mountpoints(smbd_t) - # Allow samba to list mnt_t for potential mounted dirs - files_list_mnt(smbd_t) ++# Allow samba to list mnt_t for potential mounted dirs ++files_list_mnt(smbd_t) ++ + init_rw_utmp(smbd_t) -@@ -355,9 +372,10 @@ init_rw_utmp(smbd_t) logging_search_logs(smbd_t) logging_send_syslog_msg(smbd_t) -miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) -+sysnet_use_ldap(smbd_t) -+ + sysnet_use_ldap(smbd_t) + userdom_use_unpriv_users_fds(smbd_t) - userdom_search_user_home_content(smbd_t) ++userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -372,8 +390,13 @@ ifdef(`hide_broken_symptoms', ` +-userdom_home_filetrans_user_home_dir(smbd_t) +-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) + + usermanage_read_crack_db(smbd_t) + +-ifdef(`hide_broken_symptoms',` ++term_use_ptmx(smbd_t) ++ ++ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') -tunable_policy(`allow_smbd_anon_write',` 
+tunable_policy(`smbd_anon_write',` miscfiles_manage_public_files(smbd_t) +-') +') -+ + +-tunable_policy(`samba_create_home_dirs',` +- allow smbd_t self:capability chown; +- userdom_create_user_home_dirs(smbd_t) +tunable_policy(`samba_portmapper',` + corenet_tcp_bind_epmap_port(smbd_t) + corenet_tcp_bind_all_unreserved_ports(smbd_t) ') tunable_policy(`samba_domain_controller',` -@@ -389,12 +412,7 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +412,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` 
@@ -59399,104 +67528,131 @@ index 905883f..7e70344 100644 - userdom_manage_user_home_content_symlinks(smbd_t) - userdom_manage_user_home_content_sockets(smbd_t) - userdom_manage_user_home_content_pipes(smbd_t) -- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) +-') +- +-tunable_policy(`samba_portmapper',` +- corenet_sendrecv_all_server_packets(smbd_t) +- corenet_tcp_bind_epmap_port(smbd_t) +- corenet_tcp_bind_all_unreserved_ports(smbd_t) +- corenet_tcp_sendrecv_all_ports(smbd_t) + userdom_manage_user_home_content(smbd_t) ') - # Support Samba sharing of NFS mount points -@@ -415,6 +433,15 @@ tunable_policy(`samba_share_fusefs',` ++# Support Samba sharing of NFS mount points + tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) +@@ -435,6 +424,7 @@ tunable_policy(`samba_share_nfs',` + fs_manage_nfs_named_sockets(smbd_t) + ') + ++# Support Samba sharing of ntfs/fusefs mount points + tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +@@ -442,17 +432,6 @@ tunable_policy(`samba_share_fusefs',` + fs_search_fusefs(smbd_t) ') +-tunable_policy(`samba_export_all_ro',` +- fs_read_noxattr_fs_files(smbd_t) +- files_list_non_auth_dirs(smbd_t) +- files_read_non_auth_files(smbd_t) +-') +- +-tunable_policy(`samba_export_all_rw',` +- fs_read_noxattr_fs_files(smbd_t) +- files_manage_non_auth_files(smbd_t) +-') +- optional_policy(` -+ ccs_read_config(smbd_t) -+') -+ -+optional_policy(` -+ ctdbd_stream_connect(smbd_t) -+ ctdbd_manage_lib_files(smbd_t) -+') -+ -+optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) + ccs_read_config(smbd_t) + ') +@@ -473,6 +452,11 @@ optional_policy(` ') -@@ -426,6 +453,7 @@ optional_policy(` optional_policy(` - ldap_stream_connect(smbd_t) ++ ldap_stream_connect(smbd_t) + dirsrv_stream_connect(smbd_t) ++') ++ ++optional_policy(` + lpd_exec_lpr(smbd_t) ') - optional_policy(` -@@ -452,26 
+480,26 @@ optional_policy(` - tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) -- userdom_home_filetrans_user_home_dir(smbd_t) +@@ -493,9 +477,32 @@ optional_policy(` + udev_read_db(smbd_t) ') ++tunable_policy(`samba_create_home_dirs',` ++ allow smbd_t self:capability chown; ++ userdom_create_user_home_dirs(smbd_t) ++') ++ +userdom_home_filetrans_user_home_dir(smbd_t) + - tunable_policy(`samba_export_all_ro',` -- fs_read_noxattr_fs_files(smbd_t) -- files_list_non_auth_dirs(smbd_t) -- files_read_non_auth_files(smbd_t) -- fs_read_noxattr_fs_files(nmbd_t) -- files_list_non_auth_dirs(nmbd_t) -- files_read_non_auth_files(nmbd_t) ++tunable_policy(`samba_export_all_ro',` + fs_read_noxattr_fs_files(smbd_t) + files_read_non_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + files_read_non_security_files(nmbd_t) - ') - - tunable_policy(`samba_export_all_rw',` -- fs_read_noxattr_fs_files(smbd_t) -- files_manage_non_auth_files(smbd_t) -- fs_read_noxattr_fs_files(nmbd_t) -- files_manage_non_auth_files(nmbd_t) -- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) ++') ++ ++tunable_policy(`samba_export_all_rw',` + fs_read_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) - ') - ++') ++ +userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) + ######################################## # - # nmbd Local policy -@@ -491,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms; - allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - -+manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) +-# Nmbd Local policy ++# nmbd Local policy + # + + dontaudit nmbd_t self:capability sys_tty_config; +@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive }; + 
allow nmbd_t self:msgq create_msgq_perms; + allow nmbd_t self:sem create_sem_perms; + allow nmbd_t self:shm create_shm_perms; +-allow nmbd_t self:tcp_socket { accept listen }; +-allow nmbd_t self:unix_dgram_socket sendto; +-allow nmbd_t self:unix_stream_socket { accept connectto listen }; ++allow nmbd_t self:sock_file read_sock_file_perms; ++allow nmbd_t self:tcp_socket create_stream_socket_perms; ++allow nmbd_t self:udp_socket create_socket_perms; ++allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) --files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) -+manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) -+filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir) - - read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -501,11 +532,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) - manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) -+manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) -+manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) -+manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) -+files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) +-append_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-create_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) ++manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - allow nmbd_t smbcontrol_t:process signal; + manage_files_pattern(nmbd_t, samba_var_t, 
samba_var_t) + manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) + manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) +-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") + files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") --allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +-allow nmbd_t { swat_t smbcontrol_t }:process signal; - +-allow nmbd_t smbd_var_run_t:dir rw_dir_perms; ++allow nmbd_t smbcontrol_t:process signal; + kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) - kernel_read_kernel_sysctls(nmbd_t) -@@ -513,7 +546,6 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
@@ -59504,113 +67660,192 @@ index 905883f..7e70344 100644 corenet_all_recvfrom_netlabel(nmbd_t) corenet_tcp_sendrecv_generic_if(nmbd_t) corenet_udp_sendrecv_generic_if(nmbd_t) -@@ -536,7 +568,6 @@ fs_search_auto_mountpoints(nmbd_t) + corenet_tcp_sendrecv_generic_node(nmbd_t) + corenet_udp_sendrecv_generic_node(nmbd_t) ++corenet_tcp_sendrecv_all_ports(nmbd_t) ++corenet_udp_sendrecv_all_ports(nmbd_t) + corenet_udp_bind_generic_node(nmbd_t) +- +-corenet_sendrecv_nmbd_server_packets(nmbd_t) + corenet_udp_bind_nmbd_port(nmbd_t) +-corenet_udp_sendrecv_nmbd_port(nmbd_t) +- +-corenet_sendrecv_smbd_client_packets(nmbd_t) ++corenet_sendrecv_nmbd_server_packets(nmbd_t) ++corenet_sendrecv_nmbd_client_packets(nmbd_t) + corenet_tcp_connect_smbd_port(nmbd_t) +-corenet_tcp_sendrecv_smbd_port(nmbd_t) + + dev_read_sysfs(nmbd_t) + dev_getattr_mtrr_dev(nmbd_t) + ++fs_getattr_all_fs(nmbd_t) ++fs_search_auto_mountpoints(nmbd_t) ++ domain_use_interactive_fds(nmbd_t) files_read_usr_files(nmbd_t) --files_read_etc_files(nmbd_t) files_list_var_lib(nmbd_t) +-fs_getattr_all_fs(nmbd_t) +-fs_search_auto_mountpoints(nmbd_t) +- auth_use_nsswitch(nmbd_t) -@@ -544,12 +575,14 @@ auth_use_nsswitch(nmbd_t) + logging_search_logs(nmbd_t) logging_send_syslog_msg(nmbd_t) -miscfiles_read_localization(nmbd_t) - userdom_use_unpriv_users_fds(nmbd_t) - userdom_dontaudit_search_user_home_dirs(nmbd_t) +-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) +- +-tunable_policy(`samba_export_all_ro',` +- fs_read_noxattr_fs_files(nmbd_t) +- files_list_non_auth_dirs(nmbd_t) +- files_read_non_auth_files(nmbd_t) +-') ++userdom_dontaudit_search_user_home_dirs(nmbd_t) - optional_policy(` -+ ctdbd_stream_connect(nmbd_t) -+') -+ +-tunable_policy(`samba_export_all_rw',` +- fs_read_noxattr_fs_files(nmbd_t) +- files_manage_non_auth_files(nmbd_t) +optional_policy(` - seutil_sigchld_newrole(nmbd_t) ++ ctdbd_stream_connect(nmbd_t) ') -@@ -562,18 +595,21 @@ optional_policy(` - # smbcontrol local policy + 
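Review bot: `userdom_home_filetrans_user_home_dir(smbd_t)` and `userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })` now sit at file scope, directly after the `samba_create_home_dirs` and `samba_export_all_rw` tunables that used to enclose them, while the matching `userdom_create_user_home_dirs(smbd_t)` and `files_manage_non_security_files(nmbd_t)` stay conditional. Whether this widens access depends on the interface definitions: if they expand through refpolicy's `filetrans_pattern`, which also grants `rw_dir_perms` on the parent directory, smbd_t and nmbd_t gain unconditional write access to home-directory parents regardless of the tunable — worth confirming before merging. If the move is deliberate (a type_transition that must apply whenever the tunable-gated rules do fire), a comment above each line, e.g. `# kept outside the tunable so the transition applies whenever the gated create rules are enabled`, would stop the placement from reading as a rebase accident. The enclosing samba.te section continues into the next hunk.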
optional_policy(` +@@ -600,17 +592,24 @@ optional_policy(` + + ######################################## + # +-# Smbcontrol local policy ++# smbcontrol local policy # + -+allow smbcontrol_t self:process signal; - # internal communication is often done using fifo and unix sockets. - allow smbcontrol_t self:fifo_file rw_file_perms; + allow smbcontrol_t self:process signal; +-allow smbcontrol_t self:fifo_file rw_fifo_file_perms; ++# internal communication is often done using fifo and unix sockets. ++allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; -+allow smbcontrol_t self:process { signal signull }; + allow smbcontrol_t self:process { signal signull }; - allow smbcontrol_t nmbd_t:process { signal signull }; +-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; +-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) ++allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) --allow smbcontrol_t nmbd_var_run_t:file { read lock }; -- --allow smbcontrol_t smbd_t:process signal; -- +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) - allow smbcontrol_t winbind_t:process { signal signull }; - ++allow smbcontrol_t winbind_t:process { signal signull }; ++ +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -581,11 +617,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -620,16 +619,13 @@ domain_use_interactive_fds(smbcontrol_t) - domain_use_interactive_fds(smbcontrol_t) + dev_read_urand(smbcontrol_t) -files_read_etc_files(smbcontrol_t) -+dev_read_urand(smbcontrol_t) -+ +-files_search_var_lib(smbcontrol_t) +files_read_usr_files(smbcontrol_t) -+ -+term_use_console(smbcontrol_t) -+ -+sysnet_use_ldap(smbcontrol_t) + + 
term_use_console(smbcontrol_t) -miscfiles_read_localization(smbcontrol_t) -+userdom_use_inherited_user_terminals(smbcontrol_t) +- + sysnet_use_ldap(smbcontrol_t) -userdom_use_user_terminals(smbcontrol_t) -+optional_policy(` -+ ctdbd_stream_connect(smbcontrol_t) -+') ++userdom_use_inherited_user_terminals(smbcontrol_t) + + optional_policy(` + ctdbd_stream_connect(smbcontrol_t) +@@ -637,22 +633,23 @@ optional_policy(` ######################################## # -@@ -604,18 +648,20 @@ allow smbmount_t samba_etc_t:file read_file_perms; +-# Smbmount Local policy ++# smbmount Local policy + # - can_exec(smbmount_t, smbmount_exec_t) +-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; +-allow smbmount_t self:process signal_perms; +-allow smbmount_t self:tcp_socket { accept listen }; ++allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? ++allow smbmount_t self:process { fork signal_perms }; ++allow smbmount_t self:tcp_socket create_stream_socket_perms; ++allow smbmount_t self:udp_socket connect; + allow smbmount_t self:unix_dgram_socket create_socket_perms; + allow smbmount_t self:unix_stream_socket create_socket_perms; + + allow smbmount_t samba_etc_t:dir list_dir_perms; + allow smbmount_t samba_etc_t:file read_file_perms; -allow smbmount_t samba_log_t:dir list_dir_perms; +-append_files_pattern(smbmount_t, samba_log_t, samba_log_t) +-create_files_pattern(smbmount_t, samba_log_t, samba_log_t) +-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t) ++can_exec(smbmount_t, smbmount_exec_t) ++ +allow smbmount_t samba_log_t:dir list_dir_perms; - allow smbmount_t samba_log_t:file manage_file_perms; ++allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; -+manage_dirs_pattern(smbmount_t, samba_var_t, samba_var_t) - manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +658,22 @@ manage_files_pattern(smbmount_t, 
samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) -+files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") -+ - files_list_var_lib(smbmount_t) + files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") + +-can_exec(smbmount_t, smbmount_exec_t) ++files_list_var_lib(smbmount_t) kernel_read_system_state(smbmount_t) -corenet_all_recvfrom_unlabeled(smbmount_t) corenet_all_recvfrom_netlabel(smbmount_t) corenet_tcp_sendrecv_generic_if(smbmount_t) - corenet_raw_sendrecv_generic_if(smbmount_t) -@@ -645,31 +691,32 @@ files_list_mnt(smbmount_t) - files_mounton_mnt(smbmount_t) - files_manage_etc_runtime_files(smbmount_t) - files_etc_filetrans_etc_runtime(smbmount_t, file) --files_read_etc_files(smbmount_t) - - auth_use_nsswitch(smbmount_t) ++corenet_raw_sendrecv_generic_if(smbmount_t) ++corenet_udp_sendrecv_generic_if(smbmount_t) + corenet_tcp_sendrecv_generic_node(smbmount_t) +- +-corenet_sendrecv_all_client_packets(smbmount_t) +-corenet_tcp_connect_all_ports(smbmount_t) ++corenet_raw_sendrecv_generic_node(smbmount_t) ++corenet_udp_sendrecv_generic_node(smbmount_t) + corenet_tcp_sendrecv_all_ports(smbmount_t) +- +-corecmd_list_bin(smbmount_t) +- +-files_list_mnt(smbmount_t) +-files_list_var_lib(smbmount_t) +-files_mounton_mnt(smbmount_t) +-files_manage_etc_runtime_files(smbmount_t) +-files_etc_filetrans_etc_runtime(smbmount_t, file) ++corenet_udp_sendrecv_all_ports(smbmount_t) ++corenet_tcp_bind_generic_node(smbmount_t) ++corenet_udp_bind_generic_node(smbmount_t) ++corenet_tcp_connect_all_ports(smbmount_t) + + fs_getattr_cifs(smbmount_t) + fs_mount_cifs(smbmount_t) +@@ -692,58 +685,78 @@ fs_read_cifs_files(smbmount_t) + storage_raw_read_fixed_disk(smbmount_t) + storage_raw_write_fixed_disk(smbmount_t) + +-auth_use_nsswitch(smbmount_t) ++corecmd_list_bin(smbmount_t) -miscfiles_read_localization(smbmount_t) -- ++files_list_mnt(smbmount_t) ++files_mounton_mnt(smbmount_t) ++files_manage_etc_runtime_files(smbmount_t) 
++files_etc_filetrans_etc_runtime(smbmount_t, file) ++ ++auth_use_nsswitch(smbmount_t) + -mount_use_fds(smbmount_t) locallogin_use_fds(smbmount_t) @@ -59631,7 +67866,8 @@ index 905883f..7e70344 100644 + ######################################## # - # SWAT Local policy +-# Swat Local policy ++# SWAT Local policy # allow swat_t self:capability { dac_override setuid setgid sys_resource }; 
@@ -59639,43 +67875,80 @@ index 905883f..7e70344 100644 allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -684,7 +731,8 @@ samba_domtrans_nmbd(swat_t) - allow swat_t nmbd_t:process { signal signull }; - allow nmbd_t swat_t:process signal; +-allow swat_t self:tcp_socket { accept listen }; ++allow swat_t self:tcp_socket create_stream_socket_perms; ++allow swat_t self:udp_socket create_socket_perms; + allow swat_t self:unix_stream_socket connectto; --allow swat_t smbd_var_run_t:file { lock unlink }; +-allow swat_t { nmbd_t smbd_t }:process { signal signull }; ++samba_domtrans_smbd(swat_t) ++allow swat_t smbd_t:process { signal signull }; + +-allow swat_t smbd_var_run_t:file read_file_perms; +-allow swat_t smbd_var_run_t:file { lock delete_file_perms }; ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; ++ +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++ ++allow swat_t smbd_port_t:tcp_socket name_bind; ++ ++allow swat_t nmbd_port_t:udp_socket name_bind; - allow swat_t smbd_port_t:tcp_socket name_bind; + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -698,13 +746,17 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) + manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) +-append_files_pattern(swat_t, samba_log_t, samba_log_t) +-create_files_pattern(swat_t, samba_log_t, samba_log_t) +-setattr_files_pattern(swat_t, samba_log_t, samba_log_t) ++manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) -+manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) + manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) 
-+files_var_filetrans(swat_t, samba_var_t, dir, "samba") +-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) + files_var_filetrans(swat_t, samba_var_t, dir, "samba") +files_list_var_lib(swat_t) allow swat_t smbd_exec_t:file mmap_file_perms ; - allow swat_t smbd_t:process signull; - - allow swat_t smbd_var_run_t:file read_file_perms; +-allow swat_t { winbind_t smbd_t }:process { signal signull }; ++allow swat_t smbd_t:process signull; ++ ++allow swat_t smbd_var_run_t:file read_file_perms; +allow swat_t smbd_var_run_t:file { lock unlink }; manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -717,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; - domtrans_pattern(swat_t, winbind_exec_t, winbind_t) - allow swat_t winbind_t:process { signal signull }; +@@ -752,17 +765,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) + manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) + files_pid_filetrans(swat_t, swat_var_run_t, file) +-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) +-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms }; +-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms }; +- +-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +- +-samba_domtrans_smbd(swat_t) +-samba_domtrans_nmbd(swat_t) +- ++allow swat_t winbind_exec_t:file mmap_file_perms; + domtrans_pattern(swat_t, winbind_exec_t, winbind_t) ++allow swat_t winbind_t:process { signal signull }; ++ +read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) - allow swat_t winbind_var_run_t:dir { write add_name remove_name }; - allow swat_t winbind_var_run_t:sock_file { create unlink }; ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -726,7 +779,6 @@ 
kernel_read_network_state(swat_t) + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -770,28 +779,19 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -59683,47 +67956,97 @@ index 905883f..7e70344 100644 corenet_all_recvfrom_netlabel(swat_t) corenet_tcp_sendrecv_generic_if(swat_t) corenet_udp_sendrecv_generic_if(swat_t) -@@ -744,7 +796,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) ++corenet_raw_sendrecv_generic_if(swat_t) + corenet_tcp_sendrecv_generic_node(swat_t) + corenet_udp_sendrecv_generic_node(swat_t) +-corenet_tcp_bind_generic_node(swat_t) +-corenet_udp_bind_generic_node(swat_t) +- +-corenet_sendrecv_nmbd_server_packets(swat_t) +-corenet_udp_bind_nmbd_port(swat_t) +-corenet_udp_sendrecv_nmbd_port(swat_t) +- +-corenet_sendrecv_smbd_client_packets(swat_t) ++corenet_raw_sendrecv_generic_node(swat_t) ++corenet_tcp_sendrecv_all_ports(swat_t) ++corenet_udp_sendrecv_all_ports(swat_t) + corenet_tcp_connect_smbd_port(swat_t) +-corenet_sendrecv_smbd_server_packets(swat_t) +-corenet_tcp_bind_smbd_port(swat_t) +-corenet_tcp_sendrecv_smbd_port(swat_t) +- +-corenet_sendrecv_ipp_client_packets(swat_t) + corenet_tcp_connect_ipp_port(swat_t) +-corenet_tcp_sendrecv_ipp_port(swat_t) ++corenet_sendrecv_smbd_client_packets(swat_t) ++corenet_sendrecv_ipp_client_packets(swat_t) + dev_read_urand(swat_t) - files_list_var_lib(swat_t) --files_read_etc_files(swat_t) +@@ -799,7 +799,6 @@ files_list_var_lib(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) -@@ -759,7 +810,10 @@ logging_send_syslog_msg(swat_t) +-files_list_var_lib(swat_t) + + auth_domtrans_chk_passwd(swat_t) + auth_use_nsswitch(swat_t) +@@ -811,10 +810,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) -miscfiles_read_localization(swat_t) -+sysnet_use_ldap(swat_t) -+ +- + sysnet_use_ldap(swat_t) + + +userdom_dontaudit_search_admin_dir(swat_t) - ++ optional_policy(` cups_read_rw_config(swat_t) -@@ -790,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms; + cups_stream_connect(swat_t) +@@ -837,13 +837,15 @@ allow winbind_t self:capability { dac_override ipc_lock 
setuid sys_nice }; + dontaudit winbind_t self:capability sys_tty_config; + allow winbind_t self:process { signal_perms getsched setsched }; + allow winbind_t self:fifo_file rw_fifo_file_perms; +-allow winbind_t self:unix_stream_socket { accept listen }; +-allow winbind_t self:tcp_socket { accept listen }; ++allow winbind_t self:unix_dgram_socket create_socket_perms; ++allow winbind_t self:unix_stream_socket create_stream_socket_perms; ++allow winbind_t self:tcp_socket create_stream_socket_perms; ++allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -allow winbind_t nmbd_var_run_t:file read_file_perms; +-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) +samba_stream_connect_nmbd(winbind_t) allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,6 +861,8 @@ manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) +@@ -853,9 +855,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) + + manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) +-append_files_pattern(winbind_t, samba_log_t, samba_log_t) +-create_files_pattern(winbind_t, samba_log_t, samba_log_t) +-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t) ++manage_files_pattern(winbind_t, samba_log_t, samba_log_t) + manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) + manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) - manage_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -863,26 +863,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) -+manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) -+files_var_filetrans(winbind_t, samba_var_t, dir, "samba") - files_list_var_lib(winbind_t) + manage_sock_files_pattern(winbind_t, 
samba_var_t, samba_var_t) + files_var_filetrans(winbind_t, samba_var_t, dir, "samba") ++files_list_var_lib(winbind_t) rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) -@@ -813,21 +870,26 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - allow winbind_t winbind_log_t:file manage_file_perms; + +-# This needs a file context specification +-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) 
@@ -59734,70 +68057,76 @@ index 905883f..7e70344 100644 +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) -+manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) + manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) --files_pid_filetrans(winbind_t, winbind_var_run_t, file) + files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) + filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) - -+files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) -+filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) +-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +# /run/samba/krb5cc_samba -+manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -+manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) -+ -+kernel_read_network_state(winbind_t) - kernel_read_kernel_sysctls(winbind_t) - kernel_read_system_state(winbind_t) + manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) + + kernel_read_network_state(winbind_t) +@@ -891,13 +890,18 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) -corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) - corenet_udp_sendrecv_generic_if(winbind_t) -@@ -840,12 +902,15 @@ corenet_udp_sendrecv_all_ports(winbind_t) - corenet_tcp_bind_generic_node(winbind_t) - corenet_udp_bind_generic_node(winbind_t) - corenet_tcp_connect_smbd_port(winbind_t) ++corenet_udp_sendrecv_generic_if(winbind_t) ++corenet_raw_sendrecv_generic_if(winbind_t) + 
corenet_tcp_sendrecv_generic_node(winbind_t) ++corenet_udp_sendrecv_generic_node(winbind_t) ++corenet_raw_sendrecv_generic_node(winbind_t) + corenet_tcp_sendrecv_all_ports(winbind_t) +- +-corenet_sendrecv_all_client_packets(winbind_t) ++corenet_udp_sendrecv_all_ports(winbind_t) ++corenet_tcp_bind_generic_node(winbind_t) ++corenet_udp_bind_generic_node(winbind_t) +corenet_tcp_connect_smbd_port(winbind_t) + corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) - +@@ -905,10 +909,7 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) +-domain_use_interactive_fds(winbind_t) +- +-files_read_usr_symlinks(winbind_t) +-files_list_var_lib(winbind_t) +files_read_usr_files(winbind_t) -+ + fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) +@@ -917,11 +918,17 @@ auth_domtrans_chk_passwd(winbind_t) + auth_use_nsswitch(winbind_t) + auth_manage_cache(winbind_t) -@@ -855,12 +920,14 @@ auth_manage_cache(winbind_t) - - domain_use_interactive_fds(winbind_t) - --files_read_etc_files(winbind_t) - files_read_usr_symlinks(winbind_t) ++domain_use_interactive_fds(winbind_t) ++ ++files_read_usr_symlinks(winbind_t) +files_list_var_lib(winbind_t) - ++ logging_send_syslog_msg(winbind_t) -miscfiles_read_localization(winbind_t) -+miscfiles_read_generic_certs(winbind_t) -+ -+sysnet_use_ldap(winbind_t) + miscfiles_read_generic_certs(winbind_t) ++sysnet_use_ldap(winbind_t) ++ userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -871,6 +938,15 @@ userdom_manage_user_home_content_sockets(winbind_t) - userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) + userdom_manage_user_home_content_files(winbind_t) +@@ -936,6 +943,10 @@ optional_policy(` + ') optional_policy(` -+ ctdbd_stream_connect(winbind_t) -+ ctdbd_manage_lib_files(winbind_t) -+') -+ 
-+optional_policy(` + dirsrv_stream_connect(winbind_t) +') + @@ -59805,7 +68134,34 @@ index 905883f..7e70344 100644 kerberos_use(winbind_t) ') -@@ -909,9 +985,7 @@ auth_use_nsswitch(winbind_helper_t) +@@ -952,31 +963,29 @@ optional_policy(` + # Winbind helper local policy + # + +-allow winbind_helper_t self:unix_stream_socket { accept listen }; ++allow winbind_helper_t self:unix_dgram_socket create_socket_perms; ++allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; + + allow winbind_helper_t samba_etc_t:dir list_dir_perms; + read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + + allow winbind_helper_t samba_var_t:dir search_dir_perms; ++files_list_var_lib(winbind_helper_t) + + allow winbind_t smbcontrol_t:process signal; + + stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) + +-domain_use_interactive_fds(winbind_helper_t) +- +-files_list_var_lib(winbind_helper_t) +- + term_list_ptys(winbind_helper_t) + ++domain_use_interactive_fds(winbind_helper_t) ++ + auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -59816,7 +68172,12 @@ index 905883f..7e70344 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -929,19 +1003,34 @@ optional_policy(` +@@ -990,25 +999,38 @@ optional_policy(` + + ######################################## + # +-# Unconfined script local policy ++# samba_unconfined_script_t local policy # optional_policy(` 
@@ -59830,11 +68191,9 @@ index 905883f..7e70344 100644 + domain_type(samba_unconfined_net_t) + domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) + role system_r types samba_unconfined_net_t; - -- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -- allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ + unconfined_domain(samba_unconfined_net_t) - ++ + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) @@ -59846,10 +68205,12 @@ index 905883f..7e70344 100644 +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; -+ + +- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +- allow smbd_t samba_unconfined_script_exec_t:file ioctl; +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; -+ + +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') @@ -59857,45 +68218,35 @@ index 905883f..7e70344 100644 - tunable_policy(`samba_run_unconfined',` +tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) +- ',` +- can_exec(smbd_t, samba_unconfined_script_exec_t) - ') +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index 1898dbd..1d5e802 100644 +index d9f8784..2b2c0dc 100644 --- a/sambagui.te 
+++ b/sambagui.te -@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0) - - type sambagui_t; - type sambagui_exec_t; --dbus_system_domain(sambagui_t, sambagui_exec_t) -+application_domain(sambagui_t, sambagui_exec_t) -+role system_r types sambagui_t; - - ######################################## - # -@@ -27,21 +28,28 @@ corecmd_exec_bin(sambagui_t) +@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) dev_dontaudit_read_urand(sambagui_t) --files_read_etc_files(sambagui_t) -+files_read_usr_files(sambagui_t) - files_search_var_lib(sambagui_t) - files_read_usr_files(sambagui_t) +-files_read_usr_files(sambagui_t) ++files_search_var_lib(sambagui_t) auth_use_nsswitch(sambagui_t) -+auth_dontaudit_read_shadow(sambagui_t) -+ -+init_access_check(sambagui_t) + auth_dontaudit_read_shadow(sambagui_t) - logging_send_syslog_msg(sambagui_t) +-logging_send_syslog_msg(sambagui_t) ++init_access_check(sambagui_t) -miscfiles_read_localization(sambagui_t) -+sysnet_use_ldap(sambagui_t) ++logging_send_syslog_msg(sambagui_t) - optional_policy(` - consoletype_exec(sambagui_t) + sysnet_use_ldap(sambagui_t) + +@@ -44,6 +44,10 @@ optional_policy(` ') optional_policy(` @@ -59906,7 +68257,7 @@ index 1898dbd..1d5e802 100644 nscd_dontaudit_search_pid(sambagui_t) ') -@@ -56,6 +64,7 @@ optional_policy(` +@@ -61,6 +65,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -59915,31 +68266,32 @@ index 1898dbd..1d5e802 100644 samba_domtrans_nmbd(sambagui_t) ') diff --git a/samhain.if b/samhain.if -index c040ebf..2b601a5 100644 +index f0236d6..78a792a 100644 --- a/samhain.if 
+++ b/samhain.if -@@ -271,10 +271,14 @@ interface(`samhain_admin',` - type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; - ') - -- allow $1 samhain_t:process { ptrace signal_perms }; -+ allow $1 samhain_t:process signal_perms; - ps_process_pattern($1, samhain_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 samhain_t:process ptrace; -+ allow $1 samhaind_t:process ptrace; -+ ') +@@ -23,6 +23,8 @@ template(`samhain_service_template',` + files_read_all_files($1_t) -- allow $1 samhaind_t:process { ptrace signal_perms }; -+ allow $1 samhaind_t:process signal_perms; - ps_process_pattern($1, samhaind_t) + mls_file_write_all_levels($1_t) ++ ++ logging_send_sylog_msg($1_t) + ') - files_list_var_lib($1) + ######################################## diff --git a/samhain.te b/samhain.te -index acd1700..778d18b 100644 +index 931312b..bd9a4c7 100644 --- a/samhain.te +++ b/samhain.te -@@ -55,7 +55,7 @@ domain_use_interactive_fds(samhain_t) +@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain) + + init_read_utmp(samhain_domain) + +-logging_send_syslog_msg(samhain_domain) +- + ######################################## + # + # Client local policy +@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t) seutil_sigchld_newrole(samhain_t) @@ -59957,7 +68309,7 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..7addd77 +index 0000000..577dfa7 --- /dev/null +++ b/sandbox.if @@ -0,0 +1,55 @@ @@ -60014,7 +68366,7 @@ index 0000000..7addd77 + application_type($1_t) + + mls_rangetrans_target($1_t) -+ mcs_untrusted_proc($1_t) ++ mcs_constrained($1_t) +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 @@ -60098,7 +68450,7 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..f00e5c5 +index 0000000..1b21b7b --- /dev/null +++ b/sandboxX.if @@ -0,0 +1,391 @@ 
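Review bot: The new line added to `samhain_service_template` in samhain.if calls `logging_send_sylog_msg($1_t)`, which is a misspelling of `logging_send_syslog_msg` — the name every other caller on this page uses. An interface name that does not exist is not expanded by the m4 build, so the generated samhain policy will most likely fail to compile rather than merely lose syslog access, and the same hunk removes `logging_send_syslog_msg(samhain_domain)` from samhain.te, so nothing else grants it. The fix is the one-line rename `logging_send_syslog_msg($1_t)`. The template definition begins before the inner hunk shown here.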
@@ -60188,7 +68540,7 @@ index 0000000..f00e5c5 + + type $1_t, sandbox_x_domain, sandbox_type; + application_type($1_t) -+ mcs_untrusted_proc($1_t) ++ mcs_constrained($1_t) + + kernel_read_system_state($1_t) + selinux_get_fs_mount($1_t) @@ -60205,7 +68557,7 @@ index 0000000..f00e5c5 + application_type($1_client_t) + kernel_read_system_state($1_client_t) + -+ mcs_untrusted_proc($1_t) ++ mcs_constrained($1_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) @@ -60495,10 +68847,10 @@ index 0000000..f00e5c5 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..479ece4 +index 0000000..7a746a3 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,463 @@ +@@ -0,0 +1,464 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -60854,9 +69206,10 @@ index 0000000..479ece4 +corenet_tcp_connect_ftp_port(sandbox_web_type) +corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type) +corenet_tcp_connect_ipp_port(sandbox_web_type) -+corenet_tcp_connect_streaming_port(sandbox_web_type) ++corenet_tcp_connect_ms_streaming_port(sandbox_web_type) ++corenet_tcp_connect_rtsp_port(sandbox_web_type) +corenet_tcp_connect_pulseaudio_port(sandbox_web_type) -+corenet_tcp_connect_tor_socks_port(sandbox_web_type) ++corenet_tcp_connect_tor_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_tcp_connect_generic_port(sandbox_web_type) +corenet_tcp_connect_soundd_port(sandbox_web_type) @@ -60963,43 +69316,72 @@ index 0000000..479ece4 + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/sanlock.fc b/sanlock.fc -index 5d1826c..9059165 100644 +index 3df2a0f..9059165 100644 --- a/sanlock.fc +++ b/sanlock.fc 
@@ -1,7 +1,10 @@ + /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) - /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) - --/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0) +-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) ++/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) ++ +/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) - /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) -+ +-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) ++/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) + +-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) +/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) diff --git a/sanlock.if b/sanlock.if -index cfe3172..34b861a 100644 +index cd6c213..34b861a 100644 --- a/sanlock.if 
+++ b/sanlock.if -@@ -1,3 +1,4 @@ +@@ -1,4 +1,5 @@ +-## shared storage lock manager. + - ## policy for sanlock ++## policy for sanlock ######################################## -@@ -18,6 +19,7 @@ interface(`sanlock_domtrans',` + ## +@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',` + type sanlock_t, sanlock_exec_t; + ') + +- corecmd_search_bin($1) domtrans_pattern($1, sanlock_exec_t, sanlock_t) ') + ######################################## ## - ## Execute sanlock server in the sanlock domain. -@@ -57,21 +59,44 @@ interface(`sanlock_manage_pid_files',` +-## Execute sanlock init scripts in +-## the initrc domain. ++## Execute sanlock server in the sanlock domain. + ## + ## + ## +-## Domain allowed to transition. ++## The type of the process performing this action. + ## + ## + # +@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',` + + ###################################### + ## +-## Create, read, write, and delete +-## sanlock pid files. ++## Create, read, write, and delete sanlock PID files. + ## + ## + ## +@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',` ######################################## ## --## Connect to sanlock over an unix stream socket. +-## Connect to sanlock with a unix +-## domain stream socket. +## Connect to sanlock over a unix stream socket. +## +## 
@@ -61046,14 +69428,27 @@ index cfe3172..34b861a 100644 ') ######################################## -@@ -95,13 +120,21 @@ interface(`sanlock_admin',` + ## +-## All of the rules required to +-## administrate an sanlock environment. ++## All of the rules required to administrate ++## an sanlock environment + ## + ## + ## +@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',` + # + interface(`sanlock_admin',` gen_require(` - type sanlock_t; - type sanlock_initrc_exec_t; +- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t; +- type sanlock_log_t; ++ type sanlock_t; ++ type sanlock_initrc_exec_t; + type sanlock_unit_file_t; ') - allow $1 sanlock_t:process signal_perms; +- allow $1 sanlock_t:process { ptrace signal_perms }; ++ allow $1 sanlock_t:process signal_perms; ps_process_pattern($1, sanlock_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sanlock_t:process ptrace; @@ -61063,28 +69458,34 @@ index cfe3172..34b861a 100644 domain_system_change_exemption($1) role_transition $2 sanlock_initrc_exec_t system_r; allow $2 system_r; -+ + +- files_search_pids($1) +- admin_pattern($1, sanlock_var_run_t) +- +- logging_search_logs($1) +- admin_pattern($1, sanlock_log_t) + virt_systemctl($1) + admin_pattern($1, sanlock_unit_file_t) + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..4f4eaf4 100644 +index a34eac4..4f4eaf4 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ --policy_module(sanlock, 1.0.0) +-policy_module(sanlock, 1.0.2) +policy_module(sanlock,1.0.0) ######################################## # -@@ -6,18 +6,25 @@ policy_module(sanlock, 1.0.0) +@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2) # ## --##

    --## Allow confined virtual guests to manage nfs files --##

    +-##

    +-## Determine whether sanlock can use +-## nfs file systems. +-##

    +##

    +## Allow sanlock to manage nfs files +##

    @@ -61092,24 +69493,27 @@ index e02eb6c..4f4eaf4 100644 gen_tunable(sanlock_use_nfs, false) ## +-##

    +-## Determine whether sanlock can use +-## cifs file systems. +-##

    +##

    +## Allow sanlock to manage cifs files +##

    -+##
    -+gen_tunable(sanlock_use_samba, false) -+ + ##
    + gen_tunable(sanlock_use_samba, false) + +## - ##

    --## Allow confined virtual guests to manage cifs files ++##

    +## Allow sanlock to read/write fuse files - ##

    - ##
    --gen_tunable(sanlock_use_samba, false) ++##

    ++## +gen_tunable(sanlock_use_fusefs, false) - ++ type sanlock_t; type sanlock_exec_t; -@@ -32,6 +39,9 @@ logging_log_file(sanlock_log_t) + init_daemon_domain(sanlock_t, sanlock_exec_t) +@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t) type sanlock_initrc_exec_t; init_script_file(sanlock_initrc_exec_t) 
@@ -61119,38 +69523,48 @@ index e02eb6c..4f4eaf4 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) ') -@@ -44,8 +54,9 @@ ifdef(`enable_mls',` +@@ -44,17 +52,15 @@ ifdef(`enable_mls',` + + ######################################## # - # sanlock local policy +-# Local policy ++# sanlock local policy # --allow sanlock_t self:capability { sys_nice ipc_lock }; --allow sanlock_t self:process { setsched signull }; -+allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; -+allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; +- + allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; + allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; - allow sanlock_t self:unix_stream_socket create_stream_socket_perms; +-allow sanlock_t self:unix_stream_socket { accept listen }; ++allow sanlock_t self:unix_stream_socket create_stream_socket_perms; -@@ -58,36 +69,51 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) - files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) +-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) +-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) ++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) + logging_log_filetrans(sanlock_t, sanlock_log_t, file) + manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) -+kernel_read_kernel_sysctls(sanlock_t) + kernel_read_kernel_sysctls(sanlock_t) +-dev_read_rand(sanlock_t) +-dev_read_urand(sanlock_t) +- domain_use_interactive_fds(sanlock_t) --files_read_etc_files(sanlock_t) 
+files_read_mnt_symlinks(sanlock_t) - ++ storage_raw_rw_fixed_disk(sanlock_t) +dev_read_rand(sanlock_t) - dev_read_urand(sanlock_t) - -+auth_use_nsswitch(sanlock_t) ++dev_read_urand(sanlock_t) + + auth_use_nsswitch(sanlock_t) + init_read_utmp(sanlock_t) - init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -61182,31 +69596,69 @@ index e02eb6c..4f4eaf4 100644 + fs_manage_cifs_files(sanlock_t) + fs_manage_cifs_named_sockets(sanlock_t) + fs_read_cifs_symlinks(sanlock_t) -+') -+ -+optional_policy(` -+ wdmd_stream_connect(sanlock_t) ') optional_policy(` +@@ -100,7 +113,7 @@ optional_policy(` + ') + + optional_policy(` +- virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) virt_manage_lib_files(sanlock_t) +- virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) ') +diff --git a/sasl.fc b/sasl.fc +index 54f41c2..7e58679 100644 +--- a/sasl.fc ++++ b/sasl.fc +@@ -1,7 +1,12 @@ + /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) + ++# ++# /usr ++# + /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) + +-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) +- ++# ++# /var ++# ++/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) + /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/sasl.if b/sasl.if -index f1aea88..3e6a93f 100644 +index b2f388a..3e6a93f 100644 --- a/sasl.if 
+++ b/sasl.if -@@ -38,21 +38,21 @@ interface(`sasl_connect',` +@@ -1,4 +1,4 @@ +-## SASL authentication server. ++## SASL authentication server + + ######################################## + ## +@@ -21,8 +21,8 @@ interface(`sasl_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an sasl environment. ++## All of the rules required to administrate ++## an sasl environment + ## + ## + ## +@@ -38,11 +38,15 @@ interface(`sasl_connect',` # interface(`sasl_admin',` gen_require(` -- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; +- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t; + type saslauthd_t, saslauthd_var_run_t; - type saslauthd_initrc_exec_t; ++ type saslauthd_initrc_exec_t; ') -- allow $1 saslauthd_t:process { ptrace signal_perms getattr }; +- allow $1 saslauthd_t:process { ptrace signal_perms }; + allow $1 saslauthd_t:process signal_perms; ps_process_pattern($1, saslauthd_t) + tunable_policy(`deny_ptrace',`',` @@ -61215,80 +69667,92 @@ index f1aea88..3e6a93f 100644 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; - allow $2 system_r; - -- files_list_tmp($1) -- admin_pattern($1, saslauthd_tmp_t) -- - files_list_pids($1) - admin_pattern($1, saslauthd_var_run_t) - ') diff --git a/sasl.te b/sasl.te -index 9d9f8ce..88a01c0 100644 +index a63b875..88a01c0 100644 --- a/sasl.te +++ b/sasl.te -@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0) - ## Allow sasl to read shadow - ##

    +@@ -1,4 +1,4 @@ +-policy_module(sasl, 1.14.3) ++policy_module(sasl, 1.14.0) + + ######################################## + # +@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3) + # + + ## +-##

    +-## Determine whether sasl can +-## read shadow files. +-##

    ++##

    ++## Allow sasl to read shadow ++##

    ##
    -gen_tunable(allow_saslauthd_read_shadow, false) +gen_tunable(saslauthd_read_shadow, false) type saslauthd_t; type saslauthd_exec_t; -@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) - type saslauthd_initrc_exec_t; - init_script_file(saslauthd_initrc_exec_t) - --type saslauthd_tmp_t; --files_tmp_file(saslauthd_tmp_t) -- - type saslauthd_var_run_t; - files_pid_file(saslauthd_var_run_t) - -@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t) - # Local policy - # - --allow saslauthd_t self:capability { setgid setuid }; -+allow saslauthd_t self:capability { setgid setuid sys_nice }; +@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; dontaudit saslauthd_t self:capability sys_tty_config; --allow saslauthd_t self:process signal_perms; -+allow saslauthd_t self:process { setsched signal_perms }; + allow saslauthd_t self:process { setsched signal_perms }; allow saslauthd_t self:fifo_file rw_fifo_file_perms; - allow saslauthd_t self:unix_dgram_socket create_socket_perms; - allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; - allow saslauthd_t self:tcp_socket create_socket_perms; +-allow saslauthd_t self:unix_stream_socket { accept listen }; ++allow saslauthd_t self:unix_dgram_socket create_socket_perms; ++allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; ++allow saslauthd_t self:tcp_socket create_socket_perms; --allow saslauthd_t saslauthd_tmp_t:dir setattr; --manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) --files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) -- -+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) + manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) - manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) --files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file) 
-+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(saslauthd_t) +@@ -43,29 +44,19 @@ kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) -+kernel_rw_afs_state(saslauthd_t) -+ -+#577519 -+corecmd_exec_bin(saslauthd_t) + kernel_rw_afs_state(saslauthd_t) -corenet_all_recvfrom_unlabeled(saslauthd_t) ++#577519 ++corecmd_exec_bin(saslauthd_t) ++ corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) corenet_tcp_sendrecv_generic_node(saslauthd_t) - corenet_tcp_sendrecv_all_ports(saslauthd_t) +- +-corenet_sendrecv_pop_client_packets(saslauthd_t) ++corenet_tcp_sendrecv_all_ports(saslauthd_t) corenet_tcp_connect_pop_port(saslauthd_t) -+corenet_tcp_connect_zarafa_port(saslauthd_t) - corenet_sendrecv_pop_client_packets(saslauthd_t) +-corenet_tcp_sendrecv_pop_port(saslauthd_t) +- +-corenet_sendrecv_zarafa_client_packets(saslauthd_t) + corenet_tcp_connect_zarafa_port(saslauthd_t) +-corenet_tcp_sendrecv_zarafa_port(saslauthd_t) +- +-corecmd_exec_bin(saslauthd_t) ++corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) -@@ -78,21 +76,20 @@ init_dontaudit_stream_connect_script(saslauthd_t) + +-domain_use_interactive_fds(saslauthd_t) +- +-files_dontaudit_read_etc_runtime_files(saslauthd_t) +-files_dontaudit_getattr_home_dir(saslauthd_t) +-files_dontaudit_getattr_tmp_dirs(saslauthd_t) +- + fs_getattr_all_fs(saslauthd_t) + fs_search_auto_mountpoints(saslauthd_t) + +@@ -73,33 +64,38 @@ selinux_compute_access_vector(saslauthd_t) + + auth_use_pam(saslauthd_t) + ++domain_use_interactive_fds(saslauthd_t) ++ ++files_read_etc_files(saslauthd_t) ++files_dontaudit_read_etc_runtime_files(saslauthd_t) ++files_search_var_lib(saslauthd_t) ++files_dontaudit_getattr_home_dir(saslauthd_t) ++files_dontaudit_getattr_tmp_dirs(saslauthd_t) ++ + init_dontaudit_stream_connect_script(saslauthd_t) logging_send_syslog_msg(saslauthd_t) 
@@ -61300,26 +69764,36 @@ index 9d9f8ce..88a01c0 100644 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) userdom_dontaudit_search_user_home_dirs(saslauthd_t) - # cjp: typeattribute doesnt work in conditionals ++# cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` +tunable_policy(`saslauthd_read_shadow',` -+ allow saslauthd_t self:capability dac_override; + allow saslauthd_t self:capability dac_override; auth_tunable_read_shadow(saslauthd_t) ') optional_policy(` + kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") kerberos_keytab_template(saslauthd, saslauthd_t) +- kerberos_manage_host_rcache(saslauthd_t) +- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") ') + optional_policy(` ++ mysql_search_db(saslauthd_t) + mysql_stream_connect(saslauthd_t) +- mysql_tcp_connect(saslauthd_t) + ') + + optional_policy(` diff --git a/sblim.if b/sblim.if -index fa24879..3abfdf2 100644 +index 98c9e0a..df51942 100644 --- a/sblim.if +++ b/sblim.if -@@ -1,5 +1,28 @@ - ## policy for SBLIM Gatherer - +@@ -1,8 +1,36 @@ +-## Standards Based Linux Instrumentation for Manageability. ++## Standards Based Linux Instrumentation for Manageability. ++ +###################################### +## +## Creates types and rules for a basic 
@@ -61341,12 +69815,40 @@ index fa24879..3abfdf2 100644 + init_daemon_domain(sblim_$1_t, sblim_$1_exec_t) + + kernel_read_system_state(sblim_$1_t) -+') + ++ corenet_all_recvfrom_unlabeled(sblim_$1_t) ++ corenet_all_recvfrom_netlabel(sblim_$1_t) ++ ++ logging_send_syslog_msg(sblim_$1_t) ++') + + ######################################## + ## +-## Execute gatherd in the gatherd domain. ++## Transition to gatherd. + ## + ## + ## +@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',` + + ######################################## + ## +-## Read gatherd pid files. ++## Read gatherd PID files. + ## + ## + ## +@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` + ######################################## ## - ## Transition to gatherd. -@@ -48,11 +71,6 @@ interface(`sblim_read_pid_files',` +-## All of the rules required to +-## administrate an sblim environment. ++## All of the rules required to administrate ++## an gatherd environment + ## + ## + ## ## Domain allowed access. ## ## 
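Review bot: The kerberos block now calls `kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")` with two arguments while the upstream line it deletes passed three (`saslauthd_t, file, "host_0"`), and `kerberos_manage_host_rcache(saslauthd_t)` is dropped in the same step. Unless the Fedora variant of the filetrans interface also grants the file permissions, saslauthd can create the replay-cache entry but not write it afterwards; please confirm, and record the divergence with a comment such as `# Fedora kerberos_tmp_filetrans_host_rcache takes (domain, name); upstream takes (domain, class, name)` so a later rebase does not reintroduce the three-argument form. Dropping `mysql_tcp_connect(saslauthd_t)` while keeping `mysql_stream_connect(saslauthd_t)` narrows SQL authentication to a local socket, which is the tighter choice, but it deserves a one-line comment stating that remote MySQL backends are deliberately unsupported.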
@@ -61358,23 +69860,38 @@ index fa24879..3abfdf2 100644 ## # interface(`sblim_admin',` -@@ -65,6 +83,11 @@ interface(`sblim_admin',` - allow $1 sblim_gatherd_t:process signal_perms; - ps_process_pattern($1, sblim_gatherd_t) + gen_require(` +- attribute sblim_domain; +- type sblim_initrc_exec_t, sblim_var_run_t; ++ type sblim_gatherd_t; ++ type sblim_reposd_t; ++ type sblim_var_run_t; + ') +- allow $1 sblim_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, sblim_domain) ++ allow $1 sblim_gatherd_t:process signal_perms; ++ ps_process_pattern($1, sblim_gatherd_t) ++ + tunable_policy(`deny_ptrace',`',` + allow $1 sblim_gatherd_t:process ptrace; + allow $1 sblim_reposd_t:process ptrace; + ') -+ - allow $1 sblim_reposd_t:process signal_perms; - ps_process_pattern($1, sblim_reposd_t) +- init_labeled_script_domtrans($1, sblim_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 sblim_initrc_exec_t system_r; +- allow $2 system_r; ++ allow $1 sblim_reposd_t:process signal_perms; ++ ps_process_pattern($1, sblim_reposd_t) + + files_search_pids($1) + admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 869f976..5171bda 100644 +index 4a23d84..bc26091 100644 --- a/sblim.te +++ b/sblim.te -@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0) +@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) attribute sblim_domain; 
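Review bot: The rewritten summary for sblim_admin, `## All of the rules required to administrate` / `## an gatherd environment`, has a grammatical slip and names only gatherd although the interface (continued in the next hunk) also administers sblim_reposd_t; the upstream wording it replaces, `## administrate an sblim environment.`, is accurate and should be kept. The template additions `corenet_all_recvfrom_unlabeled(sblim_$1_t)` and `corenet_all_recvfrom_netlabel(sblim_$1_t)` look like the per-domain replacement for the attribute-wide rules the patch removes from sblim.te; a short comment saying so would stop a reader from taking that removal for a lost permission.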
@@ -61388,231 +69905,188 @@ index 869f976..5171bda 100644 -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) +sblim_domain_template(reposd) - type sblim_var_run_t; - files_pid_file(sblim_var_run_t) -@@ -41,6 +37,12 @@ dev_read_urand(sblim_gatherd_t) - domain_read_all_domains_state(sblim_gatherd_t) - - fs_getattr_all_fs(sblim_gatherd_t) -+fs_search_cgroup_dirs(sblim_gatherd_t) -+ -+storage_raw_read_fixed_disk(sblim_gatherd_t) -+storage_raw_read_removable_device(sblim_gatherd_t) -+ -+logging_send_syslog_msg(sblim_gatherd_t) + type sblim_initrc_exec_t; + init_script_file(sblim_initrc_exec_t) +@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) + manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - sysnet_dns_name_resolve(sblim_gatherd_t) + kernel_read_network_state(sblim_domain) +-kernel_read_system_state(sblim_domain) -@@ -63,7 +65,9 @@ optional_policy(` - ') +-corenet_all_recvfrom_unlabeled(sblim_domain) +-corenet_all_recvfrom_netlabel(sblim_domain) + corenet_tcp_sendrecv_generic_if(sblim_domain) + corenet_tcp_sendrecv_generic_node(sblim_domain) - optional_policy(` -+ virt_read_config(sblim_gatherd_t) - virt_stream_connect(sblim_gatherd_t) -+ virt_getattr_exec(sblim_gatherd_t) - ') +@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) - optional_policy(` -@@ -81,6 +85,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) - corenet_tcp_bind_all_nodes(sblim_reposd_t) - corenet_tcp_bind_repository_port(sblim_reposd_t) + dev_read_sysfs(sblim_domain) -+logging_send_syslog_msg(sblim_reposd_t) -+ - ###################################### +-logging_send_syslog_msg(sblim_domain) +- +-files_read_etc_files(sblim_domain) +- +-miscfiles_read_localization(sblim_domain) +- + ######################################## # - # sblim_domain local policy -@@ -91,14 +97,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms; - manage_dirs_pattern(sblim_domain, 
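Review bot: After this rewrite of sblim_admin the role parameter `$2` is no longer referenced: the removed `role_transition $2 sblim_initrc_exec_t system_r;` and `allow $2 system_r;` were its only uses, so the interface now accepts a role it ignores. Either keep the init-script path (`init_labeled_script_domtrans($1, sblim_initrc_exec_t)` together with the role transition) or state in the interface summary that the role argument is accepted for compatibility only; `sblim_initrc_exec_t` is still declared in sblim.te by the rest of this patch, so the type remains available. Moving `ptrace` under `tunable_policy(`deny_ptrace',`',` while leaving `signal_perms` unconditional is narrower than the upstream `{ ptrace signal_perms }` line it replaces, which is the right direction.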
sblim_var_run_t, sblim_var_run_t) - manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) -+files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file }) + # Gatherd local policy +@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) - kernel_read_network_state(sblim_domain) --kernel_read_system_state(sblim_domain) + init_read_utmp(sblim_gatherd_t) - dev_read_sysfs(sblim_domain) ++logging_send_syslog_msg(sblim_gatherd_t) ++ + sysnet_dns_name_resolve(sblim_gatherd_t) --logging_send_syslog_msg(sblim_domain) -+auth_read_passwd(sblim_domain) + term_getattr_pty_fs(sblim_gatherd_t) +@@ -103,8 +92,9 @@ optional_policy(` + ') + + optional_policy(` +- virt_getattr_virtd_exec_files(sblim_gatherd_t) ++ virt_read_config(sblim_gatherd_t) + virt_stream_connect(sblim_gatherd_t) ++ virt_getattr_exec(sblim_gatherd_t) + ') - files_read_etc_files(sblim_domain) + optional_policy(` +@@ -119,4 +109,6 @@ optional_policy(` --miscfiles_read_localization(sblim_domain) + corenet_sendrecv_repository_server_packets(sblim_reposd_t) + corenet_tcp_bind_repository_port(sblim_reposd_t) +-corenet_tcp_bind_generic_node(sblim_domain) ++ ++logging_send_syslog_msg(sblim_reposd_t) ++ diff --git a/screen.fc b/screen.fc -index c8254dd..b73334e 100644 +index ac04d27..b73334e 100644 --- a/screen.fc 
+++ b/screen.fc -@@ -1,15 +1,19 @@ - # - # /home - # --HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) +@@ -1,8 +1,19 @@ +-HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) +-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) ++# ++# /home ++# ++HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) +HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) -+ + +-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) +-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) +/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - # - # /usr - # - /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) +-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +-/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) ++# ++# /usr ++# ++/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) +/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) - - # - # /var - # - /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) ++ ++# ++# /var ++# ++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index c50a444..ee00be2 100644 +index c21ddcc..ee00be2 100644 --- a/screen.if 
+++ b/screen.if -@@ -25,6 +25,7 @@ template(`screen_role_template',` +@@ -1,4 +1,4 @@ +-## GNU terminal multiplexer. ++## GNU terminal multiplexer + + ####################################### + ## +@@ -23,10 +23,9 @@ + # + template(`screen_role_template',` gen_require(` +- attribute screen_domain; +- attribute_role screen_roles; type screen_exec_t, screen_tmp_t; type screen_home_t, screen_var_run_t; + attribute screen_domain; ') ######################################## -@@ -32,50 +33,24 @@ template(`screen_role_template',` - # Declarations +@@ -35,49 +34,48 @@ template(`screen_role_template',` # -- type $1_screen_t; + type $1_screen_t, screen_domain; - userdom_user_application_domain($1_screen_t, screen_exec_t) -+ type $1_screen_t, screen_domain; + application_domain($1_screen_t, screen_exec_t) domain_interactive_fd($1_screen_t) +- role screen_roles types $1_screen_t; + ubac_constrained($1_screen_t) - role $2 types $1_screen_t; ++ role $2 types $1_screen_t; -- ######################################## -- # -- # Local policy -- # -- -- allow $1_screen_t self:capability { setuid setgid fsetid }; -- allow $1_screen_t self:process signal_perms; -- allow $1_screen_t self:fifo_file rw_fifo_file_perms; -- allow $1_screen_t self:tcp_socket create_stream_socket_perms; -- allow $1_screen_t self:udp_socket create_socket_perms; -- # Internal screen networking -- allow $1_screen_t self:fd use; -- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; -- allow $1_screen_t self:unix_dgram_socket create_socket_perms; -- -- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) -- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) -- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) -- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) -- -- # Create fifo -- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) -- manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) -- 
manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) -- files_pid_filetrans($1_screen_t, screen_var_run_t, dir) -- -- allow $1_screen_t screen_home_t:dir list_dir_perms; -- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) -- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) -- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) -- read_files_pattern($1_screen_t, screen_home_t, screen_home_t) -- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- roleattribute $2 screen_roles; + tunable_policy(`deny_ptrace',`',` + allow $3 $1_screen_t:process ptrace; + ') -- allow $1_screen_t $3:process signal; +- ######################################## +- # +- # Local policy +- # + userdom_home_reader($1_screen_t) domtrans_pattern($3, screen_exec_t, $1_screen_t) - allow $3 $1_screen_t:process { signal sigchld }; +- +- ps_process_pattern($3, $1_screen_t) +- allow $3 $1_screen_t:process { ptrace signal_perms }; +- ++ allow $3 $1_screen_t:process { signal sigchld }; dontaudit $3 $1_screen_t:unix_stream_socket { read write }; + allow $1_screen_t $3:unix_stream_socket { connectto }; allow $1_screen_t $3:process signal; + ps_process_pattern($1_screen_t, $3) - manage_fifo_files_pattern($3, screen_home_t, screen_home_t) - manage_dirs_pattern($3, screen_home_t, screen_home_t) -@@ -86,77 +61,46 @@ template(`screen_role_template',` - relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) +- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms }; +- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- +- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms }; +- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; +- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms }; +- +- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") +- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") ++ manage_fifo_files_pattern($3, screen_home_t, screen_home_t) ++ manage_dirs_pattern($3, screen_home_t, screen_home_t) ++ manage_files_pattern($3, screen_home_t, screen_home_t) ++ manage_lnk_files_pattern($3, screen_home_t, screen_home_t) ++ relabel_dirs_pattern($3, screen_home_t, screen_home_t) ++ relabel_files_pattern($3, screen_home_t, screen_home_t) ++ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - kernel_read_system_state($1_screen_t) -- kernel_read_kernel_sysctls($1_screen_t) - -- corecmd_list_bin($1_screen_t) -- corecmd_read_bin_files($1_screen_t) -- corecmd_read_bin_symlinks($1_screen_t) -- corecmd_read_bin_pipes($1_screen_t) -- corecmd_read_bin_sockets($1_screen_t) - # Revert to the user domain when a shell is executed. +- corecmd_bin_domtrans($1_screen_t, $3) ++ kernel_read_system_state($1_screen_t) ++ ++ # Revert to the user domain when a shell is executed. 
corecmd_shell_domtrans($1_screen_t, $3) - corecmd_bin_domtrans($1_screen_t, $3) - -- corenet_all_recvfrom_unlabeled($1_screen_t) -- corenet_all_recvfrom_netlabel($1_screen_t) -- corenet_tcp_sendrecv_generic_if($1_screen_t) -- corenet_udp_sendrecv_generic_if($1_screen_t) -- corenet_tcp_sendrecv_generic_node($1_screen_t) -- corenet_udp_sendrecv_generic_node($1_screen_t) -- corenet_tcp_sendrecv_all_ports($1_screen_t) -- corenet_udp_sendrecv_all_ports($1_screen_t) -- corenet_tcp_connect_all_ports($1_screen_t) -- -- dev_dontaudit_getattr_all_chr_files($1_screen_t) -- dev_dontaudit_getattr_all_blk_files($1_screen_t) -- # for SSP -- dev_read_urand($1_screen_t) -- -- domain_use_interactive_fds($1_screen_t) -- -- files_search_tmp($1_screen_t) -- files_search_home($1_screen_t) -- files_list_home($1_screen_t) -- files_read_usr_files($1_screen_t) -- files_read_etc_files($1_screen_t) -- -- fs_search_auto_mountpoints($1_screen_t) -- fs_getattr_xattr_fs($1_screen_t) -- ++ corecmd_bin_domtrans($1_screen_t, $3) + auth_domtrans_chk_passwd($1_screen_t) auth_use_nsswitch($1_screen_t) -- auth_dontaudit_read_shadow($1_screen_t) -- auth_dontaudit_exec_utempter($1_screen_t) -- -- # Write to utmp. -- init_rw_utmp($1_screen_t) - logging_send_syslog_msg($1_screen_t) - -- miscfiles_read_localization($1_screen_t) -- -- seutil_read_config($1_screen_t) -- -- userdom_use_user_terminals($1_screen_t) -- userdom_create_user_pty($1_screen_t) ++ logging_send_syslog_msg($1_screen_t) ++ userdom_user_home_domtrans($1_screen_t, $3) -- userdom_setattr_user_ptys($1_screen_t) -- userdom_setattr_user_ttys($1_screen_t) + userdom_manage_tmp_role($2, $1_screen_t) tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -- fs_read_cifs_symlinks($1_screen_t) -- fs_list_cifs($1_screen_t) - ') - - tunable_policy(`use_nfs_home_dirs',` +@@ -87,3 +85,22 @@ template(`screen_role_template',` fs_nfs_domtrans($1_screen_t, $3) -- fs_list_nfs($1_screen_t) -- fs_read_nfs_symlinks($1_screen_t) ') ') + 
@@ -61635,19 +70109,26 @@ index c50a444..ee00be2 100644 + can_exec($1, screen_exec_t) +') diff --git a/screen.te b/screen.te -index 2583626..86af6f6 100644 +index f095081..86af6f6 100644 --- a/screen.te +++ b/screen.te -@@ -5,6 +5,8 @@ policy_module(screen, 2.5.0) +@@ -1,13 +1,11 @@ +-policy_module(screen, 2.5.3) ++policy_module(screen, 2.5.0) + + ######################################## + # # Declarations # +-attribute screen_domain; +- +-attribute_role screen_roles; +attribute screen_domain; -+ + type screen_exec_t; application_executable_file(screen_exec_t) - -@@ -13,13 +15,84 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc +@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; userdom_user_home_content(screen_home_t) 
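Review bot: `logging_send_syslog_msg` is now granted three times for the same domains: the sblim_domain_template in sblim.if (previous hunks) adds `logging_send_syslog_msg(sblim_$1_t)`, and this hunk adds `logging_send_syslog_msg(sblim_gatherd_t)` and `logging_send_syslog_msg(sblim_reposd_t)` explicitly; once both domains are created through the template the two explicit lines are redundant and should be dropped. Removing `corenet_tcp_bind_generic_node(sblim_domain)` leaves `corenet_tcp_bind_repository_port(sblim_reposd_t)` with no node-bind rule visible in this hunk; unless the Fedora port-bind interface or a rule outside the hunk supplies node_bind, reposd will be denied its listening socket, so please confirm before merging.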
@@ -61659,174 +70140,316 @@ index 2583626..86af6f6 100644 type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; - files_pid_file(screen_var_run_t) - ubac_constrained(screen_var_run_t) -+ -+######################################## -+# +@@ -30,33 +23,33 @@ ubac_constrained(screen_var_run_t) + + ######################################## + # +-# Common screen domain local policy +# Local policy -+# -+ -+allow screen_domain self:capability { setuid setgid fsetid }; -+allow screen_domain self:process signal_perms; -+allow screen_domain self:fifo_file rw_fifo_file_perms; + # + + allow screen_domain self:capability { setuid setgid fsetid }; + allow screen_domain self:process signal_perms; +-allow screen_domain self:fd use; + allow screen_domain self:fifo_file rw_fifo_file_perms; +-allow screen_domain self:tcp_socket { accept listen }; +-allow screen_domain self:unix_stream_socket connectto; +- +-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) +-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) +allow screen_domain self:tcp_socket create_stream_socket_perms; +allow screen_domain self:udp_socket create_socket_perms; +# Internal screen networking +allow screen_domain self:fd use; +allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; +allow screen_domain self:unix_dgram_socket create_socket_perms; -+ + +# Create fifo -+manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -+manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -+manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) -+files_pid_filetrans(screen_domain, screen_var_run_t, dir) -+ + 
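Review bot: The inner change `-policy_module(screen, 2.5.3)` / `+policy_module(screen, 2.5.0)` rewinds the module version below the upstream value, and the same happens to sectoolm (`1.0.1` to `1.0.0`) in the following hunk; this reads as a merge artifact where the older Fedora header overwrote upstream's bump rather than an intentional change. Keep the upstream number or raise it, e.g. `policy_module(screen, 2.5.3)`, so a version comparison between the two trees still says which is newer. Dropping `attribute_role screen_roles;` together with the `roleattribute $2 screen_roles;` use in screen.if is internally consistent, but a comment on why Fedora prefers `role $2 types $1_screen_t;` would help the next rebase.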
manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) + files_pid_filetrans(screen_domain, screen_var_run_t, dir) + +allow screen_domain screen_home_t:dir list_dir_perms; -+manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) -+manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) + manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) +-read_files_pattern(screen_domain, screen_home_t, screen_home_t) + manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) +userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) +userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) +read_files_pattern(screen_domain, screen_home_t, screen_home_t) -+read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) -+ -+kernel_read_kernel_sysctls(screen_domain) -+ -+corecmd_list_bin(screen_domain) -+corecmd_read_bin_files(screen_domain) -+corecmd_read_bin_symlinks(screen_domain) -+corecmd_read_bin_pipes(screen_domain) -+corecmd_read_bin_sockets(screen_domain) -+ -+corenet_tcp_sendrecv_generic_if(screen_domain) + read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) +-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen") + +-kernel_read_system_state(screen_domain) + kernel_read_kernel_sysctls(screen_domain) + + corecmd_list_bin(screen_domain) +@@ -65,55 +58,41 @@ corecmd_read_bin_symlinks(screen_domain) + corecmd_read_bin_pipes(screen_domain) + corecmd_read_bin_sockets(screen_domain) + +-corenet_all_recvfrom_unlabeled(screen_domain) +-corenet_all_recvfrom_netlabel(screen_domain) + corenet_tcp_sendrecv_generic_if(screen_domain) +corenet_udp_sendrecv_generic_if(screen_domain) -+corenet_tcp_sendrecv_generic_node(screen_domain) + corenet_tcp_sendrecv_generic_node(screen_domain) 
+corenet_udp_sendrecv_generic_node(screen_domain) -+corenet_tcp_sendrecv_all_ports(screen_domain) + corenet_tcp_sendrecv_all_ports(screen_domain) +- +-corenet_sendrecv_all_client_packets(screen_domain) +corenet_udp_sendrecv_all_ports(screen_domain) -+corenet_tcp_connect_all_ports(screen_domain) -+ -+dev_dontaudit_getattr_all_chr_files(screen_domain) -+dev_dontaudit_getattr_all_blk_files(screen_domain) + corenet_tcp_connect_all_ports(screen_domain) + + dev_dontaudit_getattr_all_chr_files(screen_domain) + dev_dontaudit_getattr_all_blk_files(screen_domain) +# for SSP -+dev_read_urand(screen_domain) -+ -+domain_sigchld_interactive_fds(screen_domain) + dev_read_urand(screen_domain) + +-domain_use_interactive_fds(screen_domain) + domain_sigchld_interactive_fds(screen_domain) +domain_use_interactive_fds(screen_domain) -+domain_read_all_domains_state(screen_domain) -+ + domain_read_all_domains_state(screen_domain) + +files_search_tmp(screen_domain) +files_search_home(screen_domain) -+files_list_home(screen_domain) -+files_read_usr_files(screen_domain) + files_list_home(screen_domain) + files_read_usr_files(screen_domain) +files_read_etc_files(screen_domain) -+ -+fs_search_auto_mountpoints(screen_domain) + + fs_search_auto_mountpoints(screen_domain) +-fs_getattr_all_fs(screen_domain) +fs_getattr_xattr_fs(screen_domain) -+ -+auth_dontaudit_read_shadow(screen_domain) -+auth_dontaudit_exec_utempter(screen_domain) -+ + + auth_dontaudit_read_shadow(screen_domain) + auth_dontaudit_exec_utempter(screen_domain) + +# Write to utmp. 
-+init_rw_utmp(screen_domain) -+ -+seutil_read_config(screen_domain) -+ -+userdom_use_user_terminals(screen_domain) -+userdom_create_user_pty(screen_domain) -+userdom_setattr_user_ptys(screen_domain) -+userdom_setattr_user_ttys(screen_domain) + init_rw_utmp(screen_domain) + +-logging_send_syslog_msg(screen_domain) +- +-miscfiles_read_localization(screen_domain) +- + seutil_read_config(screen_domain) + + userdom_use_user_terminals(screen_domain) + userdom_create_user_pty(screen_domain) + userdom_setattr_user_ptys(screen_domain) + userdom_setattr_user_ttys(screen_domain) +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(screen_domain) +- fs_read_cifs_files(screen_domain) +- fs_manage_cifs_named_pipes(screen_domain) +- fs_read_cifs_symlinks(screen_domain) +-') +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(screen_domain) +- fs_read_nfs_files(screen_domain) +- fs_manage_nfs_named_pipes(screen_domain) +- fs_read_nfs_symlinks(screen_domain) +-') diff --git a/sectoolm.fc b/sectoolm.fc -index 1ed6870..3f1dac5 100644 +index 64a2394..3f1dac5 100644 --- a/sectoolm.fc 
+++ b/sectoolm.fc -@@ -1,4 +1,4 @@ +@@ -1,5 +1,4 @@ /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - /var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) --/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) +-/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +- +-/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) ++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) +diff --git a/sectoolm.if b/sectoolm.if +index c78a569..9007451 100644 +--- a/sectoolm.if ++++ b/sectoolm.if +@@ -1,24 +1,2 @@ +-## Sectool security audit tool. ++## Sectool security audit tool + +-######################################## +-## +-## Role access for sectoolm. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`sectoolm_role',` +- gen_require(` +- type sectoolm_t; +- ') +- +- allow sectoolm_t $2:unix_dgram_socket sendto; +-') diff --git a/sectoolm.te b/sectoolm.te -index c8ef84b..ffa81dd 100644 +index 8193bf1..ffa81dd 100644 --- a/sectoolm.te 
+++ b/sectoolm.te -@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0) +@@ -1,4 +1,4 @@ +-policy_module(sectoolm, 1.0.1) ++policy_module(sectoolm, 1.0.0) + + ######################################## + # +@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1) type sectoolm_t; type sectoolm_exec_t; --dbus_system_domain(sectoolm_t, sectoolm_exec_t) +-init_system_domain(sectoolm_t, sectoolm_exec_t) +init_daemon_domain(sectoolm_t, sectoolm_exec_t) type sectool_var_lib_t; files_type(sectool_var_lib_t) -@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) - # sectool local policy +@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t) + + ######################################## + # +-# Local policy ++# sectool local policy # --allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; -+allow sectoolm_t self:capability { dac_override net_admin sys_nice }; + allow sectoolm_t self:capability { dac_override net_admin sys_nice }; allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; -@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t) +-allow sectoolm_t self:unix_dgram_socket sendto; ++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; - auth_use_nsswitch(sectoolm_t) + manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) + manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) +@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) + manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) + files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) --# tests related to network --hostname_exec(sectoolm_t) -- --# tests related to network --iptables_domtrans(sectoolm_t) -- - libs_exec_ld_so(sectoolm_t) +-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; ++manage_files_pattern(sectoolm_t, sectool_var_log_t, 
sectool_var_log_t) + logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) + + kernel_read_net_sysctls(sectoolm_t) +@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t) + + selinux_validate_context(sectoolm_t) + ++# tcp_wrappers test + application_exec_all(sectoolm_t) + + auth_use_nsswitch(sectoolm_t) +@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t) logging_send_syslog_msg(sectoolm_t) -@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t) + ++# tests related to network sysnet_domtrans_ifconfig(sectoolm_t) - userdom_manage_user_tmp_sockets(sectoolm_t) +-userdom_write_user_tmp_sockets(sectoolm_t) ++userdom_manage_user_tmp_sockets(sectoolm_t) +userdom_dgram_send(sectoolm_t) -+ -+optional_policy(` + + optional_policy(` +- mount_exec(sectoolm_t) + dbus_system_domain(sectoolm_t, sectoolm_exec_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- dbus_system_domain(sectoolm_t, sectoolm_exec_t) + # tests related to network + hostname_exec(sectoolm_t) +') -+ + +- optional_policy(` +- policykit_dbus_chat(sectoolm_t) +- ') +optional_policy(` + # tests related to network + iptables_domtrans(sectoolm_t) -+') + ') optional_policy(` - mount_exec(sectoolm_t) +- hostname_exec(sectoolm_t) ++ mount_exec(sectoolm_t) + ') + + optional_policy(` +- iptables_domtrans(sectoolm_t) ++ policykit_dbus_chat(sectoolm_t) + ') + ++# suid test using ++# rpm -Vf option + optional_policy(` + prelink_domtrans(sectoolm_t) + ') diff --git a/sendmail.fc b/sendmail.fc -index a86ec50..da5d41d 100644 +index d14b6bf..da5d41d 100644 --- a/sendmail.fc 
+++ b/sendmail.fc -@@ -1,5 +1,7 @@ +@@ -1,7 +1,8 @@ +-/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) --/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) +-/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) +-/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) -+ -+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) - /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) - /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +-/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) ++/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) ++/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) ++ ++/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) ++/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/sendmail.if b/sendmail.if -index 7e94c7c..ca74cd9 100644 +index 88e753f..ca74cd9 100644 --- a/sendmail.if 
+++ b/sendmail.if -@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',` +@@ -1,4 +1,4 @@ +-## Internetwork email routing facility. ++## Policy for sendmail. + + ######################################## + ## +@@ -18,7 +18,8 @@ interface(`sendmail_stub',` + + ######################################## + ## +-## Read and write sendmail unnamed pipes. ++## Allow attempts to read and write to ++## sendmail unnamed pipes. + ## + ## + ## +@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',` + + ######################################## + ## +-## Execute a domain transition to run sendmail. ++## Domain transition to sendmail. + ## + ## + ## +@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',` + type sendmail_t; ') +- corecmd_search_bin($1) mta_sendmail_domtrans($1, sendmail_t) +') -+ + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_fifo_file_perms; +- allow sendmail_t $1:process sigchld; +####################################### +## +## Execute sendmail in the sendmail domain. 
@@ -61841,39 +70464,165 @@ index 7e94c7c..ca74cd9 100644 + gen_require(` + type sendmail_initrc_exec_t; + ') - -- allow sendmail_t $1:fd use; -- allow sendmail_t $1:fifo_file rw_file_perms; -- allow sendmail_t $1:process sigchld; ++ + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') ######################################## -@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',` - type sendmail_t; + ## +-## Execute the sendmail program in the +-## sendmail domain, and allow the +-## specified role the sendmail domain. ++## Execute the sendmail program in the sendmail domain. + ## + ## + ## +@@ -70,18 +82,18 @@ interface(`sendmail_domtrans',` + ## + ## + ## +-## Role allowed access. ++## The role to allow the sendmail domain. + ## + ## + ## + # + interface(`sendmail_run',` + gen_require(` +- attribute_role sendmail_roles; ++ type sendmail_t; ') -- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; -+ allow $1 sendmail_t:unix_stream_socket rw_socket_perms; + sendmail_domtrans($1) +- roleattribute $2 sendmail_roles; ++ role $2 types sendmail_t; ') ######################################## -@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - type sendmail_t; +@@ -141,8 +153,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` + + ######################################## + ## +-## Read and write sendmail unix +-## domain stream sockets. ++## Read and write sendmail unix_stream_sockets. + ## + ## + ## +@@ -179,7 +190,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` + + ######################################## + ## +-## Read sendmail log files. ++## Read sendmail logs. + ## + ## + ## +@@ -199,8 +210,7 @@ interface(`sendmail_read_log',` + + ######################################## + ## +-## Create, read, write, and delete +-## sendmail log files. ++## Create, read, write, and delete sendmail logs. 
+ ## + ## + ## +@@ -220,8 +230,7 @@ interface(`sendmail_manage_log',` + + ######################################## + ## +-## Create specified objects in generic +-## log directories sendmail log file type. ++## Create sendmail logs with the correct type. + ## + ## + ## +@@ -230,43 +239,16 @@ interface(`sendmail_manage_log',` + ## + # + interface(`sendmail_create_log',` +- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') +- sendmail_log_filetrans_sendmail_log($1, $2, $3) +-') +- +-######################################## +-## +-## Create specified objects in generic +-## log directories sendmail log file type. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +-# +-interface(`sendmail_log_filetrans_sendmail_log',` + gen_require(` + type sendmail_log_t; + ') + +- logging_log_filetrans($1, sendmail_log_t, $2, $3) ++ logging_log_filetrans($1, sendmail_log_t, file) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## sendmail tmp files. ++## Manage sendmail tmp files. + ## + ## + ## +@@ -299,18 +281,13 @@ interface(`sendmail_domtrans_unconfined',` ') -- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; -+ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; + mta_sendmail_domtrans($1, unconfined_sendmail_t) +- +- allow unconfined_sendmail_t $1:fd use; +- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; +- allow unconfined_sendmail_t $1:process sigchld; ') ######################################## -@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',` + ## +-## Execute sendmail in the unconfined +-## sendmail domain, and allow the +-## specified role the unconfined +-## sendmail domain. 
++## Execute sendmail in the unconfined sendmail domain, and ++## allow the specified role the unconfined sendmail domain, ++## and use the caller's terminal. + ## + ## + ## +@@ -326,17 +303,36 @@ interface(`sendmail_domtrans_unconfined',` + # + interface(`sendmail_run_unconfined',` + gen_require(` +- attribute_role sendmail_unconfined_roles; ++ type unconfined_sendmail_t; + ') + sendmail_domtrans_unconfined($1) - role $2 types unconfined_sendmail_t; +- roleattribute $2 sendmail_unconfined_roles; ++ role $2 types unconfined_sendmail_t; ') -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an sendmail environment. +## Set the attributes of sendmail pid files. +## +## 
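Review bot: `sendmail_create_log` on the new side goes back to the one-argument form `logging_log_filetrans($1, sendmail_log_t, file)` and deletes the `sendmail_log_filetrans_sendmail_log` interface it had wrapped; because m4 silently discards surplus arguments, a caller written against the three-argument upstream form keeps building but loses its class and name-based transition without any error. If the revert is intentional, a line in the interface doc such as `## Only the file class is transitioned; the class and name arguments of the upstream interface are not supported.` makes that visible, otherwise keeping the `$2`/`$3` pass-through is the safer choice. The `sendmail_run` and `sendmail_run_unconfined` changes from `roleattribute` to `role $2 types …` in the same hunk look equivalent for a single type and need no change.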
@@ -61895,136 +70644,200 @@ index 7e94c7c..ca74cd9 100644 +## +## All of the rules required to administrate +## an sendmail environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`sendmail_admin',` -+ gen_require(` -+ type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; -+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + ## + ## + ## +@@ -354,12 +350,20 @@ interface(`sendmail_admin',` + gen_require(` + type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; + type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + type mail_spool_t; -+ ') -+ + ') + +- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) + allow $1 sendmail_t:process signal_perms; + ps_process_pattern($1, sendmail_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sendmail_t:process ptrace; + allow $1 unconfined_sendmail_t:process ptrace; + ') -+ + +- init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + allow $1 unconfined_sendmail_t:process signal_perms; + ps_process_pattern($1, unconfined_sendmail_t) + + sendmail_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 sendmail_initrc_exec_t system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, sendmail_log_t) -+ -+ files_list_tmp($1) -+ admin_pattern($1, sendmail_tmp_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, sendmail_var_run_t) -+ + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + +@@ -372,6 +376,6 @@ interface(`sendmail_admin',` + files_list_pids($1) + admin_pattern($1, sendmail_var_run_t) + +- sendmail_run($1, $2) +- sendmail_run_unconfined($1, $2) + files_list_spool($1) + admin_pattern($1, mail_spool_t) -+') + ') diff --git a/sendmail.te b/sendmail.te -index 22dac1f..a536819 100644 +index 5f35d78..a536819 100644 --- a/sendmail.te 
+++ b/sendmail.te -@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) +@@ -1,18 +1,10 @@ +-policy_module(sendmail, 1.11.5) ++policy_module(sendmail, 1.11.0) + + ######################################## + # + # Declarations + # + +-attribute_role sendmail_roles; +- +-attribute_role sendmail_unconfined_roles; +-roleattribute system_r sendmail_unconfined_roles; +- +-type sendmail_initrc_exec_t; +-init_script_file(sendmail_initrc_exec_t) +- + type sendmail_log_t; + logging_log_file(sendmail_log_t) + +@@ -26,27 +18,25 @@ type sendmail_t; + mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +-role sendmail_roles types sendmail_t; -type unconfined_sendmail_t; -application_domain(unconfined_sendmail_t, sendmail_exec_t) --role system_r types unconfined_sendmail_t; +-role sendmail_unconfined_roles types unconfined_sendmail_t; +type sendmail_initrc_exec_t; +init_script_file(sendmail_initrc_exec_t) ######################################## # -@@ -52,7 +51,6 @@ kernel_read_kernel_sysctls(sendmail_t) - # for piping mail to a command +-# Local policy ++# Sendmail local policy + # + +-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; ++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; + allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; + allow sendmail_t self:fifo_file rw_fifo_file_perms; +-allow sendmail_t self:unix_stream_socket { accept listen }; +-allow sendmail_t self:tcp_socket { accept listen }; ++allow sendmail_t self:unix_stream_socket create_stream_socket_perms; ++allow sendmail_t self:unix_dgram_socket create_socket_perms; ++allow sendmail_t self:tcp_socket create_stream_socket_perms; ++allow sendmail_t self:udp_socket create_socket_perms; + +-allow sendmail_t sendmail_log_t:dir setattr_dir_perms; +-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) 
+-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) +-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) ++allow sendmail_t sendmail_log_t:dir setattr; ++manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) + logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) + + manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +@@ -58,33 +48,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) + + kernel_read_network_state(sendmail_t) + kernel_read_kernel_sysctls(sendmail_t) ++# for piping mail to a command kernel_read_system_state(sendmail_t) -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_generic_if(sendmail_t) corenet_tcp_sendrecv_generic_node(sendmail_t) -@@ -79,17 +77,18 @@ corecmd_exec_bin(sendmail_t) + corenet_tcp_sendrecv_all_ports(sendmail_t) + corenet_tcp_bind_generic_node(sendmail_t) +- +-corenet_sendrecv_smtp_server_packets(sendmail_t) + corenet_tcp_bind_smtp_port(sendmail_t) +- +-corenet_sendrecv_all_client_packets(sendmail_t) + corenet_tcp_connect_all_ports(sendmail_t) ++corenet_sendrecv_smtp_server_packets(sendmail_t) ++corenet_sendrecv_smtp_client_packets(sendmail_t) + +-corecmd_exec_bin(sendmail_t) +-corecmd_exec_shell(sendmail_t) +- +-dev_read_sysfs(sendmail_t) + dev_read_urand(sendmail_t) +- +-domain_use_interactive_fds(sendmail_t) +- +-files_read_all_tmp_files(sendmail_t) +-files_read_etc_runtime_files(sendmail_t) +-files_read_usr_files(sendmail_t) +-files_search_spool(sendmail_t) ++dev_read_sysfs(sendmail_t) - domain_use_interactive_fds(sendmail_t) + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) +@@ -93,35 +71,50 @@ fs_rw_anon_inodefs_files(sendmail_t) + term_dontaudit_use_console(sendmail_t) + term_dontaudit_use_generic_ptys(sendmail_t) --files_read_etc_files(sendmail_t) - files_read_usr_files(sendmail_t) - files_search_spool(sendmail_t) - # for piping mail to a command - 
files_read_etc_runtime_files(sendmail_t) ++# for piping mail to a command ++corecmd_exec_shell(sendmail_t) ++corecmd_exec_bin(sendmail_t) ++ ++domain_use_interactive_fds(sendmail_t) ++ ++files_read_usr_files(sendmail_t) ++files_search_spool(sendmail_t) ++# for piping mail to a command ++files_read_etc_runtime_files(sendmail_t) +files_read_all_tmp_files(sendmail_t) - ++ init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) - # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console ++# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console init_read_utmp(sendmail_t) init_dontaudit_write_utmp(sendmail_t) -+init_rw_script_tmp_files(sendmail_t) + init_rw_script_tmp_files(sendmail_t) auth_use_nsswitch(sendmail_t) -@@ -100,10 +99,10 @@ logging_send_syslog_msg(sendmail_t) ++# Read /usr/lib/sasl2/.* + libs_read_lib_files(sendmail_t) + + logging_send_syslog_msg(sendmail_t) logging_dontaudit_write_generic_logs(sendmail_t) miscfiles_read_generic_certs(sendmail_t) -miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) --userdom_dontaudit_search_user_home_dirs(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) +userdom_dontaudit_list_user_home_dirs(sendmail_t) - mta_read_config(sendmail_t) - mta_etc_filetrans_aliases(sendmail_t) -@@ -115,6 +114,10 @@ mta_manage_spool(sendmail_t) +-mta_etc_filetrans_aliases(sendmail_t, file, "aliases") +-mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db") +-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp") ++mta_read_config(sendmail_t) ++mta_etc_filetrans_aliases(sendmail_t) ++# Write to /etc/aliases and /etc/mail. + mta_manage_aliases(sendmail_t) ++# Write to /var/spool/mail and /var/spool/mqueue. 
+ mta_manage_queue(sendmail_t) + mta_manage_spool(sendmail_t) +-mta_read_config(sendmail_t) mta_sendmail_exec(sendmail_t) optional_policy(` +- cfengine_dontaudit_write_log_files(sendmail_t) + cfengine_dontaudit_write_log(sendmail_t) -+') -+ -+optional_policy(` - cron_read_pipes(sendmail_t) - ') - -@@ -128,7 +131,14 @@ optional_policy(` - ') - - optional_policy(` -+ dovecot_write_inherited_tmp_files(sendmail_t) -+') -+ -+optional_policy(` - exim_domtrans(sendmail_t) -+ exim_manage_spool_files(sendmail_t) -+ exim_manage_spool_dirs(sendmail_t) -+ exim_read_log(sendmail_t) ') optional_policy(` -@@ -149,7 +159,14 @@ optional_policy(` +@@ -166,6 +159,11 @@ optional_policy(` ') optional_policy(` @@ -62033,13 +70846,10 @@ index 22dac1f..a536819 100644 +') + +optional_policy(` -+ postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) -+ postfix_domtrans_postqueue(sendmail_t) - postfix_read_config(sendmail_t) - postfix_search_spool(sendmail_t) - ') -@@ -168,20 +185,13 @@ optional_policy(` + postfix_domtrans_postqueue(sendmail_t) +@@ -187,21 +185,13 @@ optional_policy(` ') optional_policy(` @@ -62054,37 +70864,39 @@ index 22dac1f..a536819 100644 -######################################## -# --# Unconfined sendmail local policy --# Allow unconfined domain to run newalias and have transitions work +-# Unconfined local policy -# - optional_policy(` -- mta_etc_filetrans_aliases(unconfined_sendmail_t) +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases") +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db") +- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp") - unconfined_domain(unconfined_sendmail_t) + uucp_domtrans_uux(sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -new file mode 100644 -index 0000000..e1ef619 ---- /dev/null +index 8185d5a..719ac47 100644 +--- a/sensord.fc 
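Review bot: In sendmail.te the new side replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio on `sendmail_log_t` with `manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)`, which additionally grants write, rename, link and unlink on the log files. For a daemon whose logging is appends to `sendmail.st`, the narrower trio limits what a compromised `sendmail_t` can do to its own log history, so either the upstream lines should stay or a comment above the `manage_files_pattern` line should name the case (rotation by sendmail itself, for example) that needs full management. A minor style point in the same file: the comment `# for piping mail to a command` now appears three times (above `kernel_read_system_state`, above `corecmd_exec_shell` and above `files_read_etc_runtime_files`); once, above the corecmd block, is enough.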
+++ b/sensord.fc -@@ -0,0 +1,5 @@ +@@ -1,3 +1,5 @@ +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + -+/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) -+ -+/var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) + + /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) diff --git a/sensord.if b/sensord.if -new file mode 100644 -index 0000000..5eba5fd ---- /dev/null +index d204752..5eba5fd 100644 +--- a/sensord.if +++ b/sensord.if -@@ -0,0 +1,75 @@ +@@ -1,35 +1,75 @@ +-## Sensor information logging daemon. + +## Sensor information logging daemon -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an sensord environment. +## Execute sensord in the sensord domain. +## +## @@ -62104,12 +70916,14 @@ index 0000000..5eba5fd +######################################## +## +## Execute sensord server in the sensord domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`sensord_systemctl',` + gen_require(` 
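Review bot: The summary on the new `sensord_systemctl` interface, `## Execute sensord server in the sensord domain.`, repeats the sentence used for `sensord_domtrans` just above it and does not describe what a systemctl interface does; the body is outside this hunk, but an interface of this name, which `sensord_admin` later pairs with `sensord_unit_file_t`, is presumably about running systemctl against the sensord unit, so `## Execute systemctl in the caller's domain to manage the sensord service unit.` would read truer. The parameter text `## Domain allowed to transition.` likewise implies a transition this interface presumably does not perform; `## Domain allowed access.`, the wording used elsewhere in this file, fits better.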
@@ -62131,97 +70945,113 @@ index 0000000..5eba5fd +## an sensord environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+## -+# -+interface(`sensord_admin',` -+ gen_require(` + ## + ## + ## + # + interface(`sensord_admin',` + gen_require(` +- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; + type sensord_unit_file_t; -+ ') -+ -+ allow $1 sensord_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, sensord_t) -+ + ') + + allow $1 sensord_t:process { ptrace signal_perms }; + ps_process_pattern($1, sensord_t) + +- init_labeled_script_domtrans($1, sensord_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 sensord_initrc_exec_t system_r; +- allow $2 system_r; + sensord_systemctl($1) + admin_pattern($1, sensord_unit_file_t) + allow $1 sensord_unit_file_t:service all_service_perms; -+ + +- files_search_pids($1) +- admin_pattern($1, sensord_var_run_t) + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') diff --git a/sensord.te b/sensord.te -new file mode 100644 -index 0000000..5e92ac9 ---- /dev/null +index 5e82fd6..fa352d8 100644 +--- a/sensord.te 
+++ b/sensord.te -@@ -0,0 +1,35 @@ -+policy_module(sensord, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sensord_t; -+type sensord_exec_t; -+init_daemon_domain(sensord_t, sensord_exec_t) -+ +@@ -9,6 +9,9 @@ type sensord_t; + type sensord_exec_t; + init_daemon_domain(sensord_t, sensord_exec_t) + +type sensord_unit_file_t; +systemd_unit_file(sensord_unit_file_t) + -+type sensord_var_run_t; -+files_pid_file(sensord_var_run_t) -+ -+######################################## -+# -+# sensord local policy -+# -+ -+allow sensord_t self:fifo_file rw_fifo_file_perms; -+allow sensord_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) -+files_pid_filetrans(sensord_t, sensord_var_run_t, { file }) -+ -+domain_use_interactive_fds(sensord_t) -+ -+dev_read_sysfs(sensord_t) -+ -+files_read_etc_files(sensord_t) -+ -+logging_send_syslog_msg(sensord_t) + type sensord_initrc_exec_t; + init_script_file(sensord_initrc_exec_t) + +@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + + dev_read_sysfs(sensord_t) + +-files_read_etc_files(sensord_t) +- + logging_send_syslog_msg(sensord_t) + +-miscfiles_read_localization(sensord_t) +diff --git a/setroubleshoot.fc b/setroubleshoot.fc +index 0b3a971..397a522 100644 +--- a/setroubleshoot.fc ++++ b/setroubleshoot.fc +@@ -1,9 +1,9 @@ + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) + +-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) ++/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) + +-/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) ++/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) + +-/var/log/setroubleshoot(/.*)? 
gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) ++/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) + +-/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) ++/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/setroubleshoot.if b/setroubleshoot.if -index bcdd16c..039b0c8 100644 +index 3a9a70b..039b0c8 100644 --- a/setroubleshoot.if +++ b/setroubleshoot.if -@@ -2,7 +2,7 @@ +@@ -1,9 +1,8 @@ +-## SELinux troubleshooting service. ++## SELinux troubleshooting service ######################################## ## --## Connect to setroubleshootd over an unix stream socket. +-## Connect to setroubleshootd with a +-## unix domain stream socket. +## Connect to setroubleshootd over a unix stream socket. ## ## ## -@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',` +@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',` + ######################################## ## - ## Dontaudit attempts to connect to setroubleshootd --## over an unix stream socket. +-## Do not audit attempts to connect to +-## setroubleshootd with a unix +-## domain stream socket. ++## Dontaudit attempts to connect to setroubleshootd +## over a unix stream socket. ## ## ## -@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## ## +-## All of the rules required to +-## administrate an setroubleshoot environment. +## Dontaudit read/write to a setroubleshoot leaked sockets. +## +## 
@@ -62241,197 +71071,235 @@ index bcdd16c..039b0c8 100644 + +######################################## +## - ## All of the rules required to administrate - ## an setroubleshoot environment ++## All of the rules required to administrate ++## an setroubleshoot environment ## -@@ -117,15 +136,18 @@ interface(`setroubleshoot_dbus_chat_fixit',` + ## + ## +@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` -- type setroubleshootd_t, setroubleshoot_log_t; +- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; + type setroubleshoot_var_lib_t; ') -- allow $1 setroubleshootd_t:process { ptrace signal_perms }; +- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) + allow $1 setroubleshootd_t:process signal_perms; - ps_process_pattern($1, setroubleshootd_t) ++ ps_process_pattern($1, setroubleshootd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 setroubleshootd_t:process ptrace; + ') logging_list_logs($1) -- admin_pattern($1, setroubleshoot_log_t) -+ admin_pattern($1, setroubleshoot_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, setroubleshoot_var_lib_t) + admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..ab3ba4d 100644 +index 49b12ae..ab3ba4d 100644 --- a/setroubleshoot.te 
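Review bot: `sensord_admin` on the new side still grants `allow $1 sensord_t:process { ptrace signal_perms };` unconditionally, while `sendmail_admin` and `setroubleshoot_admin` in this same patch grant `signal_perms` outright and gate `ptrace` behind `tunable_policy(`deny_ptrace',…)`. Leaving sensord as the one admin interface that ignores the `deny_ptrace` boolean is inconsistent and means the boolean does not actually deny ptrace of `sensord_t`; the same split used for the other two interfaces restores that. The rest of the interface (the `sensord_systemctl` call, `admin_pattern` on the unit file and the systemd optional block) is unaffected.
```m4
interface(`sensord_admin',`
	# … unchanged: gen_require block …

	allow $1 sensord_t:process signal_perms;
	ps_process_pattern($1, sensord_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 sensord_t:process ptrace;
	')

	# … unchanged: sensord_systemctl, admin_pattern, optional_policy block …
')
```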
+++ b/setroubleshoot.te -@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) +@@ -1,4 +1,4 @@ +-policy_module(setroubleshoot, 1.11.2) ++policy_module(setroubleshoot, 1.11.0) + + ######################################## + # +@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2) + + type setroubleshootd_t alias setroubleshoot_t; + type setroubleshootd_exec_t; +-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++domain_type(setroubleshootd_t) ++init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) type setroubleshoot_fixit_t; type setroubleshoot_fixit_exec_t; --dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) -@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t) - # setroubleshootd local policy + ++# log files + type setroubleshoot_var_log_t; + logging_log_file(setroubleshoot_var_log_t) + ++# pid files + type setroubleshoot_var_run_t; + files_pid_file(setroubleshoot_var_run_t) + + ######################################## + # +-# Local policy ++# setroubleshootd local policy # --allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -+allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; - allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; + allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; +-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t 
self:process { execmem execstack }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; - allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; - allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +-allow setroubleshootd_t self:tcp_socket { accept listen }; +-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen }; ++allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; ++allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; + +-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; ++# database files ++allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; + manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) + files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) + +-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms; +-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) ++# log files ++allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; ++manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) + manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - # pid file -+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) ++# pid file + manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) 
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) --files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) -+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) - - kernel_read_kernel_sysctls(setroubleshootd_t) - kernel_read_system_state(setroubleshootd_t) - kernel_read_net_sysctls(setroubleshootd_t) - kernel_read_network_state(setroubleshootd_t) -+kernel_dontaudit_list_all_proc(setroubleshootd_t) -+kernel_read_irq_sysctls(setroubleshootd_t) -+kernel_read_unlabeled_state(setroubleshootd_t) - - corecmd_exec_bin(setroubleshootd_t) +@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -+corecmd_read_all_executables(setroubleshootd_t) + corecmd_read_all_executables(setroubleshootd_t) -corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) corenet_tcp_sendrecv_generic_if(setroubleshootd_t) corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t) +- +-corenet_sendrecv_smtp_client_packets(setroubleshootd_t) ++corenet_tcp_sendrecv_all_ports(setroubleshootd_t) ++corenet_tcp_bind_generic_node(setroubleshootd_t) + corenet_tcp_connect_smtp_port(setroubleshootd_t) +-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t) ++corenet_sendrecv_smtp_client_packets(setroubleshootd_t) + + dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) - dev_getattr_all_blk_files(setroubleshootd_t) - dev_getattr_all_chr_files(setroubleshootd_t) -+dev_getattr_mtrr_dev(setroubleshootd_t) - - domain_dontaudit_search_all_domains_state(setroubleshootd_t) - domain_signull_all_domains(setroubleshootd_t) - - files_read_usr_files(setroubleshootd_t) --files_read_etc_files(setroubleshootd_t) - files_list_all(setroubleshootd_t) - 
files_getattr_all_files(setroubleshootd_t) - files_getattr_all_pipes(setroubleshootd_t) - files_getattr_all_sockets(setroubleshootd_t) - files_read_all_symlinks(setroubleshootd_t) -+files_read_mnt_files(setroubleshootd_t) - - fs_getattr_all_dirs(setroubleshootd_t) - fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) - - selinux_get_enforce_mode(setroubleshootd_t) - selinux_validate_context(setroubleshootd_t) -+selinux_read_policy(setroubleshootd_t) - - term_dontaudit_use_all_ptys(setroubleshootd_t) - term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t) - init_read_utmp(setroubleshootd_t) - init_dontaudit_write_utmp(setroubleshootd_t) +@@ -108,13 +114,13 @@ init_dontaudit_write_utmp(setroubleshootd_t) --miscfiles_read_localization(setroubleshootd_t) -+libs_exec_ld_so(setroubleshootd_t) -+ + libs_exec_ld_so(setroubleshootd_t) ++ locallogin_dontaudit_use_fds(setroubleshootd_t) logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) - --modutils_read_module_config(setroubleshootd_t) +-miscfiles_read_localization(setroubleshootd_t) +logging_stream_connect_syslog(setroubleshootd_t) seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) -@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -123,11 +129,7 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` +- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +- +- optional_policy(` +- abrt_dbus_chat(setroubleshootd_t) +- ') + abrt_dbus_chat(setroubleshootd_t) -+') -+ -+optional_policy(` -+ locate_read_lib_files(setroubleshootd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +@@ -135,10 +137,18 @@ optional_policy(` + ') + + optional_policy(` + mock_getattr_lib(setroubleshootd_t) +') + 
+optional_policy(` -+ modutils_read_module_config(setroubleshootd_t) -+') -+ -+optional_policy(` - dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) + modutils_read_module_config(setroubleshootd_t) ') optional_policy(` -+ rpm_exec(setroubleshootd_t) ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++') ++ ++optional_policy(` + rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) - rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -148,15 +158,17 @@ optional_policy(` + + ######################################## + # +-# Fixit local policy ++# setroubleshoot_fixit local policy + # + + allow setroubleshoot_fixit_t self:capability sys_nice; + allow setroubleshoot_fixit_t self:process { setsched getsched }; + allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; ++allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + + allow setroubleshoot_fixit_t setroubleshootd_t:process signull; + ++setroubleshoot_dbus_chat(setroubleshoot_fixit_t) + setroubleshoot_stream_connect(setroubleshoot_fixit_t) - corecmd_exec_bin(setroubleshoot_fixit_t) + kernel_read_system_state(setroubleshoot_fixit_t) +@@ -165,7 +177,12 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) -+corecmd_getattr_all_executables(setroubleshoot_fixit_t) -+ + corecmd_getattr_all_executables(setroubleshoot_fixit_t) + +dev_read_sysfs(setroubleshoot_fixit_t) +dev_read_urand(setroubleshoot_fixit_t) - ++ seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) +seutil_read_module_store(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) --files_read_etc_files(setroubleshoot_fixit_t) files_list_tmp(setroubleshoot_fixit_t) - - auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -162,9 +192,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +192,26 @@ 
auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) -miscfiles_read_localization(setroubleshoot_fixit_t) +- +-userdom_read_all_users_state(setroubleshoot_fixit_t) +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) -+userdom_signull_unpriv_users(setroubleshoot_fixit_t) -+ -+optional_policy(` -+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + userdom_signull_unpriv_users(setroubleshoot_fixit_t) + + optional_policy(` + dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +- setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +') -+ + +- optional_policy(` +- policykit_dbus_chat(setroubleshoot_fixit_t) +- ') +optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) -+') + ') optional_policy(` + rpm_exec(setroubleshoot_fixit_t) rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) rpm_dontaudit_manage_db(setroubleshoot_fixit_t) + rpm_use_script_fds(setroubleshoot_fixit_t) + ') ++ ++optional_policy(` ++ policykit_dbus_chat(setroubleshoot_fixit_t) ++ userdom_read_all_users_state(setroubleshoot_fixit_t) ++') diff --git a/sge.fc b/sge.fc new file mode 100644 index 0000000..160ddc2 
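Review bot: In setroubleshoot.te the new side replaces upstream's `corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)` with `corenet_tcp_sendrecv_all_ports(setroubleshootd_t)` and adds `corenet_tcp_bind_generic_node(setroubleshootd_t)`, while the only connect rule kept is `corenet_tcp_connect_smtp_port`; send/receive on every TCP port plus node bind is broader than the SMTP notification path the connect rule implies, so either the narrower upstream line should stay or a comment should name the listener or extra port that needs the wider grant. In the fixit section the new block `optional_policy(` … policykit_dbus_chat(setroubleshoot_fixit_t) userdom_read_all_users_state(setroubleshoot_fixit_t) … ')` makes a base-policy userdom grant conditional on the policykit module, which the previous unconditional placement of `userdom_read_all_users_state` did not; if fixit needs that access regardless of policykit, move that line back out of the block. The added `domain_type(setroubleshootd_t)` directly above `init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)` is presumably redundant, since `init_daemon_domain` declares the domain type itself.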
@@ -62673,31 +71541,46 @@ index 0000000..d43336f +optional_policy(` + nslcd_stream_connect(sge_domain) +') -diff --git a/shorewall.fc b/shorewall.fc -index 48d1363..4a5b930 100644 ---- a/shorewall.fc -+++ b/shorewall.fc -@@ -7,6 +7,9 @@ - /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) - /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) - -+/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) -+/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) -+ - /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) diff --git a/shorewall.if b/shorewall.if -index 781ad7e..d5ce40a 100644 +index 1aeef8a..d5ce40a 100644 --- a/shorewall.if +++ b/shorewall.if -@@ -55,28 +55,9 @@ interface(`shorewall_read_config',` +@@ -1,4 +1,4 @@ +-## Shoreline Firewall high-level tool for configuring netfilter. ++## Shoreline Firewall high-level tool for configuring netfilter + + ######################################## + ## +@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',` + type shorewall_t, shorewall_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, shorewall_exec_t, shorewall_t) + ') + +@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',` + type shorewall_t, shorewall_var_lib_t; + ') + +- files_search_var_lib($1) + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) + ') + + ####################################### + ## +-## Read shorewall configuration files. ++## Read shorewall etc configuration files. + ## + ## + ## +@@ -57,47 +55,9 @@ interface(`shorewall_read_config',` read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) ') -####################################### -## --## Read shorewall PID files. +-## Read shorewall pid files. -## -## -## 
@@ -62715,17 +71598,15 @@ index 781ad7e..d5ce40a 100644 -') - -####################################### -+###################################### - ## --## Read and write shorewall PID files. -+## Read shorewall /var/lib files. - ## - ## - ## -@@ -84,28 +65,9 @@ interface(`shorewall_read_pid_files',` - ## - ## - # +-## +-## Read and write shorewall pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# -interface(`shorewall_rw_pid_files',` - gen_require(` - type shorewall_var_run_t; 
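Review bot: The new side of this hunk drops `corecmd_search_bin($1)` from `shorewall_domtrans` and `files_search_var_lib($1)` from `shorewall_lib_domtrans`, so a caller that does not already hold search on the bin and /var/lib directories fails before it can reach the labelled executable and the transition never happens. Refpolicy domtrans interfaces normally carry those search rules themselves so that the interface works from any caller, and the `shorewall_read_lib_files`/`shorewall_rw_lib_files` bodies in the following hunk still keep `files_search_var_lib($1)` and even add `search_dirs_pattern`, which makes the omission here look unintended. I would restore the two lines unless every caller is known to have the search rights already. Both affected interface bodies are complete within the hunk.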
@@ -62735,24 +71616,94 @@ index 781ad7e..d5ce40a 100644 - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) -') - --###################################### --## --## Read shorewall /var/lib files. --## --## --## --## Domain allowed access. --## --## --# + ###################################### + ## +-## Read shorewall lib files. ++## Read shorewall /var/lib files. + ## + ## + ## +@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',` + ## + # interface(`shorewall_read_lib_files',` - gen_require(` -- type shorewall_t; -+ type shorewall_var_lib_t; - ') +- gen_require(` ++ gen_require(` + type shorewall_var_lib_t; +- ') ++ ') + +- files_search_var_lib($1) +- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + ') + + ####################################### + ## +-## Read and write shorewall lib files. ++## Read and write shorewall /var/lib files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # + interface(`shorewall_rw_lib_files',` +- gen_require(` +- type shorewall_var_lib_t; +- ') ++ gen_require(` ++ type shorewall_var_lib_t; ++ ') + +- files_search_var_lib($1) +- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + ') + + ####################################### + ## +-## Read shorewall temporary files. ++## Read shorewall tmp files. + ## + ## + ## +@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',` - files_search_var_lib($1) -@@ -177,8 +139,11 @@ interface(`shorewall_admin',` + ####################################### + ## +-## All of the rules required to +-## administrate an shorewall environment. 
++## All of the rules required to administrate ++## an shorewall environment + ## + ## + ## +@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the syslog domain. + ## + ## + ## + # + interface(`shorewall_admin',` + gen_require(` +- type shorewall_t, shorewall_lock_t, shorewall_log_t; +- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; ++ type shorewall_t, shorewall_lock_t; ++ type shorewall_log_t; ++ type shorewall_initrc_exec_t, shorewall_var_lib_t; type shorewall_tmp_t, shorewall_etc_t; ') @@ -62765,23 +71716,19 @@ index 781ad7e..d5ce40a 100644 init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + +- can_exec($1, shorewall_exec_t) +- + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + diff --git a/shorewall.te b/shorewall.te -index 4723c6b..c55fcaa 100644 +index ca03de6..bcf990d 100644 --- a/shorewall.te 
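Review bot: The role description the new side substitutes into `shorewall_admin`, `## The role to be allowed to manage the syslog domain.`, is a copy-paste from another module; this interface administers shorewall, not syslog, and the original `## Role allowed access.` it replaces was accurate and matches the other admin interfaces in this patch (smokeping_admin, snmp_admin). Either keep the original wording or write `## The role to be allowed to manage the shorewall domain.`. The summary two lines above would also read better as `## a shorewall environment`. The `shorewall_admin` body itself begins in this hunk and continues into the next one.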
+++ b/shorewall.te -@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t) - # shorewall local policy - # - --allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; -+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; - dontaudit shorewall_t self:capability sys_tty_config; - allow shorewall_t self:fifo_file rw_fifo_file_perms; -+allow shorewall_t self:netlink_socket create_socket_perms; - - read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) - list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) -@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +@@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -62791,25 +71738,8 @@ index 4723c6b..c55fcaa 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -70,12 +74,12 @@ kernel_rw_net_sysctls(shorewall_t) - corecmd_exec_bin(shorewall_t) - corecmd_exec_shell(shorewall_t) - -+dev_read_sysfs(shorewall_t) - dev_read_urand(shorewall_t) - - domain_read_all_domains_state(shorewall_t) - - files_getattr_kernel_modules(shorewall_t) --files_read_etc_files(shorewall_t) - files_read_usr_files(shorewall_t) - files_search_kernel_modules(shorewall_t) - -@@ -83,13 +87,20 @@ fs_getattr_all_fs(shorewall_t) - - init_rw_utmp(shorewall_t) - -+logging_read_generic_logs(shorewall_t) +@@ -86,12 +89,13 @@ init_rw_utmp(shorewall_t) + logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) -miscfiles_read_localization(shorewall_t) 
@@ -62818,41 +71748,64 @@ index 4723c6b..c55fcaa 100644 sysnet_domtrans_ifconfig(shorewall_t) -userdom_dontaudit_list_user_home_dirs(shorewall_t) +-userdom_use_user_terminals(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) +userdom_use_inherited_user_ttys(shorewall_t) +userdom_use_inherited_user_ptys(shorewall_t) -+ -+optional_policy(` -+ brctl_domtrans(shorewall_t) -+') optional_policy(` - hostname_exec(shorewall_t) + brctl_domtrans(shorewall_t) diff --git a/shutdown.fc b/shutdown.fc -index 97671a3..e317fbe 100644 +index a91f33b..631dbc1 100644 --- a/shutdown.fc +++ b/shutdown.fc -@@ -2,6 +2,10 @@ - - /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +@@ -8,4 +8,4 @@ --/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -+/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+ -+/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -+ +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/shutdown.if b/shutdown.if -index d0604cf..b66057c 100644 +index d1706bf..aa97fad 100644 --- a/shutdown.if 
+++ b/shutdown.if -@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',` +@@ -1,30 +1,4 @@ +-## System shutdown command. +- +-######################################## +-## +-## Role access for shutdown. +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-## +-## User domain for the role. +-## +-## +-# +-interface(`shutdown_role',` +- gen_require(` +- type shutdown_t; +- ') +- +- shutdown_run($2, $1) +- +- allow $2 shutdown_t:process { ptrace signal_perms }; +- ps_process_pattern($2, shutdown_t) +-') ++## System shutdown command + + ######################################## + ## +@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',` + corecmd_search_bin($1) domtrans_pattern($1, shutdown_exec_t, shutdown_t) - ++ + init_reboot($1) + init_halt($1) + @@ -62863,17 +71816,38 @@ index d0604cf..b66057c 100644 + systemd_login_halt($1) + ') + - ifdef(`hide_broken_symptoms', ` -- dontaudit shutdown_t $1:socket_class_set { read write }; -- dontaudit shutdown_t $1:fifo_file { read write }; ++ ifdef(`hide_broken_symptoms', ` + dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; - ') ++ ') ') -@@ -51,6 +60,73 @@ interface(`shutdown_run',` + ######################################## + ## +-## Execute shutdown in the shutdown +-## domain, and allow the specified role +-## the shutdown domain. ++## Execute shutdown in the shutdown domain, and ++## allow the specified role the shutdown domain. + ## + ## + ## +@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',` + # + interface(`shutdown_run',` + gen_require(` ++ type shutdown_t; + attribute_role shutdown_roles; + ') + +- shutdown_domtrans($1) +- roleattribute $2 shutdown_roles; ++ shutdown_domtrans($1) ++ roleattribute $2 shutdown_roles; + ') ######################################## ## +-## Send generic signals to shutdown. +## Role access for shutdown +## +## 
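Review bot: On the new side `shutdown_domtrans` grants the calling domain `init_reboot($1)` and `init_halt($1)` (and, in the next hunk, `systemd_login_halt($1)` inside an optional_policy) in addition to the transition, so every domain that merely wants to execute the labelled shutdown binary also receives the direct ability to halt or reboot the system. If the intent is that the action is performed by the caller rather than by shutdown_t after the transition, that reasoning is not recorded anywhere; I would add a comment above those lines such as `# the caller, not shutdown_t, issues the reboot/halt request when shutdown is a thin systemd front-end` so the next maintainer does not tighten it by moving the rules onto shutdown_t without understanding the consequence. Whether these lines are new in this revision or carried over from the previous patch is not fully clear from the collapsed markers, but they are on the new side either way. The interface body starts in this hunk and finishes in the following one.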
@@ -62892,12 +71866,10 @@ index d0604cf..b66057c 100644 + type shutdown_t; + ') + -+ role $1 types shutdown_t; -+ -+ shutdown_domtrans($2) ++ shutdown_run($2, $1) + -+ ps_process_pattern($2, shutdown_t) -+ allow $2 shutdown_t:process signal; ++ allow $2 shutdown_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, shutdown_t +') + +######################################## @@ -62922,148 +71894,92 @@ index d0604cf..b66057c 100644 +## +## Send and receive messages from +## shutdown over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -81,17 +114,19 @@ interface(`shutdown_run',` + ## + ## + # +-interface(`shutdown_signal',` +interface(`shutdown_dbus_chat',` -+ gen_require(` -+ type shutdown_t; + gen_require(` + type shutdown_t; + class dbus send_msg; -+ ') -+ + ') + +- allow shutdown_t $1:process signal; + allow $1 shutdown_t:dbus send_msg; + allow shutdown_t $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Get attributes of shutdown executable. + ') + + ######################################## + ## +-## Get attributes of shutdown executable files. ++## Get attributes of shutdown executable. ## ## + ## diff --git a/shutdown.te b/shutdown.te -index 8966ec9..2a52a13 100644 +index 7880d1f..8804935 100644 --- a/shutdown.te 
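Review bot: `ps_process_pattern($2, shutdown_t` on the new side of the `shutdown_role` body has no closing parenthesis (the removed line just above it had one), so the interface will not expand as written; it should read `ps_process_pattern($2, shutdown_t)`. The same rewrite also widens the user domain's access from `signal` to `{ ptrace signal_perms }` unconditionally, whereas the admin interfaces elsewhere in this patch (smartmon_admin, smokeping_admin, snmp_admin) now gate ptrace behind the deny_ptrace tunable; for consistency and least privilege I would write `allow $2 shutdown_t:process signal_perms;` followed by ``tunable_policy(`deny_ptrace',`',` allow $2 shutdown_t:process ptrace; ')``. If the missing parenthesis is an artefact of how the patch was pasted into this page, disregard the first point, but the text as rendered is what would be applied.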
+++ b/shutdown.te -@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0) - - type shutdown_t; - type shutdown_exec_t; -+init_system_domain(shutdown_t, shutdown_exec_t) - application_domain(shutdown_t, shutdown_exec_t) - role system_r types shutdown_t; - -@@ -21,8 +22,8 @@ files_pid_file(shutdown_var_run_t) - # shutdown local policy - # - --allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; --allow shutdown_t self:process { fork signal signull }; -+allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; -+allow shutdown_t self:process { fork setsched signal signull }; +@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) - allow shutdown_t self:fifo_file manage_fifo_file_perms; - allow shutdown_t self:unix_stream_socket create_stream_socket_perms; -@@ -33,25 +34,31 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file) - manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) - files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) - -+kernel_read_system_state(shutdown_t) -+ - domain_use_interactive_fds(shutdown_t) - --files_read_etc_files(shutdown_t) - files_read_generic_pids(shutdown_t) -+files_delete_boot_flag(shutdown_t) -+ -+mls_file_write_to_clearance(shutdown_t) + mls_file_write_to_clearance(shutdown_t) -term_use_all_terms(shutdown_t) +term_use_all_inherited_terms(shutdown_t) auth_use_nsswitch(shutdown_t) auth_write_login_records(shutdown_t) - --init_dontaudit_write_utmp(shutdown_t) --init_read_utmp(shutdown_t) -+init_rw_utmp(shutdown_t) - init_stream_connect(shutdown_t) - init_telinit(shutdown_t) - +@@ -56,8 +56,6 @@ init_telinit(shutdown_t) logging_search_logs(shutdown_t) logging_send_audit_msgs(shutdown_t) -miscfiles_read_localization(shutdown_t) -+ -+optional_policy(` -+ cron_system_entry(shutdown_t, shutdown_exec_t) -+') - +- optional_policy(` - dbus_system_bus_client(shutdown_t) -@@ -59,5 +66,15 @@ optional_policy(` + cron_system_entry(shutdown_t, shutdown_exec_t) + ') +@@ -68,10 
+66,15 @@ optional_policy(` ') optional_policy(` +- oddjob_dontaudit_rw_fifo_files(shutdown_t) +- oddjob_sigchld(shutdown_t) + oddjob_dontaudit_rw_fifo_file(shutdown_t) + oddjob_sigchld(shutdown_t) +') + +optional_policy(` + rhev_sigchld_agentd(shutdown_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` xserver_dontaudit_write_log(shutdown_t) + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index a225c02..b76ed92 100644 +index ba26427..83d21aa 100644 --- a/slocate.te +++ b/slocate.te -@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t) - files_getattr_all_pipes(locate_t) - files_getattr_all_sockets(locate_t) - files_read_etc_runtime_files(locate_t) --files_read_etc_files(locate_t) - - fs_getattr_all_fs(locate_t) - fs_getattr_all_files(locate_t) -@@ -58,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t) - # getpwnam +@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) + auth_use_nsswitch(locate_t) -miscfiles_read_localization(locate_t) ifdef(`enable_mls',` - # On MLS machines will not be allowed to getattr Anything but SystemLow -diff --git a/slpd.fc b/slpd.fc -new file mode 100644 -index 0000000..5064a4a ---- /dev/null -+++ b/slpd.fc -@@ -0,0 +1,7 @@ -+/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0) -+ -+/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0) -+ -+/var/log/slpd\.log -- gen_context(system_u:object_r:slpd_var_log_t,s0) -+ -+/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0) + files_dontaudit_getattr_all_dirs(locate_t) diff --git a/slpd.if b/slpd.if -new file mode 100644 -index 0000000..75931f8 ---- /dev/null +index ca32e89..98278dd 100644 +--- a/slpd.if +++ b/slpd.if -@@ -0,0 +1,75 @@ -+ -+## OpenSLP server daemon to dynamically register services. -+ -+######################################## -+## +@@ -2,6 +2,43 @@ + + ######################################## + ## +## Transition to slpd. +## +## 
@@ -63101,99 +72017,45 @@ index 0000000..75931f8 + +######################################## +## -+## All of the rules required to administrate -+## an slpd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`slpd_admin',` -+ gen_require(` -+ type slpd_t; -+ type slpd_initrc_exec_t; -+ ') -+ -+ allow $1 slpd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, slpd_t) -+ + ## All of the rules required to + ## administrate an slpd environment. + ## +@@ -26,7 +63,7 @@ interface(`slpd_admin',` + allow $1 slpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slpd_t) + +- init_labeled_script_domtrans($1, slpd_initrc_exec_t) + slpd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 slpd_initrc_exec_t system_r; -+ allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 slpd_initrc_exec_t system_r; + allow $2 system_r; +@@ -36,4 +73,10 @@ interface(`slpd_admin',` + + files_search_pids($1) + admin_pattern($1, slpd_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') ++ + ') diff --git a/slpd.te b/slpd.te -new file mode 100644 -index 0000000..cd475d6 ---- /dev/null +index 66ac42a..f28fadc 100644 +--- a/slpd.te 
+++ b/slpd.te -@@ -0,0 +1,52 @@ -+policy_module(slpd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type slpd_t; -+type slpd_exec_t; -+init_daemon_domain(slpd_t, slpd_exec_t) -+ -+type slpd_initrc_exec_t; -+init_script_file(slpd_initrc_exec_t) -+ -+type slpd_var_log_t; -+logging_log_file(slpd_var_log_t) -+ -+type slpd_var_run_t; -+files_pid_file(slpd_var_run_t) -+ -+######################################## -+# -+# slpd local policy -+# -+ -+allow slpd_t self:capability { kill setgid setuid }; -+allow slpd_t self:process { fork signal }; -+allow slpd_t self:fifo_file rw_fifo_file_perms; -+allow slpd_t self:tcp_socket { create_socket_perms listen }; -+allow slpd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(slpd_t, slpd_var_log_t, slpd_var_log_t) -+logging_log_filetrans(slpd_t, slpd_var_log_t, { file }) -+ -+manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) -+files_pid_filetrans(slpd_t, slpd_var_run_t, { file }) -+ -+corenet_all_recvfrom_netlabel(slpd_t) -+corenet_tcp_bind_generic_node(slpd_t) -+corenet_udp_bind_generic_node(slpd_t) -+corenet_tcp_bind_all_ports(slpd_t) -+corenet_udp_bind_all_ports(slpd_t) -+ +@@ -50,6 +50,8 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) + corenet_tcp_bind_svrloc_port(slpd_t) + corenet_udp_bind_svrloc_port(slpd_t) + +dev_read_urand(slpd_t) + -+domain_use_interactive_fds(slpd_t) -+ -+files_read_etc_files(slpd_t) -+ -+auth_use_nsswitch(slpd_t) -+ + auth_use_nsswitch(slpd_t) + +-miscfiles_read_localization(slpd_t) +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te -index e5e72fd..84936ca 100644 +index 5437237..d46f779 100644 --- a/slrnpull.te +++ b/slrnpull.te @@ -13,7 +13,7 @@ type slrnpull_var_run_t; @@ -63215,108 +72077,85 @@ index e5e72fd..84936ca 100644 userdom_dontaudit_search_user_home_dirs(slrnpull_t) diff --git a/smartmon.if b/smartmon.if -index adea9f9..f5dd0fe 100644 +index e0644b5..ea347cc 100644 --- a/smartmon.if 
+++ b/smartmon.if -@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',` - type fsdaemon_tmp_t; +@@ -42,9 +42,13 @@ interface(`smartmon_admin',` + type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; ') -+ files_search_tmp($1) - allow $1 fsdaemon_tmp_t:file read_file_perms; - ') - -@@ -41,8 +42,11 @@ interface(`smartmon_admin',` - type fsdaemon_initrc_exec_t; - ') - -- allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; +- allow $1 fsdaemon_t:process { ptrace signal_perms }; + allow $1 fsdaemon_t:process signal_perms; ps_process_pattern($1, fsdaemon_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 fsdaemon_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 6b3322b..c955ccc 100644 +index 9ade9c5..48444ed 100644 --- a/smartmon.te 
+++ b/smartmon.te -@@ -1,4 +1,4 @@ --policy_module(smartmon, 1.11.0) -+policy_module(smartmon, 1.14.0) - - ######################################## - # -@@ -35,7 +35,7 @@ ifdef(`enable_mls',` - # Local policy - # - --allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; -+allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; - dontaudit fsdaemon_t self:capability sys_tty_config; - allow fsdaemon_t self:process { getcap setcap signal_perms }; - allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -@@ -52,12 +52,12 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) - files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) - - kernel_read_kernel_sysctls(fsdaemon_t) -+kernel_read_network_state(fsdaemon_t) - kernel_read_software_raid_state(fsdaemon_t) - kernel_read_system_state(fsdaemon_t) +@@ -60,6 +60,11 @@ kernel_read_system_state(fsdaemon_t) corecmd_exec_all_executables(fsdaemon_t) --corenet_all_recvfrom_unlabeled(fsdaemon_t) - corenet_all_recvfrom_netlabel(fsdaemon_t) - corenet_udp_sendrecv_generic_if(fsdaemon_t) - corenet_udp_sendrecv_generic_node(fsdaemon_t) -@@ -73,26 +73,36 @@ files_read_etc_runtime_files(fsdaemon_t) - files_read_usr_files(fsdaemon_t) - # for config - files_read_etc_files(fsdaemon_t) -+files_read_usr_files(fsdaemon_t) ++corenet_all_recvfrom_netlabel(fsdaemon_t) ++corenet_udp_sendrecv_generic_if(fsdaemon_t) ++corenet_udp_sendrecv_generic_node(fsdaemon_t) ++corenet_udp_sendrecv_all_ports(fsdaemon_t) ++ + dev_read_sysfs(fsdaemon_t) + dev_read_urand(fsdaemon_t) + +@@ -72,9 +77,12 @@ files_read_usr_files(fsdaemon_t) fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) +fs_read_removable_files(fsdaemon_t) mls_file_read_all_levels(fsdaemon_t) - #mls_rangetrans_target(fsdaemon_t) +storage_create_fixed_disk_dev(fsdaemon_t) +storage_dev_filetrans_named_fixed_disk(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) 
storage_raw_read_removable_device(fsdaemon_t) -+storage_read_scsi_generic(fsdaemon_t) -+storage_write_scsi_generic(fsdaemon_t) +@@ -85,6 +93,8 @@ term_dontaudit_search_ptys(fsdaemon_t) - term_dontaudit_search_ptys(fsdaemon_t) + application_signull(fsdaemon_t) -+application_signull(fsdaemon_t) -+ +auth_read_passwd(fsdaemon_t) + -+init_read_utmp(fsdaemon_t) -+ + init_read_utmp(fsdaemon_t) + libs_exec_ld_so(fsdaemon_t) - libs_exec_lib_files(fsdaemon_t) +@@ -92,7 +102,7 @@ libs_exec_lib_files(fsdaemon_t) logging_send_syslog_msg(fsdaemon_t) -miscfiles_read_localization(fsdaemon_t) -- - seutil_sigchld_newrole(fsdaemon_t) ++seutil_sigchld_newrole(fsdaemon_t) sysnet_dns_name_resolve(fsdaemon_t) + +@@ -122,3 +132,7 @@ optional_policy(` + optional_policy(` + udev_read_db(fsdaemon_t) + ') ++ ++optional_policy(` ++ virt_read_images(fsdaemon_t) ++') diff --git a/smokeping.if b/smokeping.if -index 8265278..017b923 100644 +index 1fa51c1..82e111c 100644 --- a/smokeping.if +++ b/smokeping.if -@@ -153,8 +153,11 @@ interface(`smokeping_admin',` - type smokeping_t, smokeping_initrc_exec_t; +@@ -158,8 +158,11 @@ interface(`smokeping_admin',` + type smokeping_var_run_t; ') - allow $1 smokeping_t:process { ptrace signal_perms }; @@ -63329,23 +72168,10 @@ index 8265278..017b923 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index 740994a..4bfc780 100644 +index a8b1aaf..3769d45 100644 --- a/smokeping.te 
+++ b/smokeping.te -@@ -36,11 +36,10 @@ manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) - files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) - --corecmd_read_bin_symlinks(smokeping_t) -+corecmd_exec_bin(smokeping_t) - - dev_read_urand(smokeping_t) - --files_read_etc_files(smokeping_t) - files_read_usr_files(smokeping_t) - files_search_tmp(smokeping_t) - -@@ -49,8 +48,6 @@ auth_dontaudit_read_shadow(smokeping_t) +@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) logging_send_syslog_msg(smokeping_t) @@ -63354,49 +72180,31 @@ index 740994a..4bfc780 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -73,5 +70,9 @@ optional_policy(` +@@ -70,6 +68,8 @@ optional_policy(` files_search_tmp(httpd_smokeping_cgi_script_t) files_search_var_lib(httpd_smokeping_cgi_script_t) + auth_read_passwd(httpd_smokeping_cgi_script_t) + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) -+ -+ netutils_domtrans_ping(httpd_smokeping_cgi_script_t) - ') + + netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index bc00875..7dd4e53 100644 +index 9c8f9a5..529487e 100644 --- a/smoltclient.te 
+++ b/smoltclient.te -@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) - type smoltclient_t; - type smoltclient_exec_t; - application_domain(smoltclient_t, smoltclient_exec_t) --cron_system_entry(smoltclient_t, smoltclient_exec_t) - - type smoltclient_tmp_t; - files_tmp_file(smoltclient_tmp_t) -@@ -39,20 +38,29 @@ corecmd_exec_shell(smoltclient_t) - corenet_tcp_connect_http_port(smoltclient_t) - - dev_read_sysfs(smoltclient_t) -+dev_read_urand(smoltclient_t) - - fs_getattr_all_fs(smoltclient_t) - fs_getattr_all_dirs(smoltclient_t) - fs_list_auto_mountpoints(smoltclient_t) +@@ -51,14 +51,20 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) --files_read_etc_files(smoltclient_t) -+files_read_etc_runtime_files(smoltclient_t) - files_read_usr_files(smoltclient_t) + files_read_etc_runtime_files(smoltclient_t) +-files_read_usr_files(smoltclient_t) auth_use_nsswitch(smoltclient_t) logging_send_syslog_msg(smoltclient_t) + miscfiles_read_hwdata(smoltclient_t) -miscfiles_read_localization(smoltclient_t) -+miscfiles_read_hwdata(smoltclient_t) + +optional_policy(` + abrt_stream_connect(smoltclient_t) @@ -63407,7 +72215,7 @@ index bc00875..7dd4e53 100644 +') optional_policy(` - dbus_system_bus_client(smoltclient_t) + abrt_stream_connect(smoltclient_t) diff --git a/smsd.fc b/smsd.fc new file mode 100644 index 0000000..4c3fcec @@ -63427,11 +72235,10 @@ index 0000000..4c3fcec +/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) diff --git a/smsd.if b/smsd.if new file mode 100644 -index 0000000..6db3f07 +index 0000000..52450c7 --- /dev/null +++ b/smsd.if -@@ -0,0 +1,241 @@ -+ +@@ -0,0 +1,240 @@ +## The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions. + +######################################## @@ -63674,10 +72481,10 @@ index 0000000..6db3f07 +') 
diff --git a/smsd.te b/smsd.te new file mode 100644 -index 0000000..4e822e5 +index 0000000..92c3638 --- /dev/null +++ b/smsd.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,72 @@ +policy_module(smsd, 1.0.0) + +######################################## @@ -63745,61 +72552,56 @@ index 0000000..4e822e5 + +corecmd_exec_shell(smsd_t) + -+files_read_etc_files(smsd_t) -+ +auth_use_nsswitch(smsd_t) + +logging_send_syslog_msg(smsd_t) + +sysnet_dns_name_resolve(smsd_t) diff --git a/snmp.fc b/snmp.fc -index 623c8fa..1ef62d0 100644 +index c73fa24..d852517 100644 --- a/snmp.fc +++ b/snmp.fc -@@ -16,9 +16,10 @@ - /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +@@ -13,6 +13,8 @@ --/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) -+/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) + /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) --/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - -+/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) - /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++ + /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if -index 275f9fb..f1343b7 100644 +index 7a9cc9d..86cbca9 100644 --- a/snmp.if 
+++ b/snmp.if -@@ -11,12 +11,12 @@ - ## - # - interface(`snmp_stream_connect',` -- gen_require(` -+ gen_require(` - type snmpd_t, snmpd_var_lib_t; -- ') -+ ') - -- files_search_var_lib($1) -- stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) -+ files_search_var_lib($1) -+ stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) - ') +@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',` ######################################## -@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',` + ## +-## Create, read, write, and delete +-## snmp lib directories. ++## Read snmpd lib content. + ## + ## + ## +@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',` + ## + ## + # +-interface(`snmp_manage_var_lib_dirs',` ++interface(`snmp_read_snmp_var_lib_files',` + gen_require(` type snmpd_var_lib_t; ') -+ files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - ') - + files_search_var_lib($1) +- allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++') ++ +####################################### +## +## Read snmpd libraries directories 
@@ -63817,74 +72619,65 @@ index 275f9fb..f1343b7 100644 + + files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## snmp lib files. +## Manage snmpd libraries directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',` + ## + ## + # +-interface(`snmp_manage_var_lib_files',` +interface(`snmp_manage_var_lib_dirs',` -+ gen_require(` -+ type snmpd_var_lib_t; -+ ') -+ + gen_require(` + type snmpd_var_lib_t; + ') + +- files_search_var_lib($1) +- allow $1 snmpd_var_lib_t:dir list_dir_perms; +- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + allow $1 snmpd_var_lib_t:dir manage_dir_perms; + files_var_lib_filetrans($1, snmpd_var_lib_t, dir) -+') -+ -+######################################## -+## -+## Manage snmpd libraries. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`snmp_manage_var_lib_files',` -+ gen_require(` -+ type snmpd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ allow $1 snmpd_var_lib_t:dir list_dir_perms; -+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+') -+ + ') + ######################################## ## - ## dontaudit Read snmpd libraries. -@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` +-## Read snmpd lib content. ++## Manage snmpd libraries. 
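Review bot: The snmp.fc part of this hunk deletes and re-adds `/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)` with no visible difference between the two lines, which reads as a whitespace-only rewrite that grows the rebased patch without changing any labelling. The spamassassin.fc hunk further down shows the same pattern for `/usr/bin/spamc`, `/usr/bin/spamd`, `/usr/sbin/spamd`, `/usr/sbin/spampd`, `/var/spool/spamd` and `/var/spool/spampd`, each removed and re-added apparently identical. If these are tab/space realignments, dropping the pairs keeps the contrib patch limited to the rules it actually changes; if a type or specifier really differs it is not recoverable from the rendered text, and a sentence in the commit message saying so would help the next rebase.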
+ ## + ## + ## +@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',` + ## + ## + # +-interface(`snmp_read_snmp_var_lib_files',` ++interface(`snmp_manage_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') -+ - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; -- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; -+ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; + ++ files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; +- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ') ######################################## -@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` - # - interface(`snmp_admin',` - gen_require(` -- type snmpd_t, snmpd_log_t; -+ type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; +@@ -179,8 +197,12 @@ interface(`snmp_admin',` type snmpd_var_lib_t, snmpd_var_run_t; -- type snmpd_initrc_exec_t; ') -- allow $1 snmpd_t:process { ptrace signal_perms getattr }; +- allow $1 snmpd_t:process { ptrace signal_perms }; + allow $1 snmpd_t:process signal_perms; ++ ps_process_pattern($1, snmpd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 snmpd_t:process ptrace; @@ -63893,55 +72686,32 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 56f074c..4909ce8 100644 +index 81864ce..cc44e06 100644 --- a/snmp.te 
+++ b/snmp.te -@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0) - # - # Declarations +@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t) # -+ - type snmpd_t; - type snmpd_exec_t; - init_daemon_domain(snmpd_t, snmpd_exec_t) -@@ -24,12 +25,14 @@ files_type(snmpd_var_lib_t) - # - # Local policy - # --allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; -+ -+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + + allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; - allow snmpd_t self:unix_dgram_socket create_socket_perms; --allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +-allow snmpd_t self:unix_stream_socket { accept connectto listen }; +-allow snmpd_t self:tcp_socket { accept listen }; ++allow snmpd_t self:unix_dgram_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow snmpd_t self:tcp_socket create_stream_socket_perms; ++allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,23 +44,23 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) - manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) - files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) - files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) --files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) -+files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) - -+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) - manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) --files_pid_filetrans(snmpd_t, 
snmpd_var_run_t, file) -+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) - - kernel_read_device_sysctls(snmpd_t) - kernel_read_kernel_sysctls(snmpd_t) + allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t) kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) --kernel_read_proc_symlinks(snmpd_t) --kernel_read_system_state(snmpd_t) kernel_read_network_state(snmpd_t) +kernel_read_proc_symlinks(snmpd_t) +kernel_read_all_proc(snmpd_t) + kernel_read_system_state(snmpd_t) corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) 
@@ -63950,38 +72720,15 @@ index 56f074c..4909ce8 100644 corenet_all_recvfrom_netlabel(snmpd_t) corenet_tcp_sendrecv_generic_if(snmpd_t) corenet_udp_sendrecv_generic_if(snmpd_t) -@@ -73,6 +76,7 @@ corenet_sendrecv_snmp_server_packets(snmpd_t) - corenet_tcp_connect_agentx_port(snmpd_t) - corenet_tcp_bind_agentx_port(snmpd_t) - corenet_udp_bind_agentx_port(snmpd_t) -+corenet_tcp_connect_snmp_port(snmpd_t) - - dev_list_sysfs(snmpd_t) - dev_read_sysfs(snmpd_t) -@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t) - domain_use_interactive_fds(snmpd_t) - domain_signull_all_domains(snmpd_t) - domain_read_all_domains_state(snmpd_t) --domain_dontaudit_ptrace_all_domains(snmpd_t) - domain_exec_all_entry_files(snmpd_t) - --files_read_etc_files(snmpd_t) - files_read_usr_files(snmpd_t) - files_read_etc_runtime_files(snmpd_t) - files_search_home(snmpd_t) -@@ -94,28 +96,28 @@ files_search_home(snmpd_t) - fs_getattr_all_dirs(snmpd_t) - fs_getattr_all_fs(snmpd_t) +@@ -103,6 +106,7 @@ fs_getattr_all_fs(snmpd_t) + files_list_all(snmpd_t) + files_search_all_mountpoints(snmpd_t) fs_search_auto_mountpoints(snmpd_t) +files_search_all_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) -+storage_dontaudit_write_removable_device(snmpd_t) - - auth_use_nsswitch(snmpd_t) --files_list_non_auth_dirs(snmpd_t) -+files_list_all(snmpd_t) +@@ -112,16 +116,25 @@ auth_use_nsswitch(snmpd_t) init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) 
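Review bot: `+kernel_read_all_proc(snmpd_t)` on the new side is a broad grant and, together with the `sys_ptrace` capability already in the context line `allow snmpd_t self:capability { ... sys_ptrace };`, lets snmpd read every process's /proc entries rather than just its own state. It is carried over from the previous version of the patch rather than introduced here, so I am not asking for it to be dropped, but nothing in the hunk says which MIB needs it. A one-line why-comment above it, along the lines of `# host-resources / process tables walk all of /proc — TODO confirm`, would keep a later audit from narrowing it by mistake or, conversely, from missing that snmpd has this reach.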
@@ -63991,46 +72738,28 @@ index 56f074c..4909ce8 100644 logging_send_syslog_msg(snmpd_t) -miscfiles_read_localization(snmpd_t) -- --seutil_dontaudit_search_config(snmpd_t) -- - sysnet_read_config(snmpd_t) ++sysnet_read_config(snmpd_t) + + seutil_dontaudit_search_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) --ifdef(`distro_redhat', ` +ifdef(`distro_redhat',` - optional_policy(` - rpm_read_db(snmpd_t) - rpm_dontaudit_manage_db(snmpd_t) -@@ -131,6 +133,10 @@ optional_policy(` - ') - - optional_policy(` -+ corosync_stream_connect(snmpd_t) ++ optional_policy(` ++ rpm_read_db(snmpd_t) ++ rpm_dontaudit_manage_db(snmpd_t) ++ ') +') + -+optional_policy(` - cups_read_rw_config(snmpd_t) - ') - -@@ -140,6 +146,10 @@ optional_policy(` - ') - optional_policy(` -+ ricci_stream_connect_modclusterd(snmpd_t) -+') -+ -+optional_policy(` - rpc_search_nfs_state_data(snmpd_t) + amanda_dontaudit_read_dumpdates(snmpd_t) ') - diff --git a/snort.if b/snort.if -index c117e8b..0eb909b 100644 +index 7d86b34..5f58180 100644 --- a/snort.if +++ b/snort.if -@@ -41,8 +41,11 @@ interface(`snort_admin',` +@@ -42,8 +42,11 @@ interface(`snort_admin',` type snort_etc_t, snort_initrc_exec_t; ') @@ -64043,7 +72772,7 @@ index c117e8b..0eb909b 100644 init_labeled_script_domtrans($1, snort_initrc_exec_t) domain_system_change_exemption($1) -@@ -50,11 +53,11 @@ interface(`snort_admin',` +@@ -51,11 +54,11 @@ interface(`snort_admin',` allow $2 system_r; admin_pattern($1, snort_etc_t) @@ -64059,32 +72788,25 @@ index c117e8b..0eb909b 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 179bc1b..3dbbcc0 100644 +index ccd28bb..b9e856e 100644 --- a/snort.te 
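Review bot: In the snmp.te inner hunk `@@ -103,6 +106,7 @@`, the new context line `files_search_all_mountpoints(snmpd_t)` two lines above shows that upstream already carries this rule, so the kept `+files_search_all_mountpoints(snmpd_t)` now adds an exact duplicate. The policy build accepts duplicate interface calls, but the result is the same rule stated twice in snmp.te, which is what the rebase was supposed to clean up. The rebased hunk should drop the added line and adjust the inner hunk header; if nothing else changes in that region the hunk can disappear entirely.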
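Review bot: `++sysnet_read_config(snmpd_t)` re-adds a rule that the new upstream context no longer contains, while `auth_use_nsswitch(snmpd_t)` is still present in the surrounding context; as far as I recall, auth_use_nsswitch in reference policy already pulls in the network-config reads, which would explain why upstream dropped the explicit call, so this is likely redundant — worth checking against the base authlogin/sysnetwork interfaces before carrying it. The sosreport.te hunk below has the same shape (`++sysnet_read_config(sosreport_t)` with `auth_use_nsswitch(sosreport_t)` in context). If the call does turn out to be needed, a short comment such as `# reads resolv.conf outside nsswitch — TODO confirm` would stop the next rebase from removing it again.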
+++ b/snort.te -@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t) +@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; --allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; -+allow snort_t self:netlink_socket create_socket_perms; - allow snort_t self:tcp_socket create_stream_socket_perms; - allow snort_t self:udp_socket create_socket_perms; + allow snort_t self:netlink_socket create_socket_perms; +-allow snort_t self:tcp_socket { accept listen }; ++allow snort_t self:tcp_socket create_stream_socket_perms; ++allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; allow snort_t self:socket create_socket_perms; - # Snort IPS node. unverified. --allow snort_t self:netlink_firewall_socket { bind create getattr }; -+allow snort_t self:netlink_firewall_socket create_socket_perms; ++# Snort IPS node. unverified. + allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; - allow snort_t snort_etc_t:file read_file_perms; --allow snort_t snort_etc_t:lnk_file { getattr read }; -+allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; - - manage_files_pattern(snort_t, snort_log_t, snort_log_t) - create_dirs_pattern(snort_t, snort_log_t, snort_log_t) -@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) +@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) kernel_read_network_state(snort_t) 
@@ -64092,94 +72814,50 @@ index 179bc1b..3dbbcc0 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -95,8 +95,6 @@ init_read_utmp(snort_t) +@@ -86,7 +88,6 @@ dev_rw_generic_usb_dev(snort_t) + + domain_use_interactive_fds(snort_t) + +-files_read_etc_files(snort_t) + files_dontaudit_read_etc_runtime_files(snort_t) + + fs_getattr_all_fs(snort_t) +@@ -96,8 +97,6 @@ init_read_utmp(snort_t) logging_send_syslog_msg(snort_t) -miscfiles_read_localization(snort_t) - - sysnet_read_config(snort_t) - # snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager sysnet_dns_name_resolve(snort_t) -diff --git a/sosreport.fc b/sosreport.fc -index a40478e..050f521 100644 ---- a/sosreport.fc -+++ b/sosreport.fc -@@ -1 +1,3 @@ - /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) -+ -+/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0) -diff --git a/sosreport.if b/sosreport.if -index 94c01b5..f64bd93 100644 ---- a/sosreport.if -+++ b/sosreport.if -@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',` - type sosreport_tmp_t; - ') - -- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) -+ allow $1 sosreport_tmp_t:file append_inherited_file_perms; - ') - ######################################## + userdom_dontaudit_use_unpriv_user_fds(snort_t) diff --git a/sosreport.te b/sosreport.te -index c6079a5..cb59eff 100644 +index 703efa3..ec61db7 100644 --- a/sosreport.te 
+++ b/sosreport.te -@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) - # sosreport local policy - # - --allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; -+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; - allow sosreport_t self:process { setsched signull }; - allow sosreport_t self:fifo_file rw_fifo_file_perms; - allow sosreport_t self:tcp_socket create_stream_socket_perms; -@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t) - files_exec_etc_files(sosreport_t) - files_list_all(sosreport_t) - files_read_config_files(sosreport_t) --files_read_etc_files(sosreport_t) - files_read_generic_tmp_files(sosreport_t) - files_read_usr_files(sosreport_t) - files_read_var_lib_files(sosreport_t) -@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t) - # for blkid.tab - files_manage_etc_runtime_files(sosreport_t) - files_etc_filetrans_etc_runtime(sosreport_t, file) -+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") - - fs_getattr_all_fs(sosreport_t) - fs_list_inotifyfs(sosreport_t) - -+storage_dontaudit_read_fixed_disk(sosreport_t) -+storage_dontaudit_read_removable_device(sosreport_t) -+ - # some config files do not have configfile attribute - # sosreport needs to read various files on system --files_read_non_auth_files(sosreport_t) +@@ -84,6 +84,10 @@ fs_list_inotifyfs(sosreport_t) + storage_dontaudit_read_fixed_disk(sosreport_t) + storage_dontaudit_read_removable_device(sosreport_t) + ++# some config files do not have configfile attribute ++# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) ++ auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -90,15 +93,11 @@ libs_domtrans_ldconfig(sosreport_t) +@@ -93,9 +97,8 @@ libs_domtrans_ldconfig(sosreport_t) logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) -miscfiles_read_localization(sosreport_t) 
-- --# needed by modinfo ++sysnet_read_config(sosreport_t) + -modutils_read_module_deps(sosreport_t) -- - sysnet_read_config(sosreport_t) optional_policy(` abrt_manage_pid_files(sosreport_t) -+ abrt_manage_cache(sosreport_t) - ') - - optional_policy(` -@@ -110,6 +109,11 @@ optional_policy(` +@@ -111,6 +114,11 @@ optional_policy(` ') optional_policy(` @@ -64192,41 +72870,37 @@ index c6079a5..cb59eff 100644 ') diff --git a/soundserver.if b/soundserver.if -index 93fe7bf..1b07ed4 100644 +index a5abc5a..b9eff74 100644 --- a/soundserver.if +++ b/soundserver.if -@@ -33,13 +33,15 @@ interface(`soundserver_tcp_connect',` - # - interface(`soundserver_admin',` - gen_require(` -- type soundd_t, soundd_etc_t; -+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t; - type soundd_tmp_t, soundd_var_run_t; -- type soundd_initrc_exec_t; +@@ -38,9 +38,13 @@ interface(`soundserver_admin',` + type soundd_state_t; ') - allow $1 soundd_t:process { ptrace signal_perms }; + allow $1 soundd_t:process signal_perms; ps_process_pattern($1, soundd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 soundd_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index 3217605..e9a4381 100644 +index db1bc6f..40abb06 100644 --- a/soundserver.te +++ b/soundserver.te -@@ -68,7 +68,6 @@ kernel_read_kernel_sysctls(soundd_t) +@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) kernel_read_proc_symlinks(soundd_t) -corenet_all_recvfrom_unlabeled(soundd_t) corenet_all_recvfrom_netlabel(soundd_t) corenet_tcp_sendrecv_generic_if(soundd_t) - corenet_udp_sendrecv_generic_if(soundd_t) -@@ -94,8 +93,6 @@ fs_search_auto_mountpoints(soundd_t) + corenet_tcp_sendrecv_generic_node(soundd_t) +@@ -89,8 +88,6 @@ fs_search_auto_mountpoints(soundd_t) logging_send_syslog_msg(soundd_t) 
@@ -64236,47 +72910,52 @@ index 3217605..e9a4381 100644 userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc -index 6b3abf9..80c9e56 100644 +index e9bd097..80c9e56 100644 --- a/spamassassin.fc 
+++ b/spamassassin.fc -@@ -1,15 +1,53 @@ +@@ -1,20 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) -+ -+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + + /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) --/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -+/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) - /usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) - /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) - - /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + /usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) ++/usr/bin/spamd -- 
gen_context(system_u:object_r:spamd_exec_t,s0) + /usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) + +-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) + /usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) +-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) -+/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) -+ -+/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) -+/var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0) - + /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) +@@ -25,7 +29,25 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) - /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + /var/spool/MD-Quarantine(/.*)? 
gen_context(system_u:object_r:spamd_var_run_t,s0) + /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + +/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -64296,108 +72975,267 @@ index 6b3abf9..80c9e56 100644 +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if -index c954f31..82fc7f6 100644 +index 1499b0b..82fc7f6 100644 --- a/spamassassin.if 
+++ b/spamassassin.if -@@ -14,6 +14,7 @@ - ## User domain for the role +@@ -2,39 +2,45 @@ + + ######################################## + ## +-## Role access for spamassassin. ++## Role access for spamassassin + ## + ## + ## +-## Role allowed access. ++## Role allowed access + ## + ## + ## + ## +-## User domain for the role. ++## User domain for the role ## ## +## # interface(`spamassassin_role',` gen_require(` -@@ -25,9 +26,13 @@ interface(`spamassassin_role',` + type spamc_t, spamc_exec_t, spamc_tmp_t; +- type spamassassin_t, spamassassin_exec_t, spamd_home_t; ++ type spamassassin_t, spamassassin_exec_t; + type spamassassin_home_t, spamassassin_tmp_t; + ') + role $1 types { spamc_t spamassassin_t }; domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + + allow $2 spamassassin_t:process signal_perms; - ps_process_pattern($2, spamassassin_t) - - domtrans_pattern($2, spamc_exec_t, spamc_t) ++ ps_process_pattern($2, spamassassin_t) + + domtrans_pattern($2, spamc_exec_t, spamc_t) + +- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms }; +- ps_process_pattern($2, { spamc_t spamassassin_t }) + allow $2 spamc_t:process signal_perms; - ps_process_pattern($2, spamc_t) ++ ps_process_pattern($2, spamc_t) - manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) -@@ -55,7 +60,6 @@ interface(`spamassassin_exec',` +- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") +- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") ++ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) ++ manage_files_pattern($2, 
spamassassin_home_t, spamassassin_home_t) ++ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) ++ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) ++ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) ++ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + ') + + ######################################## +@@ -53,13 +59,12 @@ interface(`spamassassin_exec',` + type spamassassin_exec_t; ') +- corecmd_search_bin($1) can_exec($1, spamassassin_exec_t) -- ') ######################################## -@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',` + ## +-## Send generic signals to spamd. ++## Singnal the spam assassin daemon + ## + ## + ## +@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',` + + ######################################## + ## +-## Execute spamd in the caller domain. ++## Execute the spamassassin daemon ++## program in the caller directory. + ## + ## + ## +@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',` + type spamd_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, spamd_exec_t) + ') + + ######################################## + ## +-## Execute spamc in the spamc domain. ++## Execute spamassassin client in the spamassassin client domain. + ## + ## + ## +@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',` + type spamc_t, spamc_exec_t; ') +- corecmd_search_bin($1) domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute spamc in the caller domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`spamassassin_exec_client',` +- gen_require(` +- type spamc_exec_t; +- ') +- +- corecmd_search_bin($1) +- can_exec($1, spamc_exec_t) +-') +- +-######################################## +-## +-## Send kill signals to spamc. 
+## Send kill signal to spamassassin client -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`spamassassin_kill_client',` -+ gen_require(` -+ type spamc_t; -+ ') -+ -+ allow $1 spamc_t:process sigkill; -+') -+ -+######################################## -+## + ## + ## + ## +@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',` + + ######################################## + ## +-## Execute spamassassin standalone client +-## in the user spamassassin domain. +## Manage spamc home files. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`spamassassin_domtrans_local_client',` +interface(`spamassassin_manage_home_client',` -+ gen_require(` + gen_require(` +- type spamassassin_t, spamassassin_exec_t; + type spamc_home_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) + userdom_search_user_home_dirs($1) + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## spamd home content. +## Read spamc home files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',` + ## + ## + # +-interface(`spamassassin_manage_spamd_home_content',` +interface(`spamassassin_read_home_client',` -+ gen_require(` + gen_require(` +- type spamd_home_t; + type spamc_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) + ') + + userdom_search_user_home_dirs($1) +- allow $1 spamd_home_t:dir manage_dir_perms; +- allow $1 spamd_home_t:file manage_file_perms; +- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; + list_dirs_pattern($1, spamc_home_t, spamc_home_t) + read_files_pattern($1, spamc_home_t, spamc_home_t) + read_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') ######################################## -@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',` + ## +-## Relabel spamd home content. ++## Execute the spamassassin client ++## program in the caller directory. + ## + ## + ## +@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',` + ## + ## + # +-interface(`spamassassin_relabel_spamd_home_content',` ++interface(`spamassassin_exec_client',` + gen_require(` +- type spamd_home_t; ++ type spamc_exec_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 spamd_home_t:dir relabel_dir_perms; +- allow $1 spamd_home_t:file relabel_file_perms; +- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; ++ can_exec($1, spamc_exec_t) + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the spamd home type. ++## Execute spamassassin standalone client in the user spamassassin domain. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`spamassassin_home_filetrans_spamd_home',` ++interface(`spamassassin_domtrans_local_client',` + gen_require(` +- type spamd_home_t; ++ type spamassassin_t, spamassassin_exec_t; + ') + +- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) ++ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) + ') + + ######################################## + ## +-## Read spamd lib files. ++## read spamd lib files. + ## + ## + ## +@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',` ') files_search_var_lib($1) 
@@ -64407,137 +73245,183 @@ index c954f31..82fc7f6 100644 ') ######################################## -@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',` - type spamd_tmp_t; +@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',` + + ######################################## + ## +-## Read spamd pid files. ++## Read temporary spamd file. + ## + ## + ## +@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',` + ## + ## + # +-interface(`spamassassin_read_spamd_pid_files',` ++interface(`spamassassin_read_spamd_tmp_files',` + gen_require(` +- type spamd_var_run_t; ++ type spamd_tmp_t; ') +- files_search_pids($1) +- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) + files_search_tmp($1) - allow $1 spamd_tmp_t:file read_file_perms; ++ allow $1 spamd_tmp_t:file read_file_perms; ') -@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + ######################################## + ## +-## Read temporary spamd files. ++## Do not audit attempts to get attributes of temporary ++## spamd sockets/ + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`spamassassin_read_spamd_tmp_files',` ++interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + gen_require(` type spamd_tmp_t; ') -- dontaudit $1 spamd_tmp_t:sock_file getattr; +- allow $1 spamd_tmp_t:file read_file_perms; + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to get +-## attributes of temporary spamd sockets. +## Connect to run spamd. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed to connect. 
-+## -+## -+# + ## + ## + # +-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +interface(`spamd_stream_connect',` -+ gen_require(` + gen_require(` +- type spamd_tmp_t; + type spamd_t, spamd_var_run_t; -+ ') -+ + ') + +- dontaudit $1 spamd_tmp_t:sock_file getattr; + files_search_pids($1) + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to spamd with a unix +-## domain stream socket. +## Read spamd pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -348,19 +323,19 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + ## + ## + # +-interface(`spamassassin_stream_connect_spamd',` +interface(`spamassassin_read_pid_files',` -+ gen_require(` + gen_require(` +- type spamd_t, spamd_var_run_t; + type spamd_var_run_t; -+ ') -+ -+ files_search_pids($1) + ') + + files_search_pids($1) +- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) + read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an spamassassin environment. +## All of the rules required to administrate +## an spamassassin environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## + ## + ## + ## +@@ -369,20 +344,23 @@ interface(`spamassassin_stream_connect_spamd',` + ## + ## + ## +-## Role allowed access. +## The role to be allowed to manage the spamassassin domain. 
-+## -+## -+## -+# + ## + ## + ## + # +-interface(`spamassassin_admin',` +interface(`spamassassin_spamd_admin',` -+ gen_require(` -+ type spamd_t, spamd_tmp_t, spamd_log_t; -+ type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; -+ type spamd_initrc_exec_t; -+ ') -+ + gen_require(` + type spamd_t, spamd_tmp_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; + type spamd_initrc_exec_t; + ') + +- allow $1 spamd_t:process { ptrace signal_perms }; + allow $1 spamd_t:process signal_perms; -+ ps_process_pattern($1, spamd_t) + ps_process_pattern($1, spamd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 spamd_t:process ptrace; + ') -+ -+ init_labeled_script_domtrans($1, spamd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 spamd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, spamd_tmp_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, spamd_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, spamd_spool_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, spamd_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, spamd_var_run_t) + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) +@@ -403,6 +381,4 @@ interface(`spamassassin_admin',` + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +- +- spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..dd3e5e1 100644 +index 4faa7e0..18d0efc 100644 --- a/spamassassin.te +++ b/spamassassin.te -@@ -6,52 +6,40 @@ policy_module(spamassassin, 2.5.0) +@@ -1,4 +1,4 @@ +-policy_module(spamassassin, 2.5.8) ++policy_module(spamassassin, 2.5.0) + + ######################################## # +@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8) ## --##

    --## Allow user spamassassin clients to use the network. --##

    -+##

    + ##

    +-## Determine whether spamassassin +-## clients can use the network. +## Allow user spamassassin clients to use the network. -+##

    + ##

    ##
    gen_tunable(spamassassin_can_network, false) ## --##

    --## Allow spamd to read/write user home directories. --##

    -+##

    + ##

    +-## Determine whether spamd can manage +-## generic user home content. +## Allow spamd to read/write user home directories. -+##

    + ##

    ##
    - gen_tunable(spamd_enable_home_dirs, true) +-gen_tunable(spamd_enable_home_dirs, false) ++gen_tunable(spamd_enable_home_dirs, true) ++ + type spamd_update_t; + type spamd_update_exec_t; +-init_system_domain(spamd_update_t, spamd_update_exec_t) +- -type spamassassin_t; -type spamassassin_exec_t; -typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; @@ -64564,35 +73448,42 @@ index 1bbf73b..dd3e5e1 100644 -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -userdom_user_tmp_file(spamc_tmp_t) -+ -+type spamd_update_t; -+type spamd_update_exec_t; +application_domain(spamd_update_t, spamd_update_exec_t) +role system_r types spamd_update_t; type spamd_t; type spamd_exec_t; - init_daemon_domain(spamd_t, spamd_exec_t) +@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) + type spamd_compiled_t; + files_type(spamd_compiled_t) + +-type spamd_etc_t; +-files_config_file(spamd_etc_t) +- +-type spamd_home_t; +-userdom_user_home_content(spamd_home_t) +- + type spamd_initrc_exec_t; + init_script_file(spamd_initrc_exec_t) + +@@ -72,49 +39,154 @@ type spamd_log_t; + logging_log_file(spamd_log_t) -+type spamd_compiled_t; -+files_type(spamd_compiled_t) -+ -+type spamd_initrc_exec_t; -+init_script_file(spamd_initrc_exec_t) -+ -+type spamd_log_t; -+logging_log_file(spamd_log_t) -+ type spamd_spool_t; -files_type(spamd_spool_t) +files_spool_file(spamd_spool_t) type spamd_tmp_t; files_tmp_file(spamd_tmp_t) -@@ -63,6 +51,89 @@ files_type(spamd_var_lib_t) + ++# var/lib files + type spamd_var_lib_t; + files_type(spamd_var_lib_t) + type spamd_var_run_t; files_pid_file(spamd_var_run_t) +-######################################## +ifdef(`distro_redhat',` + # spamassassin client executable + type spamc_t; 
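Review bot: The new patch now deletes upstream's `type spamd_etc_t;` / `files_config_file(spamd_etc_t)` declaration (the `+-type spamd_etc_t;` lines under the `@@ -59,12 +32,6 @@` section), yet a later hunk of the same patch (the one beginning `@@ -64832,96 +73800,123 @@`) still adds `rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)` under `# needed by razor`; unless that type is re-declared inside the `distro_redhat` block whose middle this diff does not show, the module will no longer build against an undeclared type, and either the rule or the deletion should go. Separately, the Fedora side overrides upstream's new `gen_tunable(spamd_enable_home_dirs, false)` with `true`, which gives spamd manage access to generic user home content out of the box; the tunable description should say so, e.g. `## Allow spamd to read/write user home directories (enabled by default).`, so an administrator reading `semanage boolean -l` knows the distribution default differs from upstream. The retained interface name `spamd_stream_connect` also breaks the `spamassassin_` prefix every other interface in this hunk uses (upstream's was `spamassassin_stream_connect_spamd`), which is worth a comment if the divergence is intentional for Fedora callers.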
@@ -64676,25 +73567,60 @@ index 1bbf73b..dd3e5e1 100644 + ubac_constrained(spamc_tmp_t) +') + - ############################## ++############################## # - # Standalone program local policy -@@ -98,12 +169,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) - userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) +-# Standalone local policy ++# Standalone program local policy + # + + allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamassassin_t self:fd use; + allow spamassassin_t self:fifo_file rw_fifo_file_perms; ++allow spamassassin_t self:sock_file read_sock_file_perms; ++allow spamassassin_t self:unix_dgram_socket create_socket_perms; ++allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; + allow spamassassin_t self:unix_dgram_socket sendto; +-allow spamassassin_t self:unix_stream_socket { accept connectto listen }; ++allow spamassassin_t self:unix_stream_socket connectto; ++allow spamassassin_t self:shm create_shm_perms; ++allow spamassassin_t self:sem create_sem_perms; ++allow spamassassin_t self:msgq create_msgq_perms; ++allow spamassassin_t self:msg { send receive }; + + manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) + manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin") ++userdom_user_home_dir_filetrans(spamassassin_t, 
spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + + manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) + manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) + files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) + ++manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_home_manager(spamassassin_t) - ++ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) +-fs_getattr_all_fs(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) +fs_getattr_all_fs(spamassassin_t) - - # this should probably be removed - corecmd_list_bin(spamassassin_t) -@@ -114,7 +187,6 @@ corecmd_read_bin_sockets(spamassassin_t) ++ ++# this should probably be removed ++corecmd_list_bin(spamassassin_t) ++corecmd_read_bin_symlinks(spamassassin_t) ++corecmd_read_bin_files(spamassassin_t) ++corecmd_read_bin_pipes(spamassassin_t) ++corecmd_read_bin_sockets(spamassassin_t) domain_use_interactive_fds(spamassassin_t) 
@@ -64702,53 +73628,57 @@ index 1bbf73b..dd3e5e1 100644 files_read_etc_runtime_files(spamassassin_t) files_list_home(spamassassin_t) files_read_usr_files(spamassassin_t) -@@ -122,8 +194,6 @@ files_dontaudit_search_var(spamassassin_t) +@@ -122,37 +194,44 @@ files_dontaudit_search_var(spamassassin_t) logging_send_syslog_msg(spamassassin_t) -miscfiles_read_localization(spamassassin_t) -- - # cjp: this could probably be removed - seutil_read_config(spamassassin_t) ++# cjp: this could probably be removed ++seutil_read_config(spamassassin_t) + + sysnet_dns_name_resolve(spamassassin_t) -@@ -134,8 +204,6 @@ tunable_policy(`spamassassin_can_network',` - allow spamassassin_t self:tcp_socket create_stream_socket_perms; - allow spamassassin_t self:udp_socket create_socket_perms; ++# set tunable if you have spamassassin do DNS lookups + tunable_policy(`spamassassin_can_network',` +- allow spamassassin_t self:tcp_socket { accept listen }; ++ allow spamassassin_t self:tcp_socket create_stream_socket_perms; ++ allow spamassassin_t self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled(spamassassin_t) - corenet_all_recvfrom_netlabel(spamassassin_t) corenet_tcp_sendrecv_generic_if(spamassassin_t) - corenet_udp_sendrecv_generic_if(spamassassin_t) ++ corenet_udp_sendrecv_generic_if(spamassassin_t) corenet_tcp_sendrecv_generic_node(spamassassin_t) -@@ -144,6 +212,9 @@ tunable_policy(`spamassassin_can_network',` - corenet_udp_sendrecv_all_ports(spamassassin_t) ++ corenet_udp_sendrecv_generic_node(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) +- ++ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) + corenet_udp_bind_generic_port(spamassassin_t) + corenet_dontaudit_udp_bind_all_ports(spamassassin_t) - - sysnet_read_config(spamassassin_t) - ') -@@ -154,25 +225,13 @@ tunable_policy(`spamd_enable_home_dirs',` - 
userdom_manage_user_home_content_symlinks(spamd_t) ++ ++ sysnet_read_config(spamassassin_t) ') -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - fs_manage_nfs_files(spamassassin_t) - fs_manage_nfs_symlinks(spamassassin_t) --') -- ++tunable_policy(`spamd_enable_home_dirs',` ++ userdom_manage_user_home_content_dirs(spamd_t) ++ userdom_manage_user_home_content_files(spamd_t) ++ userdom_manage_user_home_content_symlinks(spamd_t) + ') + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) - fs_manage_cifs_symlinks(spamassassin_t) --') -- - optional_policy(` - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) ++optional_policy(` ++ # Write pid file and socket in ~/.evolution/cache/tmp ++ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) ') optional_policy(` @@ -64757,7 +73687,7 @@ index 1bbf73b..dd3e5e1 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -180,6 +239,8 @@ optional_policy(` +@@ -160,6 +239,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) 
@@ -64766,16 +73696,40 @@ index 1bbf73b..dd3e5e1 100644 ') ######################################## -@@ -202,17 +263,37 @@ allow spamc_t self:unix_stream_socket connectto; - allow spamc_t self:tcp_socket create_stream_socket_perms; - allow spamc_t self:udp_socket create_socket_perms; - -+can_exec(spamc_t, spamc_exec_t) +@@ -167,72 +248,88 @@ optional_policy(` + # Client local policy + # + +-allow spamc_t self:capability dac_override; + allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow spamc_t self:fd use; + allow spamc_t self:fifo_file rw_fifo_file_perms; ++allow spamc_t self:sock_file read_sock_file_perms; ++allow spamc_t self:shm create_shm_perms; ++allow spamc_t self:sem create_sem_perms; ++allow spamc_t self:msgq create_msgq_perms; ++allow spamc_t self:msg { send receive }; ++allow spamc_t self:unix_dgram_socket create_socket_perms; ++allow spamc_t self:unix_stream_socket create_stream_socket_perms; + allow spamc_t self:unix_dgram_socket sendto; +-allow spamc_t self:unix_stream_socket { accept connectto listen }; +-allow spamc_t self:tcp_socket { accept listen }; ++allow spamc_t self:unix_stream_socket connectto; ++allow spamc_t self:tcp_socket create_stream_socket_perms; ++allow spamc_t self:udp_socket create_socket_perms; + ++can_exec(spamc_t, spamc_exec_t) + manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) +-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin") 
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) 
@@ -64786,45 +73740,59 @@ index 1bbf73b..dd3e5e1 100644 +# for /root/.pyzor +allow spamc_t self:capability dac_override; +userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor") -+ -+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -+ - # Allow connecting to a local spamd - allow spamc_t spamd_t:unix_stream_socket connectto; - allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; + + list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) ++# Allow connecting to a local spamd ++allow spamc_t spamd_t:unix_stream_socket connectto; ++allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) +allow spamc_t spamd_tmp_t:file read_inherited_file_perms; kernel_read_kernel_sysctls(spamc_t) -+kernel_read_system_state(spamc_t) -+ -+corecmd_exec_bin(spamc_t) + kernel_read_system_state(spamc_t) -corenet_all_recvfrom_unlabeled(spamc_t) ++corecmd_exec_bin(spamc_t) ++ corenet_all_recvfrom_netlabel(spamc_t) corenet_tcp_sendrecv_generic_if(spamc_t) - corenet_udp_sendrecv_generic_if(spamc_t) -@@ -222,6 +303,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) - corenet_udp_sendrecv_all_ports(spamc_t) ++corenet_udp_sendrecv_generic_if(spamc_t) + corenet_tcp_sendrecv_generic_node(spamc_t) ++corenet_udp_sendrecv_generic_node(spamc_t) + corenet_tcp_sendrecv_all_ports(spamc_t) +- +-corenet_sendrecv_all_client_packets(spamc_t) ++corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) - corenet_sendrecv_all_client_packets(spamc_t) ++corenet_sendrecv_all_client_packets(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) - fs_search_auto_mountpoints(spamc_t) +-corecmd_exec_bin(spamc_t) ++fs_search_auto_mountpoints(spamc_t) -@@ -234,43 +316,52 @@ corecmd_read_bin_sockets(spamc_t) 
+-domain_use_interactive_fds(spamc_t) ++# cjp: these should probably be removed: ++corecmd_list_bin(spamc_t) ++corecmd_read_bin_symlinks(spamc_t) ++corecmd_read_bin_files(spamc_t) ++corecmd_read_bin_pipes(spamc_t) ++corecmd_read_bin_sockets(spamc_t) - domain_use_interactive_fds(spamc_t) +-fs_getattr_all_fs(spamc_t) +-fs_search_auto_mountpoints(spamc_t) ++domain_use_interactive_fds(spamc_t) --files_read_etc_files(spamc_t) files_read_etc_runtime_files(spamc_t) files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) - # cjp: this may be removable: ++# cjp: this may be removable: files_list_home(spamc_t) -+files_list_var_lib(spamc_t) -+ + files_list_var_lib(spamc_t) + +-auth_use_nsswitch(spamc_t) +fs_search_auto_mountpoints(spamc_t) logging_send_syslog_msg(spamc_t) 
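Review bot: `allow spamc_t self:capability dac_override;` under `# for /root/.pyzor` grants spamc_t a bypass of every discretionary permission check it hits, not just access to root's `.pyzor` directory, and upstream's removal of that line earlier in this patch (`+-allow spamc_t self:capability dac_override;`) suggests they considered it unnecessary. If the actual failure is traversing or reading `/root` while running unprivileged, `dac_read_search` is the narrower capability, and the spamd_update section of this same patch already uses that shape (`allow spamd_update_t self:capability dac_read_search;` followed by a `dontaudit` of `dac_override`); if pyzor also has to write there, the comment should state that so the broader grant reads as deliberate. The extra space in `spamc_home_t , dir` is a style nit against the rest of the file.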
@@ -64832,96 +73800,123 @@ index 1bbf73b..dd3e5e1 100644 -miscfiles_read_localization(spamc_t) +auth_use_nsswitch(spamc_t) --# cjp: this should probably be removed: --seutil_read_config(spamc_t) +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamc_t) +- fs_manage_nfs_files(spamc_t) +- fs_manage_nfs_symlinks(spamc_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamc_t) +- fs_manage_cifs_files(spamc_t) +- fs_manage_cifs_symlinks(spamc_t) +-') +userdom_home_manager(spamc_t) --sysnet_read_config(spamc_t) -+optional_policy(` -+ abrt_stream_connect(spamc_t) -+') - optional_policy(` -- # Allow connection to spamd socket above -- evolution_stream_connect(spamc_t) -+ amavis_manage_spool_files(spamc_t) + abrt_stream_connect(spamc_t) +@@ -243,6 +340,7 @@ optional_policy(` ') optional_policy(` -- # Needed for pyzor/razor called from spamd -- milter_manage_spamass_state(spamc_t) + # Allow connection to spamd socket above -+ evolution_stream_connect(spamc_t) + evolution_stream_connect(spamc_t) ') - optional_policy(` -- nis_use_ypbind(spamc_t) -+ milter_manage_spamass_state(spamc_t) +@@ -251,52 +349,55 @@ optional_policy(` ') optional_policy(` -- nscd_socket_use(spamc_t) + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) + postfix_rw_local_pipes(spamc_t) -+ postfix_rw_master_pipes(spamc_t) - ') - - optional_policy(` -+ mta_send_mail(spamc_t) ++ postfix_rw_inherited_master_pipes(spamc_t) ++') ++ ++optional_policy(` + mta_send_mail(spamc_t) mta_read_config(spamc_t) -+ mta_read_queue(spamc_t) + mta_read_queue(spamc_t) +- sendmail_rw_pipes(spamc_t) sendmail_stub(spamc_t) +-') +- +-optional_policy(` +- postfix_domtrans_postdrop(spamc_t) +- postfix_search_spool(spamc_t) +- postfix_rw_local_pipes(spamc_t) +- postfix_rw_master_pipes(spamc_t) + sendmail_rw_pipes(spamc_t) + sendmail_dontaudit_rw_tcp_sockets(spamc_t) ') ######################################## -@@ -282,7 +373,7 @@ optional_policy(` - # setuids to the user running 
spamc. Comment this if you are not - # using this ability. + # +-# Daemon local policy ++# Server local policy + # --allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; -+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; ++# Spamassassin, when run as root and using per-user config files, ++# setuids to the user running spamc. Comment this if you are not ++# using this ability. ++ + allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -298,10 +389,20 @@ allow spamd_t self:unix_dgram_socket sendto; - allow spamd_t self:unix_stream_socket connectto; - allow spamd_t self:tcp_socket create_stream_socket_perms; - allow spamd_t self:udp_socket create_socket_perms; --allow spamd_t self:netlink_route_socket r_netlink_socket_perms; -+ + allow spamd_t self:fifo_file rw_fifo_file_perms; ++allow spamd_t self:sock_file read_sock_file_perms; ++allow spamd_t self:shm create_shm_perms; ++allow spamd_t self:sem create_sem_perms; ++allow spamd_t self:msgq create_msgq_perms; ++allow spamd_t self:msg { send receive }; ++allow spamd_t self:unix_dgram_socket create_socket_perms; ++allow spamd_t self:unix_stream_socket create_stream_socket_perms; + allow spamd_t self:unix_dgram_socket sendto; +-allow spamd_t self:unix_stream_socket { accept connectto listen }; +-allow spamd_t self:tcp_socket { accept listen }; ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + +-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) 
+-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) +-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") +- +-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +# needed by razor +rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) -+ + +can_exec(spamd_t, spamd_compiled_t) -+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) -+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) -+ + manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + +-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) -+logging_log_filetrans(spamd_t, spamd_log_t, file) + logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) - files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) +@@ -308,6 +409,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) + files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -310,16 +411,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - - # var/lib files for spamd ++# var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; --read_files_pattern(spamd_t, spamd_var_lib_t, 
spamd_var_lib_t) -+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) +@@ -317,12 +419,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) - manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) - manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) --files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) -+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) -+ +-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) +read_files_pattern(spamd_t, spamc_home_t, spamc_home_t) + +can_exec(spamd_t, spamd_exec_t) 
@@ -64933,90 +73928,149 @@ index 1bbf73b..dd3e5e1 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -356,30 +462,30 @@ corecmd_exec_bin(spamd_t) +@@ -331,78 +434,62 @@ corenet_udp_sendrecv_generic_node(spamd_t) + corenet_tcp_sendrecv_all_ports(spamd_t) + corenet_udp_sendrecv_all_ports(spamd_t) + corenet_tcp_bind_generic_node(spamd_t) +-corenet_udp_bind_generic_node(spamd_t) +- +-corenet_sendrecv_spamd_server_packets(spamd_t) + corenet_tcp_bind_spamd_port(spamd_t) +- +-corenet_sendrecv_razor_client_packets(spamd_t) + corenet_tcp_connect_razor_port(spamd_t) +- +-corenet_sendrecv_smtp_client_packets(spamd_t) + corenet_tcp_connect_smtp_port(spamd_t) +- +-corenet_sendrecv_generic_server_packets(spamd_t) ++corenet_sendrecv_razor_client_packets(spamd_t) ++corenet_sendrecv_spamd_server_packets(spamd_t) ++# spamassassin 3.1 needs this for its ++# DnsResolver.pm module which binds to ++# random ports >= 1024. ++corenet_udp_bind_generic_node(spamd_t) + corenet_udp_bind_generic_port(spamd_t) +- +-corenet_sendrecv_imaze_server_packets(spamd_t) + corenet_udp_bind_imaze_port(spamd_t) +- + corenet_dontaudit_udp_bind_all_ports(spamd_t) +- +-corecmd_exec_bin(spamd_t) ++corenet_sendrecv_imaze_server_packets(spamd_t) ++corenet_sendrecv_generic_server_packets(spamd_t) + + dev_read_sysfs(spamd_t) + dev_read_urand(spamd_t) + ++fs_getattr_all_fs(spamd_t) ++fs_search_auto_mountpoints(spamd_t) ++ ++auth_dontaudit_read_shadow(spamd_t) ++ ++corecmd_exec_bin(spamd_t) ++ domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) --files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) - # /var/lib/spamassin - files_read_var_lib_files(spamd_t) ++# /var/lib/spamassin ++files_read_var_lib_files(spamd_t) - init_dontaudit_rw_utmp(spamd_t) +-fs_getattr_all_fs(spamd_t) +-fs_search_auto_mountpoints(spamd_t) ++init_dontaudit_rw_utmp(spamd_t) --logging_send_syslog_msg(spamd_t) 
-+auth_use_nsswitch(spamd_t) + auth_use_nsswitch(spamd_t) +-auth_dontaudit_read_shadow(spamd_t) +- +-init_dontaudit_rw_utmp(spamd_t) --miscfiles_read_localization(spamd_t) -+libs_use_ld_so(spamd_t) -+libs_use_shared_libs(spamd_t) + libs_use_ld_so(spamd_t) + libs_use_shared_libs(spamd_t) --sysnet_read_config(spamd_t) --sysnet_use_ldap(spamd_t) --sysnet_dns_name_resolve(spamd_t) -+logging_send_syslog_msg(spamd_t) + logging_send_syslog_msg(spamd_t) +-miscfiles_read_localization(spamd_t) +- +-sysnet_use_ldap(spamd_t) +- userdom_use_unpriv_users_fds(spamd_t) - userdom_search_user_home_dirs(spamd_t) ++userdom_search_user_home_dirs(spamd_t) +userdom_home_manager(spamd_t) +-tunable_policy(`spamd_enable_home_dirs',` +- userdom_manage_user_home_content_dirs(spamd_t) +- userdom_manage_user_home_content_files(spamd_t) +- userdom_manage_user_home_content_symlinks(spamd_t) +-') +- -tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(spamd_t) - fs_manage_nfs_files(spamd_t) +- fs_manage_nfs_symlinks(spamd_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(spamd_t) +- fs_manage_cifs_files(spamd_t) +- fs_manage_cifs_symlinks(spamd_t) +optional_policy(` + clamav_stream_connect(spamd_t) ') --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_files(spamd_t) -+optional_policy(` + optional_policy(` +- amavis_manage_lib_files(spamd_t) + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) ') optional_policy(` -@@ -395,7 +501,9 @@ optional_policy(` +- clamav_stream_connect(spamd_t) ++ amavis_manage_lib_files(spamd_t) ') optional_policy(` -+ dcc_domtrans_cdcc(spamd_t) - dcc_domtrans_client(spamd_t) -+ dcc_signal_client(spamd_t) - dcc_stream_connect_dccifd(spamd_t) - ') - -@@ -404,25 +512,17 @@ optional_policy(` +@@ -421,21 +508,13 @@ optional_policy(` ') optional_policy(` -- corenet_tcp_connect_mysqld_port(spamd_t) -- corenet_sendrecv_mysqld_client_packets(spamd_t) +- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +-') - 
-+ mysql_tcp_connect(spamd_t) - mysql_search_db(spamd_t) - mysql_stream_connect(spamd_t) - ') - - optional_policy(` -- nis_use_ypbind(spamd_t) +-optional_policy(` +- exim_manage_spool_dirs(spamd_t) +- exim_manage_spool_files(spamd_t) -') - -optional_policy(` - postfix_read_config(spamd_t) + milter_manage_spamass_state(spamd_t) ') optional_policy(` -- corenet_tcp_connect_postgresql_port(spamd_t) -- corenet_sendrecv_postgresql_client_packets(spamd_t) -- -+ postgresql_tcp_connect(spamd_t) - postgresql_stream_connect(spamd_t) +- mysql_stream_connect(spamd_t) + mysql_tcp_connect(spamd_t) ++ mysql_search_db(spamd_t) ++ mysql_stream_connect(spamd_t) + ') + + optional_policy(` +@@ -443,8 +522,8 @@ optional_policy(` ') -@@ -433,6 +533,13 @@ optional_policy(` + optional_policy(` +- postgresql_stream_connect(spamd_t) + postgresql_tcp_connect(spamd_t) ++ postgresql_stream_connect(spamd_t) + ') optional_policy(` +@@ -455,7 +534,12 @@ optional_policy(` + optional_policy(` razor_domtrans(spamd_t) -+ razor_read_lib_files(spamd_t) + razor_read_lib_files(spamd_t) +- razor_manage_home_content(spamd_t) +') + +optional_policy(` 
@@ -65026,71 +74080,85 @@ index 1bbf73b..dd3e5e1 100644 ') optional_policy(` -@@ -440,6 +547,7 @@ optional_policy(` +@@ -463,9 +547,9 @@ optional_policy(` ') optional_policy(` + mta_send_mail(spamd_t) sendmail_stub(spamd_t) mta_read_config(spamd_t) +- mta_send_mail(spamd_t) ') -@@ -447,3 +555,54 @@ optional_policy(` + optional_policy(` - udev_read_db(spamd_t) - ') -+ -+######################################## -+# +@@ -474,32 +558,29 @@ optional_policy(` + + ######################################## + # +-# Update local policy +# spamd_update local policy -+# -+ -+allow spamd_update_t self:fifo_file manage_fifo_file_perms; -+allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; + # + +-allow spamd_update_t self:capability dac_override; + allow spamd_update_t self:fifo_file manage_fifo_file_perms; + allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_update_t self:capability dac_read_search; +dontaudit spamd_update_t self:capability dac_override; -+ -+manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) -+manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) -+files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) -+ + + manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) + manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) + files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) + +allow spamd_update_t spamd_var_lib_t:dir list_dir_perms; -+manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -+manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -+manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) -+ + manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) + manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) + manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) + +-kernel_read_system_state(spamd_update_t) +allow spamd_update_t spamd_tmp_t:file 
read_file_perms; -+ + +-corenet_all_recvfrom_unlabeled(spamd_update_t) +-corenet_all_recvfrom_netlabel(spamd_update_t) +-corenet_tcp_sendrecv_generic_if(spamd_update_t) +-corenet_tcp_sendrecv_generic_node(spamd_update_t) +-corenet_tcp_sendrecv_all_ports(spamd_update_t) +kernel_read_system_state(spamd_update_t) -+ + +-corenet_sendrecv_http_client_packets(spamd_update_t) +# for updating rules -+corenet_tcp_connect_http_port(spamd_update_t) -+ -+corecmd_exec_bin(spamd_update_t) -+corecmd_exec_shell(spamd_update_t) -+ -+dev_read_urand(spamd_update_t) -+ -+domain_use_interactive_fds(spamd_update_t) -+ -+files_read_usr_files(spamd_update_t) -+ -+auth_use_nsswitch(spamd_update_t) -+auth_dontaudit_read_shadow(spamd_update_t) -+ + corenet_tcp_connect_http_port(spamd_update_t) +-corenet_tcp_sendrecv_http_port(spamd_update_t) + + corecmd_exec_bin(spamd_update_t) + corecmd_exec_shell(spamd_update_t) +@@ -513,20 +594,16 @@ files_read_usr_files(spamd_update_t) + auth_use_nsswitch(spamd_update_t) + auth_dontaudit_read_shadow(spamd_update_t) + +-miscfiles_read_localization(spamd_update_t) +mta_read_config(spamd_update_t) -+ + +-userdom_use_user_terminals(spamd_update_t) +userdom_use_inherited_user_ptys(spamd_update_t) -+ -+optional_policy(` -+ cron_system_entry(spamd_update_t, spamd_update_exec_t) -+') -+ -+optional_policy(` + + optional_policy(` + cron_system_entry(spamd_update_t, spamd_update_exec_t) + ') + +-# probably want a solution same as httpd_use_gpg since this will +-# give spamd_update a path to users gpg keys +-# optional_policy(` +-# gpg_domtrans(spamd_update_t) +-# ') +- + optional_policy(` +- mta_read_config(spamd_update_t) + gpg_domtrans(spamd_update_t) -+') ++ gpg_manage_home_content(spamd_update_t) + ') + diff --git a/speedtouch.te b/speedtouch.te -index ade10f5..bed16af 100644 +index 9025dbd..7e4c41f 100644 --- a/speedtouch.te +++ b/speedtouch.te @@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t) 
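Review bot: `gpg_manage_home_content(spamd_update_t)`, the `++` line near the end of this hunk, gives the sa-update domain write access to users' GnuPG home content, while the same hunk deletes the upstream comment warning that `gpg_domtrans` already gives spamd_update a path to users' gpg keys, so the rationale for the widened grant no longer appears anywhere in the policy. If the update job only needs to verify channel signatures, a read-only interface or the `httpd_use_gpg`-style boolean the removed comment pointed to would be narrower; at minimum keep a comment such as `# sa-update verifies channel signatures via gpg; this reaches per-user gpg homes`. `allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;` is subsumed by the `manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)` a few lines below it and can be dropped. The preceding spamd_t hunk (which begins before this chunk) appears to make the same trade, removing the `spamd_enable_home_dirs` tunable while keeping the unconditional `userdom_home_manager(spamd_t)`.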
@@ -65103,31 +74171,43 @@ index ade10f5..bed16af 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 2015152..6664de3 100644 +index 0a8b0f7..ebbec17 100644 --- a/squid.fc 
+++ b/squid.fc -@@ -1,8 +1,11 @@ - /etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) - /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +@@ -1,12 +1,15 @@ +-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +- +-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) ++/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) -+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) - /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) - /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) + /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) + +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) - /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) ++ + /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) + + /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) ++/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) + + /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + +@@ -15,6 +18,7 @@ - /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -@@ -11,3 +14,4 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) - /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + +-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) ++/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) + +-/var/squidGuard(/.*)? 
gen_context(system_u:object_r:squid_cache_t,s0) +/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/squid.if b/squid.if -index d2496bd..c7614d7 100644 +index 5e1f053..e7820bc 100644 --- a/squid.if +++ b/squid.if -@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',` +@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',` type squid_t; ') @@ -65136,7 +74216,7 @@ index d2496bd..c7614d7 100644 ') ######################################## -@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',` +@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',` ## Domain to not audit. ##
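Review bot: `/usr/share/lightsquid/cgi(/.*)?` labels every file under that directory `httpd_squid_script_exec_t`, so any templates or data files shipped next to the CGI scripts become executable-script content for the web server. If the directory holds non-script files, a narrower pattern such as `/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)` keeps the exec label on the scripts alone; I cannot see the package layout from the hunk, so confirm what lives there. The `/usr/sbin/lightparser.pl` → `squid_cron_exec_t` and `/var/lightsquid(/.*)?` → `squid_cache_t` entries look consistent with the `squid_cron_t` domain this patch adds to squid.te further down.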
    ## @@ -65144,26 +74224,23 @@ index d2496bd..c7614d7 100644 # interface(`squid_dontaudit_search_cache',` gen_require(` -@@ -207,12 +206,14 @@ interface(`squid_use',` - interface(`squid_admin',` - gen_require(` - type squid_t, squid_cache_t, squid_conf_t; -- type squid_log_t, squid_var_run_t; -- type squid_initrc_exec_t; -+ type squid_log_t, squid_var_run_t, squid_initrc_exec_t; +@@ -213,9 +212,13 @@ interface(`squid_admin',` + type squid_initrc_exec_t, squid_tmp_t; ') - allow $1 squid_t:process { ptrace signal_perms }; + allow $1 squid_t:process signal_perms; ps_process_pattern($1, squid_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 squid_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index c38de7a..413146c 100644 +index 221c560..b20a9d9 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -65175,7 +74252,13 @@ index c38de7a..413146c 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -40,9 +40,18 @@ logging_log_file(squid_log_t) +@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t) + type squid_log_t; + logging_log_file(squid_log_t) + +-type squid_tmp_t; +-files_tmp_file(squid_tmp_t) +- type squid_tmpfs_t; files_tmpfs_file(squid_tmpfs_t) 
@@ -65194,15 +74277,7 @@ index c38de7a..413146c 100644 ######################################## # # Local policy -@@ -69,6 +78,7 @@ allow squid_t self:udp_socket create_socket_perms; - manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) - manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) - manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) -+files_var_filetrans(squid_t, squid_cache_t, dir, "squid") - - allow squid_t squid_conf_t:dir list_dir_perms; - read_files_pattern(squid_t, squid_conf_t, squid_conf_t) -@@ -85,15 +95,19 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir }) +@@ -87,6 +93,10 @@ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) @@ -65213,25 +74288,17 @@ index c38de7a..413146c 100644 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) files_pid_filetrans(squid_t, squid_var_run_t, file) - kernel_read_kernel_sysctls(squid_t) +@@ -96,7 +106,8 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) -+kernel_read_network_state(squid_t) - - files_dontaudit_getattr_boot_dirs(squid_t) + kernel_read_network_state(squid_t) -corenet_all_recvfrom_unlabeled(squid_t) ++files_dontaudit_getattr_boot_dirs(squid_t) ++ corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -145,7 +159,6 @@ corecmd_exec_shell(squid_t) - - domain_use_interactive_fds(squid_t) - --files_read_etc_files(squid_t) - files_read_etc_runtime_files(squid_t) - files_read_usr_files(squid_t) - files_search_spool(squid_t) -@@ -161,7 +174,6 @@ libs_exec_lib_files(squid_t) +@@ -178,7 +189,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) 
@@ -65239,25 +74306,21 @@ index c38de7a..413146c 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -169,7 +181,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) - tunable_policy(`squid_connect_any',` - corenet_tcp_connect_all_ports(squid_t) - corenet_tcp_bind_all_ports(squid_t) -- corenet_sendrecv_all_packets(squid_t) -+ corenet_sendrecv_all_client_packets(squid_t) -+ corenet_sendrecv_all_server_packets(squid_t) - ') - - tunable_policy(`squid_use_tproxy',` -@@ -182,17 +195,19 @@ optional_policy(` - - allow httpd_squid_script_t self:tcp_socket create_socket_perms; +@@ -200,6 +210,8 @@ tunable_policy(`squid_use_tproxy',` + optional_policy(` + apache_content_template(squid) -- corenet_all_recvfrom_unlabeled(httpd_squid_script_t) ++ allow httpd_squid_script_t self:tcp_socket create_socket_perms; ++ + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) + corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) +@@ -209,18 +221,22 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) -+ corenet_tcp_connect_squid_port(httpd_squid_script_t) + corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) ++ corenet_tcp_connect_squid_port(httpd_squid_script_t) ++ sysnet_dns_name_resolve(httpd_squid_script_t) - squid_read_config(httpd_squid_script_t) @@ -65272,15 +74335,18 @@ index c38de7a..413146c 100644 ') optional_policy(` -@@ -206,3 +221,32 @@ optional_policy(` +- kerberos_manage_host_rcache(squid_t) +- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") ++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") ++ kerberos_manage_host_rcache(squid_t) + ') + + optional_policy(` +@@ -238,3 +254,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') + -+optional_policy(` -+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") -+') -+ +######################################## +# +# squid cron Local policy 
@@ -65298,75 +74364,94 @@ index c38de7a..413146c 100644 + +dev_read_urand(squid_cron_t) + -+files_read_etc_files(squid_cron_t) -+files_read_usr_files(squid_cron_t) -+ -+ +optional_policy(` + cron_system_entry(squid_cron_t, squid_cron_exec_t) +') diff --git a/sssd.fc b/sssd.fc -index 4271815..45291bb 100644 +index dbb005a..45291bb 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -1,9 +1,15 @@ +@@ -1,15 +1,17 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) +/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) -+ - /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + +-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) -+ - /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) +-/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) ++/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + ++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) +-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) + +-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index 941380a..54c45f6 100644 +index a240455..54c45f6 100644 --- a/sssd.if 
+++ b/sssd.if -@@ -1,13 +1,31 @@ - ## System Security Services Daemon +@@ -1,21 +1,21 @@ +-## System Security Services Daemon. ++## System Security Services Daemon -+####################################### -+## + ####################################### + ## +-## Get attributes of sssd executable files. +## Allow a domain to getattr on sssd binary. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed to transition. +## -+## -+# -+interface(`sssd_getattr_exec',` + ## + # + interface(`sssd_getattr_exec',` +- gen_require(` +- type sssd_exec_t; +- ') + gen_require(` + type sssd_t, sssd_exec_t; + ') -+ + +- allow $1 sssd_exec_t:file getattr_file_perms; + allow $1 sssd_exec_t:file getattr; -+') -+ + ') + + ######################################## +@@ -33,14 +33,12 @@ interface(`sssd_domtrans',` + type sssd_t, sssd_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, sssd_exec_t, sssd_t) + ') + ######################################## ## - ## Execute a domain transition to run sssd. +-## Execute sssd init scripts in +-## the initrc domain. ++## Execute sssd server in the sssd domain. ## ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`sssd_domtrans',` -@@ -38,6 +56,106 @@ interface(`sssd_initrc_domtrans',` + ## +@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',` + init_labeled_script_domtrans($1, sssd_initrc_exec_t) + ') - ######################################## - ## ++######################################## ++## +## Execute sssd server in the sssd domain. +## +## 
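Review bot: `/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)` drops the escaping the replaced line had (`sssd\.pid`); file-context paths are regular expressions, so the unescaped dot matches any character and the entry now also covers names such as `/var/run/sssdXpid`. The same loss of escaping appears in the svnserve.fc hunk further down (`/etc/rc.d/init.d/svnserve` and `/var/run/svnserve.pid`, both replacing escaped entries); restore `\.` in all three. In `sssd_getattr_exec` the parameter is now documented as "Domain allowed to transition" although the interface only grants `getattr` on `sssd_exec_t`, and the added `type sssd_t` in its `gen_require` is not used by the body; `## Domain allowed access.`, dropping `sssd_t` from the require, and keeping `getattr_file_perms` from the replaced line would match the neighbouring interfaces.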
@@ -65388,37 +74473,54 @@ index 941380a..54c45f6 100644 + ps_process_pattern($1, sssd_t) +') + -+####################################### -+## + ####################################### + ## +-## Read sssd configuration content. +## Read sssd configuration. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# -+interface(`sssd_read_config',` + ## + # + interface(`sssd_read_config',` +- gen_require(` +- type sssd_conf_t; +- ') + gen_require(` + type sssd_conf_t; + ') -+ + +- files_search_etc($1) +- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) +- read_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) + read_files_pattern($1, sssd_conf_t, sssd_conf_t) -+') -+ -+###################################### -+## + ') + + ###################################### + ## +-## Write sssd configuration files. +## Write sssd configuration. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# -+interface(`sssd_write_config',` + ## + # + interface(`sssd_write_config',` +- gen_require(` +- type sssd_conf_t; +- ') + gen_require(` + type sssd_conf_t; + ') 
@@ -65441,166 +74543,186 @@ index 941380a..54c45f6 100644 + gen_require(` + type sssd_conf_t; + ') -+ + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + create_files_pattern($1, sssd_conf_t, sssd_conf_t) -+') -+ -+#################################### -+## + ') + + #################################### + ## +-## Create, read, write, and delete +-## sssd configuration files. +## Manage sssd configuration. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_manage_config',` + ## + ## + ## +@@ -107,12 +146,12 @@ interface(`sssd_write_config',` + ## + # + interface(`sssd_manage_config',` +- gen_require(` +- type sssd_conf_t; +- ') + gen_require(` + type sssd_conf_t; + ') -+ + +- files_search_etc($1) +- manage_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + manage_files_pattern($1, sssd_conf_t, sssd_conf_t) -+') -+ -+######################################## -+## - ## Read sssd public files. - ## - ## -@@ -52,9 +170,29 @@ interface(`sssd_read_public_files',` + ') + + ######################################## +@@ -131,33 +170,32 @@ interface(`sssd_read_public_files',` ') sssd_search_lib($1) +- allow $1 sssd_public_t:dir list_dir_perms; + list_dirs_pattern($1, sssd_public_t, sssd_public_t) read_files_pattern($1, sssd_public_t, sssd_public_t) ') -+####################################### -+## + ####################################### + ## +-## Create, read, write, and delete +-## sssd public files. +## Manage sssd public files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. 
+## -+## -+# -+interface(`sssd_manage_public_files',` + ## + # + interface(`sssd_manage_public_files',` +- gen_require(` +- type sssd_public_t; +- ') + gen_require(` + type sssd_public_t; + ') -+ + +- sssd_search_lib($1) +- manage_files_pattern($1, sssd_public_t, sssd_public_t) + sssd_search_lib($1) + manage_files_pattern($1, sssd_public_t, sssd_public_t) -+') -+ - ######################################## - ## - ## Read sssd PID files. -@@ -89,6 +227,7 @@ interface(`sssd_manage_pids',` - type sssd_var_run_t; - ') - -+ files_search_pids($1) - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) - ') -@@ -128,7 +267,6 @@ interface(`sssd_dontaudit_search_lib',` - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; -- files_search_var_lib($1) ') ######################################## -@@ -148,6 +286,7 @@ interface(`sssd_read_lib_files',` - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -+ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - ') + ## +-## Read sssd pid files. ++## Read sssd PID files. + ## + ## + ## +@@ -176,8 +214,7 @@ interface(`sssd_read_pid_files',` ######################################## -@@ -168,6 +307,7 @@ interface(`sssd_manage_lib_files',` - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -+ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - ') + ## +-## Create, read, write, and delete +-## sssd pid content. ++## Manage sssd var_run files. + ## + ## + ## +@@ -216,8 +253,7 @@ interface(`sssd_search_lib',` ######################################## -@@ -193,7 +333,7 @@ interface(`sssd_dbus_chat',` + ## +-## Do not audit attempts to search +-## sssd lib directories. ++## Do not audit attempts to search sssd lib directories. + ## + ## + ## +@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',` ######################################## ## --## Connect to sssd over an unix stream socket. 
+-## Connect to sssd with a unix +-## domain stream socket. +## Connect to sssd over a unix stream socket. ## ## ## -@@ -225,21 +365,19 @@ interface(`sssd_stream_connect',` - ## The role to be allowed to manage the sssd domain. +@@ -317,8 +352,8 @@ interface(`sssd_stream_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an sssd environment. ++## All of the rules required to administrate ++## an sssd environment + ## + ## + ## +@@ -327,7 +362,7 @@ interface(`sssd_stream_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the sssd domain. ## ## --## --## --## The type of the user terminal. --## --## ## - # +@@ -335,27 +370,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` -- type sssd_t, sssd_public_t; -- type sssd_initrc_exec_t; -+ type sssd_t, sssd_public_t, sssd_initrc_exec_t; + type sssd_t, sssd_public_t, sssd_initrc_exec_t; +- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; +- type sssd_log_t; + type sssd_unit_file_t; ') -- allow $1 sssd_t:process { ptrace signal_perms getattr }; -- read_files_pattern($1, sssd_t, sssd_t) +- allow $1 sssd_t:process { ptrace signal_perms }; + allow $1 sssd_t:process signal_perms; -+ ps_process_pattern($1, sssd_t) + ps_process_pattern($1, sssd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sssd_t:process ptrace; + ') - # Allow sssd_t to restart the apache service ++ # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) -@@ -252,4 +390,9 @@ interface(`sssd_admin',` - sssd_manage_lib_files($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; - admin_pattern($1, sssd_public_t) +- files_search_etc($1) +- admin_pattern($1, sssd_conf_t) ++ sssd_manage_pids($1) + +- files_search_var_lib($1) +- admin_pattern($1, { sssd_var_lib_t sssd_public_t }) ++ sssd_manage_lib_files($1) + +- files_search_pids($1) +- admin_pattern($1, 
sssd_var_run_t) ++ admin_pattern($1, sssd_public_t) + + sssd_systemctl($1) + admin_pattern($1, sssd_unit_file_t) + allow $1 sssd_unit_file_t:service all_service_perms; -+ + +- logging_search_logs($1) +- admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index a1b61bc..4253541 100644 +index 8b537aa..4253541 100644 --- a/sssd.te +++ b/sssd.te -@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t) - type sssd_initrc_exec_t; - init_script_file(sssd_initrc_exec_t) - -+type sssd_conf_t; -+files_config_file(sssd_conf_t) -+ - type sssd_public_t; - files_pid_file(sssd_public_t) - - type sssd_var_lib_t; - files_type(sssd_var_lib_t) -+mls_trusted_object(sssd_var_lib_t) +@@ -1,4 +1,4 @@ +-policy_module(sssd, 1.1.4) ++policy_module(sssd, 1.1.0) - type sssd_var_log_t; - logging_log_file(sssd_var_log_t) -@@ -24,22 +28,31 @@ logging_log_file(sssd_var_log_t) + ######################################## + # +@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) 
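Review bot: The comment `# Allow sssd_t to restart the apache service` added above `sssd_initrc_domtrans($1)` in `sssd_admin` is a copy-paste from the apache module and describes neither the subject (the admin domain `$1`) nor the service; `# allow the admin domain to run the sssd init script` is what the line does. In the sssd.te part of this hunk the new side rewrites upstream's `policy_module(sssd, 1.1.4)` to `policy_module(sssd, 1.1.0)`, so the module version goes backwards relative to the context being patched; tooling that compares installed module versions may treat the result as a downgrade, so the version should be at least the upstream one. Moving `ptrace` under `tunable_policy(`deny_ptrace',`',` ... `)` here matches the squid_admin hunk above and is the right shape.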
@@ -65609,97 +74731,87 @@ index a1b61bc..4253541 100644 + ######################################## # - # sssd local policy +-# Local policy ++# sssd local policy # --allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; --allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; --allow sssd_t self:fifo_file rw_file_perms; -+ -+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -+allow sssd_t self:capability2 block_suspend; -+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; -+allow sssd_t self:fifo_file rw_fifo_file_perms; -+allow sssd_t self:key manage_key_perms; - allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) -+ - manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) - manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend; + allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; + allow sssd_t self:fifo_file rw_fifo_file_perms; + allow sssd_t self:key manage_key_perms; +-allow sssd_t self:unix_stream_socket { accept connectto listen }; ++allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) - manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) - manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -+manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) --files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) 
-+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) + files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) - manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,37 +61,57 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) - files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) -+kernel_read_network_state(sssd_t) + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) -+corenet_udp_bind_generic_port(sssd_t) -+corenet_dontaudit_udp_bind_all_ports(sssd_t) +-corenet_all_recvfrom_unlabeled(sssd_t) +-corenet_all_recvfrom_netlabel(sssd_t) +-corenet_udp_sendrecv_generic_if(sssd_t) +-corenet_udp_sendrecv_generic_node(sssd_t) +-corenet_udp_sendrecv_all_ports(sssd_t) +-corenet_udp_bind_generic_node(sssd_t) +- +-corenet_sendrecv_generic_server_packets(sssd_t) + corenet_udp_bind_generic_port(sssd_t) + corenet_dontaudit_udp_bind_all_ports(sssd_t) +corenet_tcp_connect_kerberos_password_port(sssd_t) -+ - corecmd_exec_bin(sssd_t) - - dev_read_urand(sssd_t) -+dev_read_sysfs(sssd_t) - - domain_read_all_domains_state(sssd_t) - domain_obj_id_change_exemption(sssd_t) - - files_list_tmp(sssd_t) - files_read_etc_files(sssd_t) -+files_read_etc_runtime_files(sssd_t) - files_read_usr_files(sssd_t) -+files_list_var_lib(sssd_t) - fs_list_inotifyfs(sssd_t) + corecmd_exec_bin(sssd_t) - selinux_validate_context(sssd_t) +@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) -+# sssd wants to write 
/etc/selinux//logins/ for SELinux PAM module + # sssd wants to write /etc/selinux//logins/ for SELinux PAM module +-# seutil_rw_login_config_dirs(sssd_t) +-# seutil_manage_login_config_files(sssd_t) +seutil_rw_login_config_dirs(sssd_t) +seutil_manage_login_config_files(sssd_t) mls_file_read_to_clearance(sssd_t) -+mls_socket_read_to_clearance(sssd_t) -+mls_socket_write_to_clearance(sssd_t) -+mls_trusted_object(sssd_t) + mls_socket_read_to_clearance(sssd_t) + mls_socket_write_to_clearance(sssd_t) + mls_trusted_object(sssd_t) --auth_use_nsswitch(sssd_t) +# auth_use_nsswitch(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -+auth_manage_cache(sssd_t) - - init_read_utmp(sssd_t) - - logging_send_syslog_msg(sssd_t) + auth_manage_cache(sssd_t) +@@ -112,18 +107,30 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) + miscfiles_read_generic_certs(sssd_t) -miscfiles_read_localization(sssd_t) -+miscfiles_read_generic_certs(sssd_t) -+ -+sysnet_dns_name_resolve(sssd_t) -+sysnet_use_ldap(sssd_t) -+ -+userdom_manage_tmp_role(system_r, sssd_t) + sysnet_dns_name_resolve(sssd_t) + sysnet_use_ldap(sssd_t) + ++userdom_manage_tmp_role(system_r, sssd_t) ++ optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,8 +120,17 @@ optional_policy(` + dbus_connect_system_bus(sssd_t) + ') optional_policy(` +- kerberos_read_config(sssd_t) kerberos_manage_host_rcache(sssd_t) +- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0") + kerberos_read_home_content(sssd_t) +') @@ -65707,10 +74819,10 @@ index a1b61bc..4253541 100644 +optional_policy(` + dirsrv_stream_connect(sssd_t) ') - - optional_policy(` - ldap_stream_connect(sssd_t) - ') ++ ++optional_policy(` ++ ldap_stream_connect(sssd_t) ++') + +userdom_home_reader(sssd_t) + @@ -65991,73 +75103,59 @@ index 0000000..b87c79c +') + diff --git a/stunnel.te b/stunnel.te -index f646c66..a399168 100644 +index 9992e62..47f1802 100644 --- a/stunnel.te 
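Review bot: `# auth_use_nsswitch(sssd_t)` is commented out on the new side with no explanation; commented-out rules in a .te file age badly, so either delete the line or state why it is off, e.g. `# auth_use_nsswitch intentionally omitted for sssd_t: <reason> (confirm)`. `userdom_home_reader(sssd_t)` appears to grant read access to all user home content, which is broader than the `kerberos_read_home_content(sssd_t)` added a few lines earlier in the same hunk; if a specific file under the home directory is what sssd needs, a one-line comment naming it would let a later reviewer judge whether the wide grant is still required. I cannot see the definitions of these interfaces from the hunk, so both points are about documenting intent rather than a verified over-grant.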
+++ b/stunnel.te -@@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms; - - allow stunnel_t stunnel_etc_t:dir list_dir_perms; - allow stunnel_t stunnel_etc_t:file read_file_perms; --allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; -+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) - manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -@@ -56,7 +56,6 @@ kernel_read_network_state(stunnel_t) +@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t) corecmd_exec_bin(stunnel_t) -corenet_all_recvfrom_unlabeled(stunnel_t) corenet_all_recvfrom_netlabel(stunnel_t) corenet_tcp_sendrecv_generic_if(stunnel_t) - corenet_udp_sendrecv_generic_if(stunnel_t) -@@ -73,8 +72,6 @@ auth_use_nsswitch(stunnel_t) - + corenet_tcp_sendrecv_generic_node(stunnel_t) +@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t) logging_send_syslog_msg(stunnel_t) + miscfiles_read_generic_certs(stunnel_t) -miscfiles_read_localization(stunnel_t) -- - sysnet_read_config(stunnel_t) - ifdef(`distro_gentoo', ` -@@ -106,7 +103,6 @@ ifdef(`distro_gentoo', ` - - dev_read_urand(stunnel_t) - -- files_read_etc_files(stunnel_t) - files_read_etc_runtime_files(stunnel_t) - files_search_home(stunnel_t) - -@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', ` + userdom_dontaudit_use_unpriv_user_fds(stunnel_t) + userdom_dontaudit_search_user_home_dirs(stunnel_t) +@@ -105,4 +103,5 @@ optional_policy(` gen_require(` type stunnel_port_t; ') + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -new file mode 100644 -index 0000000..5ab0840 ---- /dev/null +index effffd0..5ab0840 100644 +--- a/svnserve.fc 
+++ b/svnserve.fc -@@ -0,0 +1,12 @@ +@@ -1,8 +1,12 @@ +-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) -+ + +-/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) +/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) -+ + +-/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) +/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) -+ + +-/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) +-/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) + +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if -new file mode 100644 -index 0000000..dd2ac36 ---- /dev/null +index 2ac91b6..dd2ac36 100644 +--- a/svnserve.if +++ b/svnserve.if -@@ -0,0 +1,118 @@ +@@ -1,35 +1,118 @@ +-## Server for the svn repository access method. + +## policy for svnserve + @@ -66122,16 +75220,19 @@ index 0000000..dd2ac36 + + ps_process_pattern($1, svnserve_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## All of the rules required to +-## administrate an svnserve environment. +## Read svnserve PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`svnserve_read_pid_files',` + gen_require(` 
@@ -66149,22 +75250,31 @@ index 0000000..dd2ac36 +## an svnserve environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# -+interface(`svnserve_admin',` -+ gen_require(` + ## + ## +-## + # + interface(`svnserve_admin',` + gen_require(` +- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t; + type svnserve_t; + type svnserve_var_run_t; + type svnserve_unit_file_t; -+ ') -+ -+ allow $1 svnserve_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, svnserve_t) -+ -+ files_search_pids($1) + ') + + allow $1 svnserve_t:process { ptrace signal_perms }; + ps_process_pattern($1, svnserve_t) + +- init_labeled_script_domtrans($1, svnserve_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 svnserve_initrc_exec_t system_r; +- allow $2 system_r; +- + files_search_pids($1) +- admin_pattern($1, httpd_var_run_t) + admin_pattern($1, svnserve_var_run_t) + + svnserve_systemctl($1) @@ -66174,69 +75284,41 @@ index 0000000..dd2ac36 + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') -+') + ') + diff --git a/svnserve.te b/svnserve.te -new file mode 100644 -index 0000000..ba40a17 ---- /dev/null +index c6aaac7..dc3f167 100644 +--- a/svnserve.te 
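Review bot: The new svnserve_admin body still grants `allow $1 svnserve_t:process { ptrace signal_perms };` while tcsd_admin in the same patch is narrowed to `allow $1 tcsd_t:process signal_perms;` with its ptrace handling moved into three added lines that are cut off in that hunk, so an admin role keeps unconditional memory access to svnserve_t here but not to tcsd_t. Change it to `allow $1 svnserve_t:process signal_perms;` and give it the same ptrace treatment tcsd_admin received. The parameter block also appears to document a second "Domain allowed access" entry (the former "Role allowed access") although the new body references only `$1` now that the `role_transition $2` lines are gone; the collapsed XML makes it hard to be sure, but either the entry or the unused parameter should go. The interface body is complete within this hunk.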
+++ b/svnserve.te -@@ -0,0 +1,53 @@ -+policy_module(svnserve, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type svnserve_t; -+type svnserve_exec_t; -+init_daemon_domain(svnserve_t, svnserve_exec_t) -+ -+type svnserve_initrc_exec_t; -+init_script_file(svnserve_initrc_exec_t) -+ -+type svnserve_var_run_t; -+files_pid_file(svnserve_var_run_t) -+ -+type svnserve_content_t; -+files_type(svnserve_content_t) -+ +@@ -12,6 +12,9 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) + type svnserve_initrc_exec_t; + init_script_file(svnserve_initrc_exec_t) + +type svnserve_unit_file_t; +systemd_unit_file(svnserve_unit_file_t) + -+######################################## -+# -+# svnserve local policy -+# -+ -+allow svnserve_t self:fifo_file rw_fifo_file_perms; -+allow svnserve_t self:tcp_socket create_stream_socket_perms; -+allow svnserve_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) -+manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) -+ -+manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) -+manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) -+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) -+ -+corenet_udp_bind_generic_node(svnserve_t) -+#corenet_tcp_connect_svn_port(svnserve_t) -+#corenet_tcp_bind_svn_port(svnserve_t) -+#corenet_udp_bind_svn_port(svnserve_t) -+ -+domain_use_interactive_fds(svnserve_t) -+ -+files_read_etc_files(svnserve_t) -+files_read_usr_files(svnserve_t) -+ -+logging_send_syslog_msg(svnserve_t) -+ -+sysnet_dns_name_resolve(svnserve_t) -+ + type svnserve_content_t; + files_type(svnserve_content_t) + +@@ -34,9 +37,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) + manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) + files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) + 
+-files_read_etc_files(svnserve_t) +-files_read_usr_files(svnserve_t) +- + corenet_all_recvfrom_unlabeled(svnserve_t) + corenet_all_recvfrom_netlabel(svnserve_t) + corenet_tcp_sendrecv_generic_if(svnserve_t) +@@ -54,6 +54,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) + + logging_send_syslog_msg(svnserve_t) + +-miscfiles_read_localization(svnserve_t) +- + sysnet_dns_name_resolve(svnserve_t) diff --git a/sxid.te b/sxid.te -index 8296303..50eddef 100644 +index c9824cb..1973f71 100644 --- a/sxid.te +++ b/sxid.te @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) @@ -66256,96 +75338,232 @@ index 8296303..50eddef 100644 auth_dontaudit_getattr_shadow(sxid_t) init_use_fds(sxid_t) -@@ -74,15 +73,17 @@ init_use_script_ptys(sxid_t) +@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t) logging_send_syslog_msg(sxid_t) -miscfiles_read_localization(sxid_t) - --mount_exec(sxid_t) -- sysnet_read_config(sxid_t) userdom_dontaudit_use_unpriv_user_fds(sxid_t) - --cron_system_entry(sxid_t, sxid_exec_t) -+optional_policy(` -+ cron_system_entry(sxid_t, sxid_exec_t) -+') -+ -+optional_policy(` -+ mount_exec(sxid_t) -+') - - optional_policy(` - mta_send_mail(sxid_t) -diff --git a/sysstat.fc b/sysstat.fc -index 5d0e77b..5a92938 100644 ---- a/sysstat.fc -+++ b/sysstat.fc -@@ -6,3 +6,4 @@ - /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) - /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) - /var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/sysstat.te b/sysstat.te -index 0ecd8a7..b532568 100644 +index c8b80b2..33023d7 100644 --- a/sysstat.te 
+++ b/sysstat.te -@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t) - # Local policy - # - --allow sysstat_t self:capability { dac_override sys_resource sys_tty_config }; --dontaudit sysstat_t self:capability sys_admin; -+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; - allow sysstat_t self:fifo_file rw_fifo_file_perms; - - can_exec(sysstat_t, sysstat_exec_t) -@@ -36,6 +35,7 @@ kernel_read_kernel_sysctls(sysstat_t) +@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) +corecmd_exec_shell(sysstat_t) corecmd_exec_bin(sysstat_t) - dev_read_urand(sysstat_t) -@@ -45,19 +45,20 @@ files_search_var(sysstat_t) - # for mtab - files_read_etc_runtime_files(sysstat_t) - #for fstab --files_read_etc_files(sysstat_t) - - fs_getattr_xattr_fs(sysstat_t) + dev_read_sysfs(sysstat_t) +@@ -50,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) +term_use_all_inherited_terms(sysstat_t) - init_use_fds(sysstat_t) + auth_use_nsswitch(sysstat_t) + +@@ -58,12 +59,13 @@ init_use_fds(sysstat_t) locallogin_use_fds(sysstat_t) --miscfiles_read_localization(sysstat_t) +-logging_send_syslog_msg(sysstat_t) +auth_use_nsswitch(sysstat_t) -+ + +-miscfiles_read_localization(sysstat_t) +logging_send_syslog_msg(sysstat_t) userdom_dontaudit_list_user_home_dirs(sysstat_t) -@@ -65,6 +66,3 @@ optional_policy(` + optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) ') - ++ +diff --git a/systemtap.fc b/systemtap.fc +deleted file mode 100644 +index 1710cbb..0000000 +--- a/systemtap.fc ++++ /dev/null +@@ -1,11 +0,0 @@ +-/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0) +- +-/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0) +- +-/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0) +- +-/var/lib/stap-server(/.*)? 
gen_context(system_u:object_r:stapserver_var_lib_t,s0) +- +-/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0) +- +-/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) +diff --git a/systemtap.if b/systemtap.if +deleted file mode 100644 +index c755e2d..0000000 +--- a/systemtap.if ++++ /dev/null +@@ -1,45 +0,0 @@ +-## instrumentation system for Linux. +- +-######################################## +-## +-## All of the rules required to +-## administrate an stapserver environment. +-## +-## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-## +-# +-interface(`stapserver_admin',` +- gen_require(` +- type stapserver_t, stapserver_conf_t, stapserver_log_t; +- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t; +- ') +- +- allow $1 stapserver_t:process { ptrace signal_perms }; +- ps_process_pattern($1, stapserver_t) +- +- init_labeled_script_domtrans($1, stapserver_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 stapserver_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, stapserver_conf_t) +- +- files_search_var_lib($1) +- admin_pattern($1, stapserver_var_lib_t) +- +- logging_search_logs($1) +- admin_pattern($1, stapserver_log_t) +- +- files_search_pids($1) +- admin_pattern($1, stapserver_var_run_t) +-') +diff --git a/systemtap.te b/systemtap.te +deleted file mode 100644 +index 6c06a84..0000000 +--- a/systemtap.te ++++ /dev/null +@@ -1,101 +0,0 @@ +-policy_module(systemtap, 1.0.2) +- +-######################################## +-# +-# Declarations +-# +- +-type stapserver_t; +-type stapserver_exec_t; +-init_daemon_domain(stapserver_t, stapserver_exec_t) +- +-type stapserver_initrc_exec_t; +-init_script_file(stapserver_initrc_exec_t) +- +-type stapserver_conf_t; +-files_config_file(stapserver_conf_t) +- +-type stapserver_var_lib_t; +-files_type(stapserver_var_lib_t) +- +-type 
stapserver_log_t; +-logging_log_file(stapserver_log_t) +- +-type stapserver_var_run_t; +-files_pid_file(stapserver_var_run_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow stapserver_t self:capability { dac_override kill setuid setgid }; +-allow stapserver_t self:process { setrlimit setsched signal }; +-allow stapserver_t self:fifo_file rw_fifo_file_perms; +-allow stapserver_t self:key write; +-allow stapserver_t self:unix_stream_socket { accept listen }; +-allow stapserver_t self:tcp_socket create_stream_socket_perms; +- +-allow stapserver_t stapserver_conf_t:file read_file_perms; +- +-manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) +-manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) +-files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) +- +-manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) +- +-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) +-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) +-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) +- +-kernel_read_kernel_sysctls(stapserver_t) +-kernel_read_system_state(stapserver_t) +- +-corecmd_exec_bin(stapserver_t) +-corecmd_exec_shell(stapserver_t) +- +-domain_read_all_domains_state(stapserver_t) +- +-dev_read_rand(stapserver_t) +-dev_read_sysfs(stapserver_t) +-dev_read_urand(stapserver_t) +- +-files_list_tmp(stapserver_t) +-files_read_usr_files(stapserver_t) +-files_search_kernel_modules(stapserver_t) +- +-auth_use_nsswitch(stapserver_t) +- +-init_read_utmp(stapserver_t) +- +-logging_send_audit_msgs(stapserver_t) 
+-logging_send_syslog_msg(stapserver_t) +- +-miscfiles_read_localization(stapserver_t) +-miscfiles_read_hwdata(stapserver_t) +- +-userdom_use_user_terminals(stapserver_t) +- +-optional_policy(` +- consoletype_exec(stapserver_t) +-') +- +-optional_policy(` +- dbus_system_bus_client(stapserver_t) +-') +- +-optional_policy(` +- hostname_exec(stapserver_t) +-') +- +-optional_policy(` +- plymouthd_exec_plymouth(stapserver_t) +-') +- -optional_policy(` -- logging_send_syslog_msg(sysstat_t) +- rpm_exec(stapserver_t) -') diff --git a/tcpd.te b/tcpd.te -index 7038b55..8961067 100644 +index f388db3..92d5fe0 100644 --- a/tcpd.te +++ b/tcpd.te -@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) +@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) @@ -66353,7 +75571,7 @@ index 7038b55..8961067 100644 corenet_all_recvfrom_netlabel(tcpd_t) corenet_tcp_sendrecv_generic_if(tcpd_t) corenet_tcp_sendrecv_generic_node(tcpd_t) -@@ -39,8 +38,6 @@ files_dontaudit_search_var(tcpd_t) +@@ -38,8 +37,6 @@ files_dontaudit_search_var(tcpd_t) logging_send_syslog_msg(tcpd_t) @@ -66363,11 +75581,11 @@ index 7038b55..8961067 100644 inetd_domtrans_child(tcpd_t) diff --git a/tcsd.if b/tcsd.if -index 595f5a7..4e518cf 100644 +index b42ec1d..91b8f71 100644 --- a/tcsd.if +++ b/tcsd.if -@@ -137,8 +137,11 @@ interface(`tcsd_admin',` - type tcsd_var_lib_t; +@@ -138,8 +138,11 @@ interface(`tcsd_admin',` + type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; ') - allow $1 tcsd_t:process { ptrace signal_perms }; @@ -66380,61 +75598,102 @@ index 595f5a7..4e518cf 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index ee9f3c6..ac97168 100644 +index ac8213a..20fa71f 100644 --- a/tcsd.te 
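Review bot: The patch now removes systemtap.fc/.if/.te entirely (`+deleted file mode 100644` for all three), which drops the stapserver_t confinement together with the file contexts for /usr/bin/stap-server and /var/lib/stap-server, so the daemon presumably ends up in whatever domain init gives an unlabeled service with none of the visible restrictions (it was limited to `dac_override kill setuid setgid` and read-only access to other domains' state). Nothing visible in this diff records why or removes a module-list entry, so a one-line rationale and an upgrade check that the stale module is unloaded would help the next reviewer. Separately, in sysstat.te the `@@ -58,12 +59,13` hunk adds `auth_use_nsswitch(sysstat_t)` while, if I read the nested markers right, the preceding `@@ -50,7 +51,7` hunk already shows `auth_use_nsswitch(sysstat_t)` as context, so the added call is redundant and can be dropped. The deleted stapserver_admin required `stap_server_var_run_t` but used `stapserver_var_run_t`, so at least no working admin interface is lost by the deletion.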
+++ b/tcsd.te -@@ -30,7 +30,6 @@ manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) - files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) - - # Accept connections on the TCS port over loopback. --corenet_all_recvfrom_unlabeled(tcsd_t) - corenet_tcp_bind_generic_node(tcsd_t) - corenet_tcp_bind_tcs_port(tcsd_t) - -@@ -38,13 +37,8 @@ dev_read_urand(tcsd_t) - # Access /dev/tpm0. +@@ -41,10 +41,6 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) + dev_read_urand(tcsd_t) dev_rw_tpm(tcsd_t) --files_read_etc_files(tcsd_t) - files_read_usr_files(tcsd_t) - +-files_read_usr_files(tcsd_t) +- auth_use_nsswitch(tcsd_t) logging_send_syslog_msg(tcsd_t) - -miscfiles_read_localization(tcsd_t) -- --sysnet_dns_name_resolve(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index b07ee19..a275bd6 100644 +index c7de0cf..a275bd6 100644 --- a/telepathy.fc 
+++ b/telepathy.fc -@@ -1,8 +1,11 @@ - HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) --HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) -+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) - HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) - HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) - HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) -+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) +@@ -1,34 +1,21 @@ +-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) ++HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) + HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) + HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) +-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) +-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0) +-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0) ++HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) + HOME_DIR/\.local/share/telepathy(/.*)? 
gen_context(system_u:object_r:telepathy_data_home_t,s0) +-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0) +-HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0) +-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) +HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) - HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) - HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) - ++HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) ++HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) + +-/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) +-/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) +-/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) +-/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) +-/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) +-/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) +-/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0) +-/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) +-/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) +-/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) +-/usr/lib/telepathy/telepathy-sunshine -- 
gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) +- +-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) +-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) +-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) +-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) +-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0) +-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) +-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) +-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) +-/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0) +-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0) +-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0) ++/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) ++/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) ++/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) ++/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) ++/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) ++/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) ++/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) ++/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) ++/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) 
++/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index f09171e..95a9aa3 100644 +index 42946bc..95a9aa3 100644 --- a/telepathy.if +++ b/telepathy.if -@@ -11,7 +11,6 @@ +@@ -2,45 +2,39 @@ + + ####################################### + ## +-## The template to define a telepathy domain. ++## Creates basic types for telepathy ++## domain + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. ## ## # --# template(`telepathy_domain_template',` gen_require(` - attribute telepathy_domain; -@@ -20,19 +19,21 @@ template(`telepathy_domain_template',` +- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content; ++ attribute telepathy_domain; ++ attribute telepathy_executable; + ') type telepathy_$1_t, telepathy_domain; type telepathy_$1_exec_t, telepathy_executable; @@ -66442,25 +75701,37 @@ index f09171e..95a9aa3 100644 + application_domain(telepathy_$1_t, telepathy_$1_exec_t) + ubac_constrained(telepathy_$1_t) - type telepathy_$1_tmp_t; +- type telepathy_$1_tmp_t, telepathy_tmp_content; ++ type telepathy_$1_tmp_t; userdom_user_tmp_file(telepathy_$1_tmp_t) -- auth_use_nsswitch(telepathy_$1_t) + kernel_read_system_state(telepathy_$1_t) - -+ auth_use_nsswitch(telepathy_$1_t) ++ + auth_use_nsswitch(telepathy_$1_t) ') ####################################### ## --## Role access for telepathy domains --### that executes via dbus-session +-## The role template for the telepathy module. +## Role access for telepathy domains +## that executes via dbus-session ## +-## +-##
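Review bot: The new telepathy.fc drops every `/usr/lib/telepathy/*` entry (the `+-/usr/lib/telepathy/telepathy-gabble …` lines) and keeps only the `/usr/libexec/*` ones, so a connection manager installed under /usr/lib/telepathy would no longer be labeled telepathy_*_exec_t and the `dbus_session_domain` transitions in telepathy.if would not fire for it — it would run in the user's own domain instead of the confined telepathy domain. If this is deliberate because the Fedora packages ship the binaries only in /usr/libexec, a comment at the top of the .fc such as `# Fedora installs the connection managers under /usr/libexec only` would keep the next rebase from silently re-adding or re-dropping them; otherwise the `/usr/lib/telepathy/` lines should stay. The tcsd.te part of the hunk only drops `files_read_usr_files`/`miscfiles_read_localization`, which looks like the usual base-policy folding.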

    +-## This template creates a derived domains which are used +-## for window manager applications. +-##

    +-##
    +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## ## ## -@@ -44,8 +45,13 @@ template(`telepathy_domain_template',` + ## The role associated with the user domain. +@@ -51,10 +45,15 @@ template(`telepathy_domain_template',` ## The type of the user domain. ## ## @@ -66470,45 +75741,198 @@ index f09171e..95a9aa3 100644 +##
    +## # --template(`telepathy_role', ` +-template(`telepathy_role_template',` +template(`telepathy_role',` gen_require(` - attribute telepathy_domain; +- attribute telepathy_domain, telepathy_tmp_content; ++ attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; -@@ -76,6 +82,8 @@ template(`telepathy_role', ` - dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) - dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) - dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) -+ + type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; + type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; +@@ -63,91 +62,61 @@ template(`telepathy_role_template',` + type telepathy_mission_control_exec_t, telepathy_salut_exec_t; + type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; + type telepathy_msn_exec_t; +- +- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t; +- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t; +- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t; + ') + +- role $2 types telepathy_domain; +- +- allow $3 telepathy_domain:process { ptrace signal_perms }; +- ps_process_pattern($3, telepathy_domain) +- +- telepathy_gabble_stream_connect($3) +- telepathy_msn_stream_connect($3) +- telepathy_salut_stream_connect($3) +- +- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) +- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) +- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) +- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t) +- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t) +- dbus_spec_session_domain($1, telepathy_salut_exec_t, 
telepathy_salut_t) +- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t) +- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) +- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t) +- +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- +- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; ++ role $1 types telepathy_domain; + +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") ++ allow $2 telepathy_domain:process signal_perms; ++ ps_process_pattern($2, telepathy_domain) + +- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") ++ telepathy_gabble_stream_connect($2) ++ telepathy_msn_stream_connect($2) ++ telepathy_salut_stream_connect($2) + +- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") +- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +- # 
gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) ++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) ++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) ++ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t) ++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) ++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) ++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) ++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) ++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) + +- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") +- +- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") +- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy") +- +- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms }; +- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms }; +- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + telepathy_dbus_chat($2) ') ######################################## -@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', ` ## - ## Read telepathy mission control state. +-## Connect to gabble with a unix +-## domain stream socket. ++## Stream connect to Telepathy Gabble ## --## --## --## Prefix to be used. --## --## ## - ## +-## ++## + ## Domain allowed access. 
+ ## + ## + # +-interface(`telepathy_gabble_stream_connect',` ++interface(`telepathy_gabble_stream_connect', ` + gen_require(` + type telepathy_gabble_t, telepathy_gabble_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) ++ files_search_tmp($1) + ') + + ######################################## + ## +-## Send dbus messages to and from +-## gabble. ++## Send DBus messages to and from ++## Telepathy Gabble. + ## + ## +-## ++## ## Domain allowed access. -@@ -166,7 +169,7 @@ interface(`telepathy_msn_stream_connect', ` - ## Stream connect to Telepathy Salut + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` ++interface(`telepathy_gabble_dbus_chat', ` + gen_require(` + type telepathy_gabble_t; + class dbus send_msg; +@@ -159,10 +128,10 @@ interface(`telepathy_gabble_dbus_chat',` + + ######################################## + ## +-## Read mission control process state files. ++## Read telepathy mission control state. ## ## --## -+## +-## ++## ## Domain allowed access. ## ## -@@ -179,3 +182,130 @@ interface(`telepathy_salut_stream_connect', ` - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) - files_search_tmp($1) +@@ -173,15 +142,12 @@ interface(`telepathy_mission_control_read_state',` + ') + + kernel_search_proc($1) +- allow $1 telepathy_mission_control_t:dir list_dir_perms; +- allow $1 telepathy_mission_control_t:file read_file_perms; +- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, telepathy_mission_control_t) ') + + ####################################### + ## +-## Connect to msn with a unix +-## domain stream socket. 
++## Stream connect to telepathy MSN managers + ## + ## + ## +@@ -189,19 +155,18 @@ interface(`telepathy_mission_control_read_state',` + ## + ## + # +-interface(`telepathy_msn_stream_connect',` ++interface(`telepathy_msn_stream_connect', ` + gen_require(` + type telepathy_msn_t, telepathy_msn_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) ++ files_search_tmp($1) + ') + + ######################################## + ## +-## Connect to salut with a unix +-## domain stream socket. ++## Stream connect to Telepathy Salut + ## + ## + ## +@@ -209,11 +174,138 @@ interface(`telepathy_msn_stream_connect',` + ## + ## + # +-interface(`telepathy_salut_stream_connect',` ++interface(`telepathy_salut_stream_connect', ` + gen_require(` + type telepathy_salut_t, telepathy_salut_tmp_t; + ') + +- files_search_tmp($1) + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) ++ files_search_tmp($1) ++') + +####################################### +## @@ -66635,65 +76059,74 @@ index f09171e..95a9aa3 100644 + + corecmd_search_bin($1) + can_exec($1, telepathy_executable) -+') + ') diff --git a/telepathy.te b/telepathy.te -index 964978b..6cc7ecd 100644 +index e9c0964..6cc7ecd 100644 --- a/telepathy.te +++ b/telepathy.te -@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0) +@@ -1,29 +1,28 @@ +-policy_module(telepathy, 1.3.5) ++policy_module(telepathy, 1.3.0) + + ######################################## + # +-# Declarations ++# Declarations. + # ## - ##

    --## Allow the Telepathy connection managers --## to connect to any generic TCP port. +-##

    +-## Determine whether telepathy connection +-## managers can connect to generic tcp ports. +-##

    ++##

    +## Allow the Telepathy connection managers +## to connect to any generic TCP port. - ##

    ++##

    ##
    gen_tunable(telepathy_tcp_connect_generic_network_ports, false) ## - ##

    --## Allow the Telepathy connection managers --## to connect to any network port. +-##

    +-## Determine whether telepathy connection +-## managers can connect to any port. +-##

    ++##

    +## Allow the Telepathy connection managers +## to connect to any network port. - ##

    ++##

    ##
    gen_tunable(telepathy_connect_all_ports, false) -@@ -26,12 +26,18 @@ attribute telepathy_executable; - - telepathy_domain_template(gabble) -+type telepathy_cache_home_t; -+userdom_user_home_content(telepathy_cache_home_t) -+ - type telepathy_gabble_cache_home_t; - userdom_user_home_content(telepathy_gabble_cache_home_t) + attribute telepathy_domain; + attribute telepathy_executable; +-attribute telepathy_tmp_content; - telepathy_domain_template(idle) - telepathy_domain_template(logger) + telepathy_domain_template(gabble) -+type telepathy_data_home_t; -+userdom_user_home_content(telepathy_data_home_t) -+ - type telepathy_logger_cache_home_t; - userdom_user_home_content(telepathy_logger_cache_home_t) +@@ -67,176 +66,146 @@ userdom_user_home_content(telepathy_sunshine_home_t) -@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control) - type telepathy_mission_control_home_t; - userdom_user_home_content(telepathy_mission_control_home_t) + ####################################### + # +-# Gabble local policy ++# Telepathy Gabble local policy. 
+ # -+type telepathy_mission_control_data_home_t; -+userdom_user_home_content(telepathy_mission_control_data_home_t) -+ - type telepathy_mission_control_cache_home_t; - userdom_user_home_content(telepathy_mission_control_cache_home_t) +-allow telepathy_gabble_t self:tcp_socket { accept listen }; ++allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms; + allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -67,8 +76,16 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +-# ~/.cache/telepathy/gabble/caps-cache.db-journal +-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") +-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky") +- + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) +-corenet_all_recvfrom_unlabeled(telepathy_gabble_t) +# ~/.cache/telepathy/gabble/caps-cache.db-journal +optional_policy(` + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) 
@@ -66704,62 +76137,125 @@ index 964978b..6cc7ecd 100644 +') + corenet_all_recvfrom_netlabel(telepathy_gabble_t) --corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) corenet_tcp_sendrecv_generic_node(telepathy_gabble_t) +- +-corenet_sendrecv_http_client_packets(telepathy_gabble_t) corenet_tcp_connect_http_port(telepathy_gabble_t) -@@ -98,18 +115,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) +-corenet_tcp_sendrecv_http_port(telepathy_gabble_t) +- +-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) + corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) +-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t) +- +-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + corenet_tcp_connect_vnc_port(telepathy_gabble_t) +-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t) ++corenet_sendrecv_http_client_packets(telepathy_gabble_t) ++corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) ++corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + + dev_read_rand(telepathy_gabble_t) + + files_read_config_files(telepathy_gabble_t) + files_read_usr_files(telepathy_gabble_t) + ++fs_getattr_all_fs(telepathy_gabble_t) ++ + miscfiles_read_all_certs(telepathy_gabble_t) + + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_gabble_t) + corenet_tcp_connect_all_ports(telepathy_gabble_t) + corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) ++ corenet_udp_sendrecv_all_ports(telepathy_gabble_t) ') + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_gabble_t) + corenet_tcp_connect_generic_port(telepathy_gabble_t) +- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) --') 
-+userdom_home_manager(telepathy_gabble_t) ++ corenet_sendrecv_generic_client_packets(telepathy_gabble_t) + ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -+optional_policy(` -+ dbus_system_bus_client(telepathy_gabble_t) - ') +-') ++userdom_home_manager(telepathy_gabble_t) optional_policy(` -- dbus_system_bus_client(telepathy_gabble_t) -+ gnome_manage_home_config(telepathy_gabble_t) + dbus_system_bus_client(telepathy_gabble_t) ') +-# optional_policy(` +- # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_gabble_t) +-# ') ++optional_policy(` ++ gnome_manage_home_config(telepathy_gabble_t) ++') + ####################################### -@@ -118,7 +131,6 @@ optional_policy(` + # +-# Idle local policy ++# Telepathy Idle local policy. # corenet_all_recvfrom_netlabel(telepathy_idle_t) -corenet_all_recvfrom_unlabeled(telepathy_idle_t) corenet_tcp_sendrecv_generic_if(telepathy_idle_t) corenet_tcp_sendrecv_generic_node(telepathy_idle_t) +- +-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t) corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) -@@ -127,8 +139,6 @@ corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t) +- +-corenet_sendrecv_ircd_client_packets(telepathy_idle_t) + corenet_tcp_connect_ircd_port(telepathy_idle_t) +-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t) ++corenet_sendrecv_ircd_client_packets(telepathy_idle_t) dev_read_rand(telepathy_idle_t) --files_read_etc_files(telepathy_idle_t) +-files_read_usr_files(telepathy_idle_t) - tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_idle_t) corenet_tcp_connect_all_ports(telepathy_idle_t) corenet_tcp_sendrecv_all_ports(telepathy_idle_t) -@@ -147,51 +157,74 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ++ corenet_udp_sendrecv_all_ports(telepathy_idle_t) + ') + + 
tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_idle_t) + corenet_tcp_connect_generic_port(telepathy_idle_t) +- corenet_tcp_sendrecv_generic_port(telepathy_idle_t) ++ corenet_sendrecv_generic_client_packets(telepathy_idle_t) + ') + + ####################################### + # +-# Logger local policy ++# Telepathy Logger local policy. + # allow telepathy_logger_t self:unix_stream_socket create_socket_perms; -+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) +-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) +-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") --files_read_etc_files(telepathy_logger_t) -files_read_usr_files(telepathy_logger_t) +optional_policy(` + gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) 
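Review bot: The added `++ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)` inside the `telepathy_connect_all_ports` block grants UDP send/receive on every port from a tunable whose name and the surrounding rules (`corenet_tcp_connect_all_ports`, `corenet_tcp_sendrecv_all_ports`) only speak of TCP; the same line is added for idle, msn, salut and sofiasip in the following hunks. The boolean's `gen_tunable` description lives above this hunk and should be updated to say UDP is included, and a comment such as `# UDP on all ports is also needed here: <reason — fill in>` above the line would record why the widening is intentional. The gabble section's opening lines are outside this hunk.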
@@ -66767,37 +76263,48 @@ index 964978b..6cc7ecd 100644 + files_search_pids(telepathy_logger_t) - fs_getattr_all_fs(telepathy_logger_t) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_logger_t) - fs_manage_nfs_files(telepathy_logger_t) -') -+userdom_home_manager(telepathy_logger_t) ++fs_getattr_all_fs(telepathy_logger_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_logger_t) - fs_manage_cifs_files(telepathy_logger_t) +-') ++userdom_home_manager(telepathy_logger_t) + +-# optional_policy(` +optional_policy(` -+ # ~/.config/dconf/user + # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_logger_t) +-# ') + gnome_manage_home_config(telepathy_logger_t) - ') ++') ####################################### # - # Telepathy Mission-Control local policy. +-# Mission-Control local policy ++# Telepathy Mission-Control local policy. # -+allow telepathy_mission_control_t self:process setsched; +- + allow telepathy_mission_control_t self:process setsched; manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) - userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") ++userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) -+ + +-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) 
-+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) -+ + +-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) +-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") +optional_policy(` + gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) + gnome_manage_home_config(telepathy_mission_control_t) 
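Review bot: The new `+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)` drops the `"logger"` name carried by the upstream line it replaces, so every directory telepathy_logger_t creates directly under telepathy_cache_home_t becomes telepathy_logger_cache_home_t rather than only the `logger` subdirectory; the same widening happens for `userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })` (was `".mission-control"`), for `filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })` (was `"mission-control"`), and for sunshine in a later hunk. Named transitions are still used elsewhere in this patch (`gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")`), so the build evidently supports them; unless the names were dropped deliberately, keep the upstream names. If it is deliberate, a comment such as `# unnamed transition: <reason — fill in>` should say why. Both the logger and mission-control sections are cut at the edges of this hunk.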
@@ -66805,78 +76312,143 @@ index 964978b..6cc7ecd 100644 dev_read_rand(telepathy_mission_control_t) - fs_getattr_all_fs(telepathy_mission_control_t) - --files_read_etc_files(telepathy_mission_control_t) +-files_list_tmp(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) -+files_list_tmp(telepathy_mission_control_t) -+ -+userdom_home_manager(telepathy_mission_control_t) -+ -+optional_policy(` -+ dbus_system_bus_client(telepathy_mission_control_t) ++fs_getattr_all_fs(telepathy_mission_control_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -+ optional_policy(` -+ devicekit_dbus_chat_power(telepathy_mission_control_t) -+ ') -+ optional_policy(` -+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) -+ ') -+ optional_policy(` -+ networkmanager_dbus_chat(telepathy_mission_control_t) -+ ') - ') +-') ++files_list_tmp(telepathy_mission_control_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) +-') ++userdom_home_manager(telepathy_mission_control_t) + + optional_policy(` + dbus_system_bus_client(telepathy_mission_control_t) +@@ -245,59 +214,51 @@ optional_policy(` + devicekit_dbus_chat_power(telepathy_mission_control_t) + ') + optional_policy(` +- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t) ++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) + ') + optional_policy(` + networkmanager_dbus_chat(telepathy_mission_control_t) + ') + ') + +-# optional_policy(` +- # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_mission_control_t) +-# ') +# ~/.cache/.mc_connections. 
+optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) - ') ++') ####################################### -@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + # +-# Butterfly and Haze local policy ++# Telepathy Butterfly and Haze local policy. + # + + allow telepathy_msn_t self:process setsched; ++allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +- userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +- +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) -+can_exec(telepathy_msn_t, telepathy_msn_tmp_t) + can_exec(telepathy_msn_t, telepathy_msn_tmp_t) corenet_all_recvfrom_netlabel(telepathy_msn_t) -corenet_all_recvfrom_unlabeled(telepathy_msn_t) corenet_tcp_sendrecv_generic_if(telepathy_msn_t) corenet_tcp_sendrecv_generic_node(telepathy_msn_t) - corenet_tcp_bind_generic_node(telepathy_msn_t) -@@ -225,8 +260,7 @@ corecmd_exec_bin(telepathy_msn_t) - corecmd_exec_shell(telepathy_msn_t) - corecmd_read_bin_symlinks(telepathy_msn_t) +- +-corenet_sendrecv_http_client_packets(telepathy_msn_t) ++corenet_tcp_bind_generic_node(telepathy_msn_t) + corenet_tcp_connect_http_port(telepathy_msn_t) +-corenet_tcp_sendrecv_http_port(telepathy_msn_t) +- +-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) + corenet_tcp_connect_mmcc_port(telepathy_msn_t) 
+-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t) +- +-corenet_sendrecv_msnp_client_packets(telepathy_msn_t) + corenet_tcp_connect_msnp_port(telepathy_msn_t) +-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t) +- +-corenet_sendrecv_sip_client_packets(telepathy_msn_t) + corenet_tcp_connect_sip_port(telepathy_msn_t) +-corenet_tcp_sendrecv_sip_port(telepathy_msn_t) ++corenet_sendrecv_http_client_packets(telepathy_msn_t) ++corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) ++corenet_sendrecv_msnp_client_packets(telepathy_msn_t) --files_read_etc_files(telepathy_msn_t) + corecmd_exec_bin(telepathy_msn_t) + corecmd_exec_shell(telepathy_msn_t) +- -files_read_usr_files(telepathy_msn_t) -+init_read_state(telepathy_msn_t) ++corecmd_read_bin_symlinks(telepathy_msn_t) + + init_read_state(telepathy_msn_t) + +@@ -307,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t) - libs_exec_ldconfig(telepathy_msn_t) + miscfiles_read_all_certs(telepathy_msn_t) -@@ -246,6 +280,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) +- + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_msn_t) + corenet_tcp_connect_all_ports(telepathy_msn_t) + corenet_tcp_sendrecv_all_ports(telepathy_msn_t) ++ corenet_udp_sendrecv_all_ports(telepathy_msn_t) ') - optional_policy(` -+ gnome_read_gconf_home_files(telepathy_msn_t) + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_msn_t) + corenet_tcp_connect_generic_port(telepathy_msn_t) +- corenet_tcp_sendrecv_generic_port(telepathy_msn_t) ++ corenet_sendrecv_generic_client_packets(telepathy_msn_t) +') + +optional_policy(` - dbus_system_bus_client(telepathy_msn_t) ++ gnome_read_gconf_home_files(telepathy_msn_t) + ') - optional_policy(` -@@ -264,7 +302,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa + optional_policy(` +@@ -329,43 +291,33 @@ 
optional_policy(` + ') + ') + +-# optional_policy(` +- # ~/.config/dconf/user +- # gnome_manage_generic_home_content(telepathy_msn_t) +-# ') +- + ####################################### + # +-# Salut local policy ++# Telepathy Salut local policy. + # + +-allow telepathy_salut_t self:tcp_socket { accept listen }; ++allow telepathy_salut_t self:tcp_socket create_stream_socket_perms; + + manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) corenet_all_recvfrom_netlabel(telepathy_salut_t) 
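Review bot: `++allow telepathy_msn_t self:unix_dgram_socket { write create connect };` and `++corecmd_read_bin_symlinks(telepathy_msn_t)` restore rules that the removed old hunk headers (`-@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket …`, `-@@ -225,8 +260,7 @@ corecmd_exec_bin(telepathy_msn_t) …`) show were upstream context before, i.e. upstream dropped them and this patch re-adds them without recording why. A one-line note above each, such as `# restored after upstream removal; still needed on Fedora for <reason — fill in>`, would spare the next rebase from re-evaluating them. The call `gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)` replacing upstream's `gnome_dbus_chat_all_gkeyringd` is presumably an interface-name difference in Fedora's gnome.if; that file is not visible here and is worth confirming. The mission-control and msn sections both extend beyond this hunk.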
@@ -66884,49 +76456,142 @@ index 964978b..6cc7ecd 100644 corenet_tcp_sendrecv_generic_if(telepathy_salut_t) corenet_tcp_sendrecv_generic_node(telepathy_salut_t) corenet_tcp_bind_generic_node(telepathy_salut_t) -@@ -272,8 +309,6 @@ corenet_tcp_bind_presence_port(telepathy_salut_t) +- +-corenet_sendrecv_presence_server_packets(telepathy_salut_t) + corenet_tcp_bind_presence_port(telepathy_salut_t) +-corenet_sendrecv_presence_client_packets(telepathy_salut_t) corenet_tcp_connect_presence_port(telepathy_salut_t) - corenet_sendrecv_presence_server_packets(telepathy_salut_t) +-corenet_tcp_sendrecv_presence_port(telepathy_salut_t) ++corenet_sendrecv_presence_server_packets(telepathy_salut_t) --files_read_etc_files(telepathy_salut_t) -- tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_salut_t) corenet_tcp_connect_all_ports(telepathy_salut_t) corenet_tcp_sendrecv_all_ports(telepathy_salut_t) -@@ -302,7 +337,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; - allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; ++ corenet_udp_sendrecv_all_ports(telepathy_salut_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_salut_t) + corenet_tcp_connect_generic_port(telepathy_salut_t) +- corenet_tcp_sendrecv_generic_port(telepathy_salut_t) ++ corenet_sendrecv_generic_client_packets(telepathy_salut_t) + ') + + optional_policy(` +@@ -378,73 +330,53 @@ optional_policy(` + + ####################################### + # +-# Sofiasip local policy ++# Telepathy Sofiasip local policy. 
+ # + +-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; +-allow telepathy_sofiasip_t self:tcp_socket { accept listen }; ++allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; ++allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) -corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) -@@ -343,9 +377,6 @@ files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t) + corenet_tcp_bind_generic_node(telepathy_sofiasip_t) + corenet_raw_bind_generic_node(telepathy_sofiasip_t) +- +-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t) + corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) +-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) +- + corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) +- +-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_sip_port(telepathy_sofiasip_t) +-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t) ++corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) + + kernel_request_load_module(telepathy_sofiasip_t) + + tunable_policy(`telepathy_connect_all_ports',` +- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_all_ports(telepathy_sofiasip_t) + corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) ++ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t) + ') + + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) + corenet_tcp_connect_generic_port(telepathy_sofiasip_t) +- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t) ++ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) + ') + ####################################### + 
# +-# Sunshine local policy ++# Telepathy Sunshine local policy. + # + + manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) + manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) +-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") ++userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) ++userdom_search_user_home_dirs(telepathy_sunshine_t) + + manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) ++exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) + files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + +-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t) +- corecmd_exec_bin(telepathy_sunshine_t) --files_read_etc_files(telepathy_sunshine_t) -files_read_usr_files(telepathy_sunshine_t) - +-tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs(telepathy_sunshine_t) +- fs_manage_nfs_files(telepathy_sunshine_t) +-') +- +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(telepathy_sunshine_t) +- fs_manage_cifs_files(telepathy_sunshine_t) +-') +- optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -361,18 +392,33 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; - allow telepathy_domain self:tcp_socket create_socket_perms; - allow telepathy_domain self:udp_socket create_socket_perms; +@@ -452,31 +384,41 @@ optional_policy(` + + ####################################### + # +-# Common telepathy domain local policy ++# telepathy domains common policy + # + + allow telepathy_domain self:process { getsched signal sigkill }; + allow telepathy_domain self:fifo_file rw_fifo_file_perms; ++allow telepathy_domain self:tcp_socket create_socket_perms; ++allow telepathy_domain self:udp_socket 
create_socket_perms; -+manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) + manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) +-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +- +-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) +-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") +optional_policy(` + gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +') -+ + dev_read_urand(telepathy_domain) -kernel_read_system_state(telepathy_domain) +files_read_etc_files(telepathy_domain) +files_read_usr_files(telepathy_domain) -+fs_getattr_all_fs(telepathy_domain) + fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) - -miscfiles_read_localization(telepathy_domain) @@ -66948,50 +76613,20 @@ index 964978b..6cc7ecd 100644 +optional_policy(` xserver_rw_xdm_pipes(telepathy_domain) ') -diff --git a/telnet.if b/telnet.if -index 58e7ec0..e4119f7 100644 ---- a/telnet.if -+++ b/telnet.if -@@ -1 +1,19 @@ - ## Telnet daemon -+ -+######################################## -+## -+## Read and write a telnetd domain pty. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`telnet_use_ptys',` -+ gen_require(` -+ type telnetd_devpts_t; -+ ') -+ -+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; -+') diff --git a/telnet.te b/telnet.te -index 3858d35..62dca46 100644 +index 9f89916..6a317d0 100644 --- a/telnet.te 
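Review bot: `++allow telepathy_domain self:tcp_socket create_socket_perms;` and the udp_socket line after it grant socket creation to every domain carrying the telepathy_domain attribute; the old hunk header (`-@@ -361,18 +392,33 @@ … allow telepathy_domain self:tcp_socket create_socket_perms;`) shows these were upstream context before, so upstream dropped them and the patch restores them attribute-wide without a comment. If every connection manager really needs both socket classes, say so in the common section, e.g. `# all telepathy CMs create TCP/UDP sockets: <reason — fill in>`; otherwise keep the grants per domain. `++allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;` (and the matching salut line in the previous hunk) likewise replaces upstream's `{ accept listen }` with the full stream-socket set, which is broader than the two permissions that were apparently missing. The common section continues in the next hunk.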
+++ b/telnet.te -@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t) - # Local policy - # - --allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; -+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t) + allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow telnetd_t self:process signal_perms; allow telnetd_t self:fifo_file rw_fifo_file_perms; - allow telnetd_t self:tcp_socket connected_stream_socket_perms; - allow telnetd_t self:udp_socket create_socket_perms; - # for identd; cjp: this should probably only be inetd_child rules? - allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow telnetd_t self:capability { setuid setgid }; ++allow telnetd_t self:tcp_socket connected_stream_socket_perms; ++allow telnetd_t self:udp_socket create_socket_perms; ++# for identd; cjp: this should probably only be inetd_child rules? ++allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; -+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(telnetd_t, telnetd_devpts_t) @@ -67001,7 +76636,7 @@ index 3858d35..62dca46 100644 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -47,7 +46,6 @@ kernel_read_kernel_sysctls(telnetd_t) +@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) kernel_read_network_state(telnetd_t) 
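Review bot: `++allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;` (with the tcp/udp socket lines before it) restores rules that the old hunk header `-@@ -24,21 +24,20 @@` shows as upstream context, so upstream dropped them and this patch re-adds them while still carrying the inherited `# for identd; cjp: this should probably only be inetd_child rules?` doubt. Replace that comment with the actual reason the Fedora build keeps netlink_tcpdiag access on telnetd itself, e.g. `# identd lookups are done by telnetd, not an inetd child: <ref — fill in>`, or drop the rule if the doubt was right. Earlier in the same hunk the `-diff --git a/telnet.if` block removes the `telnet_use_ptys` interface that the previous patch version added; if anything else in the patch still calls it the policy build fails on the missing interface, which is not visible here. The hunk opens mid-way through the telepathy common section.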
@@ -67009,15 +76644,21 @@ index 3858d35..62dca46 100644 corenet_all_recvfrom_netlabel(telnetd_t) corenet_tcp_sendrecv_generic_if(telnetd_t) corenet_udp_sendrecv_generic_if(telnetd_t) -@@ -68,7 +66,6 @@ auth_use_nsswitch(telnetd_t) - corecmd_search_bin(telnetd_t) +@@ -56,7 +59,6 @@ dev_read_urand(telnetd_t) + + domain_interactive_fd(telnetd_t) - files_read_usr_files(telnetd_t) --files_read_etc_files(telnetd_t) +-files_read_usr_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) - # for identd; cjp: this should probably only be inetd_child rules? files_search_home(telnetd_t) -@@ -77,14 +74,12 @@ init_rw_utmp(telnetd_t) + +@@ -65,16 +67,18 @@ fs_getattr_xattr_fs(telnetd_t) + auth_rw_login_records(telnetd_t) + auth_use_nsswitch(telnetd_t) + ++corecmd_search_bin(telnetd_t) ++ + init_rw_utmp(telnetd_t) logging_send_syslog_msg(telnetd_t) @@ -67025,8 +76666,6 @@ index 3858d35..62dca46 100644 - seutil_read_config(telnetd_t) --remotelogin_domtrans(telnetd_t) -- userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) +userdom_manage_user_tmp_files(telnetd_t) @@ -67034,136 +76673,217 @@ index 3858d35..62dca46 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -96,5 +91,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -86,7 +90,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) +- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0") kerberos_manage_host_rcache(telnetd_t) ') -+ -+optional_policy(` -+ remotelogin_domtrans(telnetd_t) -+') + diff --git a/tftp.fc b/tftp.fc -index 25eee43..621f343 100644 +index 93a5bf4..621f343 100644 --- a/tftp.fc 
+++ b/tftp.fc -@@ -1,3 +1,4 @@ +@@ -1,9 +1,9 @@ +-/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) +/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) + +-/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) +-/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) ++/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) ++/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) + +-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) ++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/tftp.if b/tftp.if -index 38bb312..d9fe23c 100644 +index 9957e30..cf0b925 100644 --- a/tftp.if 
+++ b/tftp.if -@@ -13,9 +13,34 @@ +@@ -1,8 +1,8 @@ +-## Trivial file transfer protocol daemon. ++## Trivial file transfer protocol daemon + + ######################################## + ## +-## Read tftp content files. ++## Read tftp content + ## + ## + ## +@@ -13,18 +13,21 @@ interface(`tftp_read_content',` gen_require(` type tftpdir_t; + type tftpdir_rw_t; ') +- files_search_var_lib($1) +- allow $1 tftpdir_t:dir list_dir_perms; +- allow $1 tftpdir_t:file read_file_perms; +- allow $1 tftpdir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, tftpdir_t, tftpdir_t) - read_files_pattern($1, tftpdir_t, tftpdir_t) ++ read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) + ++ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## tftp rw content. +## Search tftp /var/lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -32,20 +35,18 @@ interface(`tftp_read_content',` + ## + ## + # +-interface(`tftp_manage_rw_content',` +interface(`tftp_search_rw_content',` -+ gen_require(` -+ type tftpdir_rw_t; -+ ') -+ + gen_require(` + type tftpdir_rw_t; + ') + + search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) -+ files_search_var_lib($1) + files_search_var_lib($1) +- allow $1 tftpdir_rw_t:dir manage_dir_perms; +- allow $1 tftpdir_rw_t:file manage_file_perms; +- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; ') ######################################## -@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',` + ## +-## Read tftpd configuration files. ++## Manage tftp /var/lib files. 
+ ## + ## + ## +@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',` + ## + ## + # +-interface(`tftp_read_config_files',` ++interface(`tftp_manage_rw_content',` + gen_require(` +- type tftpd_conf_t; ++ type tftpdir_rw_t; + ') + +- files_search_etc($1) +- allow $1 tftpd_conf_t:file read_file_perms; ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + ') ######################################## ## +-## Create, read, write, and delete +-## tftpd configuration files. +## Read tftp config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',` + ## + ## + # +-interface(`tftp_manage_config_files',` +interface(`tftp_read_config',` -+ gen_require(` + gen_require(` +- type tftpd_conf_t; + type tftpd_etc_t; -+ ') -+ + ') + +- files_search_etc($1) +- allow $1 tftpd_conf_t:file manage_file_perms; + read_files_pattern($1, tftpd_etc_t, tftpd_etc_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in etc directories +-## with tftp conf type. +## Manage tftp config files. -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`tftp_etc_filetrans_config',` +interface(`tftp_manage_config',` -+ gen_require(` + gen_require(` +- type tftp_conf_t; + type tftpd_etc_t; -+ ') -+ + ') + +- files_etc_filetrans($1, tftp_conf_t, $2, $3) + manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) + files_etc_filetrans($1, tftpd_etc_t, file, "tftp") -+') -+ -+######################################## -+## -+## Create objects in tftpdir directories + ') + + ######################################## + ## + ## Create objects in tftpdir directories +-## with a private type. +## with specified types. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## -+## -+## Private file type. -+## -+## -+## -+## -+## Class of the object being created. -+## -+## -+# -+interface(`tftp_filetrans_tftpdir',` -+ gen_require(` -+ type tftpdir_rw_t; -+ ') -+ + ## + ## Private file type. + ## +@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',` + ## Class of the object being created. + ##
    + ## +-## +-## +-## The name of the object being created. +-## +-## + # + interface(`tftp_filetrans_tftpdir',` + gen_require(` + type tftpdir_rw_t; + ') + + filetrans_pattern($1, tftpdir_rw_t, $2, $3) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## + files_search_var_lib($1) +- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an tftp environment. +## Transition to tftp named content +## +## @@ -67182,25 +76902,34 @@ index 38bb312..d9fe23c 100644 + +######################################## +## - ## All of the rules required to administrate - ## an tftp environment ++## All of the rules required to administrate ++## an tftp environment ## -@@ -55,8 +165,13 @@ interface(`tftp_admin',` + ## + ## +@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',` + interface(`tftp_admin',` + gen_require(` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; +- type tftpd_conf_t; ') -- allow $1 tftpd_t:process { ptrace signal_perms getattr }; +- allow $1 tftpd_t:process { ptrace signal_perms }; + allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 tftpd_t:process ptrace; + ') -+ -+ files_list_var_lib($1) - admin_pattern($1, tftpdir_rw_t) +- files_search_etc($1) +- admin_pattern($1, tftpd_conf_t) ++ files_list_var_lib($1) -@@ -64,4 +179,6 @@ interface(`tftp_admin',` +- files_search_var_lib($1) +- admin_pattern($1, { tftpdir_t tftpdir_rw_t }) ++ admin_pattern($1, tftpdir_rw_t) ++ ++ admin_pattern($1, tftpdir_t) files_list_pids($1) admin_pattern($1, tftpd_var_run_t) @@ -67208,24 +76937,55 @@ index 38bb312..d9fe23c 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index d50c10d..d2778d3 100644 +index f455e70..d2778d3 100644 --- a/tftp.te 
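Review bot: `tftp_read_content` loses `files_search_var_lib($1)` (dropped at `+- files_search_var_lib($1)`) in the same change that makes it grant read access on `tftpdir_rw_t`, and tftp.fc in this hunk labels `/var/lib/tftpboot(/.*)?` as `tftpdir_rw_t`, so a caller that relies on this interface alone cannot traverse to that content; keep `files_search_var_lib($1)` next to the new `list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)`. The sibling `tftp_search_rw_content` and `tftp_manage_rw_content` in the same hunk still call it, which makes the omission look accidental rather than intended. The hunk also deletes upstream's `tftp_read_config_files`, `tftp_manage_config_files` and `tftp_etc_filetrans_config` instead of keeping them as thin wrappers around the renamed `tftp_read_config`/`tftp_manage_config`, so any module in the tree still using the upstream names will fail to build; worth a grep before merging.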
+++ b/tftp.te -@@ -13,6 +13,13 @@ policy_module(tftp, 1.12.0) +@@ -1,4 +1,4 @@ +-policy_module(tftp, 1.12.4) ++policy_module(tftp, 1.12.0) + + ######################################## + # +@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4) + # + + ## +-##

    +-## Determine whether tftp can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    ++##

    ++## Allow tftp to modify public files ++## used for public file transfer services. ++##

    ##
    gen_tunable(tftp_anon_write, false) -+## + ## +-##

    +-## Determine whether tftp can manage +-## generic user home content. +-##

    +##

    +## Allow tftp to read and write files in the user home directories +##

    -+##
    + ##
    +-gen_tunable(tftp_enable_homedir, false) +gen_tunable(tftp_home_dir, false) -+ + type tftpd_t; type tftpd_exec_t; init_daemon_domain(tftpd_t, tftpd_exec_t) -@@ -26,21 +33,26 @@ files_type(tftpdir_t) + +-type tftpd_conf_t; +-files_config_file(tftpd_conf_t) +- + type tftpd_var_run_t; + files_pid_file(tftpd_var_run_t) + +@@ -39,6 +33,9 @@ files_type(tftpdir_t) type tftpdir_rw_t; files_type(tftpdir_rw_t) 
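Review bot: The rebased hunk now rewrites upstream's `policy_module(tftp, 1.12.4)` to `policy_module(tftp, 1.12.0)`, moving the module version backwards while the body diverges further from upstream; keep the upstream version (or bump it) so the version string still orders revisions, e.g. `policy_module(tftp, 1.12.4)`. The patch also removes upstream's `type tftpd_conf_t; files_config_file(tftpd_conf_t)` in favour of the Fedora `tftpd_etc_t`, which is only safe if nothing else in the tree references `tftpd_conf_t`; that should be verified rather than assumed. Since the Fedora boolean keeps its `tftp_home_dir` name over upstream's `tftp_enable_homedir`, the tunable description is a good place to note that upstream documentation uses the other name.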
@@ -67235,42 +76995,64 @@ index d50c10d..d2778d3 100644 ######################################## # # Local policy - # +@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t) allow tftpd_t self:capability { setgid setuid sys_chroot }; -+dontaudit tftpd_t self:capability sys_tty_config; - allow tftpd_t self:tcp_socket create_stream_socket_perms; - allow tftpd_t self:udp_socket create_socket_perms; - allow tftpd_t self:unix_dgram_socket create_socket_perms; - allow tftpd_t self:unix_stream_socket create_stream_socket_perms; --dontaudit tftpd_t self:capability sys_tty_config; + dontaudit tftpd_t self:capability sys_tty_config; +-allow tftpd_t self:tcp_socket { accept listen }; +-allow tftpd_t self:unix_stream_socket { accept listen }; +- +-allow tftpd_t tftpd_conf_t:file read_file_perms; ++allow tftpd_t self:tcp_socket create_stream_socket_perms; ++allow tftpd_t self:udp_socket create_socket_perms; ++allow tftpd_t self:unix_dgram_socket create_socket_perms; ++allow tftpd_t self:unix_stream_socket create_stream_socket_perms; allow tftpd_t tftpdir_t:dir list_dir_perms; allow tftpd_t tftpdir_t:file read_file_perms; --allow tftpd_t tftpdir_t:lnk_file { getattr read }; -+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; -+ -+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) + allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; ++read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) ++ manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -@@ -52,7 +64,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) + manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) kernel_read_system_state(tftpd_t) kernel_read_kernel_sysctls(tftpd_t) -corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) - corenet_tcp_sendrecv_generic_if(tftpd_t) ++corenet_tcp_sendrecv_generic_if(tftpd_t) corenet_udp_sendrecv_generic_if(tftpd_t) 
-@@ -72,7 +83,6 @@ fs_search_auto_mountpoints(tftpd_t) ++corenet_tcp_sendrecv_generic_node(tftpd_t) + corenet_udp_sendrecv_generic_node(tftpd_t) ++corenet_tcp_sendrecv_all_ports(tftpd_t) ++corenet_udp_sendrecv_all_ports(tftpd_t) ++corenet_tcp_bind_generic_node(tftpd_t) + corenet_udp_bind_generic_node(tftpd_t) +- +-corenet_sendrecv_tftp_server_packets(tftpd_t) + corenet_udp_bind_tftp_port(tftpd_t) +-corenet_udp_sendrecv_tftp_port(tftpd_t) ++corenet_sendrecv_tftp_server_packets(tftpd_t) + + dev_read_sysfs(tftpd_t) ++fs_getattr_all_fs(tftpd_t) ++fs_search_auto_mountpoints(tftpd_t) ++ domain_use_interactive_fds(tftpd_t) --files_read_etc_files(tftpd_t) files_read_etc_runtime_files(tftpd_t) - files_read_var_files(tftpd_t) +@@ -84,43 +88,44 @@ files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) -@@ -82,7 +92,6 @@ auth_use_nsswitch(tftpd_t) + files_search_var(tftpd_t) + +-fs_getattr_all_fs(tftpd_t) +-fs_search_auto_mountpoints(tftpd_t) +- + auth_use_nsswitch(tftpd_t) logging_send_syslog_msg(tftpd_t) 
@@ -67278,15 +77060,24 @@ index d50c10d..d2778d3 100644 miscfiles_read_public_files(tftpd_t) userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -@@ -93,6 +102,36 @@ tunable_policy(`tftp_anon_write',` + userdom_dontaudit_use_user_terminals(tftpd_t) +-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) ++userdom_dontaudit_search_user_home_dirs(tftpd_t) + + tunable_policy(`tftp_anon_write',` miscfiles_manage_public_files(tftpd_t) ') +-tunable_policy(`tftp_enable_homedir',` +- allow tftpd_t self:capability { dac_override dac_read_search }; +tunable_policy(`tftp_home_dir',` + allow tftpd_t self:capability { dac_override dac_read_search }; -+ + + # allow access to /home -+ files_list_home(tftpd_t) + files_list_home(tftpd_t) +- userdom_manage_user_home_content_dirs(tftpd_t) +- userdom_manage_user_home_content_files(tftpd_t) +- userdom_manage_user_home_content_symlinks(tftpd_t) + userdom_read_user_home_content_files(tftpd_t) + userdom_manage_user_home_content(tftpd_t) + @@ -67296,121 +77087,72 @@ index d50c10d..d2778d3 100644 +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file }) -+') -+ + ') + +-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` +- fs_manage_nfs_dirs(tftpd_t) +- fs_manage_nfs_files(tftpd_t) +- fs_read_nfs_symlinks(tftpd_t) +tunable_policy(`tftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(tftpd_t) + fs_read_nfs_symlinks(tftpd_t) -+') -+ + ') + +-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` +- fs_manage_cifs_dirs(tftpd_t) +- fs_manage_cifs_files(tftpd_t) +- fs_read_cifs_symlinks(tftpd_t) +tunable_policy(`tftp_home_dir && use_samba_home_dirs',` + fs_manage_cifs_files(tftpd_t) + fs_read_cifs_symlinks(tftpd_t) -+') -+ -+optional_policy(` -+ cobbler_read_lib_files(tftpd_t) -+') -+ - optional_policy(` - inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') + + optional_policy(` 
diff --git a/tgtd.fc b/tgtd.fc -index 8294f6f..4847b43 100644 +index 38389e6..4847b43 100644 --- a/tgtd.fc +++ b/tgtd.fc -@@ -1,3 +1,4 @@ - /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) - /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) - /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +@@ -1,7 +1,4 @@ +-/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) +- +-/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +- +-/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +- +-/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) ++/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) ++/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) ++/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) -diff --git a/tgtd.if b/tgtd.if -index c2ed23a..d9e875d 100644 ---- a/tgtd.if -+++ b/tgtd.if -@@ -44,3 +44,22 @@ interface(`tgtd_manage_semaphores',` - - allow $1 tgtd_t:sem create_sem_perms; - ') -+ -+###################################### -+## -+## Connect to tgtd using a unix domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tgtd_stream_connect',` -+ gen_require(` -+ type tgtd_t, tgtd_var_run_t; -+ ') -+ -+ files_search_var_lib($1) -+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t) -+') diff --git a/tgtd.te b/tgtd.te -index 80fe75c..6e81911 100644 +index c93c973..0eff459 100644 --- a/tgtd.te 
+++ b/tgtd.te -@@ -21,15 +21,19 @@ files_tmpfs_file(tgtd_tmpfs_t) - type tgtd_var_lib_t; - files_type(tgtd_var_lib_t) - -+type tgtd_var_run_t; -+files_pid_file(tgtd_var_run_t) -+ - ######################################## - # - # TGTD personal policy. - # - - allow tgtd_t self:capability sys_resource; -+allow tgtd_t self:capability2 block_suspend; - allow tgtd_t self:process { setrlimit signal }; - allow tgtd_t self:fifo_file rw_fifo_file_perms; --allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; -+allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; - allow tgtd_t self:shm create_shm_perms; - allow tgtd_t self:sem create_sem_perms; - allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -46,10 +50,15 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) - manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) - files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) - -+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) -+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) -+ -+kernel_read_system_state(tgtd_t) +@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) - corenet_tcp_sendrecv_iscsi_port(tgtd_t) -@@ -57,10 +66,16 @@ corenet_tcp_bind_generic_node(tgtd_t) - corenet_tcp_bind_iscsi_port(tgtd_t) - corenet_sendrecv_iscsi_server_packets(tgtd_t) + corenet_tcp_bind_generic_node(tgtd_t) +@@ -69,16 +68,12 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) -+dev_read_sysfs(tgtd_t) -+ - files_read_etc_files(tgtd_t) + dev_read_sysfs(tgtd_t) + +-files_read_etc_files(tgtd_t) +- + fs_read_anon_inodefs_files(tgtd_t) -+fs_read_anon_inodefs_files(tgtd_t) -+ 
storage_manage_fixed_disk(tgtd_t) logging_send_syslog_msg(tgtd_t) -miscfiles_read_localization(tgtd_t) -+optional_policy(` -+ iscsi_manage_semaphores(tgtd_t) -+') +- + optional_policy(` + iscsi_manage_semaphores(tgtd_t) + ') diff --git a/thin.fc b/thin.fc new file mode 100644 index 0000000..7f4bce8 @@ -67749,10 +77491,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..572ab5d +index 0000000..0f9dcc7 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,126 @@ +@@ -0,0 +1,130 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -67879,38 +77621,34 @@ index 0000000..572ab5d + gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") + gnome_cache_filetrans(thumb_t, thumb_home_t, file) +') ++ ++optional_policy(` ++ nscd_dontaudit_write_sock_file(thumb_t) ++') diff --git a/thunderbird.te b/thunderbird.te -index bf37d98..0d863fc 100644 +index 4257ede..cddc4c6 100644 --- a/thunderbird.te 
+++ b/thunderbird.te -@@ -54,7 +54,6 @@ kernel_read_system_state(thunderbird_t) - # Startup shellscript +@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) + corecmd_exec_shell(thunderbird_t) -corenet_all_recvfrom_unlabeled(thunderbird_t) corenet_all_recvfrom_netlabel(thunderbird_t) corenet_tcp_sendrecv_generic_if(thunderbird_t) corenet_tcp_sendrecv_generic_node(thunderbird_t) -@@ -82,7 +81,6 @@ dev_dontaudit_search_sysfs(thunderbird_t) - - files_list_tmp(thunderbird_t) - files_read_usr_files(thunderbird_t) --files_read_etc_files(thunderbird_t) - files_read_etc_runtime_files(thunderbird_t) - files_read_var_files(thunderbird_t) - files_read_var_symlinks(thunderbird_t) -@@ -99,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t) +@@ -98,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t) auth_use_nsswitch(thunderbird_t) miscfiles_read_fonts(thunderbird_t) -miscfiles_read_localization(thunderbird_t) - userdom_manage_user_tmp_dirs(thunderbird_t) - userdom_read_user_tmp_files(thunderbird_t) -@@ -112,17 +109,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) + userdom_write_user_tmp_sockets(thunderbird_t) + +@@ -113,17 +111,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) + xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - # Access ~/.thunderbird -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) @@ -67922,16 +77660,17 @@ index bf37d98..0d863fc 100644 - fs_manage_cifs_files(thunderbird_t) - fs_manage_cifs_symlinks(thunderbird_t) -') ++# Access ~/.thunderbird +userdom_home_manager(thunderbird_t) - tunable_policy(`mail_read_content && use_nfs_home_dirs',` - files_list_home(thunderbird_t) + ifndef(`enable_mls',` + fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te -index 67b5592..ccddff5 100644 +index 67ca5c5..4254563 100644 --- a/timidity.te 
+++ b/timidity.te -@@ -39,7 +39,6 @@ kernel_read_kernel_sysctls(timidity_t) - # read /proc/cpuinfo +@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f + kernel_read_kernel_sysctls(timidity_t) kernel_read_system_state(timidity_t) -corenet_all_recvfrom_unlabeled(timidity_t) @@ -67939,102 +77678,93 @@ index 67b5592..ccddff5 100644 corenet_tcp_sendrecv_generic_if(timidity_t) corenet_udp_sendrecv_generic_if(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 0521d5a..b08a00a 100644 +index a4a949c..43988e5 100644 --- a/tmpreaper.te 
+++ b/tmpreaper.te -@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0) - +@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) type tmpreaper_t; type tmpreaper_exec_t; -+init_system_domain(tmpreaper_t, tmpreaper_exec_t) - application_domain(tmpreaper_t, tmpreaper_exec_t) - role system_r types tmpreaper_t; + init_system_domain(tmpreaper_t, tmpreaper_exec_t) ++application_domain(tmpreaper_t, tmpreaper_exec_t) -@@ -18,33 +19,48 @@ role system_r types tmpreaper_t; - allow tmpreaper_t self:process { fork sigchld }; - allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + ######################################## + # +@@ -18,17 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + + kernel_list_unlabeled(tmpreaper_t) + kernel_read_system_state(tmpreaper_t) ++kernel_list_unlabeled(tmpreaper_t) ++kernel_delete_unlabeled(tmpreaper_t) -+kernel_read_system_state(tmpreaper_t) -+ dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) -+fs_list_all(tmpreaper_t) + fs_list_all(tmpreaper_t) ++fs_setattr_tmpfs_dirs(tmpreaper_t) ++fs_delete_tmpfs_files(tmpreaper_t) --files_read_etc_files(tmpreaper_t) +-files_getattr_all_dirs(tmpreaper_t) +-files_getattr_all_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) +files_delete_all_non_security_files(tmpreaper_t) - # why does it need setattr? ++# why does it need setattr? 
files_setattr_all_tmp_dirs(tmpreaper_t) +files_setattr_isid_type_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) - files_getattr_all_dirs(tmpreaper_t) - files_getattr_all_files(tmpreaper_t) -+kernel_list_unlabeled(tmpreaper_t) -+kernel_delete_unlabeled(tmpreaper_t) ++files_getattr_all_dirs(tmpreaper_t) ++files_getattr_all_files(tmpreaper_t) -+mcs_file_read_all(tmpreaper_t) -+mcs_file_write_all(tmpreaper_t) - mls_file_read_all_levels(tmpreaper_t) - mls_file_write_all_levels(tmpreaper_t) + mcs_file_read_all(tmpreaper_t) + mcs_file_write_all(tmpreaper_t) +@@ -39,14 +48,20 @@ auth_use_nsswitch(tmpreaper_t) -+auth_use_nsswitch(tmpreaper_t) -+ logging_send_syslog_msg(tmpreaper_t) -miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) --cron_system_entry(tmpreaper_t, tmpreaper_exec_t) +optional_policy(` + cron_system_entry(tmpreaper_t, tmpreaper_exec_t) +') - ++ ifdef(`distro_redhat',` - userdom_list_user_home_content(tmpreaper_t) -- userdom_delete_user_home_content_dirs(tmpreaper_t) -- userdom_delete_user_home_content_files(tmpreaper_t) -- userdom_delete_user_home_content_symlinks(tmpreaper_t) +- userdom_list_all_user_home_content(tmpreaper_t) ++ userdom_list_user_home_content(tmpreaper_t) + userdom_list_admin_dir(tmpreaper_t) -+ userdom_delete_all_user_home_content_dirs(tmpreaper_t) -+ userdom_delete_all_user_home_content_files(tmpreaper_t) + userdom_delete_all_user_home_content_dirs(tmpreaper_t) + userdom_delete_all_user_home_content_files(tmpreaper_t) + userdom_delete_all_user_home_content_sock_files(tmpreaper_t) -+ userdom_delete_all_user_home_content_symlinks(tmpreaper_t) + userdom_delete_all_user_home_content_symlinks(tmpreaper_t) + userdom_setattr_all_user_home_content_dirs(tmpreaper_t) ') optional_policy(` -@@ -52,7 +68,9 @@ optional_policy(` +@@ -54,6 +69,7 @@ optional_policy(` ') optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) apache_list_cache(tmpreaper_t) -+ apache_delete_cache_dirs(tmpreaper_t) + 
apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) - apache_setattr_cache_dirs(tmpreaper_t) - ') -@@ -66,9 +84,17 @@ optional_policy(` +@@ -69,7 +85,15 @@ optional_policy(` ') optional_policy(` -- rpm_manage_cache(tmpreaper_t) +- lpd_manage_spool(tmpreaper_t) + mandb_delete_cache(tmpreaper_t) - ') - - optional_policy(` -- unconfined_domain(tmpreaper_t) ++') ++ ++optional_policy(` + sandbox_list(tmpreaper_t) + sandbox_delete_dirs(tmpreaper_t) + sandbox_delete_files(tmpreaper_t) + sandbox_delete_sock_files(tmpreaper_t) + sandbox_setattr_dirs(tmpreaper_t) -+') -+ -+optional_policy(` -+ rpm_manage_cache(tmpreaper_t) ') + + optional_policy(` diff --git a/tomcat.fc b/tomcat.fc new file mode 100644 index 0000000..a8385bc @@ -68531,23 +78261,23 @@ index 0000000..0557ffc + tomcat_search_lib(tomcat_domain) +') diff --git a/tor.fc b/tor.fc -index e2e06b2..6752bc3 100644 +index 6b9d449..ac02092 100644 --- a/tor.fc +++ b/tor.fc -@@ -4,6 +4,8 @@ - /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +@@ -6,6 +6,8 @@ + + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) + - /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) diff --git a/tor.if b/tor.if -index 904f13e..5801347 100644 +index 61c2e07..5e1df41 100644 --- a/tor.if +++ b/tor.if -@@ -18,6 +18,29 @@ interface(`tor_domtrans',` +@@ -19,6 +19,29 @@ interface(`tor_domtrans',` domtrans_pattern($1, tor_exec_t, tor_t) ') 
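Review bot: `++kernel_list_unlabeled(tmpreaper_t)` duplicates the upstream `kernel_list_unlabeled(tmpreaper_t)` that is already present as context two lines above it, so the resulting tmpreaper.te carries the call twice; keep only `++kernel_delete_unlabeled(tmpreaper_t)` at that spot. Duplicate interface calls are harmless to the compiled policy but they are exactly the kind of drift that makes the next rebase noisy. The same hunk drops upstream's `lpd_manage_spool(tmpreaper_t)` from the optional_policy block that now holds `mandb_delete_cache(tmpreaper_t)`; if the Fedora lpd module lacks that interface, a comment saying so would stop it being re-added later, otherwise tmpreaper silently loses the ability to clean the print spool.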
@@ -68576,24 +78306,29 @@ index 904f13e..5801347 100644 + ######################################## ## - ## All of the rules required to administrate -@@ -40,10 +63,14 @@ interface(`tor_admin',` + ## All of the rules required to +@@ -39,12 +62,18 @@ interface(`tor_domtrans',` + interface(`tor_admin',` + gen_require(` type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t; - type tor_initrc_exec_t; +- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; ++ type tor_var_lib_t, tor_var_run_t; ++ type tor_initrc_exec_t; + type tor_unit_file_t; ') -- allow $1 tor_t:process { ptrace signal_perms getattr }; +- allow $1 tor_t:process { ptrace signal_perms }; + allow $1 tor_t:process signal_perms; ps_process_pattern($1, tor_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 tor_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) -@@ -61,4 +88,13 @@ interface(`tor_admin',` + role_transition $2 tor_initrc_exec_t system_r; +@@ -61,4 +90,13 @@ interface(`tor_admin',` files_list_pids($1) admin_pattern($1, tor_var_run_t) @@ -68608,10 +78343,10 @@ index 904f13e..5801347 100644 + ') ') diff --git a/tor.te b/tor.te -index c842cad..a655e4c 100644 +index 964a395..2a5bcc4 100644 --- a/tor.te +++ b/tor.te -@@ -13,6 +13,13 @@ policy_module(tor, 1.8.0) +@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) ## gen_tunable(tor_bind_all_unreserved_ports, false) 
@@ -68625,66 +78360,52 @@ index c842cad..a655e4c 100644 type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -@@ -36,12 +43,16 @@ logging_log_file(tor_var_log_t) - type tor_var_run_t; +@@ -33,6 +40,9 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) + init_daemon_run_dir(tor_var_run_t, "tor") +type tor_unit_file_t; +systemd_unit_file(tor_unit_file_t) + ######################################## # - # tor local policy - # - - allow tor_t self:capability { setgid setuid sys_tty_config }; -+allow tor_t self:process signal; - allow tor_t self:fifo_file rw_fifo_file_perms; - allow tor_t self:unix_stream_socket create_stream_socket_perms; - allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -73,9 +84,10 @@ manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) - files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) - + # Local policy +@@ -68,6 +78,8 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) + kernel_read_kernel_sysctls(tor_t) + kernel_read_net_sysctls(tor_t) kernel_read_system_state(tor_t) +kernel_read_net_sysctls(tor_t) +kernel_read_kernel_sysctls(tor_t) - # networking basics --corenet_all_recvfrom_unlabeled(tor_t) + corenet_all_recvfrom_unlabeled(tor_t) corenet_all_recvfrom_netlabel(tor_t) - corenet_tcp_sendrecv_generic_if(tor_t) - corenet_udp_sendrecv_generic_if(tor_t) -@@ -87,6 +99,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) +@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) + corenet_udp_sendrecv_generic_node(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) - corenet_tcp_bind_tor_port(tor_t) -+corenet_tcp_bind_tor_socks_port(tor_t) - corenet_udp_bind_dns_port(tor_t) - corenet_sendrecv_tor_server_packets(tor_t) +- corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,13 +108,14 @@ corenet_tcp_connect_all_ports(tor_t) - corenet_sendrecv_all_client_packets(tor_t) - # ... 
especially including port 80 and other privileged ports - corenet_tcp_connect_all_reserved_ports(tor_t) -+corenet_udp_bind_dns_port(tor_t) + corenet_udp_bind_dns_port(tor_t) + corenet_udp_sendrecv_dns_port(tor_t) +@@ -94,23 +105,27 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) - # tor uses crypto and needs random + dev_read_sysfs(tor_t) dev_read_urand(tor_t) +dev_read_sysfs(tor_t) domain_use_interactive_fds(tor_t) --files_read_etc_files(tor_t) files_read_etc_runtime_files(tor_t) - files_read_usr_files(tor_t) +-files_read_usr_files(tor_t) -@@ -109,12 +123,16 @@ auth_use_nsswitch(tor_t) + auth_use_nsswitch(tor_t) logging_send_syslog_msg(tor_t) -miscfiles_read_localization(tor_t) - - tunable_policy(`tor_bind_all_unreserved_ports', ` + tunable_policy(`tor_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(tor_t) corenet_tcp_bind_all_unreserved_ports(tor_t) ') @@ -68698,10 +78419,10 @@ index c842cad..a655e4c 100644 seutil_sigchld_newrole(tor_t) ') diff --git a/transproxy.te b/transproxy.te -index 95cf0c0..f191f8a 100644 +index 20d1a28..e90a7e8 100644 --- a/transproxy.te +++ b/transproxy.te -@@ -29,7 +29,6 @@ kernel_read_kernel_sysctls(transproxy_t) +@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) kernel_list_proc(transproxy_t) kernel_read_proc_symlinks(transproxy_t) @@ -68709,7 +78430,7 @@ index 95cf0c0..f191f8a 100644 corenet_all_recvfrom_netlabel(transproxy_t) corenet_tcp_sendrecv_generic_if(transproxy_t) corenet_tcp_sendrecv_generic_node(transproxy_t) -@@ -49,8 +48,6 @@ fs_search_auto_mountpoints(transproxy_t) +@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(transproxy_t) logging_send_syslog_msg(transproxy_t) @@ -68719,10 +78440,10 @@ index 95cf0c0..f191f8a 100644 userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te -index 2ae8b62..bfe64af 100644 +index 2e1110d..2c989b4 100644 --- a/tripwire.te 
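Review bot: The tor.te part of this hunk now keeps `corenet_all_recvfrom_unlabeled(tor_t)` as upstream context (the outer `--`/`+ ` pair shows the Fedora patch previously removed it), while the same contrib patch still strips that rule from transproxy_t and uml_t elsewhere in this diff, so tor_t becomes the one domain here that may receive from unlabeled network peers. If that is intended for Tor's client and relay traffic, a one-line comment above it such as `# tor exchanges traffic with arbitrary unlabeled peers` would keep the next rebase from dropping it again; otherwise the removal should be restored for consistency. The same hunk also adds `kernel_read_net_sysctls(tor_t)`, `kernel_read_kernel_sysctls(tor_t)` and `dev_read_sysfs(tor_t)` directly under identical upstream context lines; duplicate interface calls are harmless to the policy compiler but should be dropped to keep the carried patch minimal. The tor_t local policy is only shown in excerpts within this hunk.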
+++ b/tripwire.te -@@ -80,7 +80,7 @@ files_getattr_all_sockets(tripwire_t) +@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) logging_send_syslog_msg(tripwire_t) @@ -68731,7 +78452,7 @@ index 2ae8b62..bfe64af 100644 optional_policy(` cron_system_entry(tripwire_t, tripwire_exec_t) -@@ -99,9 +99,7 @@ domain_use_interactive_fds(twadmin_t) +@@ -107,9 +107,7 @@ files_search_etc(twadmin_t) logging_send_syslog_msg(twadmin_t) @@ -68742,7 +78463,7 @@ index 2ae8b62..bfe64af 100644 ######################################## # -@@ -125,9 +123,7 @@ domain_use_interactive_fds(twprint_t) +@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t) logging_send_syslog_msg(twprint_t) @@ -68753,7 +78474,7 @@ index 2ae8b62..bfe64af 100644 ######################################## # -@@ -141,6 +137,4 @@ files_read_all_files(siggen_t) +@@ -150,6 +146,4 @@ files_read_all_files(siggen_t) logging_send_syslog_msg(siggen_t) @@ -68761,136 +78482,65 @@ index 2ae8b62..bfe64af 100644 - -userdom_use_user_terminals(siggen_t) +userdom_use_inherited_user_terminals(siggen_t) -diff --git a/tuned.fc b/tuned.fc -index 639c962..e789b2e 100644 ---- a/tuned.fc -+++ b/tuned.fc -@@ -1,8 +1,12 @@ - /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) - -+/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0) -+/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0) -+ - /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) - - /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) --/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) -+/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0) - -+/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0) - /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/tuned.if b/tuned.if -index 54b8605..a04f013 100644 +index e29db63..061fb98 100644 --- a/tuned.if 
+++ b/tuned.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run tuned. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`tuned_domtrans',` -@@ -112,18 +112,20 @@ interface(`tuned_initrc_domtrans',` - # - interface(`tuned_admin',` - gen_require(` -- type tuned_t, tuned_var_run_t; -- type tuned_initrc_exec_t; -+ type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; +@@ -119,9 +119,13 @@ interface(`tuned_admin',` + type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; ') - allow $1 tuned_t:process { ptrace signal_perms }; + allow $1 tuned_t:process signal_perms; ps_process_pattern($1, tuned_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 tuned_t:process ptrace; + ') - ++ tuned_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, tuned_var_run_t) - ') diff --git a/tuned.te b/tuned.te -index db9d2a5..edfe6ba 100644 +index 7116181..5355bfc 100644 --- a/tuned.te 
+++ b/tuned.te -@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) - type tuned_initrc_exec_t; - init_script_file(tuned_initrc_exec_t) - -+type tuned_etc_t; -+files_config_file(tuned_etc_t) -+ -+type tuned_rw_etc_t; -+files_config_file(tuned_rw_etc_t) -+ - type tuned_log_t; - logging_log_file(tuned_log_t) +@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t) -@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t) - # - # tuned local policy - # -- -+allow tuned_t self:capability { sys_admin sys_nice }; + allow tuned_t self:capability { sys_admin sys_nice }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; +-allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal }; -+allow tuned_t self:fifo_file rw_fifo_file_perms; + allow tuned_t self:fifo_file rw_fifo_file_perms; +allow tuned_t self:udp_socket create_socket_perms; -+ -+read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -+exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -+ -+manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) -+files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") - manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) - manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) + read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) + exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) +@@ -44,7 +45,7 @@ manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) + append_files_pattern(tuned_t, tuned_log_t, tuned_log_t) + create_files_pattern(tuned_t, tuned_log_t, tuned_log_t) + setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -logging_log_filetrans(tuned_t, tuned_log_t, file) +logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log") manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) --files_pid_filetrans(tuned_t, tuned_var_run_t, file) -+manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -+files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) + 
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +@@ -57,6 +58,7 @@ kernel_request_load_module(tuned_t) + kernel_rw_kernel_sysctl(tuned_t) + kernel_rw_hotplug_sysctls(tuned_t) + kernel_rw_vm_sysctls(tuned_t) ++kernel_setsched(tuned_t) - corecmd_exec_shell(tuned_t) corecmd_exec_bin(tuned_t) + corecmd_exec_shell(tuned_t) +@@ -69,26 +71,39 @@ dev_rw_netcontrol(tuned_t) - kernel_read_system_state(tuned_t) - kernel_read_network_state(tuned_t) -- -+kernel_read_kernel_sysctls(tuned_t) -+kernel_request_load_module(tuned_t) -+kernel_rw_kernel_sysctl(tuned_t) -+kernel_rw_hotplug_sysctls(tuned_t) -+kernel_rw_vm_sysctls(tuned_t) -+kernel_setsched(tuned_t) -+ -+dev_getattr_all_blk_files(tuned_t) -+dev_getattr_all_chr_files(tuned_t) -+dev_dontaudit_getattr_all(tuned_t) - dev_read_urand(tuned_t) --dev_read_sysfs(tuned_t) -+dev_rw_sysfs(tuned_t) - # to allow cpu tuning - dev_rw_netcontrol(tuned_t) - --files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) +-files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) -+ + +-fs_getattr_xattr_fs(tuned_t) +fs_getattr_all_fs(tuned_t) + +auth_use_nsswitch(tuned_t) 
@@ -68899,81 +78549,68 @@ index db9d2a5..edfe6ba 100644 -miscfiles_read_localization(tuned_t) +mount_read_pid_files(tuned_t) -+ -+udev_read_pid_files(tuned_t) + + udev_read_pid_files(tuned_t) userdom_dontaudit_search_user_home_dirs(tuned_t) -+optional_policy(` + optional_policy(` + dbus_system_bus_client(tuned_t) + dbus_connect_system_bus(tuned_t) +') + - # to allow disk tuning - optional_policy(` ++# to allow disk tuning ++optional_policy(` fstools_domtrans(tuned_t) ') -+optional_policy(` + optional_policy(` + gnome_dontaudit_search_config(tuned_t) +') + +optional_policy(` -+ mount_domtrans(tuned_t) -+') -+ - # to allow network interface tuning + mount_domtrans(tuned_t) + ') + ++# to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) ') -+ -+optional_policy(` -+ unconfined_dbus_send(tuned_t) -+') diff --git a/tvtime.te b/tvtime.te -index 531b1f1..7455f78 100644 +index 3292fcc..fff4b4a 100644 --- a/tvtime.te +++ b/tvtime.te -@@ -67,23 +67,13 @@ files_read_etc_files(tvtime_t) - # X access, Home files - fs_search_auto_mountpoints(tvtime_t) +@@ -69,21 +69,12 @@ fs_search_auto_mountpoints(tvtime_t) + auth_use_nsswitch(tvtime_t) --miscfiles_read_localization(tvtime_t) miscfiles_read_fonts(tvtime_t) +-miscfiles_read_localization(tvtime_t) -userdom_use_user_terminals(tvtime_t) +userdom_use_inherited_user_terminals(tvtime_t) - userdom_read_user_home_content_files(tvtime_t) ++userdom_read_user_home_content_files(tvtime_t) - # X access, Home files -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) - fs_manage_nfs_symlinks(tvtime_t) -') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(tvtime_t) - fs_manage_cifs_files(tvtime_t) - fs_manage_cifs_symlinks(tvtime_t) -') ++# X access, Home files +userdom_home_manager(tvtime_t) optional_policy(` xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) 
diff --git a/tzdata.te b/tzdata.te -index d0f2a64..9896b57 100644 +index aa6ae96..9f86987 100644 --- a/tzdata.te +++ b/tzdata.te -@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t) - # tzdata local policy - # - --files_read_etc_files(tzdata_t) -+files_read_config_files(tzdata_t) - files_search_spool(tzdata_t) - - fs_getattr_xattr_fs(tzdata_t) -@@ -24,11 +24,10 @@ term_dontaudit_list_ptys(tzdata_t) +@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t) 
@@ -68984,52 +78621,10 @@ index d0f2a64..9896b57 100644 -userdom_use_user_terminals(tzdata_t) +userdom_use_inherited_user_terminals(tzdata_t) - # tzdata looks for /var/spool/postfix/etc/localtime. - optional_policy(` -diff --git a/ucspitcp.if b/ucspitcp.if -index c1feba4..bf82170 100644 ---- a/ucspitcp.if -+++ b/ucspitcp.if -@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', ` - - role system_r types $1; - -- domain_auto_trans(ucspitcp_t, $2, $1) -- allow $1 ucspitcp_t:fd use; -- allow $1 ucspitcp_t:process sigchld; -- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; -+ domtrans_pattern(ucspitcp_t, $2, $1) - ') -diff --git a/ucspitcp.te b/ucspitcp.te -index a0794bf..a05c54c 100644 ---- a/ucspitcp.te -+++ b/ucspitcp.te -@@ -24,7 +24,6 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) - - corecmd_search_bin(rblsmtpd_t) - --corenet_all_recvfrom_unlabeled(rblsmtpd_t) - corenet_all_recvfrom_netlabel(rblsmtpd_t) - corenet_tcp_sendrecv_generic_if(rblsmtpd_t) - corenet_udp_sendrecv_generic_if(rblsmtpd_t) -@@ -55,7 +54,6 @@ allow ucspitcp_t self:udp_socket create_socket_perms; - corecmd_search_bin(ucspitcp_t) - - # base networking: --corenet_all_recvfrom_unlabeled(ucspitcp_t) - corenet_all_recvfrom_netlabel(ucspitcp_t) - corenet_tcp_sendrecv_generic_if(ucspitcp_t) - corenet_udp_sendrecv_generic_if(ucspitcp_t) -@@ -89,5 +87,7 @@ sysnet_read_config(ucspitcp_t) - optional_policy(` - daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) -+ daemontools_sigchld_run(ucspitcp_t) - daemontools_read_svc(ucspitcp_t) - ') -+ + postfix_search_spool(tzdata_t) diff --git a/ulogd.if b/ulogd.if -index d23be5c..a05cd68 100644 +index 9b95c3e..a892845 100644 --- a/ulogd.if +++ b/ulogd.if @@ -123,8 +123,11 @@ interface(`ulogd_admin',` @@ -69046,88 +78641,73 @@ index d23be5c..a05cd68 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index 3b953f5..d35a323 100644 +index c6acbbe..46f1120 100644 
--- a/ulogd.te +++ b/ulogd.te -@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t) - - # config files - type ulogd_etc_t; --files_type(ulogd_etc_t) -+files_config_file(ulogd_etc_t) - - type ulogd_initrc_exec_t; - init_script_file(ulogd_initrc_exec_t) -@@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t) - # ulogd local policy +@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) # --allow ulogd_t self:capability net_admin; -+allow ulogd_t self:capability { net_admin sys_nice }; + allow ulogd_t self:capability { net_admin sys_nice }; +-allow ulogd_t self:process setsched; +allow ulogd_t self:process { setsched }; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; -+allow ulogd_t self:netlink_socket create_socket_perms; + allow ulogd_t self:netlink_socket create_socket_perms; +-allow ulogd_t self:tcp_socket create_stream_socket_perms; +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; +allow ulogd_t self:udp_socket create_socket_perms; - # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -46,7 +51,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +@@ -45,7 +47,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) files_read_etc_files(ulogd_t) files_read_usr_files(ulogd_t) -miscfiles_read_localization(ulogd_t) - optional_policy(` - allow ulogd_t self:tcp_socket create_stream_socket_perms; + sysnet_dns_name_resolve(ulogd_t) + diff --git a/uml.if b/uml.if -index d2ab7cb..ddb34f1 100644 +index ab5c1d0..d13105e 100644 --- a/uml.if 
+++ b/uml.if -@@ -31,9 +31,9 @@ interface(`uml_role',` - allow $2 uml_t:unix_dgram_socket sendto; +@@ -32,7 +32,7 @@ interface(`uml_role',` allow uml_t $2:unix_dgram_socket sendto; -- # allow ps, ptrace, signal -+ # allow ps, signal ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; + allow $2 uml_t:process signal_perms; - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2, uml_ro_t, uml_ro_t) + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; diff --git a/uml.te b/uml.te -index ff094e5..4ddeb30 100644 +index dc03cc5..fa862cf 100644 --- a/uml.te 
+++ b/uml.te -@@ -50,7 +50,7 @@ files_pid_file(uml_switch_var_run_t) - # +@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) - allow uml_t self:fifo_file rw_fifo_file_perms; --allow uml_t self:process { signal_perms ptrace }; -+allow uml_t self:process signal_perms; - allow uml_t self:unix_stream_socket create_stream_socket_perms; - allow uml_t self:unix_dgram_socket create_socket_perms; - # Use the network. -@@ -97,7 +97,6 @@ kernel_write_proc_files(uml_t) - # for xterm corecmd_exec_bin(uml_t) -corenet_all_recvfrom_unlabeled(uml_t) corenet_all_recvfrom_netlabel(uml_t) corenet_tcp_sendrecv_generic_if(uml_t) - corenet_udp_sendrecv_generic_if(uml_t) -@@ -131,7 +130,7 @@ seutil_use_newrole_fds(uml_t) - # Use the network. - sysnet_read_config(uml_t) + corenet_tcp_sendrecv_generic_node(uml_t) +@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t) + + libs_exec_lib_files(uml_t) -userdom_use_user_terminals(uml_t) ++# Inherit and use descriptors from newrole. ++seutil_use_newrole_fds(uml_t) ++ ++# Use the network. ++sysnet_read_config(uml_t) ++ +userdom_use_inherited_user_terminals(uml_t) userdom_attach_admin_tun_iface(uml_t) - optional_policy(` -@@ -174,8 +173,6 @@ init_use_script_ptys(uml_switch_t) + tunable_policy(`use_nfs_home_dirs',` +@@ -171,8 +176,6 @@ init_use_script_ptys(uml_switch_t) logging_send_syslog_msg(uml_switch_t) @@ -69137,19 +78717,19 @@ index ff094e5..4ddeb30 100644 userdom_dontaudit_search_user_home_dirs(uml_switch_t) diff --git a/updfstab.te b/updfstab.te -index ef12ed5..4bd4cea 100644 +index 2d871b8..acbf304 100644 --- a/updfstab.te 
+++ b/updfstab.te -@@ -69,8 +69,6 @@ init_use_script_ptys(updfstab_t) - logging_send_syslog_msg(updfstab_t) +@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) logging_search_logs(updfstab_t) + logging_send_syslog_msg(updfstab_t) -miscfiles_read_localization(updfstab_t) - seutil_read_config(updfstab_t) seutil_read_default_contexts(updfstab_t) seutil_read_file_contexts(updfstab_t) -@@ -78,9 +76,8 @@ seutil_read_file_contexts(updfstab_t) +@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t) userdom_dontaudit_search_user_home_content(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t) @@ -69160,13 +78740,13 @@ index ef12ed5..4bd4cea 100644 +auth_domtrans_pam_console(updfstab_t) optional_policy(` - init_dbus_chat_script(updfstab_t) + dbus_system_bus_client(updfstab_t) diff --git a/uptime.te b/uptime.te -index c2cf97e..d9105b0 100644 +index 09741f6..8e5b35c 100644 --- a/uptime.te +++ b/uptime.te -@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t; - files_config_file(uptimed_etc_t) +@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; + init_script_file(uptimed_initrc_exec_t) type uptimed_spool_t; -files_type(uptimed_spool_t) @@ -69174,15 +78754,6 @@ index c2cf97e..d9105b0 100644 type uptimed_var_run_t; files_pid_file(uptimed_var_run_t) -@@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t) - - dontaudit uptimed_t self:capability sys_tty_config; - allow uptimed_t self:process signal_perms; --allow uptimed_t self:fifo_file write_file_perms; -+allow uptimed_t self:fifo_file write_fifo_file_perms; - - allow uptimed_t uptimed_etc_t:file read_file_perms; - files_search_etc(uptimed_t) @@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t) logging_send_syslog_msg(uptimed_t) @@ -69193,10 +78764,19 @@ index c2cf97e..d9105b0 100644 userdom_dontaudit_search_user_home_dirs(uptimed_t) diff --git a/usbmodules.te b/usbmodules.te -index 74354da..f04565f 100644 +index cb9b5bb..3aa7952 100644 --- a/usbmodules.te 
+++ b/usbmodules.te -@@ -34,9 +34,7 @@ init_use_fds(usbmodules_t) +@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) + dev_list_usbfs(usbmodules_t) + dev_rw_usbfs(usbmodules_t) + +-files_list_etc(usbmodules_t) +- + term_read_console(usbmodules_t) + term_write_console(usbmodules_t) + +@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t) miscfiles_read_hwdata(usbmodules_t) @@ -69207,28 +78787,26 @@ index 74354da..f04565f 100644 optional_policy(` hotplug_read_config(usbmodules_t) -@@ -45,3 +43,7 @@ optional_policy(` - optional_policy(` - logging_send_syslog_msg(usbmodules_t) ') + +optional_policy(` + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.fc b/usbmuxd.fc -index 40b8b8d..cd80b9b 100644 +index 220f6ad..cd80b9b 100644 --- a/usbmuxd.fc +++ b/usbmuxd.fc @@ -1,3 +1,4 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - /var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) ++/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) diff --git a/usbmuxd.if b/usbmuxd.if -index 53792d3..823ac94 100644 +index 1ec5e99..88e287d 100644 --- a/usbmuxd.if +++ b/usbmuxd.if -@@ -37,3 +37,65 @@ interface(`usbmuxd_stream_connect',` +@@ -38,3 +38,66 @@ interface(`usbmuxd_stream_connect',` files_search_pids($1) stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) ') @@ -69285,6 +78863,7 @@ index 53792d3..823ac94 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 usbmuxd_t:process ptrace; + ') ++ + allow $2 system_r; + + files_list_pids($1) @@ -69295,16 +78874,16 @@ index 53792d3..823ac94 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 4440aa6..8c94194 100644 +index 8840be6..285680c 100644 --- a/usbmuxd.te 
+++ b/usbmuxd.te -@@ -7,12 +7,15 @@ policy_module(usbmuxd, 1.1.0) +@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; type usbmuxd_t; type usbmuxd_exec_t; --application_domain(usbmuxd_t, usbmuxd_exec_t) +init_system_domain(usbmuxd_t, usbmuxd_exec_t) - role system_r types usbmuxd_t; + application_domain(usbmuxd_t, usbmuxd_exec_t) + role usbmuxd_roles types usbmuxd_t; type usbmuxd_var_run_t; files_pid_file(usbmuxd_var_run_t) @@ -69314,17 +78893,13 @@ index 4440aa6..8c94194 100644 + ######################################## # - # usbmuxd local policy -@@ -33,10 +36,12 @@ kernel_read_system_state(usbmuxd_t) - dev_read_sysfs(usbmuxd_t) - dev_rw_generic_usb_dev(usbmuxd_t) + # Local policy +@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) --files_read_etc_files(usbmuxd_t) -- --miscfiles_read_localization(usbmuxd_t) -- auth_use_nsswitch(usbmuxd_t) +-miscfiles_read_localization(usbmuxd_t) +- logging_send_syslog_msg(usbmuxd_t) + +seutil_dontaudit_read_file_contexts(usbmuxd_t) @@ -69333,67 +78908,288 @@ index 4440aa6..8c94194 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/userhelper.fc b/userhelper.fc -index e70b0e8..cd83b89 100644 +index c416a83..cd83b89 100644 --- a/userhelper.fc +++ b/userhelper.fc -@@ -7,3 +7,4 @@ - # /usr - # - /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +@@ -1,5 +1,10 @@ +-/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) ++# ++# /etc ++# ++/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) + +-/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) +- +-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +\ No newline at end of file ++# ++# /usr ++# ++/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) 
diff --git a/userhelper.if b/userhelper.if -index 65baaac..3b93d32 100644 +index cf118fd..3b93d32 100644 --- a/userhelper.if 
+++ b/userhelper.if -@@ -25,6 +25,7 @@ template(`userhelper_role_template',` +@@ -1,4 +1,4 @@ +-## A wrapper that helps users run system programs. ++## SELinux utility to run a shell with a new role + + ####################################### + ## +@@ -23,9 +23,9 @@ + # + template(`userhelper_role_template',` gen_require(` - attribute userhelper_type; - type userhelper_exec_t, userhelper_conf_t; +- attribute userhelper_type, consolehelper_type; +- attribute_role userhelper_roles, consolehelper_roles; +- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; ++ attribute userhelper_type; ++ type userhelper_exec_t, userhelper_conf_t; + class dbus send_msg; ') ######################################## -@@ -121,6 +122,9 @@ template(`userhelper_role_template',` - auth_manage_pam_pid($1_userhelper_t) - auth_manage_var_auth($1_userhelper_t) - auth_search_pam_console_data($1_userhelper_t) -+ auth_use_nsswitch($1_userhelper_t) -+ -+ logging_send_syslog_msg($1_userhelper_t) - - # Inherit descriptors from the current session. 
- init_use_fds($1_userhelper_t) -@@ -128,7 +132,6 @@ template(`userhelper_role_template',` - init_manage_utmp($1_userhelper_t) - init_pid_filetrans_utmp($1_userhelper_t) - -- miscfiles_read_localization($1_userhelper_t) - - seutil_read_config($1_userhelper_t) - seutil_read_default_contexts($1_userhelper_t) -@@ -145,18 +148,6 @@ template(`userhelper_role_template',` - ') +@@ -33,64 +33,123 @@ template(`userhelper_role_template',` + # Declarations + # - optional_policy(` -- logging_send_syslog_msg($1_userhelper_t) -- ') +- type $1_consolehelper_t, consolehelper_type; +- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) +- +- role consolehelper_roles types $1_consolehelper_t; +- roleattribute $2 consolehelper_roles; - -- optional_policy(` -- nis_use_ypbind($1_userhelper_t) -- ') + type $1_userhelper_t, userhelper_type; + userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) - + domain_role_change_exemption($1_userhelper_t) + domain_obj_id_change_exemption($1_userhelper_t) + domain_interactive_fd($1_userhelper_t) + domain_subj_id_change_exemption($1_userhelper_t) +- +- role userhelper_roles types $1_userhelper_t; +- roleattribute $2 userhelper_roles; ++ role $2 types $1_userhelper_t; + + ######################################## + # +- # Consolehelper local policy ++ # Local policy + # ++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; ++ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++ allow $1_userhelper_t self:process setexec; ++ allow $1_userhelper_t self:fd use; ++ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; ++ allow $1_userhelper_t self:shm create_shm_perms; ++ allow $1_userhelper_t self:sem create_sem_perms; ++ allow $1_userhelper_t self:msgq create_msgq_perms; ++ allow $1_userhelper_t self:msg { send receive }; ++ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; ++ 
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_userhelper_t self:unix_dgram_socket sendto; ++ allow $1_userhelper_t self:unix_stream_socket connectto; ++ allow $1_userhelper_t self:sock_file read_sock_file_perms; + +- allow $1_consolehelper_t $3:unix_stream_socket connectto; ++ #Transition to the derived domain. ++ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + +- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) ++ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; ++ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) + +- allow $3 $1_consolehelper_t:process { ptrace signal_perms }; +- ps_process_pattern($3, $1_consolehelper_t) ++ can_exec($1_userhelper_t, userhelper_exec_t) + +- auth_use_pam($1_consolehelper_t) ++ dontaudit $3 $1_userhelper_t:process signal; + - optional_policy(` -- nscd_socket_use($1_userhelper_t) +- dbus_connect_all_session_bus($1_consolehelper_t) ++ kernel_read_all_sysctls($1_userhelper_t) ++ kernel_getattr_debugfs($1_userhelper_t) ++ kernel_read_system_state($1_userhelper_t) + +- optional_policy(` +- userhelper_dbus_chat_all_consolehelper($3) +- ') - ') -- -- optional_policy(` ++ # Execute shells ++ corecmd_exec_shell($1_userhelper_t) ++ # By default, revert to the calling domain when a program is executed ++ corecmd_bin_domtrans($1_userhelper_t, $3) + +- ######################################## +- # +- # Userhelper local policy +- # ++ # Inherit descriptors from the current session. ++ domain_use_interactive_fds($1_userhelper_t) ++ # for when the user types "exec userhelper" at the command line ++ domain_sigchld_interactive_fds($1_userhelper_t) + +- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) ++ dev_read_urand($1_userhelper_t) ++ # Read /dev directories and any symbolic links. 
++ dev_list_all_dev_nodes($1_userhelper_t) + +- dontaudit $3 $1_userhelper_t:process signal; ++ files_list_var_lib($1_userhelper_t) ++ # Read the /etc/security/default_type file ++ files_read_etc_files($1_userhelper_t) ++ # Read /var. ++ files_read_var_files($1_userhelper_t) ++ files_read_var_symlinks($1_userhelper_t) ++ # for some PAM modules and for cwd ++ files_search_home($1_userhelper_t) + +- corecmd_bin_domtrans($1_userhelper_t, $3) ++ fs_search_auto_mountpoints($1_userhelper_t) ++ fs_read_nfs_files($1_userhelper_t) ++ fs_read_nfs_symlinks($1_userhelper_t) ++ ++ # Allow $1_userhelper to obtain contexts to relabel TTYs ++ selinux_get_fs_mount($1_userhelper_t) ++ selinux_validate_context($1_userhelper_t) ++ selinux_compute_access_vector($1_userhelper_t) ++ selinux_compute_create_context($1_userhelper_t) ++ selinux_compute_relabel_context($1_userhelper_t) ++ selinux_compute_user_contexts($1_userhelper_t) ++ ++ # Read the devpts root directory. ++ term_list_ptys($1_userhelper_t) ++ # Relabel terminals. ++ term_relabel_all_ttys($1_userhelper_t) ++ term_relabel_all_ptys($1_userhelper_t) ++ # Access terminals. ++ term_use_all_ttys($1_userhelper_t) ++ term_use_all_ptys($1_userhelper_t) + + auth_domtrans_chk_passwd($1_userhelper_t) ++ auth_manage_pam_pid($1_userhelper_t) ++ auth_manage_var_auth($1_userhelper_t) ++ auth_search_pam_console_data($1_userhelper_t) + auth_use_nsswitch($1_userhelper_t) + ++ logging_send_syslog_msg($1_userhelper_t) ++ ++ # Inherit descriptors from the current session. ++ init_use_fds($1_userhelper_t) ++ # Write to utmp. ++ init_manage_utmp($1_userhelper_t) ++ init_pid_filetrans_utmp($1_userhelper_t) ++ ++ ++ seutil_read_config($1_userhelper_t) ++ seutil_read_default_contexts($1_userhelper_t) ++ ++ # Allow $1_userhelper_t to transition to user domains. 
+ userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) + userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) + ++ ifdef(`distro_redhat',` ++ optional_policy(` ++ # Allow transitioning to rpm_t, for up2date ++ rpm_domtrans($1_userhelper_t) ++ ') ++ ') ++ + optional_policy(` tunable_policy(`! secure_mode',` - #if we are not in secure mode then we can transition to sysadm_t ++ #if we are not in secure mode then we can transition to sysadm_t sysadm_bin_spec_domtrans($1_userhelper_t) -@@ -255,3 +246,91 @@ interface(`userhelper_exec',` + sysadm_entry_spec_domtrans($1_userhelper_t) + ') +@@ -99,7 +158,7 @@ template(`userhelper_role_template',` + + ######################################## + ## +-## Search userhelper configuration directories. ++## Search the userhelper configuration directory. + ## + ## + ## +@@ -118,7 +177,7 @@ interface(`userhelper_search_config',` + ######################################## + ## + ## Do not audit attempts to search +-## userhelper configuration directories. ++## the userhelper configuration directory. + ## + ## + ## +@@ -136,8 +195,7 @@ interface(`userhelper_dontaudit_search_config',` + + ######################################## + ## +-## Send and receive messages from +-## consolehelper over dbus. ++## Allow domain to use userhelper file descriptor. + ## + ## + ## +@@ -145,19 +203,17 @@ interface(`userhelper_dontaudit_search_config',` + ## + ## + # +-interface(`userhelper_dbus_chat_all_consolehelper',` ++interface(`userhelper_use_fd',` + gen_require(` +- attribute consolehelper_type; +- class dbus send_msg; ++ attribute userhelper_type; + ') + +- allow $1 consolehelper_type:dbus send_msg; +- allow consolehelper_type $1:dbus send_msg; ++ allow $1 userhelper_type:fd use; + ') + + ######################################## + ## +-## Use userhelper all userhelper file descriptors. ++## Allow domain to send sigchld to userhelper. 
+ ## + ## + ## +@@ -165,17 +221,17 @@ interface(`userhelper_dbus_chat_all_consolehelper',` + ## + ## + # +-interface(`userhelper_use_fd',` ++interface(`userhelper_sigchld',` + gen_require(` + attribute userhelper_type; + ') - can_exec($1, userhelper_exec_t) +- allow $1 userhelper_type:fd use; ++ allow $1 userhelper_type:process sigchld; ') + + ######################################## + ## +-## Send child terminated signals to all userhelper. ++## Execute the userhelper program in the caller domain. + ## + ## + ## +@@ -183,17 +239,87 @@ interface(`userhelper_use_fd',` + ## + ## + # +-interface(`userhelper_sigchld',` ++interface(`userhelper_exec',` + gen_require(` +- attribute userhelper_type; ++ type userhelper_exec_t; + ') + +- allow $1 userhelper_type:process sigchld; ++ can_exec($1, userhelper_exec_t) ++') + +####################################### +## @@ -69463,116 +79259,244 @@ index 65baaac..3b93d32 100644 + xserver_run_xauth($1_consolehelper_t, $2) + xserver_read_xdm_pid($1_consolehelper_t) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute the userhelper program in the caller domain. +## Execute the consolehelper program in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -201,11 +327,10 @@ interface(`userhelper_sigchld',` + ## + ## + # +-interface(`userhelper_exec',` +interface(`userhelper_exec_console',` -+ gen_require(` + gen_require(` +- type userhelper_exec_t; + type consolehelper_exec_t; -+ ') -+ + ') + +- corecmd_search_bin($1) +- can_exec($1, userhelper_exec_t) + can_exec($1, consolehelper_exec_t) -+') + ') diff --git a/userhelper.te b/userhelper.te -index f25ed61..1b381f0 100644 +index 274ed9c..1b381f0 100644 --- a/userhelper.te 
+++ b/userhelper.te -@@ -6,9 +6,81 @@ policy_module(userhelper, 1.7.0) +@@ -1,18 +1,15 @@ +-policy_module(userhelper, 1.7.3) ++policy_module(userhelper, 1.7.0) + + ######################################## + # + # Declarations # +-attribute consolehelper_type; attribute userhelper_type; +- +-attribute_role consolehelper_roles; +-attribute_role userhelper_roles; +attribute consolehelper_domain; type userhelper_conf_t; - files_type(userhelper_conf_t) +-files_config_file(userhelper_conf_t) ++files_type(userhelper_conf_t) type userhelper_exec_t; application_executable_file(userhelper_exec_t) -+ -+type consolehelper_exec_t; -+application_executable_file(consolehelper_exec_t) -+ -+######################################## -+# +@@ -22,141 +19,68 @@ application_executable_file(consolehelper_exec_t) + + ######################################## + # +-# Common consolehelper domain local policy +# consolehelper local policy -+# -+ + # + +-allow consolehelper_type self:capability { setgid setuid dac_override }; +-allow consolehelper_type self:process signal; +-allow consolehelper_type self:fifo_file rw_fifo_file_perms; +-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms; +-allow consolehelper_type self:shm create_shm_perms; +- +-dontaudit consolehelper_type userhelper_conf_t:file audit_access; +-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) +allow consolehelper_domain self:shm create_shm_perms; +allow consolehelper_domain self:capability { setgid setuid dac_override }; +allow consolehelper_domain self:process signal; -+ + +-domain_use_interactive_fds(consolehelper_type) +allow consolehelper_domain userhelper_conf_t:file audit_access; +dontaudit consolehelper_domain userhelper_conf_t:file write; +read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) -+ + +-kernel_read_system_state(consolehelper_type) +-kernel_read_kernel_sysctls(consolehelper_type) +# Init script handling 
+domain_use_interactive_fds(consolehelper_domain) -+ + +-corecmd_exec_bin(consolehelper_type) +# internal communication is often done using fifo and unix sockets. +allow consolehelper_domain self:fifo_file rw_fifo_file_perms; +allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; -+ + +-dev_getattr_all_chr_files(consolehelper_type) +-dev_dontaudit_list_all_dev_nodes(consolehelper_type) +kernel_read_kernel_sysctls(consolehelper_domain) -+ + +-files_read_config_files(consolehelper_type) +-files_read_usr_files(consolehelper_type) +corecmd_exec_bin(consolehelper_domain) -+ + +-fs_getattr_all_dirs(consolehelper_type) +-fs_getattr_all_fs(consolehelper_type) +-fs_search_auto_mountpoints(consolehelper_type) +-files_search_mnt(consolehelper_type) +dev_getattr_all_chr_files(consolehelper_domain) +dev_dontaudit_list_all_dev_nodes(consolehelper_domain) +dev_dontaudit_getattr_all(consolehelper_domain) +fs_getattr_all_fs(consolehelper_domain) +fs_getattr_all_dirs(consolehelper_domain) -+ + +-term_list_ptys(consolehelper_type) +files_read_config_files(consolehelper_domain) +files_read_usr_files(consolehelper_domain) -+ + +-auth_search_pam_console_data(consolehelper_type) +-auth_read_pam_pid(consolehelper_type) +term_list_ptys(consolehelper_domain) -+ + +-miscfiles_read_localization(consolehelper_type) +-miscfiles_read_fonts(consolehelper_type) +auth_search_pam_console_data(consolehelper_domain) +auth_read_pam_pid(consolehelper_domain) -+ + +-userhelper_exec(consolehelper_type) +init_read_utmp(consolehelper_domain) +init_telinit(consolehelper_domain) -+ + +-userdom_use_user_terminals(consolehelper_type) +miscfiles_read_fonts(consolehelper_domain) -+ + +-# might want to make this consolehelper_tmp_t +-userdom_manage_user_tmp_dirs(consolehelper_type) +-userdom_manage_user_tmp_files(consolehelper_type) +-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) +- +-tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs(consolehelper_type) +-') 
+userhelper_exec(consolehelper_domain) -+ + +-tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs(consolehelper_type) +-') +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) +userdom_read_user_home_content_files(consolehelper_domain) -+ -+optional_policy(` + + optional_policy(` +- shutdown_run(consolehelper_type, consolehelper_roles) +- shutdown_signal(consolehelper_type) + gnome_read_gconf_home_files(consolehelper_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- xserver_domtrans_xauth(consolehelper_type) +- xserver_read_xdm_pid(consolehelper_type) +- xserver_stream_connect(consolehelper_type) + xserver_read_home_fonts(consolehelper_domain) + xserver_stream_connect(consolehelper_domain) -+') -+ + ') + +-######################################## +-# +-# Common userhelper domain local policy +-# +- +-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; +-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; +-allow userhelper_type self:fd use; +-allow userhelper_type self:fifo_file rw_fifo_file_perms; +-allow userhelper_type self:shm create_shm_perms; +-allow userhelper_type self:sem create_sem_perms; +-allow userhelper_type self:msgq create_msgq_perms; +-allow userhelper_type self:msg { send receive }; +-allow userhelper_type self:unix_dgram_socket sendto; +-allow userhelper_type self:unix_stream_socket { accept connectto listen }; +- +-dontaudit userhelper_type userhelper_conf_t:file audit_access; +-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t) +- +-can_exec(userhelper_type, userhelper_exec_t) +- +-kernel_read_all_sysctls(userhelper_type) +-kernel_getattr_debugfs(userhelper_type) +-kernel_read_system_state(userhelper_type) +- +-corecmd_exec_shell(userhelper_type) +- +-domain_use_interactive_fds(userhelper_type) +-domain_sigchld_interactive_fds(userhelper_type) +- 
+-dev_read_urand(userhelper_type) +-dev_list_all_dev_nodes(userhelper_type) +- +-files_list_var_lib(userhelper_type) +-files_read_var_files(userhelper_type) +-files_read_var_symlinks(userhelper_type) +-files_search_home(userhelper_type) +- +-fs_getattr_all_fs(userhelper_type) +-fs_search_auto_mountpoints(userhelper_type) +- +-selinux_get_fs_mount(userhelper_type) +-selinux_validate_context(userhelper_type) +-selinux_compute_access_vector(userhelper_type) +-selinux_compute_create_context(userhelper_type) +-selinux_compute_relabel_context(userhelper_type) +-selinux_compute_user_contexts(userhelper_type) +- +-term_list_ptys(userhelper_type) +-term_relabel_all_ttys(userhelper_type) +-term_relabel_all_ptys(userhelper_type) +-term_use_all_ttys(userhelper_type) +-term_use_all_ptys(userhelper_type) +- +-auth_manage_pam_pid(userhelper_type) +-auth_manage_var_auth(userhelper_type) +-auth_search_pam_console_data(userhelper_type) +- +-init_use_fds(userhelper_type) +-init_manage_utmp(userhelper_type) +-init_pid_filetrans_utmp(userhelper_type) +- +-logging_send_syslog_msg(userhelper_type) +- +-miscfiles_read_localization(userhelper_type) +- +-seutil_read_config(userhelper_type) +-seutil_read_default_contexts(userhelper_type) +tunable_policy(`use_nfs_home_dirs',` + files_search_mnt(consolehelper_domain) + fs_search_nfs(consolehelper_domain) +') -+ + +-optional_policy(` +- rpm_domtrans(userhelper_type) +tunable_policy(`use_samba_home_dirs',` + files_search_mnt(consolehelper_domain) + fs_search_cifs(consolehelper_domain) -+') + ') diff --git a/usernetctl.if b/usernetctl.if -index d45c715..2d4f1ba 100644 +index 7deec55..325bb57 100644 --- a/usernetctl.if +++ b/usernetctl.if -@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` +@@ -39,9 +39,26 @@ interface(`usernetctl_domtrans',` # interface(`usernetctl_run',` gen_require(` 
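Review bot: The rewritten `userhelper_exec_console` interface in this hunk drops upstream's `corecmd_search_bin($1)` (`+- corecmd_search_bin($1)`) and keeps only `can_exec($1, consolehelper_exec_t)`, so a caller that does not already hold search on the bin directories may be unable to reach the executable; the same omission is in the new `userhelper_exec` body built from `userhelper_sigchld` in the preceding hunk, which now reads `can_exec($1, userhelper_exec_t)` alone. Restoring `corecmd_search_bin($1)` before the `can_exec` line in both interfaces would match the upstream form the patch replaces. In the userhelper.te section the refreshed patch also rewinds `policy_module(userhelper, 1.7.3)` to `policy_module(userhelper, 1.7.0)`, which moves the module version backwards relative to upstream; the usual convention is to keep or bump it. The userhelper.if section of the patch begins before this hunk.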
@@ -69587,7 +79511,7 @@ index d45c715..2d4f1ba 100644 + #roleattribute $2 usernetctl_roles; + + sysnet_run_ifconfig(usernetctl_t, $2) -+ sysnet_run_dhcpc(usernetctl_t, $2) ++ sysnet_run_dhcpc(usernetctl_t, $2) + + optional_policy(` + iptables_run(usernetctl_t, $2) @@ -69603,10 +79527,10 @@ index d45c715..2d4f1ba 100644 + ') diff --git a/usernetctl.te b/usernetctl.te -index 19c70bb..8a00ab0 100644 +index dd3f01e..a2229f7 100644 --- a/usernetctl.te +++ b/usernetctl.te -@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) +@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.1) # Declarations # @@ -69623,15 +79547,7 @@ index 19c70bb..8a00ab0 100644 ######################################## # -@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t) - - domain_dontaudit_read_all_domains_state(usernetctl_t) - --files_read_etc_files(usernetctl_t) - files_exec_etc_files(usernetctl_t) - files_read_etc_runtime_files(usernetctl_t) - files_list_pids(usernetctl_t) -@@ -55,36 +55,36 @@ auth_use_nsswitch(usernetctl_t) +@@ -48,31 +49,36 @@ auth_use_nsswitch(usernetctl_t) logging_send_syslog_msg(usernetctl_t) @@ -69639,19 +79555,19 @@ index 19c70bb..8a00ab0 100644 - seutil_read_config(usernetctl_t) - sysnet_read_config(usernetctl_t) -sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) - --userdom_use_user_terminals(usernetctl_t) -+userdom_use_inherited_user_terminals(usernetctl_t) ++sysnet_read_config(usernetctl_t) + +#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) +#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) +-userdom_use_user_terminals(usernetctl_t) ++userdom_use_inherited_user_terminals(usernetctl_t) + optional_policy(` - consoletype_run(usernetctl_t, usernetctl_roles) -+ #consoletype_run(usernetctl_t, usernetctl_roles) ++# consoletype_run(usernetctl_t, usernetctl_roles) + consoletype_exec(usernetctl_t) ') 
@@ -69674,37 +79590,42 @@ index 19c70bb..8a00ab0 100644 +#') optional_policy(` - nis_use_ypbind(usernetctl_t) - ') - --optional_policy(` - ppp_run(usernetctl_t, usernetctl_roles) --') ++ nis_use_ypbind(usernetctl_t) + ') ++ +#optional_policy(` +# ppp_run(usernetctl_t, usernetctl_roles) +#') diff --git a/uucp.if b/uucp.if -index ebc5414..8f8ac45 100644 +index af9acc0..0119768 100644 --- a/uucp.if +++ b/uucp.if -@@ -99,8 +99,11 @@ interface(`uucp_admin',` - type uucpd_var_run_t; +@@ -104,14 +104,13 @@ interface(`uucp_admin',` + type uucpd_var_run_t, uucpd_initrc_exec_t; ') +- init_labeled_script_domtrans($1, uucpd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 uucpd_initrc_exec_t system_r; +- allow $2 system_r; +- - allow $1 uucpd_t:process { ptrace signal_perms }; + allow $1 uucpd_t:process signal_perms; ps_process_pattern($1, uucpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 uucpd_t:process ptrace; + ') - ++ logging_list_logs($1) admin_pattern($1, uucpd_log_t) + diff --git a/uucp.te b/uucp.te -index d4349e9..e338438 100644 +index 380902c..3886551 100644 --- a/uucp.te +++ b/uucp.te -@@ -24,7 +24,7 @@ type uucpd_ro_t; +@@ -31,7 +31,7 @@ type uucpd_ro_t; files_type(uucpd_ro_t) type uucpd_spool_t; 
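Review bot: The refreshed `uucp_admin` hunk now removes upstream's `init_labeled_script_domtrans($1, uucpd_initrc_exec_t)`, `domain_system_change_exemption($1)`, `role_transition $2 uucpd_initrc_exec_t system_r;` and `allow $2 system_r;`, yet the surviving gen_require line still pulls in `uucpd_initrc_exec_t` and `$2` is no longer referenced anywhere visible in the interface. If withholding the init-script transition (and with it the admin role's entry into `system_r` through this interface) is intended, the `uucpd_initrc_exec_t` entry in the gen_require should go too; otherwise the four lines should be restored, as the sibling `uuidd_admin` hunk further down still keeps `uuidd_initrc_domtrans($1)` and `domain_system_change_exemption($1)`. The remainder of `uucp_admin` lies outside this hunk.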
@@ -69713,85 +79634,60 @@ index d4349e9..e338438 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -74,7 +74,6 @@ kernel_read_kernel_sysctls(uucpd_t) +@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t) kernel_read_system_state(uucpd_t) kernel_read_network_state(uucpd_t) -corenet_all_recvfrom_unlabeled(uucpd_t) corenet_all_recvfrom_netlabel(uucpd_t) corenet_tcp_sendrecv_generic_if(uucpd_t) - corenet_udp_sendrecv_generic_if(uucpd_t) -@@ -83,6 +82,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) - corenet_tcp_sendrecv_all_ports(uucpd_t) - corenet_udp_sendrecv_all_ports(uucpd_t) - corenet_tcp_connect_ssh_port(uucpd_t) -+corenet_tcp_connect_uucpd_port(uucpd_t) + corenet_tcp_sendrecv_generic_node(uucpd_t) ++corenet_udp_sendrecv_generic_node(uucpd_t) ++corenet_tcp_sendrecv_all_ports(uucpd_t) ++corenet_udp_sendrecv_all_ports(uucpd_t) - dev_read_urand(uucpd_t) + corenet_sendrecv_ssh_client_packets(uucpd_t) + corenet_tcp_connect_ssh_port(uucpd_t) + corenet_tcp_sendrecv_ssh_port(uucpd_t) -@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t) ++corenet_tcp_connect_uucpd_port(uucpd_t) ++ corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) --files_read_etc_files(uucpd_t) - files_search_home(uucpd_t) - files_search_spool(uucpd_t) - -@@ -101,8 +100,6 @@ auth_use_nsswitch(uucpd_t) +@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t) logging_send_syslog_msg(uucpd_t) -miscfiles_read_localization(uucpd_t) -- - mta_send_mail(uucpd_t) ++mta_send_mail(uucpd_t) optional_policy(` -@@ -125,18 +122,19 @@ optional_policy(` - allow uux_t self:capability { setuid setgid }; - allow uux_t self:fifo_file write_fifo_file_perms; - -+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) -+ - uucp_append_log(uux_t) - uucp_manage_spool(uux_t) - - corecmd_exec_bin(uux_t) - --files_read_etc_files(uux_t) - - fs_rw_anon_inodefs_files(uux_t) - --logging_send_syslog_msg(uux_t) -+auth_use_nsswitch(uux_t) + cron_system_entry(uucpd_t, uucpd_exec_t) +@@ -160,10 +164,17 @@ auth_use_nsswitch(uux_t) + 
logging_search_logs(uux_t) + logging_send_syslog_msg(uux_t) -miscfiles_read_localization(uux_t) +logging_send_syslog_msg(uux_t) optional_policy(` mta_send_mail(uux_t) -@@ -145,5 +143,5 @@ optional_policy(` - ') - - optional_policy(` -- nscd_socket_use(uux_t) -+ postfix_rw_master_pipes(uux_t) + mta_read_queue(uux_t) ++') ++ ++optional_policy(` + sendmail_dontaudit_rw_unix_stream_sockets(uux_t) ') -diff --git a/uuidd.fc b/uuidd.fc -index a7c9381..d810232 100644 ---- a/uuidd.fc -+++ b/uuidd.fc -@@ -1,4 +1,5 @@ --/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) + -+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) - - /usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) - ++optional_policy(` ++ postfix_rw_inherited_master_pipes(uux_t) ++') diff --git a/uuidd.if b/uuidd.if -index 5d43bd5..879a5cb 100644 +index 6e48653..29e3648 100644 --- a/uuidd.if +++ b/uuidd.if -@@ -176,6 +176,9 @@ interface(`uuidd_admin',` +@@ -180,6 +180,9 @@ interface(`uuidd_admin',` allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) @@ -69802,16 +79698,16 @@ index 5d43bd5..879a5cb 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/uuidd.te b/uuidd.te -index 04589dc..33b02b5 100644 +index e670f55..43199ee 100644 --- a/uuidd.te +++ b/uuidd.te -@@ -41,4 +41,3 @@ domain_use_interactive_fds(uuidd_t) +@@ -44,4 +44,3 @@ domain_use_interactive_fds(uuidd_t) files_read_etc_files(uuidd_t) -miscfiles_read_localization(uuidd_t) diff --git a/uwimap.te b/uwimap.te -index 46d9811..f109ba3 100644 +index b81e5c8..d120c52 100644 --- a/uwimap.te +++ b/uwimap.te @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) 
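Review bot: The uux_t hunk adds `logging_send_syslog_msg(uux_t)` a second time: upstream's copy survives as the context line just above the removed `miscfiles_read_localization(uux_t)`, and the patch still inserts `+logging_send_syslog_msg(uux_t)` in its place. Duplicate rules are tolerated by the policy build, so this is harmless, but the added line should be dropped so that the patch only removes the localization call. In the uucpd_t hunk the patch also re-adds `corenet_tcp_sendrecv_all_ports(uucpd_t)` and `corenet_udp_sendrecv_all_ports(uucpd_t)`, which upstream appears to no longer carry next to its specific ssh-port rules and the added `corenet_tcp_connect_uucpd_port(uucpd_t)`; if the daemon only needs its own port and ssh, the all-ports rules widen its network reach beyond what the rest of the hunk targets and would be worth a comment or a narrower interface.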
@@ -69822,20 +79718,29 @@ index 46d9811..f109ba3 100644 corenet_all_recvfrom_netlabel(imapd_t) corenet_tcp_sendrecv_generic_if(imapd_t) corenet_tcp_sendrecv_generic_node(imapd_t) -@@ -65,8 +64,6 @@ auth_domtrans_chk_passwd(imapd_t) +@@ -56,8 +55,6 @@ dev_read_urand(imapd_t) + + domain_use_interactive_fds(imapd_t) + +-files_read_etc_files(imapd_t) +- + fs_getattr_all_fs(imapd_t) + fs_search_auto_mountpoints(imapd_t) + +@@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t) logging_send_syslog_msg(imapd_t) -miscfiles_read_localization(imapd_t) - - sysnet_read_config(imapd_t) + sysnet_dns_name_resolve(imapd_t) userdom_dontaudit_use_unpriv_user_fds(imapd_t) diff --git a/varnishd.if b/varnishd.if -index 93975d6..bd248ce 100644 +index 1c35171..2cba4df 100644 --- a/varnishd.if +++ b/varnishd.if -@@ -151,12 +151,16 @@ interface(`varnishd_manage_log',` +@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',` # interface(`varnishd_admin_varnishlog',` gen_require(` @@ -69853,21 +79758,23 @@ index 93975d6..bd248ce 100644 init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) domain_system_change_exemption($1) -@@ -194,8 +198,11 @@ interface(`varnishd_admin',` +@@ -196,9 +200,13 @@ interface(`varnishd_admin',` type varnishd_initrc_exec_t; ') - allow $1 varnishd_t:process { ptrace signal_perms }; + allow $1 varnishd_t:process signal_perms; ps_process_pattern($1, varnishd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 varnishd_t:process ptrace; + ') - ++ init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) + role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index f9310f3..b4dafb7 100644 +index 9d4d8cb..cd79417 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; 
@@ -69895,30 +79802,22 @@ index f9310f3..b4dafb7 100644 -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; allow varnishd_t self:fifo_file rw_fifo_file_perms; - allow varnishd_t self:tcp_socket create_stream_socket_perms; - allow varnishd_t self:udp_socket create_socket_perms; -@@ -87,14 +87,14 @@ corenet_tcp_connect_http_port(varnishd_t) - - dev_read_urand(varnishd_t) + allow varnishd_t self:tcp_socket { accept listen }; -+files_read_usr_files(varnishd_t) -+ - fs_getattr_all_fs(varnishd_t) - - auth_use_nsswitch(varnishd_t) +@@ -111,7 +111,7 @@ auth_use_nsswitch(varnishd_t) logging_send_syslog_msg(varnishd_t) -miscfiles_read_localization(varnishd_t) -- - sysnet_read_config(varnishd_t) ++sysnet_read_config(varnishd_t) tunable_policy(`varnishd_connect_any',` + corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 001c93c..f918ed2 100644 +index 14e1eec..b33d259 100644 --- a/vbetool.te +++ b/vbetool.te -@@ -22,6 +22,7 @@ init_system_domain(vbetool_t, vbetool_exec_t) +@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; # allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; @@ -69926,7 +79825,7 @@ index 001c93c..f918ed2 100644 allow vbetool_t self:process execmem; dev_wx_raw_memory(vbetool_t) -@@ -38,7 +39,6 @@ mls_file_write_all_levels(vbetool_t) +@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t) term_use_unallocated_ttys(vbetool_t) 
@@ -69934,30 +79833,12 @@ index 001c93c..f918ed2 100644 tunable_policy(`vbetool_mmap_zero_ignore',` dontaudit vbetool_t self:memprotect mmap_zero; -diff --git a/vdagent.fc b/vdagent.fc -index 21c5f41..3ae71ae 100644 ---- a/vdagent.fc -+++ b/vdagent.fc -@@ -1,7 +1,7 @@ - /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) - - /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) --/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) -+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0) - - /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) --/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) -+/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) diff --git a/vdagent.if b/vdagent.if -index e59a074..b708678 100644 +index 31c752e..e9c041d 100644 --- a/vdagent.if +++ b/vdagent.if -@@ -20,39 +20,39 @@ interface(`vdagent_domtrans',` - - ##################################### - ## --## Getattr on vdagent executable. -+## Getattr on vdagent executable. +@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',` + ## Get attributes of vdagent executable files. ## ## -## @@ -69975,14 +79856,10 @@ index e59a074..b708678 100644 + type vdagent_exec_t; + ') -- allow $1 vdagent_exec_t:file getattr; -+ allow $1 vdagent_exec_t:file getattr; + allow $1 vdagent_exec_t:file getattr_file_perms; ') - - ####################################### - ## --## Get the attributes of vdagent logs. -+## Get the attributes of vdagent logs. +@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',` + ## Get attributes of vdagent log files. ## ## -## 
@@ -70008,14 +79885,8 @@ index e59a074..b708678 100644 ') ######################################## -@@ -76,22 +76,22 @@ interface(`vdagent_read_pid_files',` - - ##################################### - ## --## Connect to vdagent over a unix domain --## stream socket. -+## Connect to vdagent over a unix domain -+## stream socket. +@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',` + ## domain stream socket. ## ## -## @@ -70041,7 +79912,7 @@ index e59a074..b708678 100644 ') ######################################## -@@ -104,12 +104,6 @@ interface(`vdagent_stream_connect',` +@@ -105,12 +105,6 @@ interface(`vdagent_stream_connect',` ## Domain allowed access. ## ## @@ -70054,7 +79925,7 @@ index e59a074..b708678 100644 # interface(`vdagent_admin',` gen_require(` -@@ -118,6 +112,9 @@ interface(`vdagent_admin',` +@@ -120,6 +114,9 @@ interface(`vdagent_admin',` allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) @@ -70062,146 +79933,66 @@ index e59a074..b708678 100644 + allow $1 vdagent_t:process ptrace; + ') - files_search_pids($1) - admin_pattern($1, vdagent_var_run_t) + init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 29e24e2..b1ca03a 100644 +index 77be35a..f9c0665 100644 --- a/vdagent.te 
+++ b/vdagent.te -@@ -21,6 +21,7 @@ logging_log_file(vdagent_log_t) - # +@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) dontaudit vdagent_t self:capability sys_admin; -+allow vdagent_t self:process signal; - + allow vdagent_t self:process signal; ++ allow vdagent_t self:fifo_file rw_fifo_file_perms; - allow vdagent_t self:unix_stream_socket create_stream_socket_perms; -@@ -32,7 +33,7 @@ files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file }) + allow vdagent_t self:unix_stream_socket { accept listen }; - manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) - manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) --logging_log_filetrans(vdagent_t, vdagent_log_t, file) -+logging_log_filetrans(vdagent_t, vdagent_log_t, { file }) +@@ -47,9 +48,14 @@ files_read_etc_files(vdagent_t) - dev_rw_input_dev(vdagent_t) - dev_read_sysfs(vdagent_t) -@@ -40,7 +41,16 @@ dev_dontaudit_write_mtrr(vdagent_t) + init_read_state(vdagent_t) - files_read_etc_files(vdagent_t) - --miscfiles_read_localization(vdagent_t) -+init_read_state(vdagent_t) -+ +-logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) + +term_use_virtio_console(vdagent_t) -+ + +-miscfiles_read_localization(vdagent_t) +userdom_read_all_users_state(vdagent_t) + +logging_send_syslog_msg(vdagent_t) - optional_policy(` - consolekit_dbus_chat(vdagent_t) + userdom_read_all_users_state(vdagent_t) + diff --git a/vhostmd.if b/vhostmd.if -index 1f872b5..8af4bce 100644 +index 22edd58..c3a5364 100644 --- a/vhostmd.if 
+++ b/vhostmd.if -@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',` - ') - - allow $1 vhostmd_tmpfs_t:file read_file_perms; -- files_search_tmp($1) -+ fs_search_tmpfs($1) - ') - - ######################################## -@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',` - ') - - rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -- files_search_tmp($1) -+ fs_search_tmpfs($1) - ') - - ######################################## -@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',` +@@ -216,9 +216,13 @@ interface(`vhostmd_admin',` + type vhostmd_tmpfs_t; ') - manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -- files_search_tmp($1) -+ fs_search_tmpfs($1) - ') - - ######################################## -@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',` - type vhostmd_var_run_t; - ') - -- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) -+ files_search_pids($1) -+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) - ') - - ######################################## -@@ -209,8 +210,11 @@ interface(`vhostmd_admin',` - type vhostmd_t, vhostmd_initrc_exec_t; - ') - -- allow $1 vhostmd_t:process { ptrace signal_perms getattr }; +- allow $1 vhostmd_t:process { ptrace signal_perms }; + allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 vhostmd_t:process ptrace; + ') - ++ vhostmd_initrc_domtrans($1) domain_system_change_exemption($1) -@@ -220,5 +224,4 @@ interface(`vhostmd_admin',` - vhostmd_manage_tmpfs_files($1) - - vhostmd_manage_pid_files($1) -- - ') + role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te -index 32a3c13..0cbca75 100644 +index 0be8535..b96e329 100644 --- a/vhostmd.te 
+++ b/vhostmd.te -@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t) - # - - allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; --allow vhostmd_t self:process { setsched getsched }; --allow vhostmd_t self:fifo_file rw_file_perms; -+allow vhostmd_t self:process { setsched getsched signal }; -+allow vhostmd_t self:fifo_file rw_fifo_file_perms; - - manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) -@@ -35,6 +35,7 @@ manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) - manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) - files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) - -+kernel_read_kernel_sysctls(vhostmd_t) - kernel_read_system_state(vhostmd_t) - kernel_read_network_state(vhostmd_t) - kernel_write_xen_state(vhostmd_t) -@@ -44,17 +45,21 @@ corecmd_exec_shell(vhostmd_t) - - corenet_tcp_connect_soundd_port(vhostmd_t) - --files_read_etc_files(vhostmd_t) -+dev_read_rand(vhostmd_t) -+dev_read_urand(vhostmd_t) -+dev_read_sysfs(vhostmd_t) -+ -+# 579803 -+files_list_tmp(vhostmd_t) - files_read_usr_files(vhostmd_t) - -+dev_read_rand(vhostmd_t) +@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) dev_read_sysfs(vhostmd_t) + files_list_tmp(vhostmd_t) +-files_read_usr_files(vhostmd_t) + auth_use_nsswitch(vhostmd_t) logging_send_syslog_msg(vhostmd_t) @@ -70211,7 +80002,7 @@ index 32a3c13..0cbca75 100644 optional_policy(` hostname_exec(vhostmd_t) ') -@@ -66,6 +71,7 @@ optional_policy(` +@@ -77,6 +74,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) @@ -70220,12 +80011,15 @@ index 32a3c13..0cbca75 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..e55e393 100644 +index c30da4c..014e40c 100644 --- a/virt.fc 
+++ b/virt.fc -@@ -1,6 +1,14 @@ --HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) --HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +@@ -1,52 +1,80 @@ +-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -70235,46 +80029,83 @@ index 2124b6a..e55e393 100644 +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) - HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) - /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t - /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) - /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - + /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) ++/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + +-/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) -+ -+/usr/sbin/libvirt-qmf -- 
gen_context(system_u:object_r:virt_qmf_exec_t,s0) + +-/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) +-/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +-/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +-/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +- +-/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +-/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) +- +-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +-/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +- +-/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) + /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) - --/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - - /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) - /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) - /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) --/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) ++/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) ++/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) + + /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +-/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0) +-/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) +- +-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) ++/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +- +-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) - /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) + /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) --/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) +-/var/run/libvirt/qemu(/.*)? 
gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) +-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - - /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for AEOLUS project +/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -70304,58 +80135,92 @@ index 2124b6a..e55e393 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..408a20a 100644 +index 9dec06c..347f807 100644 --- a/virt.if 
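Review bot: The rewritten virt.fc hunk deletes upstream's two libguestfs runtime entries, `/var/run/libguestfs(/.*)?` (virt_var_run_t) and `/var/run/user/[^/]*/libguestfs(/.*)?` (virt_home_t), and unlike the neighbouring `/var/run/libvirt/...` and `/var/run/vdsm(/.*)?` entries they are not re-added on the Fedora side of the hunk. Unless a later hunk restores them, those directories will be labelled by their parent rather than by a virt type, so access to them is governed by the generic /var/run and /run/user rules instead of the virt_var_run_t/virt_home_t ones, and domains that were granted access through those types will be denied there. If the drop is deliberate, a one-line comment next to the `/var/run/vdsm(/.*)?` entry recording why would stop the next rebase from reinstating them.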
+++ b/virt.if -@@ -13,67 +13,30 @@ +@@ -1,120 +1,51 @@ +-## Libvirt virtualization API. ++## Libvirt virtualization API + +-####################################### ++######################################## + ## +-## The template to define a virt domain. ++## Creates types and rules for a basic ++## qemu process domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## # template(`virt_domain_template',` gen_require(` -- type virtd_t; -- attribute virt_image_type; -- attribute virt_domain; +- attribute_role virt_domain_roles; +- attribute virt_image_type, virt_domain, virt_tmpfs_type; +- attribute virt_ptynode, virt_tmp_type; + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; ') +- ######################################## +- # +- # Declarations +- # +- type $1_t, virt_domain; -- domain_type($1_t) +- application_type($1_t) +- qemu_entry_type($1_t) + application_domain($1_t, qemu_exec_t) domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_untrusted_proc($1_t) - role system_r types $1_t; + mls_rangetrans_target($1_t) + mcs_constrained($1_t) +- role virt_domain_roles types $1_t; ++ role system_r types $1_t; -- type $1_devpts_t; -+ type $1_devpts_t, virt_ptynode; + type $1_devpts_t, virt_ptynode; term_pty($1_devpts_t) -- type $1_tmp_t; +- type $1_tmp_t, virt_tmp_type; - files_tmp_file($1_tmp_t) +- +- type $1_tmpfs_t, virt_tmpfs_type; +- files_tmpfs_file($1_tmpfs_t) + kernel_read_system_state($1_t) -- type $1_tmpfs_t; -- files_tmpfs_file($1_tmpfs_t) +- optional_policy(` +- pulseaudio_tmpfs_content($1_tmpfs_t) +- ') + auth_read_passwd($1_t) - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) +- dev_associate_sysfs($1_image_t) + logging_send_syslog_msg($1_t) -- type $1_var_run_t; -- files_pid_file($1_var_run_t) +- ######################################## +- # +- # Policy +- # - -- allow $1_t $1_devpts_t:chr_file { 
rw_chr_file_perms setattr }; +- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) +- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) +- manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) +- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) +- fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) 
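Review bot: The `gen_require` block of the rewritten `virt_domain_template` still lists `attribute virt_image_type, virt_domain;` and `attribute virt_tmpfs_type;`, but the template body on the new side only declares `$1_t` (virt_domain) and `$1_devpts_t` (virt_ptynode); the `$1_image_t` and `$1_tmpfs_t` declarations that used those attributes are removed in this same hunk, so as far as the visible body shows `virt_image_type` and `virt_tmpfs_type` are required without being used. Trimming the block to `attribute virt_domain; attribute virt_ptynode; type qemu_exec_t;` keeps the template's stated dependencies honest. The header `## Creates types and rules for a basic qemu process domain.` would also read more accurately as `## Creates the process and pty types and the base rules for a qemu domain`, since the per-domain image, tmp, tmpfs and pid types that upstream's template creates are no longer part of it. The template body closes in the next hunk.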
@@ -70367,389 +80232,934 @@ index 6f0736b..408a20a 100644 - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - -- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) -- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) -- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) -- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) -- -- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) -- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -- files_pid_filetrans($1_t, $1_var_run_t, { dir file }) -- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) -- -- auth_use_nsswitch($1_t) +- optional_policy(` +- pulseaudio_run($1_t, virt_domain_roles) +- ') - - optional_policy(` - xserver_rw_shm($1_t) - ') +-') +- +-####################################### +-## +-## The template to define a virt lxc domain. +-## +-## +-## +-## Domain prefix to be used. +-## +-## +-# +-template(`virt_lxc_domain_template',` +- gen_require(` +- attribute_role svirt_lxc_domain_roles; +- attribute svirt_lxc_domain; +- ') +- +- type $1_t, svirt_lxc_domain; +- domain_type($1_t) +- domain_user_exemption_target($1_t) +- mls_rangetrans_target($1_t) +- mcs_constrained($1_t) +- role svirt_lxc_domain_roles types $1_t; ') ######################################## -@@ -98,14 +61,32 @@ interface(`virt_image',` - dev_node($1) + ## +-## Make the specified type virt image type. ++## Make the specified type usable as a virt image + ## + ## + ## +-## Type to be used as a virtual image. ++## Type to be used as a virtual image + ## + ## + # +@@ -125,51 +56,32 @@ interface(`virt_image',` + + typeattribute $1 virt_image_type; + files_type($1) +- dev_node($1) +-') +- +-######################################## +-## +-## Execute a domain transition to run virtd. 
+-## +-## +-## +-## Domain allowed to transition. +-## +-## +-# +-interface(`virt_domtrans',` +- gen_require(` +- type virtd_t, virtd_exec_t; +- ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virtd_exec_t, virtd_t) ++ # virt images can be assigned to blk devices ++ dev_node($1) ') +-######################################## +####################################### -+## + ## +-## Execute a domain transition to run virt qmf. +## Getattr on virt executable. -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +## +## Domain allowed to transition. +## -+## -+# + ## + # +-interface(`virt_domtrans_qmf',` +- gen_require(` +- type virt_qmf_t, virt_qmf_exec_t; +- ') +interface(`virt_getattr_exec',` + gen_require(` + type virtd_exec_t; + ') -+ + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) + allow $1 virtd_exec_t:file getattr; -+') -+ + ') + ######################################## ## - ## Execute a domain transition to run virt. +-## Execute a domain transition to +-## run virt bridgehelper. ++## Execute a domain transition to run virt. ## ## --## -+## + ## +@@ -177,161 +89,53 @@ interface(`virt_domtrans_qmf',` + ## + ## + # +-interface(`virt_domtrans_bridgehelper',` ++interface(`virt_domtrans',` + gen_require(` +- type virt_bridgehelper_t, virt_bridgehelper_exec_t; ++ type virtd_t, virtd_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ++ domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + + ######################################## + ## +-## Execute bridgehelper in the bridgehelper +-## domain, and allow the specified role +-## the bridgehelper domain. ++## Transition to virt_qmf. + ## + ## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. 
+-## +-## +-# +-interface(`virt_run_bridgehelper',` +- gen_require(` +- attribute_role virt_bridgehelper_roles; +- ') +- +- virt_domtrans_bridgehelper($1) +- roleattribute $2 virt_bridgehelper_roles; +-') +- +-######################################## + ## +-## Execute virt domain in the their +-## domain, and allow the specified +-## role that virt domain. +-## +-## +-## ## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-# +-interface(`virt_run_virt_domain',` +- gen_require(` +- attribute virt_domain; +- attribute_role virt_domain_roles; +- ') +- +- allow $1 virt_domain:process { signal transition }; +- roleattribute $2 virt_domain_roles; +- +- allow virt_domain $1:fd use; +- allow virt_domain $1:fifo_file rw_fifo_file_perms; +- allow virt_domain $1:process sigchld; +-') +- +-######################################## +-## +-## Send generic signals to all virt domains. -## -+## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`virt_signal_all_virt_domains',` +- gen_require(` +- attribute virt_domain; +- ') +- +- allow $1 virt_domain:process signal; +-') +- +-######################################## +-## +-## Send kill signals to all virt domains. + ## +-## +-## +-## Domain allowed access. +-## ## # - interface(`virt_domtrans',` -@@ -116,9 +97,45 @@ interface(`virt_domtrans',` - domtrans_pattern($1, virtd_exec_t, virtd_t) - ') - -+######################################## -+## -+## Transition to virt_qmf. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# +-interface(`virt_kill_all_virt_domains',` +interface(`virt_domtrans_qmf',` -+ gen_require(` + gen_require(` +- attribute virt_domain; + type virt_qmf_t, virt_qmf_exec_t; -+ ') -+ + ') + +- allow $1 virt_domain:process sigkill; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute svirt lxc domains in their +-## domain, and allow the specified +-## role that svirt lxc domain. +## Transition to virt_bridgehelper. -+## -+## -+## + ## + ## +-## +-## Domain allowed to transition. +-## +-## +-## +-## +-## Role allowed access. +-## +-## +-# +-interface(`virt_run_svirt_lxc_domain',` +- gen_require(` +- attribute svirt_lxc_domain; +- attribute_role svirt_lxc_domain_roles; +- ') +- +- allow $1 svirt_lxc_domain:process { signal transition }; +- roleattribute $2 svirt_lxc_domain_roles; +- +- allow svirt_lxc_domain $1:fd use; +- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; +- allow svirt_lxc_domain $1:process sigchld; +-') +- +-####################################### + ## +-## Get attributes of virtd executable files. +## Domain allowed to transition. -+## -+## + ## +-## +-## +-## Domain allowed access. +-## + ## +-# +-interface(`virt_getattr_virtd_exec_files',` +interface(`virt_domtrans_bridgehelper',` -+ gen_require(` + gen_require(` +- type virtd_exec_t; + type virt_bridgehelper_t, virt_bridgehelper_exec_t; -+ ') -+ + ') + +- allow $1 virtd_exec_t:file getattr_file_perms; + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -+') -+ + ') + ####################################### ## --## Connect to virt over an unix domain stream socket. +-## Connect to virt with a unix +-## domain stream socket. +## Connect to virt over a unix domain stream socket. 
## ## ## -@@ -166,13 +183,13 @@ interface(`virt_attach_tun_iface',` - # - interface(`virt_read_config',` - gen_require(` -- type virt_etc_t; -- type virt_etc_rw_t; -+ type virt_etc_t, virt_etc_rw_t; +@@ -350,7 +154,7 @@ interface(`virt_stream_connect',` + + ######################################## + ## +-## Attach to virt tun devices. ++## Allow domain to attach to virt TUN devices + ## + ## + ## +@@ -369,7 +173,7 @@ interface(`virt_attach_tun_iface',` + + ######################################## + ## +-## Read virt configuration content. ++## Read virt config files. + ## + ## + ## +@@ -383,7 +187,6 @@ interface(`virt_read_config',` ') files_search_etc($1) +- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - ') + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +@@ -391,8 +194,7 @@ interface(`virt_read_config',` ######################################## -@@ -187,13 +204,13 @@ interface(`virt_read_config',` - # - interface(`virt_manage_config',` - gen_require(` -- type virt_etc_t; -- type virt_etc_rw_t; -+ type virt_etc_t, virt_etc_rw_t; + ## +-## Create, read, write, and delete +-## virt configuration content. ++## manage virt config files. + ## + ## + ## +@@ -406,7 +208,6 @@ interface(`virt_manage_config',` ') files_search_etc($1) +- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - ') + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +@@ -414,8 +215,7 @@ interface(`virt_manage_config',` ######################################## -@@ -233,6 +250,24 @@ interface(`virt_read_content',` + ## +-## Create, read, write, and delete +-## virt image files. 
++## Allow domain to manage virt image files + ## + ## + ## +@@ -450,8 +250,7 @@ interface(`virt_read_content',` ######################################## ## +-## Create, read, write, and delete +-## virt content. +## Allow domain to write virt image files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -459,35 +258,17 @@ interface(`virt_read_content',` + ## + ## + # +-interface(`virt_manage_virt_content',` +interface(`virt_write_content',` -+ gen_require(` -+ type virt_content_t; -+ ') -+ + gen_require(` + type virt_content_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_content_t:dir manage_dir_perms; +- allow $1 virt_content_t:file manage_file_perms; +- allow $1 virt_content_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_content_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_content_t:sock_file manage_sock_file_perms; +- allow $1 virt_content_t:blk_file manage_blk_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') +- +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') + allow $1 virt_content_t:file write_file_perms; -+') -+ -+######################################## -+## - ## Read virt PID files. + ') + + ######################################## + ## +-## Relabel virt content. ++## Read virt PID files. 
## ## -@@ -252,6 +287,28 @@ interface(`virt_read_pid_files',` + ## +@@ -495,53 +276,40 @@ interface(`virt_manage_virt_content',` + ## + ## + # +-interface(`virt_relabel_virt_content',` ++interface(`virt_read_pid_files',` + gen_require(` +- type virt_content_t; ++ type virt_var_run_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_content_t:dir relabel_dir_perms; +- allow $1 virt_content_t:file relabel_file_perms; +- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; +- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; +- allow $1 virt_content_t:sock_file relabel_sock_file_perms; +- allow $1 virt_content_t:blk_file relabel_blk_file_perms; ++ files_search_pids($1) ++ read_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') ######################################## ## +-## Create specified objects in user home +-## directories with the virt content type. +## Manage virt pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`virt_home_filetrans_virt_content',` +interface(`virt_manage_pid_dirs',` -+ gen_require(` + gen_require(` +- type virt_content_t; + type virt_var_run_t; + type virt_lxc_var_run_t; -+ ') -+ + ') + +- virt_home_filetrans($1, virt_content_t, $2, $3) + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) -+') -+ -+######################################## -+## - ## Manage virt pid files. + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt home content. ++## Manage virt pid files. 
## ## -@@ -263,10 +320,47 @@ interface(`virt_read_pid_files',` - interface(`virt_manage_pid_files',` + ## +@@ -549,67 +317,36 @@ interface(`virt_home_filetrans_virt_content',` + ## + ## + # +-interface(`virt_manage_svirt_home_content',` ++interface(`virt_manage_pid_files',` gen_require(` - type virt_var_run_t; +- type svirt_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 svirt_home_t:dir manage_dir_perms; +- allow $1 svirt_home_t:file manage_file_perms; +- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 svirt_home_t:sock_file manage_sock_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) ++ type virt_var_run_t; + type virt_lxc_var_run_t; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') ++ files_search_pids($1) ++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Relabel svirt home content. +## Create objects in the pid directory +## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-# +-interface(`virt_relabel_svirt_home_content',` +- gen_require(` +- type svirt_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 svirt_home_t:dir relabel_dir_perms; +- allow $1 svirt_home_t:file relabel_file_perms; +- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; +- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; +- allow $1 svirt_home_t:sock_file relabel_sock_file_perms; +-') +- +-######################################## +-## +-## Create specified objects in user home +-## directories with the svirt home type. +-## +-## +## -+## + ## +-## Domain allowed access. +## Type to which the created node will be transitioned. -+## -+## + ## + ## +-## +## -+## + ## +-## Class of the object being created. +## Object class(es) (single or set including {}) for which this +## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# + ## + ## + ## +@@ -618,54 +355,36 @@ interface(`virt_relabel_svirt_home_content',` + ## + ## + # +-interface(`virt_home_filetrans_svirt_home',` +interface(`virt_pid_filetrans',` -+ gen_require(` + gen_require(` +- type svirt_home_t; + type virt_var_run_t; -+ ') -+ + ') + +- virt_home_filetrans($1, svirt_home_t, $2, $3) + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) ') ######################################## -@@ -310,6 +404,24 @@ interface(`virt_read_lib_files',` + ## +-## Create specified objects in generic +-## virt home directories with private +-## home type. ++## Search virt lib directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Private file type. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. 
+-## +-## + # +-interface(`virt_home_filetrans',` ++interface(`virt_search_lib',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- filetrans_pattern($1, virt_home_t, $2, $3, $4) ++ allow $1 virt_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt home files. ++## Read virt lib files. + ## + ## + ## +@@ -673,54 +392,38 @@ interface(`virt_home_filetrans',` + ## + ## + # +-interface(`virt_manage_home_files',` ++interface(`virt_read_lib_files',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- manage_files_pattern($1, virt_home_t, virt_home_t) ++ files_search_var_lib($1) ++ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') ######################################## ## +-## Create, read, write, and delete +-## virt home content. +## Dontaudit inherited read virt lib files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`virt_manage_generic_virt_home_content',` +interface(`virt_dontaudit_read_lib_files',` -+ gen_require(` + gen_require(` +- type virt_home_t; +- ') +- +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) + type virt_var_lib_t; -+ ') -+ + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) +- ') + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete - ## virt lib files. - ## -@@ -354,9 +466,9 @@ interface(`virt_read_log',` - ## virt log files. + ') + + ######################################## + ## +-## Relabel virt home content. ++## Create, read, write, and delete ++## virt lib files. ## ## --## -+## - ## Domain allowed access. 
--## -+## + ## +@@ -728,52 +431,78 @@ interface(`virt_manage_generic_virt_home_content',` + ## ## # - interface(`virt_append_log',` -@@ -390,6 +502,25 @@ interface(`virt_manage_log',` +-interface(`virt_relabel_generic_virt_home_content',` ++interface(`virt_manage_lib_files',` + gen_require(` +- type virt_home_t; ++ type virt_var_lib_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir relabel_dir_perms; +- allow $1 virt_home_t:file relabel_file_perms; +- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; +- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; +- allow $1 virt_home_t:sock_file relabel_sock_file_perms; ++ files_search_var_lib($1) ++ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + ') ######################################## ## -+## Allow domain to search virt image direcories -+## -+## -+## -+## Domain allowed access. -+## -+## +-## Create specified objects in user home +-## directories with the generic virt +-## home type. ++## Allow the specified domain to read virt's log files. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++## +# -+interface(`virt_search_images',` ++interface(`virt_read_log',` + gen_require(` -+ attribute virt_image_type; ++ type virt_log_t; + ') + -+ virt_search_lib($1) -+ allow $1 virt_image_type:dir search_dir_perms; ++ logging_search_logs($1) ++ read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## - ## Allow domain to read virt image files - ## - ## -@@ -410,6 +541,7 @@ interface(`virt_read_images',` - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) -@@ -426,6 +558,42 @@ interface(`virt_read_images',` - - ######################################## - ## -+## Allow domain to read virt blk image files ++## Allow the specified domain to append ++## virt log files. +## +## -+## + ## +-## Class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# -+interface(`virt_read_blk_images',` ++interface(`virt_append_log',` + gen_require(` -+ attribute virt_image_type; ++ type virt_log_t; + ') + -+ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ logging_search_logs($1) ++ append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## -+## Allow domain to read/write virt image chr files ++## Allow domain to manage virt log files +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`virt_home_filetrans_virt_home',` ++interface(`virt_manage_log',` + gen_require(` +- type virt_home_t; ++ type virt_log_t; + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ++ manage_dirs_pattern($1, virt_log_t, virt_log_t) ++ manage_files_pattern($1, virt_log_t, virt_log_t) ++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + ') + + ######################################## + ## +-## Read virt pid files. ++## Allow domain to search virt image direcories + ## + ## + ## +@@ -781,19 +510,18 @@ interface(`virt_home_filetrans_virt_home',` + ## + ## + # +-interface(`virt_read_pid_files',` ++interface(`virt_search_images',` + gen_require(` +- type virt_var_run_t; ++ attribute virt_image_type; + ') + +- files_search_pids($1) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir search_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt pid files. 
++## Allow domain to read virt image files + ## + ## + ## +@@ -801,18 +529,36 @@ interface(`virt_read_pid_files',` + ## + ## + # +-interface(`virt_manage_pid_files',` ++interface(`virt_read_images',` + gen_require(` +- type virt_var_run_t; ++ type virt_var_lib_t; ++ attribute virt_image_type; + ') + +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir list_dir_perms; ++ list_dirs_pattern($1, virt_image_type, virt_image_type) ++ read_files_pattern($1, virt_image_type, virt_image_type) ++ read_lnk_files_pattern($1, virt_image_type, virt_image_type) ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ read_chr_files_pattern($1, virt_image_type, virt_image_type) ++ ++ tunable_policy(`virt_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ fs_read_nfs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') + ') + + ######################################## + ## +-## Search virt lib directories. ++## Allow domain to read virt blk image files + ## + ## + ## +@@ -820,18 +566,17 @@ interface(`virt_manage_pid_files',` + ## + ## + # +-interface(`virt_search_lib',` ++interface(`virt_read_blk_images',` + gen_require(` +- type virt_var_lib_t; ++ attribute virt_image_type; + ') + +- files_search_var_lib($1) +- allow $1 virt_var_lib_t:dir search_dir_perms; ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) + ') + + ######################################## + ## +-## Read virt lib files. 
++## Allow domain to read/write virt image chr files + ## + ## + ## +@@ -839,20 +584,18 @@ interface(`virt_search_lib',` + ## + ## + # +-interface(`virt_read_lib_files',` +interface(`virt_rw_chr_files',` -+ gen_require(` + gen_require(` +- type virt_var_lib_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var_lib($1) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## ## Create, read, write, and delete - ## svirt cache files. +-## virt lib files. ++## svirt cache files. ## -@@ -435,15 +603,15 @@ interface(`virt_read_images',` + ## + ## +@@ -860,94 +603,205 @@ interface(`virt_read_lib_files',` ## ## # --interface(`virt_manage_svirt_cache',` +-interface(`virt_manage_lib_files',` +interface(`virt_manage_cache',` gen_require(` -- type svirt_cache_t; +- type virt_var_lib_t; + type virt_cache_t; ') - files_search_var($1) -- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) -- manage_files_pattern($1, svirt_cache_t, svirt_cache_t) -- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) ') ######################################## -@@ -468,18 +636,52 @@ interface(`virt_manage_images',` - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) + ## +-## Create objects in virt pid +-## directories with a private type. ++## Allow domain to manage virt image files + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++# ++interface(`virt_manage_images',` ++ gen_require(` ++ type virt_var_lib_t; ++ attribute virt_image_type; ++ ') ++ ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir list_dir_perms; ++ manage_dirs_pattern($1, virt_image_type, virt_image_type) ++ manage_files_pattern($1, virt_image_type, virt_image_type) ++ read_lnk_files_pattern($1, virt_image_type, virt_image_type) ++ rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') - -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_read_nfs_symlinks($1) -- ') ++ +####################################### +## +## Allow domain to manage virt image files 
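Review bot: The rewritten `virt_pid_filetrans` body, `filetrans_pattern($1, virt_var_run_t, $2, $3, $4)`, lacks the `files_search_pids($1)` call that upstream's version of the same interface (removed later in this patch) has and that the sibling `virt_read_pid_files`, `virt_manage_pid_dirs` and `virt_manage_pid_files` interfaces in this hunk all keep, so a caller using only this interface gets the type transition but no search permission on the pid directory leading to it. Adding `files_search_pids($1)` before the `filetrans_pattern` line keeps the four pid interfaces consistent. Separately, this rebase removes upstream's `allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;` from `virt_read_config` and the matching `manage_dir_perms` line from `virt_manage_config`; since `read_files_pattern`/`manage_files_pattern` only grant search on the directory, callers can no longer list /etc/libvirt or create subdirectories there, which is worth confirming is intended rather than a rebase artefact.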
@@ -70771,47 +81181,67 @@ index 6f0736b..408a20a 100644 + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) ++ +######################################## +## +## Execute virt server in the virt domain. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed to transition. -+## -+## + ## + ## +-## +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; - ') ++ ') + + systemd_exec_systemctl($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) - ') - - ######################################## -@@ -502,10 +704,20 @@ interface(`virt_manage_images',` - interface(`virt_admin',` ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an virt environment ++## ++## + ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++## + ## +-## The name of the object being created. ++## Role allowed access. + ## + ## +-## ++## + # +-interface(`virt_pid_filetrans',` ++interface(`virt_admin',` gen_require(` - type virtd_t, virtd_initrc_exec_t; +- type virt_var_run_t; ++ type virtd_t, virtd_initrc_exec_t; + attribute virt_domain; + type virt_lxc_t; + type virtd_unit_file_t; ') -- allow $1 virtd_t:process { ptrace signal_perms }; +- files_search_pids($1) +- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + allow $1 virtd_t:process signal_perms; - ps_process_pattern($1, virtd_t) ++ ps_process_pattern($1, virtd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 virtd_t:process ptrace; + allow $1 virt_lxc_t:process ptrace; 
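Review bot: On the new side this hunk deletes upstream's `virt_pid_filetrans` interface (its `gen_require`, `files_search_pids` and `filetrans_pattern` lines now carry an inner `-`) and defines the Fedora `virt_admin` in its place, so any module in the tree that still calls `virt_pid_filetrans` will fail the build on an undefined macro. If the removal is intended, keeping a one-line deprecation stub of the kind the patch itself drops for `virt_manage_svirt_cache` (a `refpolicywarn` call forwarding to the replacement) would let old callers compile while the warning surfaces them. The `deny_ptrace` block that hands the admin domain `ptrace` on `virtd_t` and `virt_lxc_t` has no comment explaining the gating; `# ptrace on virtd/lxc is withheld when deny_ptrace is enabled` above the `tunable_policy` line would make the intent survive the next rebase. The body of `virt_admin` continues past this hunk into the next one.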
@@ -70819,13 +81249,17 @@ index 6f0736b..408a20a 100644 + + allow $1 virt_lxc_t:process signal_perms; + ps_process_pattern($1, virt_lxc_t) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) -@@ -517,4 +729,305 @@ interface(`virt_admin',` - virt_manage_lib_files($1) - - virt_manage_log($1) ++ ++ init_labeled_script_domtrans($1, virtd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 virtd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ virt_manage_pid_files($1) ++ ++ virt_manage_lib_files($1) ++ ++ virt_manage_log($1) + + virt_manage_images($1) + @@ -70834,33 +81268,39 @@ index 6f0736b..408a20a 100644 + virt_systemctl($1) + admin_pattern($1, virtd_unit_file_t) + allow $1 virtd_unit_file_t:service all_service_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read virt log files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access +## +## +## +## +## The role to be allowed the sandbox domain. -+## -+## -+## -+# + ## + ## + ## + # +-interface(`virt_read_log',` +interface(`virt_transition_svirt',` -+ gen_require(` + gen_require(` +- type virt_log_t; + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; -+ ') -+ + ') + +- logging_search_logs($1) +- read_files_pattern($1, virt_log_t, virt_log_t) + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; 
@@ -70875,82 +81315,115 @@ index 6f0736b..408a20a 100644 + optional_policy(` + ptchown_run(virt_domain, $2) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Append virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`virt_append_log',` +interface(`virt_dontaudit_write_pipes',` -+ gen_require(` + gen_require(` +- type virt_log_t; + type virtd_t; -+ ') -+ + ') + +- logging_search_logs($1) +- append_files_pattern($1, virt_log_t, virt_log_t) + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt log files. +## Send a sigkill to virtual machines -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -955,20 +809,17 @@ interface(`virt_append_log',` + ## + ## + # +-interface(`virt_manage_log',` +interface(`virt_kill_svirt',` -+ gen_require(` + gen_require(` +- type virt_log_t; + attribute virt_domain; -+ ') -+ + ') + +- logging_search_logs($1) +- manage_dirs_pattern($1, virt_log_t, virt_log_t) +- manage_files_pattern($1, virt_log_t, virt_log_t) +- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + allow $1 virt_domain:process sigkill; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search virt image directories. +## Send a signal to virtual machines -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -976,18 +827,17 @@ interface(`virt_manage_log',` + ## + ## + # +-interface(`virt_search_images',` +interface(`virt_signal_svirt',` -+ gen_require(` + gen_require(` +- attribute virt_image_type; + attribute virt_domain; -+ ') -+ + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir search_dir_perms; + allow $1 virt_domain:process signal; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read virt image files. +## Manage virt home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -995,57 +845,57 @@ interface(`virt_search_images',` + ## + ## + # +-interface(`virt_read_images',` +interface(`virt_manage_home_files',` -+ gen_require(` + gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; + type virt_home_t; -+ ') -+ + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- list_dirs_pattern($1, virt_image_type, virt_image_type) +- read_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- read_blk_files_pattern($1, virt_image_type, virt_image_type) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') -+ + +- tunable_policy(`virt_use_nfs',` +- fs_list_nfs($1) +- fs_read_nfs_files($1) +- fs_read_nfs_symlinks($1) +######################################## +## +## allow domain to read 
@@ -70965,41 +81438,59 @@ index 6f0736b..408a20a 100644 +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; -+ ') -+ + ') + +- tunable_policy(`virt_use_samba',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- fs_read_cifs_symlinks($1) +- ') + allow $1 virt_tmpfs_type:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write all virt image +-## character files. +## allow domain to manage +## virt tmpfs files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access -+## -+## -+# + ## + ## + # +-interface(`virt_rw_all_image_chr_files',` +interface(`virt_manage_tmpfs_files',` -+ gen_require(` + gen_require(` +- attribute virt_image_type; + attribute virt_tmpfs_type; -+ ') -+ + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- rw_chr_files_pattern($1, virt_image_type, virt_image_type) + allow $1 virt_tmpfs_type:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt cache files. +## Create .virt directory in the user home directory +## with an correct label. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1053,15 +903,27 @@ interface(`virt_rw_all_image_chr_files',` + ## + ## + # +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; 
@@ -71016,49 +81507,74 @@ index 6f0736b..408a20a 100644 + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt cache content. +## Dontaudit attempts to Read virt_image_type devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1069,117 +931,103 @@ interface(`virt_manage_svirt_cache',` + ## + ## + # +-interface(`virt_manage_virt_cache',` +interface(`virt_dontaudit_read_chr_dev',` -+ gen_require(` + gen_require(` +- type virt_cache_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt image files. +## Creates types and rules for a basic +## virt_lxc process domain. -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Prefix for the domain. 
-+## -+## -+# + ## + ## + # +-interface(`virt_manage_images',` +template(`virt_lxc_domain_template',` -+ gen_require(` + gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; + attribute svirt_lxc_domain; -+ ') -+ + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- manage_dirs_pattern($1, virt_image_type, virt_image_type) +- manage_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- rw_blk_files_pattern($1, virt_image_type, virt_image_type) + type $1_t, svirt_lxc_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) -+ mcs_untrusted_proc($1_t) ++ mcs_constrained($1_t) + role system_r types $1_t; -+ + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) + kernel_read_system_state($1_t) +') + @@ -71075,8 +81591,12 @@ index 6f0736b..408a20a 100644 +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; -+ ') -+ + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) + can_exec($1, qemu_exec_t) +') + 
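Review bot: In the new `virt_lxc_domain_template` the container domain now gets `mcs_constrained($1_t)` where the previous revision of the patch had `mcs_untrusted_proc($1_t)`, and nothing near the call says why the MCS treatment changed. Presumably this is the point at which a container's category set becomes enforced against the objects it touches; a comment such as `# MCS-constrain the container domain — confirm semantics against the mcs module` would keep the next rebase from silently reverting it. This hunk and the one above it also drop upstream's `virt_manage_virt_cache` and `virt_manage_svirt_cache` bodies in favour of the Fedora `virt_manage_cache`, so callers of either upstream name elsewhere in the tree will hit an undefined macro unless a forwarding stub is kept.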
@@ -71094,45 +81614,98 @@ index 6f0736b..408a20a 100644 + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; -+ ') + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an virt environment. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access -+## -+## -+## -+## + ## + ## + ## + ## +-## Role allowed access. +## The role to be allowed the sandbox domain. -+## -+## -+## -+# + ## + ## + ## + # +-interface(`virt_admin',` +interface(`virt_transition_svirt_lxc',` -+ gen_require(` + gen_require(` +- attribute virt_domain, virt_image_type, virt_tmpfs_type; +- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; +- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; +- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; +- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; +- type virt_var_run_t, virt_tmp_t, virt_log_t; +- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; +- type virt_etc_t, svirt_cache_t; + attribute svirt_lxc_domain; -+ ') -+ + ') + +- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; +- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) +- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) +- +- init_labeled_script_domtrans($1, virtd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 virtd_initrc_exec_t system_r; +- allow $2 system_r; +- +- fs_search_tmpfs($1) +- admin_pattern($1, virt_tmpfs_type) +- +- files_search_tmp($1) 
+- admin_pattern($1, { virt_tmp_type virt_tmp_t }) +- +- files_search_etc($1) +- admin_pattern($1, { virt_etc_t virt_etc_rw_t }) +- +- logging_search_logs($1) +- admin_pattern($1, virt_log_t) +- +- files_search_pids($1) +- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) +- +- files_search_var($1) +- admin_pattern($1, svirt_cache_t) +- +- files_search_var_lib($1) +- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) + allow $1 svirt_lxc_domain:process transition; + role $2 types svirt_lxc_domain; -+ + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) +- +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..12c15cb 100644 +index 1f22fba..e096fc5 100644 --- a/virt.te +++ b/virt.te -@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) +@@ -1,94 +1,105 @@ +-policy_module(virt, 1.6.10) ++policy_module(virt, 1.5.0) + + ######################################## + # # Declarations # @@ -71154,125 +81727,162 @@ index 947bbc6..12c15cb 100644 +dev_associate_sysfs(svirt_image_t) + ## - ##
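Review bot: The new side turns upstream's `policy_module(virt, 1.6.10)` into `policy_module(virt, 1.5.0)`, so the installed module's version string goes backwards relative to the base it patches and no longer tells an operator which upstream revision it carries. Unless the lower number is deliberate, a version above upstream's (a placeholder like `1.6.10.fedora` is not valid syntax, so bump the last component instead) would avoid the regression. In the same hunk `virt_transition_svirt_lxc` adds `allow svirt_lxc_domain $1:process sigchld;` with no comment; `# containers must be able to notify the launching domain on exit` states what the rule is for.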

    --## Allow virt to use serial/parallell communication ports +-##

    +-## Determine whether confined virtual guests +-## can use serial/parallel communication ports. +-##

    ++##

    +## Allow confined virtual guests to use serial/parallel communication ports - ##

    ++##

    ##
    gen_tunable(virt_use_comm, false) ## - ##

    --## Allow virt to read fuse files +-##

    +-## Determine whether confined virtual guests +-## can use executable memory and can make +-## their stack executable. +-##

    ++##

    +## Allow confined virtual guests to use executable memory and executable stack +##

    -+##
    -+gen_tunable(virt_use_execmem, false) -+ -+## + ## + gen_tunable(virt_use_execmem, false) + + ## +-##

    +-## Determine whether confined virtual guests +-## can use fuse file systems. +-##

    +##

    +## Allow confined virtual guests to read fuse files - ##

    ++##

    ##
    gen_tunable(virt_use_fusefs, false) ## - ##

    --## Allow virt to manage nfs files +-##

    +-## Determine whether confined virtual guests +-## can use nfs file systems. +-##

    ++##

    +## Allow confined virtual guests to manage nfs files - ##

    ++##

    ##
    gen_tunable(virt_use_nfs, false) ## - ##

    --## Allow virt to manage cifs files +-##

    +-## Determine whether confined virtual guests +-## can use cifs file systems. +-##

    ++##

    +## Allow confined virtual guests to manage cifs files - ##

    ++##

    ##
    gen_tunable(virt_use_samba, false) ## - ##

    --## Allow virt to manage device configuration, (pci) +-##

    +-## Determine whether confined virtual guests +-## can manage device configuration. +-##

    ++##

    +## Allow confined virtual guests to manage device configuration, (pci) - ##

    ++##

    ##
    gen_tunable(virt_use_sysfs, false) ## +-##

    +-## Determine whether confined virtual guests +-## can use usb devices. +-##

    +##

    +## Allow confined virtual guests to interact with the sanlock +##

    -+##
    + ## +-gen_tunable(virt_use_usb, false) +gen_tunable(virt_use_sanlock, false) -+ -+## + + ## +-##

    +-## Determine whether confined virtual guests +-## can interact with xserver. +-##

    +##

    +## Allow confined virtual guests to interact with rawip sockets +##

    -+##
    + ##
    +-gen_tunable(virt_use_xserver, false) +gen_tunable(virt_use_rawip, false) -+ + +-attribute virt_ptynode; +-attribute virt_domain; +-attribute virt_image_type; +-attribute virt_tmp_type; +-attribute virt_tmpfs_type; +- +-attribute svirt_lxc_domain; +## +##

    +## Allow confined virtual guests to interact with the xserver +##

    +##
    +gen_tunable(virt_use_xserver, false) -+ + +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; +## - ##

    --## Allow virt to use usb devices ++##

    +## Allow confined virtual guests to use usb devices - ##

    - ##
    - gen_tunable(virt_use_usb, true) ++##

    ++## ++gen_tunable(virt_use_usb, true) - virt_domain_template(svirt) - role system_r types svirt_t; +-attribute_role virt_bridgehelper_roles; +-roleattribute system_r virt_bridgehelper_roles; ++virt_domain_template(svirt) ++role system_r types svirt_t; +typealias svirt_t alias qemu_t; --type svirt_cache_t; --files_type(svirt_cache_t) +-attribute_role svirt_lxc_domain_roles; +-roleattribute system_r svirt_lxc_domain_roles; +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; --attribute virt_domain; --attribute virt_image_type; +-virt_domain_template(svirt) +-virt_domain_template(svirt_prot_exec) +type qemu_exec_t; -+ -+type virt_cache_t alias svirt_cache_t; -+files_type(virt_cache_t) - type virt_etc_t; - files_config_file(virt_etc_t) -@@ -62,26 +110,37 @@ files_config_file(virt_etc_t) - type virt_etc_rw_t; - files_type(virt_etc_rw_t) + type virt_cache_t alias svirt_cache_t; + files_type(virt_cache_t) +@@ -105,27 +116,25 @@ userdom_user_home_content(virt_home_t) + type svirt_home_t; + userdom_user_home_content(svirt_home_t) -+type virt_home_t; -+userdom_user_home_content(virt_home_t) -+ -+type svirt_home_t; -+userdom_user_home_content(svirt_home_t) -+ - # virt Image files +-type svirt_var_run_t; +-files_pid_file(svirt_var_run_t) +-mls_trusted_object(svirt_var_run_t) +- ++# virt Image files type virt_image_t; # customizable virt_image(virt_image_t) -+files_mountpoint(virt_image_t) + files_mountpoint(virt_image_t) - # virt Image files ++# virt Image files type virt_content_t; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) +-type virt_lock_t; +-files_lock_file(virt_lock_t) +type virt_tmp_t; +files_tmp_file(virt_tmp_t) -+ + type virt_log_t; logging_log_file(virt_log_t) -+mls_trusted_object(virt_log_t) + mls_trusted_object(virt_log_t) -type virt_tmp_t; -files_tmp_file(virt_tmp_t) 
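Review bot: `gen_tunable(virt_use_usb, true)` is the only boolean in this block that defaults to enabled, yet its description reads exactly like the defaulted-off ones (`Allow confined virtual guests to use usb devices`) and gives no hint that guests get USB device access out of the box. Stating the default in the description, for example `Allow confined virtual guests to use usb devices (enabled by default)`, lets an administrator reading `semanage boolean -l` or the generated docs see the exposure without consulting the source. The new `virt_use_sanlock` and `virt_use_rawip` tunables are declared here with one-line descriptions but, as far as this hunk shows, nothing in virt.te consumes them; if their `tunable_policy` blocks live in the interface file, a short comment pointing there would help.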
@@ -71281,14 +81891,7 @@ index 947bbc6..12c15cb 100644 type virt_var_run_t; files_pid_file(virt_var_run_t) - - type virt_var_lib_t; --files_type(virt_var_lib_t) -+files_mountpoint(virt_var_lib_t) - - type virtd_t; - type virtd_exec_t; -@@ -89,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) +@@ -139,9 +148,17 @@ init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) @@ -71306,19 +81909,16 @@ index 947bbc6..12c15cb 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -100,28 +167,53 @@ ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) - ') +@@ -155,251 +172,82 @@ type virt_qmf_exec_t; + init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) -+type virt_qmf_t; -+type virt_qmf_exec_t; -+init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) -+ -+type virt_bridgehelper_t; -+domain_type(virt_bridgehelper_t) + type virt_bridgehelper_t; +-type virt_bridgehelper_exec_t; + domain_type(virt_bridgehelper_t) + +type virt_bridgehelper_exec_t; -+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) + domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) +-role virt_bridgehelper_roles types virt_bridgehelper_t; +role system_r types virt_bridgehelper_t; + +# policy for qemu_ga 
@@ -71332,101 +81932,273 @@ index 947bbc6..12c15cb 100644 +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) + - ######################################## - # --# svirt local policy ++######################################## ++# +# Declarations - # ++# +attribute svirt_lxc_domain; --allow svirt_t self:udp_socket create_socket_perms; -+type virtd_lxc_t; -+type virtd_lxc_exec_t; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + type virtd_lxc_t; + type virtd_lxc_exec_t; + init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) --manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) --manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) --files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) +-type virtd_lxc_var_run_t; +-files_pid_file(virtd_lxc_var_run_t) +type virt_lxc_var_run_t; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; --read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) +# virt lxc container files -+type svirt_lxc_file_t; -+files_mountpoint(svirt_lxc_file_t) + type svirt_lxc_file_t; + files_mountpoint(svirt_lxc_file_t) +-fs_noxattr_type(svirt_lxc_file_t) +-term_pty(svirt_lxc_file_t) +- +-virt_lxc_domain_template(svirt_lxc_net) +- +-type virsh_t; +-type virsh_exec_t; +-init_system_domain(virsh_t, virsh_exec_t) --allow svirt_t svirt_image_t:dir search_dir_perms; --manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) --manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) --fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) -+######################################## -+# + ######################################## + # +-# Common virt domain local policy +# svirt local policy -+# + # --list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) --read_files_pattern(svirt_t, virt_content_t, virt_content_t) --dontaudit svirt_t virt_content_t:file write_file_perms; --dontaudit svirt_t virt_content_t:dir write; +-allow virt_domain self:process { signal getsched signull }; 
+-allow virt_domain self:fifo_file rw_fifo_file_perms; +-allow virt_domain self:netlink_route_socket r_netlink_socket_perms; +-allow virt_domain self:shm create_shm_perms; +-allow virt_domain self:tcp_socket create_stream_socket_perms; +-allow virt_domain self:unix_stream_socket { accept listen }; +-allow virt_domain self:unix_dgram_socket sendto; +- +-allow virt_domain virtd_t:fd use; +-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; +-allow virt_domain virtd_t:process sigchld; +- +-dontaudit virt_domain virtd_t:unix_stream_socket { read write }; +- +-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +-files_var_filetrans(virt_domain, virt_cache_t, { file dir }) +- +-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t) +-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file }) +- +-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t) +- +-dontaudit virt_domain virt_tmpfs_type:file { read write }; +- +-append_files_pattern(virt_domain, virt_log_t, virt_log_t) +- +-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) +- +-kernel_read_system_state(virt_domain) +- +-fs_getattr_xattr_fs(virt_domain) +- +-corecmd_exec_bin(virt_domain) +-corecmd_exec_shell(virt_domain) +- +-corenet_all_recvfrom_unlabeled(virt_domain) +-corenet_all_recvfrom_netlabel(virt_domain) +-corenet_tcp_sendrecv_generic_if(virt_domain) +-corenet_tcp_sendrecv_generic_node(virt_domain) +-corenet_tcp_bind_generic_node(virt_domain) +- +-corenet_sendrecv_vnc_server_packets(virt_domain) +-corenet_tcp_bind_vnc_port(virt_domain) +-corenet_tcp_sendrecv_vnc_port(virt_domain) +- +-corenet_sendrecv_virt_migration_server_packets(virt_domain) 
+-corenet_tcp_bind_virt_migration_port(virt_domain) +-corenet_sendrecv_virt_migration_client_packets(virt_domain) +-corenet_tcp_connect_virt_migration_port(virt_domain) +-corenet_tcp_sendrecv_virt_migration_port(virt_domain) +- +-corenet_rw_tun_tap_dev(virt_domain) +- +-dev_getattr_fs(virt_domain) +-dev_list_sysfs(virt_domain) +-dev_read_generic_symlinks(virt_domain) +-dev_read_rand(virt_domain) +-dev_read_sound(virt_domain) +-dev_read_urand(virt_domain) +-dev_write_sound(virt_domain) +-dev_rw_ksm(virt_domain) +-dev_rw_kvm(virt_domain) +-dev_rw_qemu(virt_domain) +-dev_rw_vhost(virt_domain) +- +-domain_use_interactive_fds(virt_domain) +- +-files_read_etc_files(virt_domain) +-files_read_mnt_symlinks(virt_domain) +-files_read_usr_files(virt_domain) +-files_read_var_files(virt_domain) +-files_search_all(virt_domain) +- +-fs_getattr_all_fs(virt_domain) +-fs_rw_anon_inodefs_files(virt_domain) +-fs_rw_tmpfs_files(virt_domain) +-fs_getattr_hugetlbfs(virt_domain) +- +-# fs_rw_inherited_nfs_files(virt_domain) +-# fs_rw_inherited_cifs_files(virt_domain) +-# fs_rw_inherited_noxattr_fs_files(virt_domain) +- +-storage_raw_write_removable_device(virt_domain) +-storage_raw_read_removable_device(virt_domain) +- +-term_use_all_terms(virt_domain) +-term_getattr_pty_fs(virt_domain) +-term_use_generic_ptys(virt_domain) +-term_use_ptmx(virt_domain) +- +-logging_send_syslog_msg(virt_domain) +- +-miscfiles_read_localization(virt_domain) +-miscfiles_read_public_files(virt_domain) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - corenet_udp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) -@@ -131,67 +223,71 @@ corenet_udp_bind_all_ports(svirt_t) - corenet_tcp_bind_all_ports(svirt_t) - corenet_tcp_connect_all_ports(svirt_t) - --dev_list_sysfs(svirt_t) -+miscfiles_read_generic_certs(svirt_t) - --userdom_search_user_home_content(svirt_t) --userdom_read_user_home_content_symlinks(svirt_t) 
--userdom_read_all_users_state(svirt_t) +-sysnet_read_config(virt_domain) +- +-userdom_search_user_home_dirs(virt_domain) +-userdom_read_all_users_state(virt_domain) +- +-virt_run_bridgehelper(virt_domain, virt_domain_roles) +-virt_read_config(virt_domain) +-virt_read_lib_files(virt_domain) +-virt_read_content(virt_domain) +-virt_stream_connect(virt_domain) +- +-qemu_exec(virt_domain) +- +-tunable_policy(`virt_use_execmem',` +- allow virt_domain self:process { execmem execstack }; +-') - -tunable_policy(`virt_use_comm',` -- term_use_unallocated_ttys(svirt_t) -- dev_rw_printer(svirt_t) +- term_use_unallocated_ttys(virt_domain) +- dev_rw_printer(virt_domain) -') - -tunable_policy(`virt_use_fusefs',` -- fs_read_fusefs_files(svirt_t) -- fs_read_fusefs_symlinks(svirt_t) +- fs_manage_fusefs_dirs(virt_domain) +- fs_manage_fusefs_files(virt_domain) +- fs_read_fusefs_symlinks(virt_domain) -') - -tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs(svirt_t) -- fs_manage_nfs_files(svirt_t) +- fs_manage_nfs_dirs(virt_domain) +- fs_manage_nfs_files(virt_domain) +- fs_manage_nfs_named_sockets(virt_domain) +- fs_read_nfs_symlinks(virt_domain) -') - -tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs(svirt_t) -- fs_manage_cifs_files(svirt_t) -+optional_policy(` +- fs_manage_cifs_dirs(virt_domain) +- fs_manage_cifs_files(virt_domain) +- fs_manage_cifs_named_sockets(virt_domain) +- fs_read_cifs_symlinks(virt_domain) +-') +- +-tunable_policy(`virt_use_sysfs',` +- dev_rw_sysfs(virt_domain) +-') +- +-tunable_policy(`virt_use_usb',` +- dev_rw_usbfs(virt_domain) +- dev_read_sysfs(virt_domain) +- fs_manage_dos_dirs(virt_domain) +- fs_manage_dos_files(virt_domain) +-') +- +-optional_policy(` +- tunable_policy(`virt_use_xserver',` +- xserver_read_xdm_pid(virt_domain) +- xserver_stream_connect(virt_domain) +- ') +-') +- +-optional_policy(` +- dbus_read_lib_files(virt_domain) +-') ++corenet_udp_sendrecv_generic_if(svirt_t) ++corenet_udp_sendrecv_generic_node(svirt_t) 
++corenet_udp_sendrecv_all_ports(svirt_t) ++corenet_udp_bind_generic_node(svirt_t) ++corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) ++corenet_tcp_connect_all_ports(svirt_t) + +-optional_policy(` +- nscd_use(virt_domain) +-') ++miscfiles_read_generic_certs(svirt_t) + + optional_policy(` +- samba_domtrans_smbd(virt_domain) + xen_rw_image_files(svirt_t) ') --tunable_policy(`virt_use_sysfs',` -- dev_rw_sysfs(svirt_t) -+optional_policy(` + optional_policy(` +- xen_rw_image_files(virt_domain) + nscd_use(svirt_t) ') --tunable_policy(`virt_use_usb',` -- dev_rw_usbfs(svirt_t) -- fs_manage_dos_dirs(svirt_t) -- fs_manage_dos_files(svirt_t) --') +-######################################## +####################################### -+# + # +-# svirt local policy +# svirt_prot_exec local policy -+# + # --optional_policy(` -- xen_rw_image_files(svirt_t) --') +-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +-read_files_pattern(svirt_t, virt_content_t, virt_content_t) +- +-dontaudit svirt_t virt_content_t:file write_file_perms; +-dontaudit svirt_t virt_content_t:dir rw_dir_perms; +- +-append_files_pattern(svirt_t, virt_home_t, virt_home_t) +-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) +-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) +- +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- +-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +- +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) +- +-corenet_all_recvfrom_unlabeled(svirt_t) +-corenet_all_recvfrom_netlabel(svirt_t) +-corenet_tcp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_tcp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_tcp_sendrecv_all_ports(svirt_t) 
+-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_tcp_bind_generic_node(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) +- +-corenet_sendrecv_all_server_packets(svirt_t) +-corenet_udp_bind_all_ports(svirt_t) +-corenet_tcp_bind_all_ports(svirt_t) +allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +-corenet_sendrecv_all_client_packets(svirt_t) +-corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) 
@@ -71437,40 +82209,52 @@ index 947bbc6..12c15cb 100644 ######################################## # - # virtd local policy +@@ -407,38 +255,41 @@ corenet_tcp_connect_all_ports(svirt_t) # --allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; --allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; -+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; + allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability2 compromise_kernel; -+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; + allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module sys_ptrace }; +') - --allow virtd_t self:fifo_file rw_fifo_file_perms; --allow virtd_t self:unix_stream_socket create_stream_socket_perms; -+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; ++ + allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +-allow virtd_t self:unix_stream_socket { accept connectto listen }; +-allow virtd_t self:tcp_socket { accept listen }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow virtd_t self:tcp_socket create_stream_socket_perms; --allow virtd_t self:tun_socket create_socket_perms; -+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; -+allow virtd_t self:rawip_socket create_socket_perms; -+allow virtd_t self:packet_socket create_socket_perms; ++allow virtd_t 
self:tcp_socket create_stream_socket_perms; + allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; + allow virtd_t self:rawip_socket create_socket_perms; + allow virtd_t self:packet_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +-allow virtd_t self:netlink_route_socket nlmsg_write; +- +-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; +- +-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; +-allow virtd_t svirt_lxc_domain:process signal_perms; +- +-allow virtd_t virtd_lxc_t:process { signal signull sigkill }; +- +-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; --manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) --manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) -+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) -+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) + manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) + manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - - allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") + +-allow virtd_t svirt_var_run_t:file relabel_file_perms; +-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) +-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu") ++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow 
virt_domain virtd_t:fd use; +dontaudit virt_domain virtd_t:unix_stream_socket { read write }; + 
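Review bot: The inner patch now deletes upstream's `domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)` together with the `svirt_lxc_domain` and `virtd_lxc_t` signal and unix_stream_socket rules (the run of `+-` lines after `netlink_kobject_uevent_socket`), and nothing on the new side of this hunk replaces them. If the lxc transition is granted elsewhere in the patch that is not visible from here; if it is not, libvirtd appears to lose the ability to enter virtd_lxc_t. Either keep those lines or leave `# lxc domain transition for virtd_t is provided by <interface or file> — TODO confirm` where they were. Separately, `allow virtd_t self:capability2 compromise_kernel;` survives the reshuffle without any comment while the neighbouring `hide_broken_symptoms` dontaudit explains itself; a one-line reason above it would stop the rule being carried forward blindly on the next rebase. The virtd_t block starts before this hunk.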
@@ -71486,120 +82270,128 @@ index 947bbc6..12c15cb 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +299,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +- +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt") +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst") +-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines") +- manage_files_pattern(virtd_t, virt_image_type, virt_image_type) -+manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) + manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) --allow virtd_t virt_image_type:file { relabelfrom relabelto }; --allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; + manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) - --manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) --manage_files_pattern(virtd_t, virt_log_t, virt_log_t) --logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir setattr; -+allow virtd_t virt_image_type:file relabel_file_perms; -+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; -+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -+allow virtd_t virt_ptynode:chr_file rw_term_perms; + allow virtd_t virt_image_type:file relabel_file_perms; + allow 
virtd_t virt_image_type:blk_file relabel_blk_file_perms; + allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +- + allow virtd_t virt_ptynode:chr_file rw_term_perms; manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) - can_exec(virtd_t, virt_tmp_t) - -+manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) -+manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) -+manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) -+files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) -+ -+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) ++can_exec(virtd_t, virt_tmp_t) + +-# This needs a file context specification + manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) + manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) + manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) + files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +-append_files_pattern(virtd_t, virt_log_t, virt_log_t) +-create_files_pattern(virtd_t, virt_log_t, virt_log_t) +-read_files_pattern(virtd_t, virt_log_t, virt_log_t) +-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -+logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -+ + logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) - manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) - manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +333,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, 
{ file dir }) +-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) -+ + +-can_exec(virtd_t, virt_tmp_t) +- +-kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -+kernel_read_kernel_sysctls(virtd_t) - kernel_request_load_module(virtd_t) - kernel_search_debugfs(virtd_t) -+kernel_setsched(virtd_t) - - corecmd_exec_bin(virtd_t) - corecmd_exec_shell(virtd_t) - --corenet_all_recvfrom_unlabeled(virtd_t) +@@ -520,22 +352,12 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t) ++corenet_tcp_sendrecv_all_ports(virtd_t) + corenet_tcp_bind_generic_node(virtd_t) +- +-corenet_sendrecv_virt_server_packets(virtd_t) + corenet_tcp_bind_virt_port(virtd_t) +-corenet_tcp_sendrecv_virt_port(virtd_t) +- +-corenet_sendrecv_vnc_server_packets(virtd_t) + corenet_tcp_bind_vnc_port(virtd_t) +-corenet_sendrecv_vnc_client_packets(virtd_t) + corenet_tcp_connect_vnc_port(virtd_t) +-corenet_tcp_sendrecv_vnc_port(virtd_t) +- +-corenet_sendrecv_soundd_client_packets(virtd_t) + corenet_tcp_connect_soundd_port(virtd_t) +-corenet_tcp_sendrecv_soundd_port(virtd_t) +- corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) 
-+dev_read_urand(virtd_t) - dev_read_rand(virtd_t) - dev_rw_kvm(virtd_t) - dev_getattr_all_chr_files(virtd_t) - dev_rw_mtrr(virtd_t) -+dev_rw_vhost(virtd_t) -+dev_setattr_generic_usb_dev(virtd_t) -+dev_relabel_generic_usb_dev(virtd_t) - - # Init script handling +@@ -548,22 +370,25 @@ dev_rw_vhost(virtd_t) + dev_setattr_generic_usb_dev(virtd_t) + dev_relabel_generic_usb_dev(virtd_t) + ++# Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) +domain_read_all_domains_state(virtd_t) files_read_usr_files(virtd_t) --files_read_etc_files(virtd_t) +files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) --files_manage_etc_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) -+ -+# Manages /etc/sysconfig/system-config-firewall + + # Manages /etc/sysconfig/system-config-firewall +-# files_relabelto_system_conf_files(virtd_t) +-# files_relabelfrom_system_conf_files(virtd_t) +-# files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) fs_list_auto_mountpoints(virtd_t) - fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t) +-fs_getattr_all_fs(virtd_t) ++fs_getattr_xattr_fs(virtd_t) + fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) - fs_rw_cgroup_files(virtd_t) -+fs_manage_hugetlbfs_dirs(virtd_t) -+fs_rw_hugetlbfs_files(virtd_t) -+ -+mls_fd_share_all_levels(virtd_t) -+mls_file_read_to_clearance(virtd_t) -+mls_file_write_to_clearance(virtd_t) -+mls_process_read_to_clearance(virtd_t) -+mls_process_write_to_clearance(virtd_t) -+mls_net_write_within_range(virtd_t) -+mls_socket_write_to_clearance(virtd_t) -+mls_socket_read_to_clearance(virtd_t) -+mls_rangetrans_source(virtd_t) - - mcs_process_set_categories(virtd_t) - -@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t) +@@ -594,15 +419,18 @@ 
term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -71609,32 +82401,40 @@ index 947bbc6..12c15cb 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t) + modutils_read_module_deps(virtd_t) ++modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) -+logging_send_audit_msgs(virtd_t) + logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) -+ -+selinux_validate_context(virtd_t) - seutil_read_config(virtd_t) - seutil_read_default_contexts(virtd_t) -+seutil_read_file_contexts(virtd_t) + selinux_validate_context(virtd_t) -+sysnet_signull_ifconfig(virtd_t) -+sysnet_signal_ifconfig(virtd_t) +@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t) + sysnet_signull_ifconfig(virtd_t) + sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) - sysnet_read_config(virtd_t) ++sysnet_read_config(virtd_t) +-userdom_read_all_users_state(virtd_t) +- +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) -+ + +-tunable_policy(`virt_use_fusefs',` +- fs_manage_fusefs_dirs(virtd_t) +- fs_manage_fusefs_files(virtd_t) +- fs_read_fusefs_symlinks(virtd_t) +-') +userdom_list_admin_dir(virtd_t) - userdom_getattr_all_users(virtd_t) - userdom_list_user_home_content(virtd_t) - userdom_read_all_users_state(virtd_t) - userdom_read_user_home_content_files(virtd_t) ++userdom_getattr_all_users(virtd_t) ++userdom_list_user_home_content(virtd_t) ++userdom_read_all_users_state(virtd_t) ++userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) 
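Review bot: The new side of this hunk leaves `domain_read_all_domains_state(virtd_t)` and `files_read_usr_files(virtd_t)` each listed twice, once as upstream context and once as an inner `+` line immediately after it; both duplicates appear as context on the old side too, but since the commit reorganises this region it is the natural place to drop the redundant inner `+` lines. The inner patch also now removes upstream's `append_files_pattern`/`create_files_pattern`/`read_files_pattern`/`setattr_files_pattern` on virt_log_t in favour of `manage_files_pattern(virtd_t, virt_log_t, virt_log_t)`, which additionally allows the daemon to unlink and rename its own logs. If that widening is deliberate, `# manage (not append) needed for log rotation by libvirtd — TODO confirm` above it would record the intent. The virtd_t block continues into the following hunks.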
@@ -71646,21 +82446,35 @@ index 947bbc6..12c15cb 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +475,10 @@ optional_policy(` +@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',` ') - optional_policy(` -+ consoletype_exec(virtd_t) -+') -+ -+optional_policy(` - dbus_system_bus_client(virtd_t) + tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files(virtd_t) ++ fs_manage_nfs_files(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) + ') +@@ -646,107 +480,330 @@ optional_policy(` + consoletype_exec(virtd_t) + ') - optional_policy(` -@@ -335,19 +492,34 @@ optional_policy(` - optional_policy(` - hal_dbus_chat(virtd_t) - ') +-optional_policy(` +- dbus_system_bus_client(virtd_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(virtd_t) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat(virtd_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat(virtd_t) ++ ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) @@ -71669,14 +82483,13 @@ index 947bbc6..12c15cb 100644 + +optional_policy(` + dmidecode_domtrans(virtd_t) - ') - - optional_policy(` - dnsmasq_domtrans(virtd_t) - dnsmasq_signal(virtd_t) - dnsmasq_kill(virtd_t) -- dnsmasq_read_pid_files(virtd_t) - dnsmasq_signull(virtd_t) ++') ++ ++optional_policy(` ++ dnsmasq_domtrans(virtd_t) ++ dnsmasq_signal(virtd_t) ++ dnsmasq_kill(virtd_t) ++ dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); + dnsmasq_manage_pid_files(virtd_t) 
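Review bot: The inner patch now drops the whole `tunable_policy(`virt_use_fusefs', ...)` block for virtd_t (the `+-` lines `fs_manage_fusefs_dirs`, `fs_manage_fusefs_files`, `fs_read_fusefs_symlinks`), while the `virt_use_nfs` and `virt_use_samba` blocks for virtd_t are kept in the next hunk. A `virt_use_fusefs` tunable for `virt_domain` is added later in this diff, but that appears to cover only the guest domains, not libvirtd itself creating or relabelling images on a FUSE mount. If the removal is intentional, add `# virt_use_fusefs is granted to virt_domain only; virtd_t deliberately excluded` beside the nfs tunable; otherwise keep the block. The enclosing virtd_t region continues in the following hunk.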
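Review bot: `fs_manage_nfs_files(virtd_t)` is placed inside `tunable_policy(`virt_use_samba',`, between `fs_manage_cifs_files(virtd_t)` and `fs_read_cifs_symlinks(virtd_t)`, so enabling the samba boolean would also grant NFS file management while `virt_use_nfs` is off. Since the line it replaces is a second copy of `fs_manage_cifs_files(virtd_t)`, the intended rule was presumably the directory variant, `fs_manage_cifs_dirs(virtd_t)`, which is the form used for virt_domain later in this diff. Change the inner `+` line to `fs_manage_cifs_dirs(virtd_t)`.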
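Review bot: `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);` ends with a semicolon while every other interface call in this block does not; if it builds the `;` is inert, but it reads as a different statement form and will trip the next person diffing against upstream. Drop the trailing `;` for consistency with `dnsmasq_manage_pid_files(virtd_t)` on the next line.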
@@ -71684,67 +82497,79 @@ index 947bbc6..12c15cb 100644 + +optional_policy(` + firewalld_dbus_chat(virtd_t) - ') - - optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(virtd_t) ++ iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) - - # Manages /etc/sysconfig/system-config-firewall - iptables_manage_config(virtd_t) -@@ -362,6 +534,12 @@ optional_policy(` - ') - - optional_policy(` ++ ++ # Manages /etc/sysconfig/system-config-firewall ++ iptables_manage_config(virtd_t) ++') ++ ++optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(virtd_t) ++') ++ ++optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` - policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) -@@ -369,11 +547,11 @@ optional_policy(` - ') - - optional_policy(` -- qemu_domtrans(virtd_t) -- qemu_read_state(virtd_t) -- qemu_signal(virtd_t) -- qemu_kill(virtd_t) -- qemu_setsched(virtd_t) ++ policykit_dbus_chat(virtd_t) ++ policykit_domtrans_auth(virtd_t) ++ policykit_domtrans_resolve(virtd_t) ++ policykit_read_lib(virtd_t) ++') ++ ++optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) - ') - - optional_policy(` -@@ -384,6 +562,7 @@ optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - ++') ++ ++optional_policy(` ++ sasl_connect(virtd_t) ++') ++ ++optional_policy(` ++ kernel_read_xen_state(virtd_t) ++ kernel_write_xen_state(virtd_t) ++ + xen_exec(virtd_t) - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - xen_read_image_files(virtd_t) -@@ -402,35 +581,85 @@ optional_policy(` - # - # virtual domains common policy - # -- --allow virt_domain self:capability { dac_read_search dac_override kill }; --allow virt_domain self:process { execmem execstack 
signal getsched signull }; --allow virt_domain self:fifo_file rw_file_perms; ++ xen_stream_connect(virtd_t) ++ xen_stream_connect_xenstore(virtd_t) ++ xen_read_image_files(virtd_t) ++') ++ ++optional_policy(` ++ udev_domtrans(virtd_t) ++ udev_read_db(virtd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(virtd_t) ++') ++ ++######################################## ++# ++# virtual domains common policy ++# +allow virt_domain self:process { signal getsched signull }; +allow virt_domain self:fifo_file rw_fifo_file_perms; - allow virt_domain self:shm create_shm_perms; - allow virt_domain self:unix_stream_socket create_stream_socket_perms; - allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; - allow virt_domain self:tcp_socket create_stream_socket_perms; ++allow virt_domain self:shm create_shm_perms; ++allow virt_domain self:unix_stream_socket create_stream_socket_perms; ++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; ++allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) 
@@ -71798,119 +82623,153 @@ index 947bbc6..12c15cb 100644 +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; - - append_files_pattern(virt_domain, virt_log_t, virt_log_t) - - append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - --kernel_read_system_state(virt_domain) -- - corecmd_exec_bin(virt_domain) - corecmd_exec_shell(virt_domain) - --corenet_all_recvfrom_unlabeled(virt_domain) --corenet_all_recvfrom_netlabel(virt_domain) - corenet_tcp_sendrecv_generic_if(virt_domain) - corenet_tcp_sendrecv_generic_node(virt_domain) - corenet_tcp_sendrecv_all_ports(virt_domain) - corenet_tcp_bind_generic_node(virt_domain) - corenet_tcp_bind_vnc_port(virt_domain) --corenet_rw_tun_tap_dev(virt_domain) - corenet_tcp_bind_virt_migration_port(virt_domain) - corenet_tcp_connect_virt_migration_port(virt_domain) ++ ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++ ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) ++ ++corecmd_exec_bin(virt_domain) ++corecmd_exec_shell(virt_domain) ++ ++corenet_tcp_sendrecv_generic_if(virt_domain) ++corenet_tcp_sendrecv_generic_node(virt_domain) ++corenet_tcp_sendrecv_all_ports(virt_domain) ++corenet_tcp_bind_generic_node(virt_domain) ++corenet_tcp_bind_vnc_port(virt_domain) ++corenet_tcp_bind_virt_migration_port(virt_domain) ++corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) - ++ +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_read_generic_symlinks(virt_domain) - dev_read_rand(virt_domain) - dev_read_sound(virt_domain) - dev_read_urand(virt_domain) -@@ -438,34 +667,628 @@ dev_write_sound(virt_domain) - dev_rw_ksm(virt_domain) - dev_rw_kvm(virt_domain) - dev_rw_qemu(virt_domain) ++dev_read_rand(virt_domain) ++dev_read_sound(virt_domain) ++dev_read_urand(virt_domain) ++dev_write_sound(virt_domain) ++dev_rw_ksm(virt_domain) ++dev_rw_kvm(virt_domain) 
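Review bot: The new side adds `optional_policy(` unconfined_domain(virtd_t) ')`, which makes libvirtd an unconfined domain wherever the unconfined module is loaded, so in that configuration most of the virtd_t rules in this file are no longer the effective policy. The old side of the Fedora patch is not visible outside this hunk, so this may be a move rather than a new grant, but either way a comment is warranted for a daemon that elsewhere in this diff already receives `compromise_kernel`, `sys_admin` and all-ports networking, e.g. `# virtd_t is unconfined when the unconfined module is present; the rules above apply only without it — TODO confirm`. Also, `allow virt_domain self:udp_socket create_socket_perms;` in the common virt_domain policy is unconditional while raw IP sockets for the same domains are gated by a boolean later in this diff; if guests are not all expected to need UDP, a matching tunable would keep the two consistent.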
++dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) ++ ++domain_use_interactive_fds(virt_domain) - domain_use_interactive_fds(virt_domain) - --files_read_etc_files(virt_domain) +- optional_policy(` +- avahi_dbus_chat(virtd_t) +- ') +files_read_mnt_symlinks(virt_domain) - files_read_usr_files(virt_domain) - files_read_var_files(virt_domain) - files_search_all(virt_domain) ++files_read_usr_files(virt_domain) ++files_read_var_files(virt_domain) ++files_search_all(virt_domain) +- optional_policy(` +- consolekit_dbus_chat(virtd_t) +- ') +fs_getattr_xattr_fs(virt_domain) - fs_getattr_tmpfs(virt_domain) - fs_rw_anon_inodefs_files(virt_domain) - fs_rw_tmpfs_files(virt_domain) ++fs_getattr_tmpfs(virt_domain) ++fs_rw_anon_inodefs_files(virt_domain) ++fs_rw_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +- optional_policy(` +- firewalld_dbus_chat(virtd_t) +- ') +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) --term_use_all_terms(virt_domain) +- optional_policy(` +- hal_dbus_chat(virtd_t) +- ') +sysnet_read_config(virt_domain) -+ + +- optional_policy(` +- networkmanager_dbus_chat(virtd_t) +- ') +term_use_all_inherited_terms(virt_domain) - term_getattr_pty_fs(virt_domain) - term_use_generic_ptys(virt_domain) - term_use_ptmx(virt_domain) ++term_getattr_pty_fs(virt_domain) ++term_use_generic_ptys(virt_domain) ++term_use_ptmx(virt_domain) --logging_send_syslog_msg(virt_domain) +- optional_policy(` +- policykit_dbus_chat(virtd_t) +- ') +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; -+') + ') --miscfiles_read_localization(virt_domain) -+optional_policy(` + optional_policy(` +- dmidecode_domtrans(virtd_t) + alsa_read_rw_config(virt_domain) -+') + ') optional_policy(` - ptchown_domtrans(virt_domain) +- dnsmasq_domtrans(virtd_t) +- dnsmasq_signal(virtd_t) +- dnsmasq_kill(virtd_t) +- dnsmasq_signull(virtd_t) +- dnsmasq_create_pid_dirs(virtd_t) +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") +- dnsmasq_manage_pid_files(virtd_t) ++ ptchown_domtrans(virt_domain) ') optional_policy(` +- iptables_domtrans(virtd_t) +- iptables_initrc_domtrans(virtd_t) +- iptables_manage_config(virtd_t) + pulseaudio_dontaudit_exec(virt_domain) -+') -+ -+optional_policy(` - virt_read_config(virt_domain) - virt_read_lib_files(virt_domain) - virt_read_content(virt_domain) - virt_stream_connect(virt_domain) + ') + + optional_policy(` +- kerberos_keytab_template(virtd, virtd_t) ++ virt_read_config(virt_domain) ++ virt_read_lib_files(virt_domain) ++ virt_read_content(virt_domain) ++ virt_stream_connect(virt_domain) + virt_domtrans_bridgehelper(virt_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- lvm_domtrans(virtd_t) + xserver_rw_shm(virt_domain) ') -+ + 
+-optional_policy(` +- mount_domtrans(virtd_t) +- mount_signal(virtd_t) +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) -+') -+ + ') + +-optional_policy(` +- policykit_domtrans_auth(virtd_t) +- policykit_domtrans_resolve(virtd_t) +- policykit_read_lib(virtd_t) +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) -+') -+ + ') + +-optional_policy(` +- qemu_exec(virtd_t) +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) -+') -+ + ') + +-optional_policy(` +- sasl_connect(virtd_t) +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) 
@@ -71928,37 +82787,49 @@ index 947bbc6..12c15cb 100644 + dev_read_sysfs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- kernel_read_xen_state(virtd_t) +- kernel_write_xen_state(virtd_t) + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') +') -+ + +- xen_exec(virtd_t) +- xen_stream_connect(virtd_t) +- xen_stream_connect_xenstore(virtd_t) +- xen_read_image_files(virtd_t) +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; -+') -+ -+optional_policy(` + ') + + optional_policy(` +- udev_domtrans(virtd_t) +- udev_read_db(virtd_t) + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Virsh local policy +# xm local policy -+# + # +type virsh_t; +type virsh_exec_t; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_chroot sys_nice sys_tty_config }; -+allow virsh_t self:process { getcap getsched setsched setcap signal }; -+allow virsh_t self:fifo_file rw_fifo_file_perms; + allow virsh_t self:process { getcap getsched setsched setcap signal }; + allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + 
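Review bot: The comment `# I think we need these for now.` above `miscfiles_read_public_files(virt_domain)` and `storage_raw_read_removable_device(virt_domain)` records doubt but no reason, and the second rule lets every guest domain read raw removable block devices unconditionally. Replace it with what needs the access and when it can go, e.g. `# raw reads of removable devices: needed for <use case> — TODO confirm; move behind a boolean once known`, or gate the storage rule the way the `virt_use_fusefs`/`virt_use_nfs`/`virt_use_samba` tunables in this hunk gate filesystem access. The virt_domain block continues into the next hunk.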
@@ -71969,225 +82840,217 @@ index 947bbc6..12c15cb 100644 +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) -+ -+manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -+ -+manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) + + manage_files_pattern(virsh_t, virt_image_type, virt_image_type) + manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +@@ -758,23 +815,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) + manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) + manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) + manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +virt_transition_svirt_lxc(virsh_t, system_r) -+ + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; -+ -+kernel_read_system_state(virsh_t) -+kernel_read_network_state(virsh_t) -+kernel_read_kernel_sysctls(virsh_t) 
-+kernel_read_sysctl(virsh_t) -+kernel_read_xen_state(virsh_t) -+kernel_write_xen_state(virsh_t) -+ -+corecmd_exec_bin(virsh_t) -+corecmd_exec_shell(virsh_t) -+ -+corenet_tcp_sendrecv_generic_if(virsh_t) -+corenet_tcp_sendrecv_generic_node(virsh_t) -+corenet_tcp_connect_soundd_port(virsh_t) -+ -+dev_read_rand(virsh_t) -+dev_read_urand(virsh_t) -+dev_read_sysfs(virsh_t) -+ -+files_read_etc_runtime_files(virsh_t) -+files_read_etc_files(virsh_t) -+files_read_usr_files(virsh_t) -+files_list_mnt(virsh_t) -+files_list_tmp(virsh_t) + +-can_exec(virsh_t, virsh_exec_t) +- +-virt_domtrans(virsh_t) +-virt_manage_images(virsh_t) +-virt_manage_config(virsh_t) +-virt_stream_connect(virsh_t) +- +-kernel_read_crypto_sysctls(virsh_t) + kernel_read_system_state(virsh_t) + kernel_read_network_state(virsh_t) + kernel_read_kernel_sysctls(virsh_t) +@@ -785,15 +833,9 @@ kernel_write_xen_state(virsh_t) + corecmd_exec_bin(virsh_t) + corecmd_exec_shell(virsh_t) + +-corenet_all_recvfrom_unlabeled(virsh_t) +-corenet_all_recvfrom_netlabel(virsh_t) + corenet_tcp_sendrecv_generic_if(virsh_t) + corenet_tcp_sendrecv_generic_node(virsh_t) +-corenet_tcp_bind_generic_node(virsh_t) +- +-corenet_sendrecv_soundd_client_packets(virsh_t) + corenet_tcp_connect_soundd_port(virsh_t) +-corenet_tcp_sendrecv_soundd_port(virsh_t) + + dev_read_rand(virsh_t) + dev_read_urand(virsh_t) +@@ -804,6 +846,7 @@ files_read_etc_files(virsh_t) + files_read_usr_files(virsh_t) + files_list_mnt(virsh_t) + files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) -+ -+fs_getattr_all_fs(virsh_t) -+fs_manage_xenfs_dirs(virsh_t) -+fs_manage_xenfs_files(virsh_t) -+fs_search_auto_mountpoints(virsh_t) -+ -+storage_raw_read_fixed_disk(virsh_t) -+ + + fs_getattr_all_fs(virsh_t) + fs_manage_xenfs_dirs(virsh_t) +@@ -812,24 +855,21 @@ fs_search_auto_mountpoints(virsh_t) + + storage_raw_read_fixed_disk(virsh_t) + +-term_use_all_terms(virsh_t) +term_use_all_inherited_terms(virsh_t) + +userdom_search_admin_dir(virsh_t) 
+userdom_read_home_certs(virsh_t) -+ -+init_stream_connect_script(virsh_t) -+init_rw_script_stream_sockets(virsh_t) -+init_use_fds(virsh_t) -+ + + init_stream_connect_script(virsh_t) + init_rw_script_stream_sockets(virsh_t) + init_use_fds(virsh_t) + +-logging_send_syslog_msg(virsh_t) +auth_read_passwd(virsh_t) -+ + +-miscfiles_read_localization(virsh_t) +logging_send_syslog_msg(virsh_t) -+ -+sysnet_dns_name_resolve(virsh_t) -+ -+tunable_policy(`virt_use_nfs',` -+ fs_manage_nfs_dirs(virsh_t) -+ fs_manage_nfs_files(virsh_t) -+ fs_read_nfs_symlinks(virsh_t) -+') -+ -+tunable_policy(`virt_use_samba',` -+ fs_manage_cifs_files(virsh_t) -+ fs_manage_cifs_files(virsh_t) -+ fs_read_cifs_symlinks(virsh_t) -+') -+ -+optional_policy(` -+ cron_system_entry(virsh_t, virsh_exec_t) -+') -+ -+optional_policy(` + + sysnet_dns_name_resolve(virsh_t) + +-tunable_policy(`virt_use_fusefs',` +- fs_manage_fusefs_dirs(virsh_t) +- fs_manage_fusefs_files(virsh_t) +- fs_read_fusefs_symlinks(virsh_t) +-') +- + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) +@@ -847,6 +887,10 @@ optional_policy(` + ') + + optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` -+ rpm_exec(virsh_t) -+') -+ -+optional_policy(` -+ xen_manage_image_dirs(virsh_t) -+ xen_append_log(virsh_t) -+ xen_domtrans(virsh_t) + rpm_exec(virsh_t) + ') + +@@ -854,7 +898,7 @@ optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) +- xen_read_xenstored_pid_files(virsh_t) + xen_read_pid_files_xenstored(virsh_t) -+ xen_stream_connect(virsh_t) -+ xen_stream_connect_xenstore(virsh_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(virsh_t) -+ -+ optional_policy(` -+ hal_dbus_chat(virsh_t) -+ ') -+') -+ -+optional_policy(` -+ vhostmd_rw_tmpfs_files(virsh_t) -+ vhostmd_stream_connect(virsh_t) -+ vhostmd_dontaudit_rw_stream_connect(virsh_t) -+') -+ -+optional_policy(` -+ ssh_basic_client_template(virsh, virsh_t, system_r) -+ 
-+ kernel_read_xen_state(virsh_ssh_t) -+ kernel_write_xen_state(virsh_ssh_t) -+ + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) + ') +@@ -879,34 +923,39 @@ optional_policy(` + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; -+ files_search_tmp(virsh_ssh_t) -+ -+ fs_manage_xenfs_dirs(virsh_ssh_t) -+ fs_manage_xenfs_files(virsh_ssh_t) + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Lxc local policy +# virt_lxc local policy -+# -+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; + # +- + allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; +allow virtd_lxc_t self:capability2 compromise_kernel; + -+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; -+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; + allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; + allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +-allow virtd_lxc_t self:netlink_route_socket nlmsg_write; +-allow virtd_lxc_t self:unix_stream_socket { accept listen }; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms; -+allow virtd_lxc_t self:packet_socket create_socket_perms; -+ -+allow virtd_lxc_t virt_image_type:dir mounton; -+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) -+ + allow virtd_lxc_t self:packet_socket create_socket_perms; + +-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; +- + allow 
virtd_lxc_t virt_image_type:dir mounton; + manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { signal signull sigkill }; + -+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) -+ -+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; -+allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; + + manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) + manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +965,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) + manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) + allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; + allow virtd_lxc_t 
svirt_lxc_file_t:filesystem { relabelto relabelfrom }; +files_associate_rootfs(svirt_lxc_file_t) -+ -+storage_manage_fixed_disk(virtd_lxc_t) + + storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) -+ -+kernel_read_all_sysctls(virtd_lxc_t) -+kernel_read_network_state(virtd_lxc_t) -+kernel_read_system_state(virtd_lxc_t) + + kernel_read_all_sysctls(virtd_lxc_t) + kernel_read_network_state(virtd_lxc_t) + kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) -+ -+corecmd_exec_bin(virtd_lxc_t) -+corecmd_exec_shell(virtd_lxc_t) -+ -+dev_relabel_all_dev_nodes(virtd_lxc_t) -+dev_rw_sysfs(virtd_lxc_t) -+dev_read_sysfs(virtd_lxc_t) -+dev_read_urand(virtd_lxc_t) -+ -+domain_use_interactive_fds(virtd_lxc_t) -+ -+files_search_all(virtd_lxc_t) -+files_getattr_all_files(virtd_lxc_t) -+files_read_usr_files(virtd_lxc_t) -+files_relabel_rootfs(virtd_lxc_t) -+files_mounton_non_security(virtd_lxc_t) -+files_mount_all_file_type_fs(virtd_lxc_t) -+files_unmount_all_file_type_fs(virtd_lxc_t) -+files_list_isid_type_dirs(virtd_lxc_t) -+files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) -+ -+fs_getattr_all_fs(virtd_lxc_t) -+fs_manage_tmpfs_dirs(virtd_lxc_t) -+fs_manage_tmpfs_chr_files(virtd_lxc_t) -+fs_manage_tmpfs_symlinks(virtd_lxc_t) -+fs_manage_cgroup_dirs(virtd_lxc_t) -+fs_mounton_tmpfs(virtd_lxc_t) -+fs_remount_all_fs(virtd_lxc_t) -+fs_rw_cgroup_files(virtd_lxc_t) -+fs_unmount_all_fs(virtd_lxc_t) -+fs_relabelfrom_tmpfs(virtd_lxc_t) -+ + + corecmd_exec_bin(virtd_lxc_t) + corecmd_exec_shell(virtd_lxc_t) +@@ -933,7 +985,6 @@ dev_read_urand(virtd_lxc_t) + + domain_use_interactive_fds(virtd_lxc_t) + +-files_associate_rootfs(svirt_lxc_file_t) + files_search_all(virtd_lxc_t) + files_getattr_all_files(virtd_lxc_t) + files_read_usr_files(virtd_lxc_t) +@@ -955,15 +1006,11 @@ fs_rw_cgroup_files(virtd_lxc_t) + fs_unmount_all_fs(virtd_lxc_t) + fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + 
-+selinux_mount_fs(virtd_lxc_t) -+selinux_unmount_fs(virtd_lxc_t) + selinux_mount_fs(virtd_lxc_t) + selinux_unmount_fs(virtd_lxc_t) +-selinux_get_enforce_mode(virtd_lxc_t) +-selinux_get_fs_mount(virtd_lxc_t) +-selinux_validate_context(virtd_lxc_t) +-selinux_compute_access_vector(virtd_lxc_t) +-selinux_compute_create_context(virtd_lxc_t) +-selinux_compute_relabel_context(virtd_lxc_t) +-selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) -+ -+term_use_generic_ptys(virtd_lxc_t) -+term_use_ptmx(virtd_lxc_t) -+term_relabel_pty_fs(virtd_lxc_t) -+ -+auth_use_nsswitch(virtd_lxc_t) -+ -+logging_send_syslog_msg(virtd_lxc_t) -+ -+seutil_domtrans_setfiles(virtd_lxc_t) -+seutil_read_default_contexts(virtd_lxc_t) -+ + + term_use_generic_ptys(virtd_lxc_t) + term_use_ptmx(virtd_lxc_t) +@@ -973,20 +1020,39 @@ auth_use_nsswitch(virtd_lxc_t) + + logging_send_syslog_msg(virtd_lxc_t) + +-miscfiles_read_localization(virtd_lxc_t) +- + seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) + seutil_read_default_contexts(virtd_lxc_t) + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) @@ -72197,14 +83060,17 @@ index 947bbc6..12c15cb 100644 +selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + ++sysnet_exec_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') -+ -+######################################## -+# + + ######################################## + # +-# Common virt lxc domain local policy +# virt_lxc_domain local policy -+# + # +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock }; + +allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; 
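Review bot: This hunk drops upstream's `tunable_policy(`virt_use_fusefs',` block for virsh_t (the `+-` lines just before the `virt_use_nfs` tunable in the virsh_t section) while the `virt_use_nfs`/`virt_use_samba` tunables for virsh_t are kept and `virt_use_fusefs` is still honoured for virt_domain earlier in the file; if virsh is not meant to manage FUSE-backed image directories that decision should be recorded in the spec changelog, otherwise the upstream block should be retained. The comment `# Some common macros (you might be able to remove some)` carried forward into the virsh_t section reads as policy-generator boilerplate and should be deleted rather than rebased again. The virsh_t section this hunk edits starts before the hunk, and the virtd_lxc_t section it ends in continues past it.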
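Review bot: `sysnet_exec_ifconfig(virtd_lxc_t)` (the `++` line) makes virtd_lxc_t run the ip/ifconfig binaries in its own domain, and the preceding hunk removes upstream's `sysnet_domtrans_ifconfig(virtd_lxc_t)`, so network setup no longer transitions to ifconfig_t but runs with virtd_lxc_t's full capability set (net_admin, sys_admin and `capability2 compromise_kernel` per the earlier hunk) and is audited under virtd_lxc_t. With `optional_policy(` unconfined_domain(virtd_lxc_t) ')` directly below, this is moot whenever the unconfined module is loaded, but on a system without it the reason for giving up the transition is not recorded anywhere. A one-line comment above the new rule, `# ip/ifconfig run in-domain instead of transitioning to ifconfig_t: <reason placeholder>`, would save the next rebase from re-adding the domtrans. The virtd_lxc_t section starts before this hunk.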
@@ -72215,185 +83081,231 @@ index 947bbc6..12c15cb 100644 +allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms; +allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -+ -+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:fifo_file manage_file_perms; -+allow svirt_lxc_domain self:sem create_sem_perms; -+allow svirt_lxc_domain self:shm create_shm_perms; -+allow svirt_lxc_domain self:msgq create_msgq_perms; -+allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -+ -+manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -+rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; + allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; + allow svirt_lxc_domain self:fifo_file manage_file_perms; + allow svirt_lxc_domain self:sem create_sem_perms; +@@ -995,19 +1061,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; + allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; + allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; + +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file 
rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- + manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) + rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +can_exec(svirt_lxc_domain, svirt_lxc_file_t) -+allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; -+allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -+ -+kernel_getattr_proc(svirt_lxc_domain) -+kernel_list_all_proc(svirt_lxc_domain) -+kernel_read_kernel_sysctls(svirt_lxc_domain) -+kernel_rw_net_sysctls(svirt_lxc_domain) -+kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -+ -+corecmd_exec_all_executables(svirt_lxc_domain) -+ -+files_dontaudit_getattr_all_dirs(svirt_lxc_domain) -+files_dontaudit_getattr_all_files(svirt_lxc_domain) -+files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) -+files_dontaudit_getattr_all_pipes(svirt_lxc_domain) -+files_dontaudit_getattr_all_sockets(svirt_lxc_domain) -+files_dontaudit_list_all_mountpoints(svirt_lxc_domain) -+files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) + allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; + allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; + 
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- + kernel_getattr_proc(svirt_lxc_domain) + kernel_list_all_proc(svirt_lxc_domain) + kernel_read_kernel_sysctls(svirt_lxc_domain) + kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) + kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) + + corecmd_exec_all_executables(svirt_lxc_domain) +@@ -1037,21 +1087,21 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) + files_dontaudit_getattr_all_sockets(svirt_lxc_domain) + files_dontaudit_list_all_mountpoints(svirt_lxc_domain) + files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +files_entrypoint_all_files(svirt_lxc_domain) -+files_list_var(svirt_lxc_domain) -+files_list_var_lib(svirt_lxc_domain) -+files_search_all(svirt_lxc_domain) -+files_read_config_files(svirt_lxc_domain) -+files_read_usr_files(svirt_lxc_domain) -+files_read_usr_symlinks(svirt_lxc_domain) + files_list_var(svirt_lxc_domain) + files_list_var_lib(svirt_lxc_domain) + files_search_all(svirt_lxc_domain) + files_read_config_files(svirt_lxc_domain) + files_read_usr_files(svirt_lxc_domain) + files_read_usr_symlinks(svirt_lxc_domain) +files_search_locks(svirt_lxc_domain) -+ -+fs_getattr_all_fs(svirt_lxc_domain) -+fs_list_inotifyfs(svirt_lxc_domain) + + fs_getattr_all_fs(svirt_lxc_domain) + fs_list_inotifyfs(svirt_lxc_domain) +fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -+ ++fs_read_fusefs_files(svirt_lxc_net_t) + +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +auth_dontaudit_read_passwd(svirt_lxc_domain) -+auth_dontaudit_read_login_records(svirt_lxc_domain) -+auth_dontaudit_write_login_records(svirt_lxc_domain) -+auth_search_pam_console_data(svirt_lxc_domain) -+ -+clock_read_adjtime(svirt_lxc_domain) -+ -+init_read_utmp(svirt_lxc_domain) -+init_dontaudit_write_utmp(svirt_lxc_domain) -+ 
-+libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -+ -+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) -+miscfiles_read_fonts(svirt_lxc_domain) -+ + auth_dontaudit_read_login_records(svirt_lxc_domain) + auth_dontaudit_write_login_records(svirt_lxc_domain) + auth_search_pam_console_data(svirt_lxc_domain) +@@ -1063,11 +1113,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) + + libs_dontaudit_setattr_lib_files(svirt_lxc_domain) + +-miscfiles_read_localization(svirt_lxc_domain) + miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) + miscfiles_read_fonts(svirt_lxc_domain) + +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +') + +systemd_read_unit_files(svirt_lxc_domain) -+ -+optional_policy(` -+ udev_read_pid_files(svirt_lxc_domain) -+') -+ -+optional_policy(` -+ apache_exec_modules(svirt_lxc_domain) -+ apache_read_sys_content(svirt_lxc_domain) -+') -+ + + optional_policy(` + udev_read_pid_files(svirt_lxc_domain) +@@ -1078,81 +1131,63 @@ optional_policy(` + apache_read_sys_content(svirt_lxc_domain) + ') + +-######################################## +-# +-# Lxc net local policy +-# +virt_lxc_domain_template(svirt_lxc_net) -+ + +-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+dontaudit svirt_lxc_net_t self:capability2 block_suspend; + dontaudit svirt_lxc_net_t self:capability2 block_suspend; +allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -+allow svirt_lxc_net_t self:process setrlimit; + allow svirt_lxc_net_t self:process setrlimit; +-allow svirt_lxc_net_t self:tcp_socket { accept listen }; +-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; + +allow 
svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms; -+allow svirt_lxc_net_t self:packet_socket create_socket_perms; -+allow svirt_lxc_net_t self:socket create_socket_perms; -+allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -+allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -+ -+kernel_read_network_state(svirt_lxc_net_t) -+kernel_read_irq_sysctls(svirt_lxc_net_t) -+ + allow svirt_lxc_net_t self:packet_socket create_socket_perms; + allow svirt_lxc_net_t self:socket create_socket_perms; + allow svirt_lxc_net_t self:rawip_socket create_socket_perms; +-allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; + + kernel_read_network_state(svirt_lxc_net_t) + kernel_read_irq_sysctls(svirt_lxc_net_t) + +-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) +-corenet_all_recvfrom_netlabel(svirt_lxc_net_t) +-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) +-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t) +-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t) +-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t) +-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) +-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) +dev_getattr_mtrr_dev(svirt_lxc_net_t) +dev_read_rand(svirt_lxc_net_t) +dev_read_urand(svirt_lxc_net_t) + -+corenet_tcp_bind_generic_node(svirt_lxc_net_t) -+corenet_udp_bind_generic_node(svirt_lxc_net_t) + corenet_tcp_bind_generic_node(svirt_lxc_net_t) + corenet_udp_bind_generic_node(svirt_lxc_net_t) +- +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) 
+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -+corenet_udp_bind_all_ports(svirt_lxc_net_t) -+corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+ -+files_read_kernel_modules(svirt_lxc_net_t) -+ + corenet_udp_bind_all_ports(svirt_lxc_net_t) + corenet_tcp_bind_all_ports(svirt_lxc_net_t) +- +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) + corenet_tcp_connect_all_ports(svirt_lxc_net_t) + +-dev_getattr_mtrr_dev(svirt_lxc_net_t) +-dev_read_rand(svirt_lxc_net_t) +-dev_read_sysfs(svirt_lxc_net_t) +-dev_read_urand(svirt_lxc_net_t) +- + files_read_kernel_modules(svirt_lxc_net_t) + +fs_noxattr_type(svirt_lxc_file_t) -+fs_mount_cgroup(svirt_lxc_net_t) -+fs_manage_cgroup_dirs(svirt_lxc_net_t) + fs_mount_cgroup(svirt_lxc_net_t) + fs_manage_cgroup_dirs(svirt_lxc_net_t) +-fs_rw_cgroup_files(svirt_lxc_net_t) +- +-auth_use_nsswitch(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) -+ + +-logging_send_audit_msgs(svirt_lxc_net_t) +term_pty(svirt_lxc_file_t) -+ + +-userdom_use_user_ptys(svirt_lxc_net_t) +auth_use_nsswitch(svirt_lxc_net_t) -+ + +-optional_policy(` +- rpm_read_db(svirt_lxc_net_t) +-') +rpm_read_db(svirt_lxc_net_t) -+ + +-####################################### +-# +-# Prot exec local policy +-# +logging_send_audit_msgs(svirt_lxc_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +userdom_use_inherited_user_ptys(svirt_lxc_net_t) -+ -+######################################## -+# + + ######################################## + # +-# Qmf local policy +# virt_qmf local policy -+# -+allow virt_qmf_t self:capability { sys_nice sys_tty_config }; -+allow virt_qmf_t self:process { setsched signal }; -+allow virt_qmf_t self:fifo_file rw_fifo_file_perms; + # +- + allow virt_qmf_t self:capability { sys_nice sys_tty_config }; + allow virt_qmf_t self:process { setsched signal }; + allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +-allow virt_qmf_t self:unix_stream_socket { accept listen }; +allow 
virt_qmf_t self:unix_stream_socket create_stream_socket_perms; -+allow virt_qmf_t self:tcp_socket create_stream_socket_perms; -+allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -+ -+can_exec(virt_qmf_t, virtd_exec_t) -+ -+kernel_read_system_state(virt_qmf_t) -+kernel_read_network_state(virt_qmf_t) -+ -+dev_read_sysfs(virt_qmf_t) -+dev_read_rand(virt_qmf_t) -+dev_read_urand(virt_qmf_t) -+ + allow virt_qmf_t self:tcp_socket create_stream_socket_perms; + allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + +@@ -1165,12 +1200,12 @@ dev_read_sysfs(virt_qmf_t) + dev_read_rand(virt_qmf_t) + dev_read_urand(virt_qmf_t) + +corenet_tcp_connect_matahari_port(virt_qmf_t) + -+domain_use_interactive_fds(virt_qmf_t) -+ -+logging_send_syslog_msg(virt_qmf_t) -+ -+sysnet_read_config(virt_qmf_t) -+ -+optional_policy(` -+ dbus_read_lib_files(virt_qmf_t) -+') -+ -+optional_policy(` -+ virt_stream_connect(virt_qmf_t) -+') -+ -+######################################## -+# + domain_use_interactive_fds(virt_qmf_t) + + logging_send_syslog_msg(virt_qmf_t) + +-miscfiles_read_localization(virt_qmf_t) +- + sysnet_read_config(virt_qmf_t) + + optional_policy(` +@@ -1183,9 +1218,8 @@ optional_policy(` + + ######################################## + # +-# Bridgehelper local policy +# virt_bridgehelper local policy -+# -+allow virt_bridgehelper_t self:process { setcap getcap }; -+allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; -+allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -+allow virt_bridgehelper_t self:tun_socket create_socket_perms; -+allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; -+ -+manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t) -+ -+kernel_read_network_state(virt_bridgehelper_t) -+ -+corenet_rw_tun_tap_dev(virt_bridgehelper_t) -+ + # +- + allow virt_bridgehelper_t self:process { setcap getcap }; + allow virt_bridgehelper_t self:capability { setpcap 
setgid setuid net_admin }; + allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1198,5 +1232,66 @@ kernel_read_network_state(virt_bridgehelper_t) + + corenet_rw_tun_tap_dev(virt_bridgehelper_t) + +-userdom_search_user_home_dirs(virt_bridgehelper_t) +-userdom_use_user_ptys(virt_bridgehelper_t) +userdom_use_inherited_user_ptys(virt_bridgehelper_t) + +####################################### @@ -72457,27 +83369,26 @@ index 947bbc6..12c15cb 100644 +type svirt_socket_t; +role system_r types svirt_socket_t; +allow svirt_t svirt_socket_t:unix_stream_socket connectto; -+ -+ diff --git a/vlock.te b/vlock.te -index 2511093..669dc13 100644 +index 9ead775..b5285e7 100644 --- a/vlock.te +++ b/vlock.te -@@ -47,7 +47,5 @@ init_dontaudit_rw_utmp(vlock_t) +@@ -38,7 +38,7 @@ auth_use_pam(vlock_t) - logging_send_syslog_msg(vlock_t) + init_dontaudit_rw_utmp(vlock_t) -miscfiles_read_localization(vlock_t) -- ++logging_send_syslog_msg(vlock_t) + userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmware.te b/vmware.te -index 7d334c4..979e82f 100644 +index 3a56513..1fb1463 100644 --- a/vmware.te +++ b/vmware.te -@@ -68,7 +68,8 @@ ifdef(`enable_mcs',` - # VMWare host local policy +@@ -65,7 +65,8 @@ ifdef(`enable_mcs',` + # Host local policy # -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; @@ -72486,7 +83397,7 @@ index 7d334c4..979e82f 100644 dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; -@@ -97,8 +98,8 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) +@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t) kernel_read_kernel_sysctls(vmware_host_t) kernel_read_system_state(vmware_host_t) kernel_read_network_state(vmware_host_t) 
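Review bot: `fs_read_fusefs_files(svirt_lxc_net_t)` (the `++` line in the `fs_*` run of the svirt_lxc_domain section) grants every networked container domain unconditional read access to FUSE-mounted files, whereas the equivalent FUSE access for virt_domain at the start of this chunk is gated by the `virt_use_fusefs` boolean; wrapping it the same way, `tunable_policy(`virt_use_fusefs',` fs_read_fusefs_files(svirt_lxc_net_t) ')`, keeps user-mounted FUSE trees out of containers by default and lets an administrator opt in. The rule also targets svirt_lxc_net_t but is placed before `virt_lxc_domain_template(svirt_lxc_net)` among the generic svirt_lxc_domain rules; moving it next to the other svirt_lxc_net_t rules would make its scope obvious. Separately, the hunk deletes upstream's commented-out `# files_entrypoint_all_files(svirt_lxc_domain)` and keeps the live call, which allows any file type as an entrypoint for container domains; that looks deliberate, but the reason belongs in a comment next to the call since upstream chose not to enable it.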
@@ -72496,7 +83407,7 @@ index 7d334c4..979e82f 100644 corenet_all_recvfrom_netlabel(vmware_host_t) corenet_tcp_sendrecv_generic_if(vmware_host_t) corenet_udp_sendrecv_generic_if(vmware_host_t) -@@ -122,6 +123,7 @@ dev_getattr_all_blk_files(vmware_host_t) +@@ -115,6 +116,7 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) @@ -72504,7 +83415,7 @@ index 7d334c4..979e82f 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -@@ -129,7 +131,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) +@@ -122,7 +124,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) files_list_tmp(vmware_host_t) files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) @@ -72513,7 +83424,7 @@ index 7d334c4..979e82f 100644 fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) -@@ -145,8 +147,6 @@ libs_exec_ld_so(vmware_host_t) +@@ -138,8 +140,6 @@ libs_exec_ld_so(vmware_host_t) logging_send_syslog_msg(vmware_host_t) @@ -72522,7 +83433,7 @@ index 7d334c4..979e82f 100644 sysnet_dns_name_resolve(vmware_host_t) sysnet_domtrans_ifconfig(vmware_host_t) -@@ -156,11 +156,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) +@@ -149,11 +149,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) netutils_domtrans_ping(vmware_host_t) optional_policy(` @@ -72551,8 +83462,8 @@ index 7d334c4..979e82f 100644 ') optional_policy(` -@@ -269,9 +285,8 @@ libs_exec_ld_so(vmware_t) - # Access X11 config files +@@ -258,9 +274,8 @@ storage_raw_write_removable_device(vmware_t) + libs_exec_ld_so(vmware_t) libs_read_lib_files(vmware_t) -miscfiles_read_localization(vmware_t) 
@@ -72560,13 +83471,13 @@ index 7d334c4..979e82f 100644 -userdom_use_user_terminals(vmware_t) +userdom_use_inherited_user_terminals(vmware_t) userdom_list_user_home_dirs(vmware_t) - # cjp: why? - userdom_read_user_home_content_files(vmware_t) + + sysnet_dns_name_resolve(vmware_t) diff --git a/vnstatd.if b/vnstatd.if -index 727fe95..47ec114 100644 +index 137ac44..a0089e6 100644 --- a/vnstatd.if +++ b/vnstatd.if -@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',` +@@ -152,12 +152,6 @@ interface(`vnstatd_manage_lib_files',` ## Domain allowed access. ##
    ## @@ -72579,25 +83490,28 @@ index 727fe95..47ec114 100644 # interface(`vnstatd_admin',` gen_require(` - type vnstatd_t, vnstatd_var_lib_t; +@@ -165,9 +159,13 @@ interface(`vnstatd_admin',` + type vnstatd_var_run_t; ') - allow $1 vnstatd_t:process { ptrace signal_perms }; + allow $1 vnstatd_t:process signal_perms; ps_process_pattern($1, vnstatd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 vnstatd_t:process ptrace; + ') - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) ++ + init_labeled_script_domtrans($1, vnstatd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index 8121937..f90b43b 100644 +index febc3e5..9183e32 100644 --- a/vnstatd.te +++ b/vnstatd.te -@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal; +@@ -34,9 +34,13 @@ allow vnstatd_t self:process signal; allow vnstatd_t self:fifo_file rw_fifo_file_perms; - allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; + allow vnstatd_t self:unix_stream_socket { accept listen }; +manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) +manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) 
@@ -72610,18 +83524,24 @@ index 8121937..f90b43b 100644 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -@@ -47,8 +51,6 @@ fs_getattr_xattr_fs(vnstatd_t) +@@ -47,14 +51,10 @@ kernel_read_system_state(vnstatd_t) + + domain_use_interactive_fds(vnstatd_t) + +-files_read_etc_files(vnstatd_t) +- + fs_getattr_xattr_fs(vnstatd_t) logging_send_syslog_msg(vnstatd_t) -miscfiles_read_localization(vnstatd_t) - - optional_policy(` - cron_system_entry(vnstat_t, vnstat_exec_t) - ') -@@ -62,9 +64,9 @@ allow vnstat_t self:process signal; + ######################################## + # + # Client local policy +@@ -64,23 +64,19 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; - allow vnstat_t self:unix_stream_socket create_stream_socket_perms; + allow vnstat_t self:unix_stream_socket { accept listen }; +files_search_var_lib(vnstat_t) manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) 
@@ -72630,17 +83550,75 @@ index 8121937..f90b43b 100644 kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) -@@ -76,5 +78,3 @@ files_read_etc_files(vnstat_t) + + domain_use_interactive_fds(vnstat_t) + +-files_read_etc_files(vnstat_t) +- fs_getattr_xattr_fs(vnstat_t) logging_send_syslog_msg(vnstat_t) -- + -miscfiles_read_localization(vnstat_t) +- + optional_policy(` + cron_system_entry(vnstat_t, vnstat_exec_t) + ') +diff --git a/vpn.fc b/vpn.fc +index 524ac2f..076dcc3 100644 +--- a/vpn.fc ++++ b/vpn.fc +@@ -1,7 +1,13 @@ +-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) ++# ++# sbin ++# ++/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + ++# ++# /usr ++# + /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) ++/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) ++/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/vpn.if b/vpn.if -index 7b93e07..a4e2f60 100644 +index 7a7f342..a4e2f60 100644 --- a/vpn.if +++ b/vpn.if -@@ -37,11 +37,16 @@ interface(`vpn_domtrans',` +@@ -1,8 +1,8 @@ +-## Virtual Private Networking client. ++## Virtual Private Networking client + + ######################################## + ## +-## Execute vpn clients in the vpnc domain. ++## Execute VPN clients in the vpnc domain. + ## + ## + ## +@@ -15,15 +15,13 @@ interface(`vpn_domtrans',` + type vpnc_t, vpnc_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, vpnc_exec_t, vpnc_t) + ') + + ######################################## + ## +-## Execute vpn clients in the vpnc +-## domain, and allow the specified +-## role the vpnc domain. ++## Execute VPN clients in the vpnc domain, and ++## allow the specified role the vpnc domain. + ## + ## + ## +@@ -39,16 +37,21 @@ interface(`vpn_domtrans',` # interface(`vpn_run',` gen_require(` 
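Review bot: The rewritten `vpn_domtrans` hunk drops `corecmd_search_bin($1)` ahead of `domtrans_pattern($1, vpnc_exec_t, vpnc_t)`, so a caller that does not already hold search on bin directories can no longer reach `/usr/sbin/vpnc` and the transition silently fails; keep `corecmd_search_bin($1)` unless every caller is known to obtain that permission elsewhere. The vpn.fc part of the hunk is whitespace and section comments only.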
@@ -72659,22 +83637,59 @@ index 7b93e07..a4e2f60 100644 ') ######################################## + ## +-## Send kill signals to vpnc. ++## Send VPN clients the kill signal. + ## + ## + ## +@@ -66,7 +69,7 @@ interface(`vpn_kill',` + + ######################################## + ## +-## Send generic signals to vpnc. ++## Send generic signals to VPN clients. + ## + ## + ## +@@ -84,7 +87,7 @@ interface(`vpn_signal',` + + ######################################## + ## +-## Send null signals to vpnc. ++## Send signull to VPN clients. + ## + ## + ## +@@ -103,7 +106,7 @@ interface(`vpn_signull',` + ######################################## + ## + ## Send and receive messages from +-## vpnc over dbus. ++## Vpnc over dbus. + ## + ## + ## diff --git a/vpn.te b/vpn.te -index 83a80ba..ddf48c0 100644 +index 9329eae..ddf48c0 100644 --- a/vpn.te +++ b/vpn.te -@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0) +@@ -1,17 +1,19 @@ +-policy_module(vpn, 1.15.1) ++policy_module(vpn, 1.15.0) + + ######################################## + # # Declarations # -attribute_role vpnc_roles; --roleattribute system_r vpnc_roles; +#attribute_role vpnc_roles; +#roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; -+init_system_domain(vpnc_t, vpnc_exec_t) + init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) -role vpnc_roles types vpnc_t; +#role vpnc_roles types vpnc_t; 
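Review bot: The patch's vpn.te hunk now rewrites `policy_module(vpn, 1.15.1)` to `policy_module(vpn, 1.15.0)`, lowering the module version below the upstream line it replaces; that looks like a rebase artifact and the two lines should be dropped from the patch (or the version bumped above 1.15.1) so versions only ever increase. Commenting out `attribute_role vpnc_roles;` and `role vpnc_roles types vpnc_t;` is consistent with the commented `#sysnet_run_ifconfig(vpnc_t, vpnc_roles)` further down, but a one-line comment saying the role attribute is intentionally unused in this branch would spare the next rebase the same question.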
@@ -72682,16 +83697,22 @@ index 83a80ba..ddf48c0 100644 type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) -@@ -24,7 +26,7 @@ files_pid_file(vpnc_var_run_t) - # Local policy - # - --allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; -+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; +@@ -28,9 +30,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -@@ -51,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t) +-allow vpnc_t self:tcp_socket { accept listen }; ++allow vpnc_t self:tcp_socket create_stream_socket_perms; ++allow vpnc_t self:udp_socket create_socket_perms; + allow vpnc_t self:rawip_socket create_socket_perms; ++allow vpnc_t self:unix_dgram_socket create_socket_perms; ++allow vpnc_t self:unix_stream_socket create_socket_perms; + allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; ++# cjp: this needs to be fixed + allow vpnc_t self:socket create_socket_perms; + + manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) +@@ -47,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t) kernel_request_load_module(vpnc_t) kernel_rw_net_sysctls(vpnc_t) 
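Review bot: The added comment `# cjp: this needs to be fixed` above `allow vpnc_t self:socket create_socket_perms;` does not say what is wrong; the generic `socket` class stands in for any address family without a dedicated class, so the comment should name the family vpnc actually opens so the rule can later be narrowed to that class, e.g. `# TODO: replace the generic socket class once the address family vpnc needs is identified`. The same hunk widens `tcp_socket` from `{ accept listen }` to `create_stream_socket_perms` and adds udp and unix socket rules; a short why-comment on that group would help the reviewer of the next rebase.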
@@ -72699,7 +83720,40 @@ index 83a80ba..ddf48c0 100644 corenet_all_recvfrom_netlabel(vpnc_t) corenet_tcp_sendrecv_generic_if(vpnc_t) corenet_udp_sendrecv_generic_if(vpnc_t) -@@ -80,18 +81,19 @@ domain_use_interactive_fds(vpnc_t) +@@ -58,38 +63,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) + corenet_tcp_sendrecv_all_ports(vpnc_t) + corenet_udp_sendrecv_all_ports(vpnc_t) + corenet_udp_bind_generic_node(vpnc_t) +- +-corenet_sendrecv_all_server_packets(vpnc_t) + corenet_udp_bind_generic_port(vpnc_t) +- +-corenet_sendrecv_isakmp_server_packets(vpnc_t) + corenet_udp_bind_isakmp_port(vpnc_t) +- +-corenet_sendrecv_generic_server_packets(vpnc_t) + corenet_udp_bind_ipsecnat_port(vpnc_t) +- +-corenet_sendrecv_all_client_packets(vpnc_t) + corenet_tcp_connect_all_ports(vpnc_t) +- ++corenet_sendrecv_all_client_packets(vpnc_t) ++corenet_sendrecv_isakmp_server_packets(vpnc_t) ++corenet_sendrecv_generic_server_packets(vpnc_t) + corenet_rw_tun_tap_dev(vpnc_t) + +-corecmd_exec_all_executables(vpnc_t) +- + dev_read_rand(vpnc_t) + dev_read_urand(vpnc_t) + dev_read_sysfs(vpnc_t) + + domain_use_interactive_fds(vpnc_t) + +-files_exec_etc_files(vpnc_t) +-files_read_etc_runtime_files(vpnc_t) +-files_dontaudit_search_home(vpnc_t) +- fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) 
@@ -72707,29 +83761,23 @@ index 83a80ba..ddf48c0 100644 -term_use_all_ttys(vpnc_t) +term_use_all_inherited_ptys(vpnc_t) +term_use_all_inherited_ttys(vpnc_t) - - corecmd_exec_all_executables(vpnc_t) - - files_exec_etc_files(vpnc_t) - files_read_etc_runtime_files(vpnc_t) --files_read_etc_files(vpnc_t) - files_dontaudit_search_home(vpnc_t) ++ ++corecmd_exec_all_executables(vpnc_t) ++ ++files_exec_etc_files(vpnc_t) ++files_read_etc_runtime_files(vpnc_t) ++files_dontaudit_search_home(vpnc_t) auth_use_nsswitch(vpnc_t) -+init_dontaudit_use_fds(vpnc_t) -+ - libs_exec_ld_so(vpnc_t) - libs_exec_lib_files(vpnc_t) - -@@ -100,17 +102,15 @@ locallogin_use_fds(vpnc_t) +@@ -103,16 +102,15 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) logging_dontaudit_search_logs(vpnc_t) -miscfiles_read_localization(vpnc_t) - -seutil_dontaudit_search_config(vpnc_t) - seutil_use_newrole_fds(vpnc_t) ++seutil_use_newrole_fds(vpnc_t) -sysnet_run_ifconfig(vpnc_t, vpnc_roles) +#sysnet_run_ifconfig(vpnc_t, vpnc_roles) 
@@ -72743,105 +83791,68 @@ index 83a80ba..ddf48c0 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -diff --git a/w3c.te b/w3c.te -index 1174ad8..bd7a7da 100644 ---- a/w3c.te -+++ b/w3c.te -@@ -5,20 +5,34 @@ policy_module(w3c, 1.0.0) - # Declarations - # - --apache_content_template(w3c_validator) -+ -+type httpd_w3c_validator_tmp_t; -+files_tmp_file(httpd_w3c_validator_tmp_t) - - ######################################## - # - # Local policy - # - --corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) --corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) --corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -+optional_policy(` -+ apache_content_template(w3c_validator) -+ -+ manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+ manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) -+ files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) -+ -+ corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) -+ corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) -+ corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -+ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) -+ corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) -+ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -+ -+ miscfiles_read_generic_certs(httpd_w3c_validator_script_t) - --miscfiles_read_generic_certs(httpd_w3c_validator_script_t) -+ sysnet_dns_name_resolve(httpd_w3c_validator_script_t) - --sysnet_dns_name_resolve(httpd_w3c_validator_script_t) -+ optional_policy(` -+ apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) -+ ') -+') +@@ -125,7 +123,3 @@ optional_policy(` + 
optional_policy(` + networkmanager_attach_tun_iface(vpnc_t) + ') +- +-optional_policy(` +- seutil_use_newrole_fds(vpnc_t) +-') diff --git a/watchdog.te b/watchdog.te -index b10bb05..f0d56b5 100644 +index 29f79e8..c58abd5 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -42,7 +42,6 @@ kernel_unmount_proc(watchdog_t) - corecmd_exec_shell(watchdog_t) +@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t) + domain_signal_all_domains(watchdog_t) + domain_kill_all_domains(watchdog_t) - # cjp: why networking? --corenet_all_recvfrom_unlabeled(watchdog_t) - corenet_all_recvfrom_netlabel(watchdog_t) - corenet_tcp_sendrecv_generic_if(watchdog_t) - corenet_udp_sendrecv_generic_if(watchdog_t) -@@ -81,8 +80,6 @@ auth_append_login_records(watchdog_t) +-files_read_etc_files(watchdog_t) + files_manage_etc_runtime_files(watchdog_t) + files_etc_filetrans_etc_runtime(watchdog_t, file) + +@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) -miscfiles_read_localization(watchdog_t) - - sysnet_read_config(watchdog_t) + sysnet_dns_name_resolve(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) diff --git a/wdmd.fc b/wdmd.fc -new file mode 100644 -index 0000000..0d6257d ---- /dev/null +index 66f11f7..e051997 100644 +--- a/wdmd.fc +++ b/wdmd.fc -@@ -0,0 +1,8 @@ -+ -+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) -+ +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) + +-/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) +/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) + +/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) +/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0) -+ + +-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) diff --git a/wdmd.if b/wdmd.if -new file mode 100644 -index 0000000..d17ff39 ---- /dev/null +index 1e3aec0..d17ff39 100644 +--- a/wdmd.if 
+++ b/wdmd.if -@@ -0,0 +1,133 @@ +@@ -1,29 +1,47 @@ +-## Watchdog multiplexing daemon. + +## watchdog multiplexing daemon -+ -+######################################## -+## + + ######################################## + ## +-## Connect to wdmd with a unix +-## domain stream socket. +## Execute a domain transition to run wdmd. -+## -+## + ## + ## +-## +## -+## Domain allowed access. + ## Domain allowed access. +## +## +# 
@@ -72861,51 +83872,52 @@ index 0000000..d17ff39 +## +## +## The type of the process performing this action. -+## -+## -+# + ## + ## + # +-interface(`wdmd_stream_connect',` +interface(`wdmd_initrc_domtrans',` -+ gen_require(` + gen_require(` +- type wdmd_t, wdmd_var_run_t; + type wdmd_initrc_exec_t; -+ ') -+ + ') + +- files_search_pids($1) +- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) + init_labeled_script_domtrans($1, wdmd_initrc_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an wdmd environment. +## All of the rules required to administrate +## an wdmd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`wdmd_admin',` -+ gen_require(` + ## + ## + ## +@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',` + # + interface(`wdmd_admin',` + gen_require(` +- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t; + type wdmd_t; + type wdmd_initrc_exec_t; -+ ') -+ + ') + +- allow $1 wdmd_t:process { ptrace signal_perms }; + allow $1 wdmd_t:process signal_perms; -+ ps_process_pattern($1, wdmd_t) + ps_process_pattern($1, wdmd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 wdmd_t:process ptrace; + ') -+ + +- init_labeled_script_domtrans($1, wdmd_initrc_exec_t) + wdmd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 wdmd_initrc_exec_t system_r; -+ allow $2 system_r; -+ + domain_system_change_exemption($1) + role_transition $2 wdmd_initrc_exec_t system_r; + allow $2 system_r; + +') + +###################################### @@ -72923,7 +83935,8 @@ index 0000000..d17ff39 + type wdmd_var_run_t; + ') + -+ files_search_pids($1) + files_search_pids($1) +- admin_pattern($1, wdmd_var_run_t) + manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t) +') + 
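Review bot: The patch now rewrites upstream's `wdmd_stream_connect` into `wdmd_initrc_domtrans` instead of adding the new interface beside it, so any module that still calls `wdmd_stream_connect` fails to expand at build time, and clients lose the documented way to reach wdmd's socket under `wdmd_var_run_t`. Keep the interface with `stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)` and add `wdmd_initrc_domtrans` as a separate block. `wdmd_admin` also drops `admin_pattern($1, wdmd_var_run_t)` without a replacement inside this hunk; if that is intentional, note it in the interface summary.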
@@ -72964,79 +83977,25 @@ index 0000000..d17ff39 + + rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t) + -+') + ') diff --git a/wdmd.te b/wdmd.te -new file mode 100644 -index 0000000..09b45bb ---- /dev/null +index ebbdaf6..63c53ba 100644 +--- a/wdmd.te 
+++ b/wdmd.te -@@ -0,0 +1,61 @@ -+policy_module(wdmd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type wdmd_t; -+type wdmd_exec_t; -+init_daemon_domain(wdmd_t, wdmd_exec_t) -+ -+type wdmd_var_run_t; -+files_pid_file(wdmd_var_run_t) -+ -+type wdmd_initrc_exec_t; -+init_script_file(wdmd_initrc_exec_t) -+ -+type wdmd_tmpfs_t; -+files_tmpfs_file(wdmd_tmpfs_t) -+ -+######################################## -+# -+# wdmd local policy -+# -+allow wdmd_t self:capability { chown sys_nice ipc_lock }; -+allow wdmd_t self:process { setsched signal }; -+ -+allow wdmd_t self:fifo_file rw_fifo_file_perms; -+allow wdmd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -+manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t) -+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file }) -+ -+manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t) -+manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t) -+fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file }) -+ -+kernel_read_system_state(wdmd_t) -+ -+corecmd_exec_bin(wdmd_t) -+corecmd_exec_shell(wdmd_t) -+ -+dev_read_watchdog(wdmd_t) -+dev_write_watchdog(wdmd_t) -+ -+domain_use_interactive_fds(wdmd_t) -+ -+fs_getattr_tmpfs(wdmd_t) -+fs_read_anon_inodefs_files(wdmd_t) -+ -+auth_use_nsswitch(wdmd_t) -+ -+logging_send_syslog_msg(wdmd_t) -+ -+optional_policy(` -+ corosync_initrc_domtrans(wdmd_t) -+ corosync_stream_connect(wdmd_t) -+ corosync_rw_tmpfs(wdmd_t) -+') +@@ -51,8 +51,6 @@ auth_use_nsswitch(wdmd_t) + + logging_send_syslog_msg(wdmd_t) + +-miscfiles_read_localization(wdmd_t) +- + optional_policy(` + corosync_initrc_domtrans(wdmd_t) + corosync_stream_connect(wdmd_t) diff --git a/webadm.te b/webadm.te -index 0ecc786..79a664a 100644 +index 708254f..2db084b 100644 --- a/webadm.te 
+++ b/webadm.te -@@ -23,12 +23,21 @@ role webadm_r; +@@ -25,6 +25,9 @@ role webadm_r; userdom_base_user_template(webadm) @@ -73045,23 +84004,23 @@ index 0ecc786..79a664a 100644 + ######################################## # - # webadmin local policy - # + # Local policy +@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) + + allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; --allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; -+ +manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) +can_exec(webadm_t, webadm_tmp_t) - ++ files_dontaudit_search_all_dirs(webadm_t) - files_manage_generic_locks(webadm_t) -@@ -38,10 +47,13 @@ selinux_get_enforce_mode(webadm_t) - seutil_domtrans_setfiles(webadm_t) + files_list_var(webadm_t) +@@ -40,10 +49,13 @@ seutil_domtrans_setfiles(webadm_t) + + logging_send_audit_msgs(webadm_t) logging_send_syslog_msg(webadm_t) +logging_send_audit_msgs(webadm_t) @@ -73075,23 +84034,25 @@ index 0ecc786..79a664a 100644 tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) diff --git a/webalizer.te b/webalizer.te -index 32b4f76..b00362b 100644 +index cdca8c7..bc76d1b 100644 --- a/webalizer.te 
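Review bot: The patch's webadm.te hunk at `@@ -40,10 +49,13 @@` now re-adds `+logging_send_audit_msgs(webadm_t)` directly below the upstream context line `logging_send_audit_msgs(webadm_t)` it already shows, so the rule is granted twice; drop the `+` line from the patch. A duplicate allow is harmless to the compiled policy but produces a pointless conflict on the next rebase.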
+++ b/webalizer.te -@@ -59,7 +59,6 @@ files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) +@@ -55,26 +55,38 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) --corenet_all_recvfrom_unlabeled(webalizer_t) - corenet_all_recvfrom_netlabel(webalizer_t) - corenet_tcp_sendrecv_generic_if(webalizer_t) - corenet_tcp_sendrecv_generic_node(webalizer_t) -@@ -69,24 +68,26 @@ fs_search_auto_mountpoints(webalizer_t) +-files_read_etc_runtime_files(webalizer_t) ++corenet_all_recvfrom_netlabel(webalizer_t) ++corenet_tcp_sendrecv_generic_if(webalizer_t) ++corenet_tcp_sendrecv_generic_node(webalizer_t) ++corenet_tcp_sendrecv_all_ports(webalizer_t) + + fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t) fs_rw_anon_inodefs_files(webalizer_t) --files_read_etc_files(webalizer_t) - files_read_etc_runtime_files(webalizer_t) +-auth_use_nsswitch(webalizer_t) ++files_read_etc_runtime_files(webalizer_t) logging_list_logs(webalizer_t) logging_send_syslog_msg(webalizer_t) 
@@ -73101,96 +84062,108 @@ index 32b4f76..b00362b 100644 + miscfiles_read_public_files(webalizer_t) - sysnet_dns_name_resolve(webalizer_t) - sysnet_read_config(webalizer_t) - -userdom_use_user_terminals(webalizer_t) ++sysnet_dns_name_resolve(webalizer_t) ++sysnet_read_config(webalizer_t) ++ +userdom_use_inherited_user_terminals(webalizer_t) userdom_use_unpriv_users_fds(webalizer_t) userdom_dontaudit_search_user_home_content(webalizer_t) --apache_read_log(webalizer_t) --apache_manage_sys_content(webalizer_t) -+optional_policy(` -+ apache_read_log(webalizer_t) + optional_policy(` + apache_read_log(webalizer_t) + apache_manage_sys_content(webalizer_t) +') - - optional_policy(` - cron_system_entry(webalizer_t, webalizer_exec_t) -diff --git a/wine.fc b/wine.fc -index 9d24449..2666317 100644 ---- a/wine.fc -+++ b/wine.fc -@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - - /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - -+/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - - /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) - ++ ++optional_policy(` ++ apache_read_log(webalizer_t) + apache_content_template(webalizer) + 
manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) + manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) diff --git a/wine.if b/wine.if -index f9a73d0..4b83bb0 100644 +index fd2b6cc..4b83bb0 100644 --- a/wine.if +++ b/wine.if -@@ -10,10 +10,9 @@ - ## for wine applications. - ##

    - ## --## +@@ -1,46 +1,57 @@ +-## Run Windows programs in Linux. ++## Wine Is Not an Emulator. Run Windows programs in Linux. + +-######################################## ++####################################### + ## +-## Role access for wine. ++## The per role template for the wine module. + ## +-## ++## ++##

    ++## This template creates a derived domains which are used ++## for wine applications. ++##

    ++##
    +## ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). +-## Role allowed access. +## The role associated with the user domain. ## ## - ## -@@ -21,20 +20,19 @@ - ## The type of the user domain. +-## ++## + ## +-## User domain for the role. ++## The type of the user domain. ## ## --## --## --## The role associated with the user domain. --## --## # - template(`wine_role',` +-interface(`wine_role',` ++template(`wine_role',` gen_require(` +- attribute_role wine_roles; +- type wine_exec_t, wine_t, wine_tmp_t; + type wine_t; -+ type wine_home_t; - type wine_exec_t; + type wine_home_t; ++ type wine_exec_t; ') - role $1 types wine_t; +- roleattribute $1 wine_roles; +- +- domtrans_pattern($2, wine_exec_t, wine_t) ++ role $1 types wine_t; - domain_auto_trans($2, wine_exec_t, wine_t) ++ domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; - allow wine_t $2:fd use; - allow wine_t $2:process { sigchld signull }; ++ allow wine_t $2:fd use; ++ allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; -@@ -44,8 +42,7 @@ template(`wine_role',` - allow $2 wine_t:process signal_perms; +- allow wine_t $2:process signull; + ++ # Allow the user domain to signal/ps. 
+ ps_process_pattern($2, wine_t) +- allow $2 wine_t:process { ptrace signal_perms }; ++ allow $2 wine_t:process signal_perms; allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; -- allow $2 wine_t:shm { unix_read unix_write }; +- allow $2 wine_t:shm rw_shm_perms; + allow $2 wine_t:shm { associate getattr unix_read unix_write }; allow $2 wine_t:unix_stream_socket connectto; - # X access, Home files -@@ -86,6 +83,7 @@ template(`wine_role',` +- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; +- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; +- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; +- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine") ++ # X access, Home files ++ manage_dirs_pattern($2, wine_home_t, wine_home_t) ++ manage_files_pattern($2, wine_home_t, wine_home_t) ++ manage_lnk_files_pattern($2, wine_home_t, wine_home_t) ++ relabel_dirs_pattern($2, wine_home_t, wine_home_t) ++ relabel_files_pattern($2, wine_home_t, wine_home_t) ++ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + ') + + ####################################### +@@ -72,24 +83,23 @@ interface(`wine_role',` # template(`wine_role_template',` gen_require(` 
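Review bot: In `wine_role` the new side replaces `domtrans_pattern($2, wine_exec_t, wine_t)` with `domain_auto_trans` plus `allow $2 wine_t:process { noatsecure siginh rlimitinh };`, which switches off the secure-exec sanitization on the transition so the caller's environment, pending signals and rlimits carry into wine_t. The comment `# Unrestricted inheritance from the caller.` states what, not why; say which wine behaviour depends on it, e.g. `# wine needs the invoking user's environment and limits (noatsecure/siginh/rlimitinh); not a pattern for confined daemons`. The hunk also drops `ptrace` from the same template (`allow $2 wine_t:process signal_perms;`), consistent with the deny_ptrace changes elsewhere in this patch.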
@@ -73198,14 +84171,23 @@ index f9a73d0..4b83bb0 100644 type wine_exec_t; ') -@@ -96,12 +94,12 @@ template(`wine_role_template',` + type $1_wine_t; +- userdom_user_application_domain($1_wine_t, wine_exec_t) ++ domain_type($1_wine_t) ++ domain_entry_file($1_wine_t, wine_exec_t) ++ ubac_constrained($1_wine_t) role $2 types $1_wine_t; allow $1_wine_t self:process { execmem execstack }; -- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; +- +- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; +- ps_process_pattern($3, $1_wine_t) +- + allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $1_t) +- +- corecmd_bin_domtrans($1_wine_t, $3) ++ corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) @@ -73213,7 +84195,7 @@ index f9a73d0..4b83bb0 100644 domain_mmap_low($1_wine_t) -@@ -109,6 +107,10 @@ template(`wine_role_template',` +@@ -97,6 +107,10 @@ template(`wine_role_template',` dontaudit $1_wine_t self:memprotect mmap_zero; ') @@ -73224,11 +84206,37 @@ index f9a73d0..4b83bb0 100644 optional_policy(` xserver_role($1_r, $1_wine_t) ') +@@ -123,9 +137,8 @@ interface(`wine_domtrans',` + + ######################################## + ## +-## Execute wine in the wine domain, +-## and allow the specified role +-## the wine domain. ++## Execute wine in the wine domain, and ++## allow the specified role the wine domain. + ## + ## + ## +@@ -140,11 +153,11 @@ interface(`wine_domtrans',` + # + interface(`wine_run',` + gen_require(` +- attribute_role wine_roles; ++ type wine_t; + ') + + wine_domtrans($1) +- roleattribute $2 wine_roles; ++ role $2 types wine_t; + ') + + ######################################## diff --git a/wine.te b/wine.te -index 7a17516..56fbcc2 100644 +index b51923c..335c8c2 100644 --- a/wine.te 
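Review bot: `corecmd_bin_domtrans($1_wine_t, $1_t)` in wine_role_template reverts upstream's `corecmd_bin_domtrans($1_wine_t, $3)` to a name derived from the prefix, while the neighbouring lines in the same hunk (`domtrans_pattern($3, wine_exec_t, $1_wine_t)`, `allow $3 $1_wine_t:process { getattr noatsecure signal_perms };`) use the `$3` user-domain parameter. The two forms only agree when every caller passes `$3` as `<prefix>_t`; a caller that does not gets the bin transition into a different domain than the one granted the rest of the access here. Unless the divergence is deliberate, keeping upstream's `$3` avoids that and is one line less to carry in the patch. The template's header lies outside this hunk.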
+++ b/wine.te -@@ -38,7 +38,7 @@ domain_mmap_low(wine_t) +@@ -48,7 +48,7 @@ domain_mmap_low(wine_t) files_execmod_all_files(wine_t) @@ -73237,7 +84245,7 @@ index 7a17516..56fbcc2 100644 tunable_policy(`wine_mmap_zero_ignore',` dontaudit wine_t self:memprotect mmap_zero; -@@ -53,6 +53,10 @@ optional_policy(` +@@ -71,6 +71,10 @@ optional_policy(` ') optional_policy(` @@ -73249,62 +84257,32 @@ index 7a17516..56fbcc2 100644 ') diff --git a/wireshark.te b/wireshark.te -index fc0adf8..cf479f3 100644 +index cf5cab6..f0f5dcb 100644 --- a/wireshark.te 
+++ b/wireshark.te -@@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) +@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) # Local Policy # -allow wireshark_t self:capability { net_admin net_raw setgid }; +allow wireshark_t self:capability { net_admin net_raw }; allow wireshark_t self:process { signal getsched }; - allow wireshark_t self:fifo_file { getattr read write }; - allow wireshark_t self:shm destroy; + allow wireshark_t self:fifo_file rw_fifo_file_perms; allow wireshark_t self:shm create_shm_perms; - allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; --allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write }; -+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; - allow wireshark_t self:tcp_socket create_socket_perms; - allow wireshark_t self:udp_socket create_socket_perms; - - # Re-execute itself (why?) - can_exec(wireshark_t, wireshark_exec_t) -+corecmd_search_bin(wireshark_t) - - # /home/.wireshark - manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) -@@ -67,7 +68,6 @@ kernel_read_system_state(wireshark_t) - kernel_read_sysctl(wireshark_t) - - corecmd_exec_bin(wireshark_t) --corecmd_search_bin(wireshark_t) +@@ -90,31 +90,17 @@ fs_search_auto_mountpoints(wireshark_t) - corenet_tcp_connect_generic_port(wireshark_t) - corenet_tcp_sendrecv_generic_if(wireshark_t) -@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t) - dev_read_sysfs(wireshark_t) - dev_read_urand(wireshark_t) - --files_read_etc_files(wireshark_t) - files_read_usr_files(wireshark_t) - - fs_list_inotifyfs(wireshark_t) -@@ -84,31 +83,17 @@ fs_search_auto_mountpoints(wireshark_t) - - libs_read_lib_files(wireshark_t) + auth_use_nsswitch(wireshark_t) +-libs_read_lib_files(wireshark_t) +auth_use_nsswitch(wireshark_t) -+ + miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) - seutil_use_newrole_fds(wireshark_t) - - sysnet_read_config(wireshark_t) + 
userdom_use_user_terminals(wireshark_t) userdom_manage_user_home_content_files(wireshark_t) --userdom_use_user_ptys(wireshark_t) +-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) - -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(wireshark_t) @@ -73317,121 +84295,199 @@ index fc0adf8..cf479f3 100644 - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') -- ++userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) + -optional_policy(` -- nscd_socket_use(wireshark_t) +- seutil_use_newrole_fds(wireshark_t) -') +userdom_home_manager(wireshark_t) - # Manual transition from userhelper optional_policy(` + userhelper_use_fd(wireshark_t) +diff --git a/wm.fc b/wm.fc +index 304ae09..c1d10a1 100644 +--- a/wm.fc ++++ b/wm.fc +@@ -1,4 +1,4 @@ + /usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) + /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) +-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) ++/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/wm.if b/wm.if -index b3efef7..177cf16 100644 +index 25b702d..177cf16 100644 --- a/wm.if 
+++ b/wm.if -@@ -31,17 +31,14 @@ template(`wm_role_template',` +@@ -1,4 +1,4 @@ +-## X Window Managers. ++## X Window Managers + + ####################################### + ## +@@ -29,58 +29,44 @@ + # + template(`wm_role_template',` gen_require(` +- attribute wm_domain; type wm_exec_t; - class dbus send_msg; ++ class dbus send_msg; + attribute wm_domain; ') -- type $1_wm_t; -+ type $1_wm_t, wm_domain; - domain_type($1_wm_t) - domain_entry_file($1_wm_t, wm_exec_t) +- ######################################## +- # +- # Declarations +- # +- + type $1_wm_t, wm_domain; +- userdom_user_application_domain($1_wm_t, wm_exec_t) ++ domain_type($1_wm_t) ++ domain_entry_file($1_wm_t, wm_exec_t) role $2 types $1_wm_t; -- allow $1_wm_t self:fifo_file rw_fifo_file_perms; -- allow $1_wm_t self:process getsched; -- allow $1_wm_t self:shm create_shm_perms; +- ######################################## +- # +- # Policy +- # - allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; - allow $3 $1_wm_t:process { signal sigchld signull }; -@@ -50,19 +47,19 @@ template(`wm_role_template',` - allow $1_wm_t $3:dbus send_msg; - allow $3 $1_wm_t:dbus send_msg; ++ allow $3 $1_wm_t:process { signal sigchld signull }; ++ allow $1_wm_t $3:process { signull sigkill }; + +- allow $3 $1_wm_t:process { ptrace signal_perms }; +- ps_process_pattern($3, $1_wm_t) ++ allow $1_wm_t $3:dbus send_msg; ++ allow $3 $1_wm_t:dbus send_msg; -- domtrans_pattern($3, wm_exec_t, $1_wm_t) +- allow $1_wm_t $3:process { signull sigkill }; + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmpfs_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) + userdom_exec_user_tmp_files($1_wm_t) -- kernel_read_system_state($1_wm_t) -+ domtrans_pattern($3, wm_exec_t, $1_wm_t) + domtrans_pattern($3, wm_exec_t, $1_wm_t) corecmd_bin_domtrans($1_wm_t, $3) corecmd_shell_domtrans($1_wm_t, $3) -- dev_read_urand($1_wm_t) -- -- files_read_etc_files($1_wm_t) -- files_read_usr_files($1_wm_t) + 
auth_use_nsswitch($1_wm_t) - -- fs_getattr_tmpfs($1_wm_t) ++ + kernel_read_system_state($1_wm_t) - ++ mls_file_read_all_levels($1_wm_t) mls_file_write_all_levels($1_wm_t) -@@ -70,22 +67,6 @@ template(`wm_role_template',` + mls_xwin_read_all_levels($1_wm_t) mls_xwin_write_all_levels($1_wm_t) mls_fd_use_all_levels($1_wm_t) - auth_use_nsswitch($1_wm_t) - -- application_signull($1_wm_t) -- -- miscfiles_read_fonts($1_wm_t) -- miscfiles_read_localization($1_wm_t) -- - optional_policy(` +- dbus_spec_session_bus_client($1, $1_wm_t) - dbus_system_bus_client($1_wm_t) -- dbus_session_bus_client($1_wm_t) +- +- optional_policy(` +- wm_dbus_chat($1, $3) +- ') - ') - - optional_policy(` -- pulseaudio_stream_connect($1_wm_t) +- pulseaudio_run($1_wm_t, $2) - ') - optional_policy(` xserver_role($2, $1_wm_t) xserver_manage_core_devices($1_wm_t) +@@ -89,7 +75,7 @@ template(`wm_role_template',` + + ######################################## + ## +-## Execute wm in the caller domain. ++## Execute the wm program in the wm domain. + ## + ## + ## +@@ -102,33 +88,5 @@ interface(`wm_exec',` + type wm_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, wm_exec_t) + ') +- +-######################################## +-## +-## Send and receive messages from +-## specified wm over dbus. +-## +-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`wm_dbus_chat',` +- gen_require(` +- type $1_wm_t; +- class dbus send_msg; +- ') +- +- allow $2 $1_wm_t:dbus send_msg; +- allow $1_wm_t $2:dbus send_msg; +-') diff --git a/wm.te b/wm.te -index 19d447e..996a3d4 100644 +index 7c7f7fa..996a3d4 100644 --- a/wm.te 
+++ b/wm.te -@@ -1,5 +1,7 @@ - policy_module(wm, 1.2.0) - -+attribute wm_domain; +@@ -1,36 +1,42 @@ +-policy_module(wm, 1.2.5) ++policy_module(wm, 1.2.0) + ++attribute wm_domain; + ######################################## # # Declarations -@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0) + # +-attribute wm_domain; +- type wm_exec_t; - corecmd_executable_file(wm_exec_t) -+ -+allow wm_domain self:fifo_file rw_fifo_file_perms; -+allow wm_domain self:process getsched; -+allow wm_domain self:shm create_shm_perms; -+allow wm_domain self:unix_dgram_socket create_socket_perms; -+ -+dev_read_urand(wm_domain) -+ +- +-######################################## +-# +-# Common wm domain local policy +-# ++corecmd_executable_file(wm_exec_t) + + allow wm_domain self:fifo_file rw_fifo_file_perms; + allow wm_domain self:process getsched; + allow wm_domain self:shm create_shm_perms; + allow wm_domain self:unix_dgram_socket create_socket_perms; + +-kernel_read_system_state(wm_domain) +- + dev_read_urand(wm_domain) + +files_read_etc_files(wm_domain) -+files_read_usr_files(wm_domain) -+ + files_read_usr_files(wm_domain) + +fs_getattr_tmpfs(wm_domain) + +application_signull(wm_domain) + -+miscfiles_read_fonts(wm_domain) -+ + miscfiles_read_fonts(wm_domain) +-miscfiles_read_localization(wm_domain) + +-userdom_manage_user_tmp_sockets(wm_domain) +-userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) +optional_policy(` + dbus_system_bus_client(wm_domain) + dbus_session_bus_client(wm_domain) @@ -73445,110 +84501,195 @@ index 19d447e..996a3d4 100644 + xserver_manage_core_devices(wm_domain) +') + -+ + +-userdom_manage_user_home_content_dirs(wm_domain) +-userdom_manage_user_home_content_files(wm_domain) +-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) diff --git a/xen.fc b/xen.fc -index 1a1b374..574794d 100644 +index 42d83b0..7977c2c 100644 --- a/xen.fc 
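Review bot: wm_role_template replaces `userdom_user_application_domain($1_wm_t, wm_exec_t)` with `domain_type($1_wm_t)` and `domain_entry_file($1_wm_t, wm_exec_t)` but, unlike the same substitution made in wine_role_template earlier in this patch, does not add `ubac_constrained($1_wm_t)`. If the upstream interface applies the UBAC constraint (its body is not visible here), the per-user window-manager domain loses it silently, and that kind of gap surfaces as cross-user access rather than as a denial that would be noticed. Either add `ubac_constrained($1_wm_t)` directly after the `domain_entry_file` line, or put a comment there stating why the wm domain is meant to stay unconstrained. Parts of the template body fall outside the inner hunks shown here.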
+++ b/xen.fc -@@ -1,12 +1,10 @@ +@@ -1,38 +1,40 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) --/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) +-/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) - /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) - --/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ++ +#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) - - ifdef(`distro_debian',` - /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -@@ -17,6 +15,7 @@ ifdef(`distro_debian',` ++ ++ifdef(`distro_debian',` ++/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) ++/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++',` /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) - /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) +-/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) ++/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) -+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) - /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) - ') +-/usr/sbin/xl -- 
gen_context(system_u:object_r:xm_exec_t,s0) +-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ++') -@@ -25,11 +24,11 @@ ifdef(`distro_debian',` - /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) +-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) ++/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) + /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +-/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) ++/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) --/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) -+/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) - /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) --/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) --/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) --/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) -+/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) -+/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) -+/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) +-/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xen(/.*)? 
gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +-/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) +-/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) ++/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) ++/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) + /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +-/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) ++/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) + /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) + /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) + +-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) ++/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/xen.if b/xen.if -index 77d41b6..cc73c96 100644 +index f93558c..cc73c96 100644 --- a/xen.if 
+++ b/xen.if -@@ -20,6 +20,25 @@ interface(`xen_domtrans',` +@@ -1,13 +1,13 @@ +-## Xen hypervisor. ++## Xen hypervisor ######################################## ## -+## Allow the specified domain to execute xend -+## in the caller domain. -+## -+## + ## Execute a domain transition to run xend. + ## + ## +-## +## -+## Domain allowed access. + ## Domain allowed to transition. +-## +## -+## -+# -+interface(`xen_exec',` -+ gen_require(` -+ type xend_exec_t; -+ ') -+ -+ can_exec($1, xend_exec_t) -+') -+ -+######################################## -+## - ## Inherit and use xen file descriptors. + ## + # + interface(`xen_domtrans',` +@@ -15,18 +15,18 @@ interface(`xen_domtrans',` + type xend_t, xend_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, xend_exec_t, xend_t) + ') + + ######################################## + ## +-## Execute xend in the caller domain. ++## Allow the specified domain to execute xend ++## in the caller domain. ## ## -@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',` +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`xen_exec',` +@@ -34,7 +34,6 @@ interface(`xen_exec',` + type xend_exec_t; + ') + +- corecmd_search_bin($1) + can_exec($1, xend_exec_t) + ') + +@@ -75,24 +74,24 @@ interface(`xen_dontaudit_use_fds',` dontaudit $1 xend_t:fd use; ') +-######################################## +####################################### -+## + ## +-## Create, read, write, and delete +-## xend image directories. +## Read xend pid files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. 
+## -+## -+# + ## + # +-interface(`xen_manage_image_dirs',` +- gen_require(` +- type xend_var_lib_t; +- ') +interface(`xen_read_pid_files_xenstored',` + gen_require(` + type xenstored_var_run_t; + ') -+ + +- files_search_var_lib($1) +- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + files_search_pids($1) + + read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) -+') -+ + ') + ######################################## - ## +@@ -100,9 +99,9 @@ interface(`xen_manage_image_dirs',` ## Read xend image files. -@@ -87,6 +126,26 @@ interface(`xen_read_image_files',` - ## + ## + ## +-## ++## + ## Domain allowed access. +-## ++## ## # + interface(`xen_read_image_files',` +@@ -111,18 +110,40 @@ interface(`xen_read_image_files',` + ') + + files_list_var_lib($1) ++ + list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) + ') + + ######################################## + ## +-## Read and write xend image files. ++## Allow the specified domain to read/write ++## xend image files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## ++## ++# +interface(`xen_manage_image_dirs',` + gen_require(` + type xend_var_lib_t; 
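Review bot: The only qemu-dm file context in xen.fc stays commented out (`#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)`), yet the xen.te hunks that follow newly declare `qemu_dm_t`/`qemu_dm_exec_t`, add `domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)` under `xend_run_qemu`, and set that tunable's default to true. Unless some other fc file labels the binary, nothing is ever `qemu_dm_exec_t`, the transition cannot fire, and qemu-dm keeps running in `xend_t` — which is what the `# needed by qemu_dm` capability lines added to `xend_t` in the same xen.te hunk already assume and what its `# TODO: This part of policy should be removed` comment says. Either restore the fc entry with the path the package actually installs, or drop the unreachable `qemu_dm_t` policy; carrying both hides that the device model in practice runs with xend's full capability set (`dac_override`, `net_admin`, `setuid`, `sys_admin`, `sys_rawio`).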
@@ -73567,48 +84708,109 @@ index 77d41b6..cc73c96 100644 +## +## Domain allowed to transition. +## -+## -+# + ## + # interface(`xen_rw_image_files',` - gen_require(` - type xen_image_t, xend_var_lib_t; -@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` +@@ -137,7 +158,8 @@ interface(`xen_rw_image_files',` + + ######################################## + ## +-## Append xend log files. ++## Allow the specified domain to append ++## xend log files. + ## + ## + ## +@@ -157,13 +179,13 @@ interface(`xen_append_log',` + + ######################################## + ## +-## Create, read, write, and delete ++## Create, read, write, and delete the + ## xend log files. + ## + ## +-## ++## + ## Domain allowed access. +-## ++## + ## + # + interface(`xen_manage_log',` +@@ -176,29 +198,11 @@ interface(`xen_manage_log',` + manage_files_pattern($1, xend_var_log_t, xend_var_log_t) + ') + +-####################################### +-## +-## Read xenstored pid files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`xen_read_xenstored_pid_files',` +- gen_require(` +- type xenstored_var_run_t; +- ') +- +- files_search_pids($1) +- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) +-') +- + ######################################## + ## + ## Do not audit attempts to read and write +-## Xen unix domain stream sockets. ++## Xen unix domain stream sockets. These ++## are leaked file descriptors. + ## + ## + ## +@@ -216,8 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` ######################################## ## --## Connect to xenstored over an unix stream socket. +-## Connect to xenstored with a unix +-## domain stream socket. +## Connect to xenstored over a unix stream socket. ## ## ## -@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',` +@@ -236,8 +239,7 @@ interface(`xen_stream_connect_xenstore',` ######################################## ## --## Connect to xend over an unix domain stream socket. 
+-## Connect to xend with a unix +-## domain stream socket. +## Connect to xend over a unix domain stream socket. ## ## ## -@@ -213,14 +272,15 @@ interface(`xen_stream_connect',` +@@ -270,16 +272,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; + attribute virsh_transition_domain; ') - +- corecmd_search_bin($1) + typeattribute $1 virsh_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') ######################################## ## --## Connect to xm over an unix stream socket. +-## Connect to xm with a unix +-## domain stream socket. +## Connect to xm over a unix stream socket. ## ## ## -@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',` +@@ -289,7 +290,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` @@ -73618,39 +84820,164 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index 07033bb..8358a63 100644 +index ed40676..8358a63 100644 --- a/xen.te +++ b/xen.te -@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0) +@@ -1,42 +1,34 @@ +-policy_module(xen, 1.12.5) ++policy_module(xen, 1.12.0) + + ######################################## # # Declarations # +attribute xm_transition_domain; ## - ##
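Review bot: This hunk drops upstream's `xen_read_xenstored_pid_files` interface, whose body (`files_search_pids($1)` followed by `read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)`) is identical to the `xen_read_pid_files_xenstored` the patch adds in the previous hunk, so the net effect is a rename of a public interface rather than a policy change. Any caller written against the upstream name fails to build on the Fedora tree and vice versa, and the divergence has to be resolved again on every rebase. Unless a Fedora-only caller depends on the new name, keep upstream's `xen_read_xenstored_pid_files` (or make `xen_read_pid_files_xenstored` a thin wrapper that calls it) and drop the duplicate body.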

    -@@ -65,6 +66,7 @@ type xen_image_t; # customizable +-##

    +-## Determine whether xend can +-## run blktapctrl and tapdisk. ++##

    ++## Allow xend to run blktapctrl/tapdisk. ++## Not required if using dedicated logical volumes for disk images. + ##

    + ##
    +-gen_tunable(xend_run_blktap, false) ++gen_tunable(xend_run_blktap, true) + + ## +-##

    +-## Determine whether xen can +-## use fusefs file systems. +-##

    ++##

    ++## Allow xend to run qemu-dm. ++## Not required if using paravirt and no vfb. ++##

    + ##
    +-gen_tunable(xen_use_fusefs, false) ++gen_tunable(xend_run_qemu, true) + + ## +-##

    +-## Determine whether xen can +-## use nfs file systems. +-##

    ++##

    ++## Allow xen to manage nfs files ++##

    + ##
    + gen_tunable(xen_use_nfs, false) + +-## +-##

    +-## Determine whether xen can +-## use samba file systems. +-##

    +-##
    +-gen_tunable(xen_use_samba, false) +- + type blktap_t; + type blktap_exec_t; + domain_type(blktap_t) +@@ -50,41 +42,55 @@ type evtchnd_t; + type evtchnd_exec_t; + init_daemon_domain(evtchnd_t, evtchnd_exec_t) + ++# log files + type evtchnd_var_log_t; + logging_log_file(evtchnd_var_log_t) + ++# pid files + type evtchnd_var_run_t; + files_pid_file(evtchnd_var_run_t) + ++type qemu_dm_t; ++type qemu_dm_exec_t; ++domain_type(qemu_dm_t) ++domain_entry_file(qemu_dm_t, qemu_dm_exec_t) ++role system_r types qemu_dm_t; ++ ++# console ptys + type xen_devpts_t; + term_pty(xen_devpts_t) + files_type(xen_devpts_t) + ++# Xen Image files + type xen_image_t; # customizable files_type(xen_image_t) - # xen_image_t can be assigned to blk devices ++# xen_image_t can be assigned to blk devices dev_node(xen_image_t) +- +-optional_policy(` +- virt_image(xen_image_t) +-') +virt_image(xen_image_t) type xenctl_t; files_type(xenctl_t) -@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) + + type xend_t; + type xend_exec_t; ++domain_type(xend_t) + init_daemon_domain(xend_t, xend_exec_t) + ++# tmp files + type xend_tmp_t; + files_tmp_file(xend_tmp_t) + ++# var/lib files + type xend_var_lib_t; + files_type(xend_var_lib_t) ++# for mounting an NFS store + files_mountpoint(xend_var_lib_t) + ++# log files + type xend_var_log_t; + logging_log_file(xend_var_log_t) + ++# pid files + type xend_var_run_t; + files_pid_file(xend_var_run_t) + files_mountpoint(xend_var_run_t) +@@ -96,51 +102,51 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) + type xenstored_tmp_t; + files_tmp_file(xenstored_tmp_t) + ++# var/lib files + type xenstored_var_lib_t; + files_type(xenstored_var_lib_t) + files_mountpoint(xenstored_var_lib_t) + ++# log files + type xenstored_var_log_t; + logging_log_file(xenstored_var_log_t) + ++# pid files + type xenstored_var_run_t; + files_pid_file(xenstored_var_run_t) +-init_daemon_run_dir(xenstored_var_run_t, "xenstored") + + type xenconsoled_t; + type 
xenconsoled_exec_t; + init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) + ++# pid files type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) -type xm_t; -type xm_exec_t; --domain_type(xm_t) -init_system_domain(xm_t, xm_exec_t) - ######################################## # # blktap local policy -@@ -135,22 +132,21 @@ tunable_policy(`xend_run_blktap',` - # If yes, transition to its own domain. + # +- ++# Do we need to allow execution of blktap? + tunable_policy(`xend_run_blktap',` ++ # If yes, transition to its own domain. domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - allow blktap_t self:fifo_file { read write }; 
@@ -73675,58 +85002,150 @@ index 07033bb..8358a63 100644 - xen_stream_connect_xenstore(blktap_t) -',` -- # If no, then silently refuse to run it. - dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; -') +xen_stream_connect_xenstore(blktap_t) ####################################### # -@@ -170,6 +166,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) +@@ -148,9 +154,7 @@ tunable_policy(`xend_run_blktap',` # - # qemu-dm local policy + + manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) ++manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) + logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) + + manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +@@ -160,28 +164,70 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + + ######################################## # ++# qemu-dm local policy ++# + +# TODO: This part of policy should be removed +# qemu-dm should run in xend_t domain + - # Do we need to allow execution of qemu-dm? - tunable_policy(`xend_run_qemu',` - allow qemu_dm_t self:capability sys_resource; -@@ -195,7 +195,6 @@ tunable_policy(`xend_run_qemu',` - fs_manage_xenfs_dirs(qemu_dm_t) - fs_manage_xenfs_files(qemu_dm_t) - -- miscfiles_read_localization(qemu_dm_t) - - xen_stream_connect_xenstore(qemu_dm_t) - ',` -@@ -208,10 +207,13 @@ tunable_policy(`xend_run_qemu',` ++# Do we need to allow execution of qemu-dm? ++tunable_policy(`xend_run_qemu',` ++ allow qemu_dm_t self:capability sys_resource; ++ allow qemu_dm_t self:process setrlimit; ++ allow qemu_dm_t self:fifo_file { read write }; ++ allow qemu_dm_t self:tcp_socket create_stream_socket_perms; ++ ++ # If yes, transition to its own domain. 
++ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) ++ ++ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) ++ ++ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) ++ ++ corenet_tcp_bind_generic_node(qemu_dm_t) ++ corenet_tcp_bind_vnc_port(qemu_dm_t) ++ ++ dev_rw_xen(qemu_dm_t) ++ ++ files_read_etc_files(qemu_dm_t) ++ files_read_usr_files(qemu_dm_t) ++ ++ fs_manage_xenfs_dirs(qemu_dm_t) ++ fs_manage_xenfs_files(qemu_dm_t) ++ ++ ++ xen_stream_connect_xenstore(qemu_dm_t) ++',` ++ # If no, then silently refuse to run it. ++ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; ++') ++ ++######################################## ++# # xend local policy # --allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; +-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; -dontaudit xend_t self:capability { sys_ptrace }; -+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; - allow xend_t self:process { signal sigkill }; +-allow xend_t self:process { setrlimit signal sigkill }; -dontaudit xend_t self:process ptrace; ++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio }; ++allow xend_t self:process { signal sigkill }; + +# needed by qemu_dm +allow xend_t self:capability sys_resource; +allow xend_t self:process setrlimit; + - # internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. 
allow xend_t self:fifo_file rw_fifo_file_perms; - allow xend_t self:unix_stream_socket create_stream_socket_perms; -@@ -219,6 +221,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms; - allow xend_t self:netlink_route_socket r_netlink_socket_perms; - allow xend_t self:tcp_socket create_stream_socket_perms; +-allow xend_t self:unix_stream_socket { accept listen }; +-allow xend_t self:tcp_socket { accept listen }; ++allow xend_t self:unix_stream_socket create_stream_socket_perms; ++allow xend_t self:unix_dgram_socket create_socket_perms; ++allow xend_t self:netlink_route_socket r_netlink_socket_perms; ++allow xend_t self:tcp_socket create_stream_socket_perms; allow xend_t self:packet_socket create_socket_perms; -+allow xend_t self:tun_socket create_socket_perms; + allow xend_t self:tun_socket create_socket_perms; allow xend_t xen_image_t:dir list_dir_perms; manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -@@ -275,7 +278,6 @@ kernel_read_network_state(xend_t) +-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t) + manage_files_pattern(xend_t, xen_image_t, xen_image_t) + read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) +-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t) +-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t) + rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) +-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file) + + allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; + dev_filetrans(xend_t, xenctl_t, fifo_file) +@@ -190,33 +236,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) + manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) + files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) + ++# pid file + manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) + files_pid_filetrans(xend_t, 
xend_var_run_t, { file sock_file fifo_file dir }) + ++# log files + manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) ++manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) + manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) + logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) + ++# var/lib files for xend + manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) + files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) + ++# transition to store ++domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) ++ ++# manage xenstored pid file + manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) + +-allow xend_t xenstored_var_lib_t:dir list_dir_perms; ++# mount tmpfs on /var/lib/xenstored ++allow xend_t xenstored_var_lib_t:dir read; + ++# transition to console + domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) +-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) +- +-xen_stream_connect_xenstore(xend_t) + + kernel_read_kernel_sysctls(xend_t) + kernel_read_system_state(xend_t) +@@ -228,41 +278,31 @@ kernel_read_network_state(xend_t) corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) 
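Review bot: `# If no, then silently refuse to run it.` above `dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };` overstates what the rule does: a `dontaudit` neither grants nor refuses anything, it only suppresses the AVC record for a denial that already happens because no allow rule exists in the else branch. What it actually removes is the one signal an operator would get that xend tried to execute qemu-dm while the boolean was off, which is a deliberate admin choice now that `xend_run_qemu` defaults to true. Reword it to `# If no, do not log xend's attempts to execute qemu-dm (they are still denied).`, and consider whether the dontaudit is wanted at all once the default is true, since the branch is only reached after an admin has explicitly disabled the transition.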
@@ -73734,9 +85153,34 @@ index 07033bb..8358a63 100644 corenet_all_recvfrom_netlabel(xend_t) corenet_tcp_sendrecv_generic_if(xend_t) corenet_tcp_sendrecv_generic_node(xend_t) -@@ -294,12 +296,13 @@ corenet_sendrecv_soundd_server_packets(xend_t) + corenet_tcp_sendrecv_all_ports(xend_t) + corenet_tcp_bind_generic_node(xend_t) +- +-corenet_sendrecv_xen_server_packets(xend_t) + corenet_tcp_bind_xen_port(xend_t) +- +-corenet_sendrecv_soundd_server_packets(xend_t) + corenet_tcp_bind_soundd_port(xend_t) +- +-corenet_sendrecv_generic_server_packets(xend_t) + corenet_tcp_bind_generic_port(xend_t) +- +-corenet_sendrecv_vnc_server_packets(xend_t) + corenet_tcp_bind_vnc_port(xend_t) +- +-corenet_sendrecv_xserver_client_packets(xend_t) + corenet_tcp_connect_xserver_port(xend_t) +- +-corenet_sendrecv_xen_client_packets(xend_t) + corenet_tcp_connect_xen_port(xend_t) +- ++corenet_sendrecv_xserver_client_packets(xend_t) ++corenet_sendrecv_xen_server_packets(xend_t) ++corenet_sendrecv_xen_client_packets(xend_t) ++corenet_sendrecv_soundd_server_packets(xend_t) corenet_rw_tun_tap_dev(xend_t) +-dev_getattr_all_chr_files(xend_t) dev_read_urand(xend_t) +# run lsscsi +dev_getattr_all_chr_files(xend_t) 
@@ -73749,83 +85193,90 @@ index 07033bb..8358a63 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -309,7 +312,13 @@ files_etc_filetrans_etc_runtime(xend_t, file) +@@ -271,14 +311,8 @@ files_manage_etc_runtime_files(xend_t) + files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) files_read_default_symlinks(xend_t) +-files_search_mnt(xend_t) -+fs_read_removable_blk_files(xend_t) -+ -+storage_read_scsi_generic(xend_t) -+ -+term_setattr_generic_ptys(xend_t) - term_getattr_all_ptys(xend_t) -+term_setattr_all_ptys(xend_t) - term_use_generic_ptys(xend_t) - term_use_ptmx(xend_t) - term_getattr_pty_fs(xend_t) -@@ -320,13 +329,10 @@ locallogin_dontaudit_use_fds(xend_t) +-fs_getattr_all_fs(xend_t) +-fs_list_auto_mountpoints(xend_t) +-fs_read_dos_files(xend_t) + fs_read_removable_blk_files(xend_t) +-fs_manage_xenfs_dirs(xend_t) +-fs_manage_xenfs_files(xend_t) - logging_send_syslog_msg(xend_t) + storage_read_scsi_generic(xend_t) --lvm_domtrans(xend_t) -+auth_read_passwd(xend_t) +@@ -295,7 +329,8 @@ locallogin_dontaudit_use_fds(xend_t) + + logging_send_syslog_msg(xend_t) -miscfiles_read_localization(xend_t) ++auth_read_passwd(xend_t) ++ miscfiles_read_hwdata(xend_t) --mount_domtrans(xend_t) -- sysnet_domtrans_dhcpc(xend_t) - sysnet_signal_dhcpc(xend_t) - sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -308,23 +343,7 @@ sysnet_rw_dhcp_config(xend_t) - xen_stream_connect_xenstore(xend_t) + userdom_dontaudit_search_user_home_dirs(xend_t) --netutils_domtrans(xend_t) +-tunable_policy(`xen_use_fusefs',` +- fs_manage_fusefs_dirs(xend_t) +- fs_manage_fusefs_files(xend_t) +- fs_read_fusefs_symlinks(xend_t) +-') - +-tunable_policy(`xen_use_nfs',` +- fs_manage_nfs_dirs(xend_t) +- fs_manage_nfs_files(xend_t) +- fs_read_nfs_symlinks(xend_t) +-') +- +-tunable_policy(`xen_use_samba',` +- fs_manage_cifs_dirs(xend_t) +- fs_manage_cifs_files(xend_t) +- fs_read_cifs_symlinks(xend_t) +-') 
++xen_stream_connect_xenstore(xend_t) + optional_policy(` brctl_domtrans(xend_t) - ') -@@ -349,6 +353,28 @@ optional_policy(` - consoletype_exec(xend_t) +@@ -342,7 +361,7 @@ optional_policy(` + mount_domtrans(xend_t) ') -+optional_policy(` -+ lvm_domtrans(xend_t) -+') -+ -+optional_policy(` -+ mount_domtrans(xend_t) -+') -+ +-optional_policy(` +optional_policy(` -+ netutils_domtrans(xend_t) -+') -+ -+optional_policy(` -+ ptchown_exec(xend_t) -+') -+ -+optional_policy(` + netutils_domtrans(xend_t) + ') + +@@ -351,6 +370,7 @@ optional_policy(` + ') + + optional_policy(` + virt_manage_default_image_type(xend_t) -+ virt_search_images(xend_t) -+ virt_read_config(xend_t) -+') -+ - ######################################## - # - # Xen console local policy -@@ -359,7 +385,7 @@ allow xenconsoled_t self:process setrlimit; + virt_search_images(xend_t) + virt_read_config(xend_t) + ') +@@ -365,13 +385,9 @@ allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; --allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; +-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; +- +-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr }; - # pid file ++# pid file manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) -@@ -374,8 +400,6 @@ dev_rw_xen(xenconsoled_t) + manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) + files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) +@@ -384,8 +400,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) 
dev_rw_sysfs(xenconsoled_t) 
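Review bot: The xend_t rules this hunk strips from the upstream base include the three `tunable_policy` blocks for `xen_use_fusefs`, `xen_use_nfs` and `xen_use_samba` (the `fs_manage_fusefs_*`, `fs_manage_nfs_*` and `fs_manage_cifs_*` lines in the middle of the hunk), while nothing in the hunk removes the matching `gen_tunable` declarations. Only `xen_use_nfs` is re-added later in the patch (the `@@ -73928` hunk), and without `fs_manage_nfs_dirs`; if the declarations stay in the base, `xen_use_fusefs` and `xen_use_samba` remain listed by `semanage boolean -l` but grant xend_t nothing, which misleads an administrator who toggles them to clear a guest-image denial. Either keep the three blocks, or remove the `gen_tunable` lines in the same patch so the booleans disappear together with their effect.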
@@ -73834,32 +85285,58 @@ index 07033bb..8358a63 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -390,7 +414,7 @@ term_use_console(xenconsoled_t) +@@ -400,10 +414,9 @@ term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) +-logging_search_logs(xenconsoled_t) +- -miscfiles_read_localization(xenconsoled_t) +auth_read_passwd(xenconsoled_t) - xen_manage_log(xenconsoled_t) ++xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) -@@ -413,9 +437,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) + + optional_policy(` +@@ -416,24 +429,26 @@ optional_policy(` + # + + allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; +-allow xenstored_t self:unix_stream_socket { accept listen }; ++allow xenstored_t self:unix_stream_socket create_stream_socket_perms; ++allow xenstored_t self:unix_dgram_socket create_socket_perms; + + manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) + manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - # pid file -+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) ++# pid file + manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) --files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) -+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) + files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) - # log files ++# log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,111 +467,24 @@ files_read_etc_files(xenstored_t) - +-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) 
+-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) ++manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) + logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + ++# var/lib files for xenstored + manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) + manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) + manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) +@@ -449,156 +464,37 @@ dev_rw_xen(xenstored_t) + dev_read_sysfs(xenstored_t) + + files_read_etc_files(xenstored_t) ++ files_read_usr_files(xenstored_t) -+fs_search_xenfs(xenstored_t) + fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t) 
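Review bot: The xenstored_t log rules in this hunk replace upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `xenstored_var_log_t` with `manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)`, and the xenconsoled_t part re-adds `xen_manage_log(xenconsoled_t)` in place of the append-only patterns the previous hunk removed. If `xen_manage_log` expands to a manage pattern as its name suggests, both daemons gain write, unlink and rename on their own logs, so a compromised console or store daemon could truncate or delete the record of guest console activity that the append-only form presumably protects. Unless a concrete denial needs more than append, keep the three append/create/setattr lines for xenstored_t and an append-style interface for xenconsoled_t, and if manage really is required, say which operation needs it in a comment above the rule.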
@@ -73877,26 +85354,35 @@ index 07033bb..8358a63 100644 ######################################## # -# xm local policy --# -- --allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; --allow xm_t self:process { getsched signal }; ++# SSH component local policy + # - --# internal communication is often done using fifo and unix sockets. +-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow xm_t self:process { getcap getsched setsched setcap signal }; -allow xm_t self:fifo_file rw_fifo_file_perms; --allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow xm_t self:tcp_socket create_stream_socket_perms; +-allow xm_t self:unix_stream_socket { accept connectto listen }; +-allow xm_t self:tcp_socket { accept listen }; - -manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) --files_search_var_lib(xm_t) - --allow xm_t xen_image_t:dir rw_dir_perms; --allow xm_t xen_image_t:file read_file_perms; --allow xm_t xen_image_t:blk_file read_blk_file_perms; +-manage_files_pattern(xm_t, xen_image_t, xen_image_t) +-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t) +-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t) +- +-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) +- +-xen_manage_image_dirs(xm_t) +-xen_append_log(xm_t) +-xen_domtrans(xm_t) +-xen_stream_connect(xm_t) +-xen_stream_connect_xenstore(xm_t) +- +-can_exec(xm_t, xm_exec_t) - -kernel_read_system_state(xm_t) +-kernel_read_network_state(xm_t) -kernel_read_kernel_sysctls(xm_t) -kernel_read_sysctl(xm_t) -kernel_read_xen_state(xm_t) 
@@ -73905,22 +85391,33 @@ index 07033bb..8358a63 100644 -corecmd_exec_bin(xm_t) -corecmd_exec_shell(xm_t) - +-corenet_all_recvfrom_unlabeled(xm_t) +-corenet_all_recvfrom_netlabel(xm_t) -corenet_tcp_sendrecv_generic_if(xm_t) -corenet_tcp_sendrecv_generic_node(xm_t) +- +-corenet_sendrecv_soundd_client_packets(xm_t) -corenet_tcp_connect_soundd_port(xm_t) +-corenet_tcp_sendrecv_soundd_port(xm_t) - +-dev_read_rand(xm_t) -dev_read_urand(xm_t) -dev_read_sysfs(xm_t) - -files_read_etc_runtime_files(xm_t) +-files_read_etc_files(xm_t) -files_read_usr_files(xm_t) +-files_search_pids(xm_t) +-files_search_var_lib(xm_t) -files_list_mnt(xm_t) --# Some common macros (you might be able to remove some) --files_read_etc_files(xm_t) +-files_list_tmp(xm_t) - -fs_getattr_all_fs(xm_t) -fs_manage_xenfs_dirs(xm_t) -fs_manage_xenfs_files(xm_t) +-fs_search_auto_mountpoints(xm_t) +- +-storage_raw_read_fixed_disk(xm_t) - -term_use_all_terms(xm_t) - 
@@ -73928,20 +85425,61 @@ index 07033bb..8358a63 100644 -init_rw_script_stream_sockets(xm_t) -init_use_fds(xm_t) - +-logging_send_syslog_msg(xm_t) +- -miscfiles_read_localization(xm_t) - -sysnet_dns_name_resolve(xm_t) - --xen_append_log(xm_t) --xen_stream_connect(xm_t) --xen_stream_connect_xenstore(xm_t) +-tunable_policy(`xen_use_fusefs',` +- fs_manage_fusefs_dirs(xm_t) +- fs_manage_fusefs_files(xm_t) +- fs_read_fusefs_symlinks(xm_t) +-') +- +-tunable_policy(`xen_use_nfs',` +- fs_manage_nfs_dirs(xm_t) +- fs_manage_nfs_files(xm_t) +- fs_read_nfs_symlinks(xm_t) +-') +- +-tunable_policy(`xen_use_samba',` +- fs_manage_cifs_dirs(xm_t) +- fs_manage_cifs_files(xm_t) +- fs_read_cifs_symlinks(xm_t) +-') +- + optional_policy(` +- cron_system_entry(xm_t, xm_exec_t) +-') - -optional_policy(` - dbus_system_bus_client(xm_t) - - optional_policy(` - hal_dbus_chat(xm_t) -- ') ++ #Should have a boolean wrapping these ++ fs_list_auto_mountpoints(xend_t) ++ files_search_mnt(xend_t) ++ fs_getattr_all_fs(xend_t) ++ fs_read_dos_files(xend_t) ++ fs_manage_xenfs_dirs(xend_t) ++ fs_manage_xenfs_files(xend_t) ++ ++ tunable_policy(`xen_use_nfs',` ++ fs_manage_nfs_files(xend_t) ++ fs_read_nfs_symlinks(xend_t) + ') + ') +- +-optional_policy(` +- rpm_exec(xm_t) +-') +- +-optional_policy(` +- vhostmd_rw_tmpfs_files(xm_t) +- vhostmd_stream_connect(xm_t) +- vhostmd_dontaudit_rw_stream_connect(xm_t) -') - -optional_policy(` @@ -73951,11 +85489,7 @@ index 07033bb..8358a63 100644 - virt_stream_connect(xm_t) -') - --######################################## --# - # SSH component local policy - # - optional_policy(` +-optional_policy(` - ssh_basic_client_template(xm, xm_t, system_r) - - kernel_read_xen_state(xm_ssh_t) 
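Review bot: The block added at the end of this hunk, from `#Should have a boolean wrapping these` through `fs_manage_xenfs_files(xend_t)`, grants xend_t `fs_getattr_all_fs`, `fs_read_dos_files` and full xenfs management unconditionally inside an `optional_policy` that does not visibly require any module, and the comment itself admits a tunable is missing. The `tunable_policy(`xen_use_nfs'` branch beside it re-adds only `fs_manage_nfs_files(xend_t)` and `fs_read_nfs_symlinks(xend_t)`, dropping the `fs_manage_nfs_dirs(xend_t)` that the upstream block removed earlier in this patch carried, so image directories on NFS can no longer be created or removed by xend. Wrap the filesystem lines in a declared `gen_tunable` with a description rather than leaving the TODO, and restore `fs_manage_nfs_dirs(xend_t)` under `xen_use_nfs` unless dropping it is intentional, in which case note why in the comment. The enclosing `optional_policy(`` line is in the hunk, but whatever it previously wrapped is not visible here.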
@@ -73965,24 +85499,12 @@ index 07033bb..8358a63 100644 - - fs_manage_xenfs_dirs(xm_ssh_t) - fs_manage_xenfs_files(xm_ssh_t) -- - #Should have a boolean wrapping these - fs_list_auto_mountpoints(xend_t) - files_search_mnt(xend_t) -@@ -559,8 +497,4 @@ optional_policy(` - fs_manage_nfs_files(xend_t) - fs_read_nfs_symlinks(xend_t) - ') -- -- optional_policy(` -- unconfined_domain(xend_t) -- ') - ') +-') diff --git a/xfs.te b/xfs.te -index 11c1b12..fc5d128 100644 +index 0cea2cd..d9518f8 100644 --- a/xfs.te +++ b/xfs.te -@@ -37,7 +37,6 @@ files_pid_filetrans(xfs_t, xfs_var_run_t, file) +@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) kernel_read_kernel_sysctls(xfs_t) kernel_read_system_state(xfs_t) @@ -73990,15 +85512,7 @@ index 11c1b12..fc5d128 100644 corenet_all_recvfrom_netlabel(xfs_t) corenet_tcp_sendrecv_generic_if(xfs_t) corenet_tcp_sendrecv_generic_node(xfs_t) -@@ -57,7 +56,6 @@ fs_search_auto_mountpoints(xfs_t) - - domain_use_interactive_fds(xfs_t) - --files_read_etc_files(xfs_t) - files_read_etc_runtime_files(xfs_t) - files_read_usr_files(xfs_t) - -@@ -65,7 +63,6 @@ auth_use_nsswitch(xfs_t) +@@ -71,7 +70,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") logging_send_syslog_msg(xfs_t) @@ -74007,27 +85521,69 @@ index 11c1b12..fc5d128 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index e88b95f..3dd3d9a 100644 +index 2882821..cc48c69 100644 --- a/xguest.te +++ b/xguest.te -@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) +@@ -1,4 +1,4 @@ +-policy_module(xguest, 1.1.2) ++policy_module(xguest, 1.1.0) + + ######################################## + # +@@ -6,46 +6,46 @@ policy_module(xguest, 1.1.2) + # + + ## +-##
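Review bot: This hunk drops, from the old version of the patch, the three lines that stripped `optional_policy(` unconfined_domain(xend_t) ')` out of xen.te, and nothing on the new side replaces that removal. If the upstream base still carries that block, xend_t becomes unconfined whenever the unconfined module is loaded, which would silently undo every xend_t restriction this patch adds; please confirm the base no longer contains it, or re-add the removal. A one-line marker at that spot, e.g. `# xend_t must stay confined: do not reintroduce unconfined_domain(xend_t)`, would keep the next rebase from bringing it back unnoticed.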

    +-## Determine whether xguest can +-## mount removable media. +-##

    ++##

    ++## Allow xguest users to mount removable media ++##

    + ##
    +-gen_tunable(xguest_mount_media, false) ++gen_tunable(xguest_mount_media, true) ## - ##

    --## Allow xguest to configure Network Manager +-##

    +-## Determine whether xguest can +-## configure network manager. +-##

    ++##

    +## Allow xguest users to configure Network Manager and connect to apache ports - ##

    ++##

    + ##
    +-gen_tunable(xguest_connect_network, false) ++gen_tunable(xguest_connect_network, true) + + ## +-##

    +-## Determine whether xguest can +-## use blue tooth devices. +-##

    ++##

    ++## Allow xguest to use blue tooth devices ++##

    ##
    - gen_tunable(xguest_connect_network, true) -@@ -29,6 +29,7 @@ gen_tunable(xguest_use_bluetooth, true) +-gen_tunable(xguest_use_bluetooth, false) ++gen_tunable(xguest_use_bluetooth, true) + role xguest_r; userdom_restricted_xwindows_user_template(xguest) +sysnet_dns_name_resolve(xguest_t) ++ ++init_dbus_chat(xguest_t) ++init_status(xguest_t) ######################################## # -@@ -38,7 +39,7 @@ userdom_restricted_xwindows_user_template(xguest) + # Local policy + # + +-kernel_dontaudit_request_load_module(xguest_t) +- ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) @@ -74035,12 +85591,14 @@ index e88b95f..3dd3d9a 100644 + tunable_policy(`selinuxuser_rw_noexattrfile',` fs_manage_noxattr_fs_files(xguest_t) fs_manage_noxattr_fs_dirs(xguest_t) - # Write floppies -@@ -49,11 +50,22 @@ ifndef(`enable_mls',` - ') ++ # Write floppies + storage_raw_read_removable_device(xguest_t) + storage_raw_write_removable_device(xguest_t) + ',` +@@ -54,9 +54,21 @@ ifndef(`enable_mls',` ') -+optional_policy(` + optional_policy(` + # Dontaudit fusermount + mount_dontaudit_exec_fusermount(xguest_t) +') @@ -74051,8 +85609,8 @@ index e88b95f..3dd3d9a 100644 + allow xguest_t self:process execstack; +') + - # Allow mounting of file systems - optional_policy(` ++# Allow mounting of file systems ++optional_policy(` tunable_policy(`xguest_mount_media',` kernel_read_fs_sysctls(xguest_t) - @@ -74060,7 +85618,7 @@ index e88b95f..3dd3d9a 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -62,10 +74,9 @@ optional_policy(` +@@ -65,10 +77,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) 
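Review bot: `sysnet_dns_name_resolve(xguest_t)` sits outside `tunable_policy(`xguest_connect_network'` in this hunk, and `init_dbus_chat(xguest_t)` and `init_status(xguest_t)` are added beside it unconditionally, directly after `userdom_restricted_xwindows_user_template(xguest)`. If `sysnet_dns_name_resolve` carries the DNS port rules as it does in refpolicy, an xguest session can still reach port 53 with `xguest_connect_network=false`, which is enough for DNS-tunnelled exfiltration from an account whose boolean promises no network, and an always-on D-Bus channel to init is a wide surface for a guest login whose safety presumably rests on polkit checks that are not mentioned here. Move the DNS line under the tunable and put a comment on the init lines naming the session action they serve, e.g. `# init_dbus_chat/init_status needed for <action>; polkit must deny everything else`. The hunk also appears to rewrite upstream's `policy_module(xguest, 1.1.2)` to `policy_module(xguest, 1.1.0)`, a version going backwards; keep the higher number.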
@@ -74072,81 +85630,116 @@ index e88b95f..3dd3d9a 100644 ') ') -@@ -76,23 +87,97 @@ optional_policy(` +@@ -84,88 +95,92 @@ optional_policy(` + ') ') - optional_policy(` -+ tunable_policy(`xguest_use_bluetooth',` -+ blueman_dbus_chat(xguest_t) -+ ') -+') -+ + +optional_policy(` + chrome_role(xguest_r, xguest_t) +') + +optional_policy(` - hal_dbus_chat(xguest_t) ++ hal_dbus_chat(xguest_t) ++') ++ + optional_policy(` + apache_role(xguest_r, xguest_t) ') optional_policy(` -- java_role(xguest_r, xguest_t) -+ apache_role(xguest_r, xguest_t) ++ gnome_role(xguest_r, xguest_t) +') + +optional_policy(` -+ gnome_role(xguest_r, xguest_t) + gnomeclock_dontaudit_dbus_chat(xguest_t) ') optional_policy(` -- mozilla_role(xguest_r, xguest_t) -+ gnomeclock_dontaudit_dbus_chat(xguest_t) -+') -+ -+optional_policy(` +- hal_dbus_chat(xguest_t) + mozilla_run_plugin(xguest_t, xguest_r) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- java_role(xguest_r, xguest_t) + pcscd_read_pub_files(xguest_t) + pcscd_stream_connect(xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + rhsmcertd_dontaudit_dbus_chat(xguest_t) ') optional_policy(` tunable_policy(`xguest_connect_network',` +- kernel_read_network_state(xguest_t) +- networkmanager_dbus_chat(xguest_t) +- networkmanager_read_lib_files(xguest_t) + networkmanager_read_lib_files(xguest_t) + ') +') -+ + +- corenet_all_recvfrom_unlabeled(xguest_t) +- corenet_all_recvfrom_netlabel(xguest_t) +optional_policy(` + tunable_policy(`xguest_connect_network',` + kernel_read_network_state(xguest_t) + - corenet_tcp_connect_pulseaudio_port(xguest_t) -+ corenet_tcp_sendrecv_generic_if(xguest_t) -+ corenet_raw_sendrecv_generic_if(xguest_t) -+ corenet_tcp_sendrecv_generic_node(xguest_t) -+ corenet_raw_sendrecv_generic_node(xguest_t) -+ corenet_tcp_connect_commplex_port(xguest_t) -+ corenet_tcp_sendrecv_http_port(xguest_t) -+ corenet_tcp_sendrecv_http_cache_port(xguest_t) -+ 
corenet_tcp_sendrecv_squid_port(xguest_t) -+ corenet_tcp_sendrecv_ftp_port(xguest_t) -+ corenet_tcp_sendrecv_ipp_port(xguest_t) ++ corenet_tcp_connect_pulseaudio_port(xguest_t) + corenet_tcp_sendrecv_generic_if(xguest_t) + corenet_raw_sendrecv_generic_if(xguest_t) + corenet_tcp_sendrecv_generic_node(xguest_t) + corenet_raw_sendrecv_generic_node(xguest_t) +- +- corenet_sendrecv_pulseaudio_client_packets(xguest_t) +- corenet_tcp_connect_pulseaudio_port(xguest_t) +- corenet_tcp_sendrecv_pulseaudio_port(xguest_t) +- +- corenet_sendrecv_http_client_packets(xguest_t) +- corenet_tcp_connect_http_port(xguest_t) ++ corenet_tcp_connect_commplex_link_port(xguest_t) + corenet_tcp_sendrecv_http_port(xguest_t) +- +- corenet_sendrecv_http_cache_client_packets(xguest_t) +- corenet_tcp_connect_http_cache_port(xguest_t) + corenet_tcp_sendrecv_http_cache_port(xguest_t) +- +- corenet_sendrecv_squid_client_packets(xguest_t) +- corenet_tcp_connect_squid_port(xguest_t) + corenet_tcp_sendrecv_squid_port(xguest_t) +- +- corenet_sendrecv_ftp_client_packets(xguest_t) +- corenet_tcp_connect_ftp_port(xguest_t) + corenet_tcp_sendrecv_ftp_port(xguest_t) +- +- corenet_sendrecv_ipp_client_packets(xguest_t) +- corenet_tcp_connect_ipp_port(xguest_t) + corenet_tcp_sendrecv_ipp_port(xguest_t) +- +- corenet_sendrecv_generic_client_packets(xguest_t) + corenet_tcp_connect_http_port(xguest_t) + corenet_tcp_connect_http_cache_port(xguest_t) + corenet_tcp_connect_squid_port(xguest_t) + corenet_tcp_connect_flash_port(xguest_t) + corenet_tcp_connect_ftp_port(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) -+ corenet_tcp_connect_generic_port(xguest_t) -+ corenet_tcp_connect_soundd_port(xguest_t) ++ corenet_tcp_connect_ipp_port(xguest_t) + corenet_tcp_connect_generic_port(xguest_t) +- corenet_tcp_sendrecv_generic_port(xguest_t) +- +- corenet_sendrecv_soundd_client_packets(xguest_t) + corenet_tcp_connect_soundd_port(xguest_t) +- corenet_tcp_sendrecv_soundd_port(xguest_t) +- +- 
corenet_sendrecv_speech_client_packets(xguest_t) +- corenet_tcp_connect_speech_port(xguest_t) +- corenet_tcp_sendrecv_speech_port(xguest_t) +- +- corenet_sendrecv_transproxy_client_packets(xguest_t) +- corenet_tcp_connect_transproxy_port(xguest_t) +- corenet_tcp_sendrecv_transproxy_port(xguest_t) +- + corenet_sendrecv_http_client_packets(xguest_t) + corenet_sendrecv_http_cache_client_packets(xguest_t) + corenet_sendrecv_squid_client_packets(xguest_t) @@ -74154,27 +85747,29 @@ index e88b95f..3dd3d9a 100644 + corenet_sendrecv_ipp_client_packets(xguest_t) + corenet_sendrecv_generic_client_packets(xguest_t) + # Should not need other ports -+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) -+ corenet_dontaudit_tcp_bind_generic_port(xguest_t) + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) + corenet_dontaudit_tcp_bind_generic_port(xguest_t) + corenet_tcp_connect_speech_port(xguest_t) + corenet_tcp_sendrecv_transproxy_port(xguest_t) + corenet_tcp_connect_transproxy_port(xguest_t) ') ') --#gen_user(xguest_u,, xguest_r, s0, s0) -+optional_policy(` + optional_policy(` +- pcscd_read_pid_files(xguest_t) +- pcscd_stream_connect(xguest_t) + gen_require(` + type mozilla_t; + ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; -+') -+ + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/xprint.te b/xprint.te -index 68d13e5..4fe8668 100644 +index 3c44d84..14b42e5 100644 --- a/xprint.te +++ b/xprint.te @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t) @@ -74194,93 +85789,95 @@ index 68d13e5..4fe8668 100644 sysnet_read_config(xprint_t) diff --git a/xscreensaver.te b/xscreensaver.te -index 1487a4e..c099b55 100644 +index c9c9650..4a24446 100644 --- a/xscreensaver.te 
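Review bot: Under `tunable_policy(`xguest_connect_network'` this hunk keeps `corenet_tcp_connect_generic_port(xguest_t)` and adds `corenet_tcp_connect_commplex_link_port`, `corenet_tcp_connect_flash_port`, `corenet_tcp_connect_soundd_port`, `corenet_tcp_connect_speech_port` and `corenet_tcp_connect_transproxy_port`, while the boolean is described earlier in the file as connecting to "apache ports". The generic-port connect already covers every unreserved TCP port, so the comment `# Should not need other ports` above the dontaudit lines is contradicted by the rule a few lines up, and an administrator who enables the boolean for web browsing gets far more than http. If browsing is the intent, drop `corenet_tcp_connect_generic_port(xguest_t)` and keep the named ports; otherwise change the boolean's description so `semanage boolean -l` says that all unreserved ports are allowed. The tunable's declaration is in an earlier hunk, outside this one.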
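Review bot: The `optional_policy` block near the end of this hunk reaches into the mozilla module with `gen_require(` type mozilla_t; ')`, a raw `allow xguest_t mozilla_t:process transition;` and `role xguest_r types mozilla_t;`, bypassing the module's interfaces just after the previous hunk replaced `mozilla_role(xguest_r, xguest_t)` with `mozilla_run_plugin`. A bare process-transition allow without the entrypoint and `type_transition` half of a domain transition either does nothing or depends on rules elsewhere, and a local gen_require on another module's private type breaks silently when that type is renamed. If an xguest-to-mozilla_t transition is wanted, express it through a mozilla interface; if only the role authorization is needed, drop the `allow` line. The block looks carried over from the previous version of the patch rather than introduced here, so this may be a pre-existing wart.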
+++ b/xscreensaver.te -@@ -33,9 +33,7 @@ init_read_utmp(xscreensaver_t) +@@ -35,9 +35,8 @@ init_read_utmp(xscreensaver_t) logging_send_audit_msgs(xscreensaver_t) logging_send_syslog_msg(xscreensaver_t) -miscfiles_read_localization(xscreensaver_t) - --userdom_use_user_ptys(xscreensaver_t) +-userdom_use_user_terminals(xscreensaver_t) +userdom_use_inherited_user_ptys(xscreensaver_t) - #access to .icons and ~/.xscreensaver ++#access to .icons and ~/.xscreensaver userdom_read_user_home_content_files(xscreensaver_t) + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te -index 223ad43..a3267e5 100644 +index d837e88..910aeec 100644 --- a/yam.te 
+++ b/yam.te -@@ -58,7 +58,6 @@ corecmd_exec_bin(yam_t) - - # Rsync and lftp need to network. They also set files attributes to - # match whats on the remote server. --corenet_all_recvfrom_unlabeled(yam_t) - corenet_all_recvfrom_netlabel(yam_t) - corenet_tcp_sendrecv_generic_if(yam_t) - corenet_tcp_sendrecv_generic_node(yam_t) -@@ -71,7 +70,6 @@ corenet_sendrecv_rsync_client_packets(yam_t) - # mktemp - dev_read_urand(yam_t) - --files_read_etc_files(yam_t) - files_read_etc_runtime_files(yam_t) - # /usr/share/createrepo/genpkgmetadata.py: - files_exec_usr_files(yam_t) -@@ -83,16 +81,15 @@ fs_search_auto_mountpoints(yam_t) - # Content can also be on ISO image files. - fs_read_iso9660_files(yam_t) - --logging_send_syslog_msg(yam_t) -+auth_use_nsswitch(yam_t) +@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) --miscfiles_read_localization(yam_t) -+logging_send_syslog_msg(yam_t) + logging_send_syslog_msg(yam_t) +-miscfiles_read_localization(yam_t) +- seutil_read_config(yam_t) --sysnet_dns_name_resolve(yam_t) - sysnet_read_config(yam_t) - -userdom_use_user_terminals(yam_t) ++sysnet_read_config(yam_t) ++ +userdom_use_inherited_user_terminals(yam_t) userdom_use_unpriv_users_fds(yam_t) - # Reading dotfiles... - # cjp: ? 
-diff --git a/zabbix.fc b/zabbix.fc -index aa5a521..980c0df 100644 ---- a/zabbix.fc -+++ b/zabbix.fc -@@ -1,8 +1,12 @@ - /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) --/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) - - /usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) - /usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) -+/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) -+/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) - - /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.if b/zabbix.if -index c9981d1..38ce620 100644 +index dd63de0..38ce620 100644 --- a/zabbix.if 
+++ b/zabbix.if -@@ -61,6 +61,26 @@ interface(`zabbix_read_log',` +@@ -1,4 +1,4 @@ +-## Distributed infrastructure monitoring. ++## Distributed infrastructure monitoring + + ######################################## + ## +@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',` + type zabbix_t, zabbix_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zabbix_exec_t, zabbix_t) + ') + + ######################################## + ## +-## Connect to zabbit on the TCP network. ++## Allow connectivity to the zabbix server + ## + ## + ## +@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',` + type zabbix_t; + ') + +- corenet_sendrecv_zabbix_client_packets($1) ++ corenet_sendrecv_zabbix_agent_client_packets($1) + corenet_tcp_connect_zabbix_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_port($1) +@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',` ######################################## ## +-## Read zabbix log files. ++## Allow the specified domain to read zabbix's log files. + ## + ## + ## +@@ -62,13 +61,34 @@ interface(`zabbix_read_log',` + + ######################################## + ## +-## Append zabbix log files. +## Allow the specified domain to read zabbix's tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +# +interface(`zabbix_read_tmp',` 
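Review bot: In the zabbix.if part of this hunk, `zabbix_tcp_connect` now pairs `corenet_sendrecv_zabbix_agent_client_packets($1)` with `corenet_tcp_connect_zabbix_port($1)` and `corenet_tcp_sendrecv_zabbix_port($1)`, replacing upstream's `corenet_sendrecv_zabbix_client_packets($1)`, although the interface is documented as connectivity to the zabbix server and `zabbix_agent_tcp_connect` later in the file pairs the agent packet type with the agent port. Unless the server packet type is absent from this policy's corenetwork (the removed line suggests it exists), a caller labelled only for agent packets will be denied on the server port as soon as SECMARK labelling is applied. Restore `corenet_sendrecv_zabbix_client_packets($1)` here so port and packet type match. The xprint, xscreensaver and yam parts of the hunk only swap in `auth_use_nsswitch` and the inherited-terminal interfaces and raise no concern.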
@@ -74294,9 +85891,35 @@ index c9981d1..38ce620 100644 + +######################################## +## - ## Allow the specified domain to append - ## zabbix log files. ++## Allow the specified domain to append ++## zabbix log files. ++## ++## ++## ++## Domain allowed access. ++## ++## + # + interface(`zabbix_append_log',` + gen_require(` +@@ -81,7 +101,7 @@ interface(`zabbix_append_log',` + + ######################################## + ## +-## Read zabbix pid files. ++## Read zabbix PID files. + ## + ## + ## +@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',` + + ######################################## + ## +-## Connect to zabbix agent on the TCP network. ++## Allow connectivity to a zabbix agent ## + ## + ## @@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` 
@@ -74306,111 +85929,98 @@ index c9981d1..38ce620 100644 ') corenet_sendrecv_zabbix_agent_client_packets($1) -@@ -142,8 +162,11 @@ interface(`zabbix_admin',` - type zabbix_initrc_exec_t; +@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an zabbix environment. ++## All of the rules required to administrate ++## an zabbix environment + ## + ## + ## +@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the zabbix domain. + ## + ## + ## +@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',` + interface(`zabbix_admin',` + gen_require(` + type zabbix_t, zabbix_log_t, zabbix_var_run_t; +- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t; +- type zabbit_tmpfs_t; ++ type zabbix_initrc_exec_t; ') -- allow $1 zabbix_t:process { ptrace signal_perms }; +- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { zabbix_t zabbix_agent_t }) + allow $1 zabbix_t:process signal_perms; - ps_process_pattern($1, zabbix_t) ++ ps_process_pattern($1, zabbix_t) + tunable_policy(`deny_ptrace',`',` + allow $1 zabbix_t:process ptrace; + ') - init_labeled_script_domtrans($1, zabbix_initrc_exec_t) +- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t }) ++ init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) +- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r; ++ role_transition $2 zabbix_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) +@@ -156,10 +178,4 @@ interface(`zabbix_admin',` + + files_list_pids($1) + admin_pattern($1, zabbix_var_run_t) +- +- files_list_tmp($1) +- admin_pattern($1, zabbix_tmp_t) +- +- fs_list_tmpfs($1) +- admin_pattern($1, zabbix_tmpfs_t) + ') 
diff --git a/zabbix.te b/zabbix.te -index 8c0bd70..24dd920 100644 +index 46e4cd3..af38ff2 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0) - # Declarations +@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) # -+## -+##
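Review bot: `zabbix_admin` in this hunk is narrowed to zabbix_t only: the new side replaces upstream's `allow $1 { zabbix_t zabbix_agent_t }:process ...`, `init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })` and the matching `role_transition` with zabbix_t-only forms, and deletes the `admin_pattern` lines for `zabbix_tmp_t` and `zabbix_tmpfs_t`. The trigger looks like the misspelled `zabbit_agent_initrc_exec_t`/`zabbit_tmpfs_t` in upstream's gen_require (the removed lines), which cannot resolve, but the fix drops the agent and the tmp types from the admin role instead of correcting the names, so an administrator confined through this interface can no longer restart, signal or inspect zabbix_agentd or clean its tmp and tmpfs files. The `deny_ptrace` wrapping of the ptrace allow is a good change and is kept below; assuming zabbix.te still declares `zabbix_agent_t`, `zabbix_tmp_t` and `zabbix_tmpfs_t` as the earlier version of this patch shows, correct the typo and keep both domains:
```m4
interface(`zabbix_admin',`
	gen_require(`
		type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
		type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t;
		type zabbix_tmp_t, zabbix_tmpfs_t;
	')

	allow $1 { zabbix_t zabbix_agent_t }:process signal_perms;
	ps_process_pattern($1, { zabbix_t zabbix_agent_t })
	tunable_policy(`deny_ptrace',`',`
		allow $1 { zabbix_t zabbix_agent_t }:process ptrace;
	')

	init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
	# … unchanged: domain_system_change_exemption …
	role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
	# … unchanged: allow $2 system_r; log and pid admin_pattern lines …

	files_list_tmp($1)
	admin_pattern($1, zabbix_tmp_t)

	fs_list_tmpfs($1)
	admin_pattern($1, zabbix_tmpfs_t)
')
```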

    -+## Allow zabbix to connect to unreserved ports -+##

    -+##
    -+gen_tunable(zabbix_can_network, false) -+ - type zabbix_t; - type zabbix_exec_t; - init_daemon_domain(zabbix_t, zabbix_exec_t) -@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t) - type zabbix_log_t; - logging_log_file(zabbix_log_t) - -+# tmp files -+type zabbix_tmp_t; -+files_tmp_file(zabbix_tmp_t) -+ - # shared memory - type zabbix_tmpfs_t; - files_tmpfs_file(zabbix_tmpfs_t) -@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t) - # zabbix local policy - # - --allow zabbix_t self:capability { setuid setgid }; --allow zabbix_t self:fifo_file rw_file_perms; --allow zabbix_t self:process { setsched getsched signal }; -+allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; -+allow zabbix_t self:process { setsched signal_perms }; -+allow zabbix_t self:sem create_sem_perms; -+allow zabbix_t self:fifo_file rw_fifo_file_perms; - allow zabbix_t self:unix_stream_socket create_stream_socket_perms; - allow zabbix_t self:sem create_sem_perms; - allow zabbix_t self:shm create_shm_perms; - allow zabbix_t self:tcp_socket create_stream_socket_perms; - - # log files --allow zabbix_t zabbix_log_t:dir setattr; -+allow zabbix_t zabbix_log_t:dir setattr_dir_perms; - manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) - logging_log_filetrans(zabbix_t, zabbix_log_t, file) - -+# tmp files -+manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -+manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -+files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file }) -+ - # shared memory - rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) - fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,26 +75,48 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) - manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) - files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - -+kernel_read_system_state(zabbix_t) -+kernel_read_kernel_sysctls(zabbix_t) -+ -+corecmd_exec_bin(zabbix_t) 
-+corecmd_exec_shell(zabbix_t) -+ - corenet_tcp_bind_generic_node(zabbix_t) + ## +-##

    ++##

    + ## Determine whether zabbix can + ## connect to all TCP ports + ##

    +@@ -90,6 +90,12 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) + corenet_tcp_sendrecv_zabbix_port(zabbix_t) + +# needed by zabbix-server-mysql +corenet_tcp_connect_http_port(zabbix_t) +# to monitor ftp urls +corenet_tcp_connect_ftp_port(zabbix_t) ++ ++ + corecmd_exec_bin(zabbix_t) + corecmd_exec_shell(zabbix_t) --files_read_etc_files(zabbix_t) -+dev_read_urand(zabbix_t) +@@ -99,7 +105,6 @@ files_read_usr_files(zabbix_t) --miscfiles_read_localization(zabbix_t) -+files_read_usr_files(zabbix_t) -+ -+auth_use_nsswitch(zabbix_t) + auth_use_nsswitch(zabbix_t) --sysnet_dns_name_resolve(zabbix_t) +-miscfiles_read_localization(zabbix_t) zabbix_agent_tcp_connect(zabbix_t) -+tunable_policy(`zabbix_can_network',` -+ corenet_tcp_connect_all_ports(zabbix_t) -+') -+ +@@ -115,7 +120,10 @@ optional_policy(` + optional_policy(` mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) @@ -74421,17 +86031,15 @@ index 8c0bd70..24dd920 100644 ') optional_policy(` - postgresql_stream_connect(zabbix_t) - ') +@@ -125,6 +133,7 @@ optional_policy(` -+optional_policy(` + optional_policy(` + snmp_read_snmp_var_lib_files(zabbix_t) + snmp_read_snmp_var_lib_dirs(zabbix_t) -+') -+ + ') + ######################################## - # - # zabbix agent local policy -@@ -121,7 +160,6 @@ domain_search_all_domains_state(zabbix_agent_t) +@@ -182,7 +191,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) @@ -74439,7 +86047,7 @@ index 8c0bd70..24dd920 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -129,7 +167,6 @@ init_read_utmp(zabbix_agent_t) +@@ -190,7 +198,6 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) @@ -74448,75 +86056,233 @@ index 8c0bd70..24dd920 100644 sysnet_dns_name_resolve(zabbix_agent_t) diff --git a/zarafa.fc b/zarafa.fc -index 3defaa1..a451e97 100644 +index faf99ed..a451e97 100644 --- a/zarafa.fc 
+++ b/zarafa.fc
-@@ -8,19 +8,24 @@
- /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
- /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-
---/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+@@ -1,20 +1,18 @@
+-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
++/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+-/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
++/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
++/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
++/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
++/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
++/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
++/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+-/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+-/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+-/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+-/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+-/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+-/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+-/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+-
+-/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+ /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+-/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+-/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+@@ -22,11 +20,11 @@
+ /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+ /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
+-/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+-/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+-/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
diff --git a/zarafa.if b/zarafa.if
-index 21ae664..3d08962 100644
+index 36e32df..3d08962 100644
--- a/zarafa.if
+++ b/zarafa.if -@@ -42,6 +42,12 @@ template(`zarafa_domain_template',` +@@ -1,55 +1,59 @@ + ## Zarafa collaboration platform. - manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) +-####################################### ++###################################### + ## +-## The template to define a zarafa domain. ++## Creates types and rules for a basic ++## zararfa init daemon domain. + ## +-## ++## + ## +-## Domain prefix to be used. ++## Prefix for the domain. + ## + ## + # + template(`zarafa_domain_template',` + gen_require(` +- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; ++ attribute zarafa_domain; + ') + +- ######################################## ++ ############################## + # +- # Declarations ++ # $1_t declarations + # + + type zarafa_$1_t, zarafa_domain; + type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + +- type zarafa_$1_log_t, zarafa_logfile; ++ type zarafa_$1_log_t; + logging_log_file(zarafa_$1_log_t) + +- type zarafa_$1_var_run_t, zarafa_pidfile; ++ type zarafa_$1_var_run_t; + files_pid_file(zarafa_$1_var_run_t) + +- ######################################## ++ ############################## + # +- # Policy ++ # $1_t local policy + # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + +- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) +- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) +- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) +- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) ++ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) ++ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) + + kernel_read_system_state(zarafa_$1_t) -+ -+ 
auth_use_nsswitch(zarafa_$1_t) + + auth_use_nsswitch(zarafa_$1_t) + + logging_send_syslog_msg(zarafa_$1_t) ') ###################################### -@@ -118,3 +124,25 @@ interface(`zarafa_stream_connect_server',` - files_search_var_lib($1) + ## +-## search zarafa configuration directories. ++## Allow the specified domain to search ++## zarafa configuration dirs. + ## + ## + ## +@@ -68,7 +72,7 @@ interface(`zarafa_search_config',` + + ######################################## + ## +-## Execute a domain transition to run zarafa deliver. ++## Execute a domain transition to run zarafa_deliver. + ## + ## + ## +@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',` + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) + ') + + ######################################## + ## +-## Execute a domain transition to run zarafa server. ++## Execute a domain transition to run zarafa_server. + ## + ## + ## +@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',` + type zarafa_server_t, zarafa_server_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) + ') + + ####################################### + ## +-## Connect to zarafa server with a unix +-## domain stream socket. ++## Connect to zarafa-server unix domain stream socket. + ## + ## + ## +@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',` stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') -+ + +-######################################## +#################################### -+## + ## +-## All of the rules required to +-## administrate an zarafa environment. +## Allow the specified domain to manage +## zarafa /var/lib files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. +-## +## +## Domain allowed access. 
+## -+## -+# + ## +-## + # +-interface(`zarafa_admin',` +- gen_require(` +- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; +- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; +- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; +- type zarafa_var_lib_t; +- ') +- +- allow $1 zarafa_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, zarafa_domain) +- +- init_labeled_script_domtrans($1, zarafa_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 zarafa_initrc_exec_t system_r; +- allow $2 system_r; +- +- files_search_etc($1) +- admin_pattern($1, zarafa_etc_t) +- +- files_search_tmp($1) +- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) +- +- logging_search_log($1) +- admin_pattern($1, zarafa_logfile) +- +- files_search_var_lib($1) +- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) +- +- files_search_pids($1) +- admin_pattern($1, zarafa_pidfile) +interface(`zarafa_manage_lib_files',` + gen_require(` + type zarafa_var_lib_t; @@ -74526,39 +86292,70 @@ index 21ae664..3d08962 100644 + manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) + manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) -+') + ') diff --git a/zarafa.te b/zarafa.te -index 91267bc..0aa9870 100644 +index a4479b1..0aa9870 100644 --- a/zarafa.te 
+++ b/zarafa.te -@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) +@@ -1,4 +1,4 @@ +-policy_module(zarafa, 1.1.4) ++policy_module(zarafa, 1.1.0) + + ######################################## + # +@@ -6,8 +6,6 @@ policy_module(zarafa, 1.1.4) + # + + attribute zarafa_domain; +-attribute zarafa_logfile; +-attribute zarafa_pidfile; + + zarafa_domain_template(deliver) + +@@ -17,9 +15,6 @@ files_tmp_file(zarafa_deliver_tmp_t) + type zarafa_etc_t; + files_config_file(zarafa_etc_t) + +-type zarafa_initrc_exec_t; +-init_script_file(zarafa_initrc_exec_t) +- zarafa_domain_template(gateway) zarafa_domain_template(ical) zarafa_domain_template(indexer) -+ -+type zarafa_indexer_tmp_t; -+files_tmp_file(zarafa_indexer_tmp_t) -+ - zarafa_domain_template(monitor) - zarafa_domain_template(server) +@@ -43,61 +38,77 @@ files_tmp_file(zarafa_var_lib_t) -@@ -48,10 +52,9 @@ auth_use_nsswitch(zarafa_deliver_t) - # zarafa_gateway local policy + ######################################## + # +-# Deliver local policy ++# zarafa-deliver local policy # --allow zarafa_gateway_t self:capability { chown kill }; -+allow zarafa_gateway_t self:capability { kill }; - allow zarafa_gateway_t self:process setrlimit; + manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + ++auth_use_nsswitch(zarafa_deliver_t) ++ + ######################################## + # +-# Gateway local policy ++# zarafa_gateway local policy + # -corenet_all_recvfrom_unlabeled(zarafa_gateway_t) ++allow zarafa_gateway_t self:capability { kill }; ++allow zarafa_gateway_t self:process setrlimit; ++ corenet_all_recvfrom_netlabel(zarafa_gateway_t) corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) -@@ -59,16 +62,28 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) 
++corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) +- +-corenet_sendrecv_pop_server_packets(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) - --auth_use_nsswitch(zarafa_gateway_t) +-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t) ++ +###################################### +# +# zarafa-indexer local policy 
@@ -74577,39 +86374,52 @@ index 91267bc..0aa9870 100644 ####################################### # - # zarafa-ical local policy +-# Ical local policy ++# zarafa-ical local policy # --allow zarafa_ical_t self:capability chown; - -corenet_all_recvfrom_unlabeled(zarafa_ical_t) ++ corenet_all_recvfrom_netlabel(zarafa_ical_t) corenet_tcp_sendrecv_generic_if(zarafa_ical_t) corenet_tcp_sendrecv_generic_node(zarafa_ical_t) -@@ -83,7 +98,6 @@ auth_use_nsswitch(zarafa_ical_t) - # zarafa-monitor local policy ++corenet_tcp_sendrecv_all_ports(zarafa_ical_t) + corenet_tcp_bind_generic_node(zarafa_ical_t) +- +-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t) + corenet_tcp_bind_http_cache_port(zarafa_ical_t) +-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) ++ ++auth_use_nsswitch(zarafa_ical_t) + + ###################################### + # +-# Indexer local policy ++# zarafa-monitor local policy # --allow zarafa_monitor_t self:capability chown; +-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) - auth_use_nsswitch(zarafa_monitor_t) +-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) ++auth_use_nsswitch(zarafa_monitor_t) -@@ -92,7 +106,7 @@ auth_use_nsswitch(zarafa_monitor_t) - # zarafa_server local policy + ######################################## + # +-# Server local policy ++# zarafa_server local policy # --allow zarafa_server_t self:capability { chown kill net_bind_service }; +allow zarafa_server_t self:capability { kill net_bind_service }; - allow zarafa_server_t self:process setrlimit; - ++allow zarafa_server_t self:process setrlimit; ++ manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, 
zarafa_server_tmp_t) -@@ -101,11 +115,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) - - manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) - manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) --files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) -+manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }) + manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) + files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) +@@ -109,70 +120,89 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) 
@@ -74617,23 +86427,60 @@ index 91267bc..0aa9870 100644 corenet_all_recvfrom_netlabel(zarafa_server_t) corenet_tcp_sendrecv_generic_if(zarafa_server_t) corenet_tcp_sendrecv_generic_node(zarafa_server_t) -@@ -135,11 +149,10 @@ optional_policy(` - # zarafa_spooler local policy ++corenet_tcp_sendrecv_all_ports(zarafa_server_t) + corenet_tcp_bind_generic_node(zarafa_server_t) +- +-corenet_sendrecv_zarafa_server_packets(zarafa_server_t) + corenet_tcp_bind_zarafa_port(zarafa_server_t) +-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) + + files_read_usr_files(zarafa_server_t) + ++auth_use_nsswitch(zarafa_server_t) ++ ++logging_send_syslog_msg(zarafa_server_t) + logging_send_audit_msgs(zarafa_server_t) + ++sysnet_dns_name_resolve(zarafa_server_t) ++ + optional_policy(` + kerberos_use(zarafa_server_t) + ') + + optional_policy(` + mysql_stream_connect(zarafa_server_t) +- mysql_tcp_connect(zarafa_server_t) +-') +- +-optional_policy(` +- postgresql_stream_connect(zarafa_server_t) +- postgresql_tcp_connect(zarafa_server_t) + ') + + ######################################## + # +-# Spooler local policy ++# zarafa_spooler local policy # --allow zarafa_spooler_t self:capability { chown kill }; +allow zarafa_spooler_t self:capability { kill }; - ++ can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) -corenet_all_recvfrom_unlabeled(zarafa_spooler_t) corenet_all_recvfrom_netlabel(zarafa_spooler_t) corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) -@@ -150,11 +163,35 @@ auth_use_nsswitch(zarafa_spooler_t) - - ######################################## - # +- +-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t) ++corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) + corenet_tcp_connect_smtp_port(zarafa_spooler_t) +-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) ++ ++auth_use_nsswitch(zarafa_spooler_t) ++ ++######################################## ++# +# zarafa_gateway local policy +# + 
@@ -74655,43 +86502,130 @@ index 91267bc..0aa9870 100644 +# zarafa-monitor local policy +# + -+ -+######################################## -+# - # zarafa domains local policy + + ######################################## + # +-# Zarafa domain local policy ++# zarafa domains local policy # - # bad permission on /etc/zarafa --allow zarafa_domain self:capability { dac_override setgid setuid }; +-allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +-allow zarafa_domain self:process { setrlimit signal }; ++# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override chown setgid setuid }; - allow zarafa_domain self:process signal; ++allow zarafa_domain self:process signal; allow zarafa_domain self:fifo_file rw_fifo_file_perms; - allow zarafa_domain self:tcp_socket create_stream_socket_perms; -@@ -164,8 +201,8 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var +-allow zarafa_domain self:tcp_socket { accept listen }; +-allow zarafa_domain self:unix_stream_socket { accept listen }; ++allow zarafa_domain self:tcp_socket create_stream_socket_perms; ++allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; + + stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) -kernel_read_system_state(zarafa_domain) -+dev_read_rand(zarafa_domain) -+dev_read_urand(zarafa_domain) +- + dev_read_rand(zarafa_domain) + dev_read_urand(zarafa_domain) - files_read_etc_files(zarafa_domain) +-logging_send_syslog_msg(zarafa_domain) ++files_read_etc_files(zarafa_domain) -miscfiles_read_localization(zarafa_domain) +diff --git a/zebra.fc b/zebra.fc +index 28ee4ca..e1b30b2 100644 +--- a/zebra.fc ++++ b/zebra.fc +@@ -1,21 +1,22 @@ +-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) +-/etc/zebra(/.*)? 
gen_context(system_u:object_r:zebra_conf_t,s0) +- + /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) ++ ++/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) ++ ++/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) ++/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) + +-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) + /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) ++/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) + +-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) ++/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) ++/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) + + /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) + /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) +-/var/run/quagga(/.*)? 
gen_context(system_u:object_r:zebra_var_run_t,s0) ++/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/zebra.if b/zebra.if -index 6b87605..ef64e73 100644 +index 3416401..ef64e73 100644 --- a/zebra.if +++ b/zebra.if -@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` - ') +@@ -1,8 +1,8 @@ +-## Zebra border gateway protocol network routing service. ++## Zebra border gateway protocol network routing service - files_search_pids($1) -- allow $1 zebra_var_run_t:sock_file write; -- allow $1 zebra_t:unix_stream_socket connectto; -+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) + ######################################## + ## +-## Read zebra configuration content. ++## Read the configuration files for zebra. + ## + ## + ## +@@ -18,14 +18,13 @@ interface(`zebra_read_config',` + + files_search_etc($1) + allow $1 zebra_conf_t:dir list_dir_perms; +- allow $1 zebra_conf_t:file read_file_perms; +- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; ++ read_files_pattern($1, zebra_conf_t, zebra_conf_t) ++ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) ') ######################################## + ## +-## Connect to zebra with a unix +-## domain stream socket. ++## Connect to zebra over an unix stream socket. + ## + ## + ## +@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',` + + ######################################## + ## +-## All of the rules required to +-## administrate an zebra environment. ++## All of the rules required to administrate ++## an zebra environment + ## + ## + ## +@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',` + ## + ## + ## +-## Role allowed access. ++## The role to be allowed to manage the zebra domain. + ## + ## + ## @@ -62,12 +61,14 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` gen_require(` @@ -74711,14 +86645,29 @@ index 6b87605..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) 
diff --git a/zebra.te b/zebra.te -index ade6c2c..ac46eb2 100644 +index b0803c2..ac46eb2 100644 --- a/zebra.te +++ b/zebra.te -@@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0) - ##

    - ## +@@ -1,4 +1,4 @@ +-policy_module(zebra, 1.12.1) ++policy_module(zebra, 1.12.0) + + ######################################## # +@@ -6,19 +6,19 @@ policy_module(zebra, 1.12.1) + # + + ## +-##

    +-## Determine whether zebra daemon can +-## manage its configuration files. +-##

    ++##

    ++## Allow zebra daemon to write it configuration files ++##

    + ##
    -gen_tunable(allow_zebra_write_config, false) ++# +gen_tunable(zebra_write_config, false) type zebra_t; 
@@ -74731,15 +86680,38 @@ index ade6c2c..ac46eb2 100644 type zebra_initrc_exec_t; init_script_file(zebra_initrc_exec_t) -@@ -52,7 +52,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms; - read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - --allow zebra_t zebra_log_t:dir setattr; -+allow zebra_t zebra_log_t:dir setattr_dir_perms; - manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t) + allow zebra_t self:capability { setgid setuid net_admin net_raw }; + dontaudit zebra_t self:capability sys_tty_config; + allow zebra_t self:process { signal_perms getcap setcap }; +-allow zebra_t self:fifo_file rw_fifo_file_perms; +-allow zebra_t self:unix_stream_socket { accept connectto listen }; ++allow zebra_t self:file rw_file_perms; ++allow zebra_t self:unix_dgram_socket create_socket_perms; ++allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; + allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; + allow zebra_t self:udp_socket create_socket_perms; + allow zebra_t self:rawip_socket create_socket_perms; + + allow zebra_t zebra_conf_t:dir list_dir_perms; +-allow zebra_t zebra_conf_t:file read_file_perms; +-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms; ++read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ++read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + + allow zebra_t zebra_log_t:dir setattr_dir_perms; +-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t) ++manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) + ++# /tmp/.bgpd is such a bad idea! 
+ allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; + files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) + @@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t) kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) 
@@ -74748,16 +86720,57 @@ index ade6c2c..ac46eb2 100644 corenet_all_recvfrom_netlabel(zebra_t) corenet_tcp_sendrecv_generic_if(zebra_t) corenet_udp_sendrecv_generic_if(zebra_t) -@@ -106,16 +105,16 @@ files_search_etc(zebra_t) +@@ -79,48 +78,43 @@ corenet_raw_sendrecv_generic_if(zebra_t) + corenet_tcp_sendrecv_generic_node(zebra_t) + corenet_udp_sendrecv_generic_node(zebra_t) + corenet_raw_sendrecv_generic_node(zebra_t) ++corenet_tcp_sendrecv_all_ports(zebra_t) ++corenet_udp_sendrecv_all_ports(zebra_t) + corenet_tcp_bind_generic_node(zebra_t) + corenet_udp_bind_generic_node(zebra_t) +- +-corenet_sendrecv_bgp_server_packets(zebra_t) + corenet_tcp_bind_bgp_port(zebra_t) +-corenet_sendrecv_bgp_client_packets(zebra_t) ++corenet_tcp_bind_zebra_port(zebra_t) ++corenet_udp_bind_router_port(zebra_t) + corenet_tcp_connect_bgp_port(zebra_t) +-corenet_tcp_sendrecv_bgp_port(zebra_t) +- + corenet_sendrecv_zebra_server_packets(zebra_t) +-corenet_tcp_bind_zebra_port(zebra_t) +-corenet_tcp_sendrecv_zebra_port(zebra_t) +- + corenet_sendrecv_router_server_packets(zebra_t) +-corenet_udp_bind_router_port(zebra_t) +-corenet_udp_sendrecv_router_port(zebra_t) + + dev_associate_usbfs(zebra_var_run_t) + dev_list_all_dev_nodes(zebra_t) + dev_read_sysfs(zebra_t) + dev_rw_zero(zebra_t) + ++fs_getattr_all_fs(zebra_t) ++fs_search_auto_mountpoints(zebra_t) ++ ++term_list_ptys(zebra_t) ++ + domain_use_interactive_fds(zebra_t) + ++files_search_etc(zebra_t) files_read_etc_files(zebra_t) files_read_etc_runtime_files(zebra_t) --logging_send_syslog_msg(zebra_t) +-fs_getattr_all_fs(zebra_t) +-fs_search_auto_mountpoints(zebra_t) +- +-term_list_ptys(zebra_t) +auth_read_passwd(zebra_t) --miscfiles_read_localization(zebra_t) -+logging_send_syslog_msg(zebra_t) + logging_send_syslog_msg(zebra_t) +-miscfiles_read_localization(zebra_t) +- sysnet_read_config(zebra_t) userdom_dontaudit_use_unpriv_user_fds(zebra_t) 
@@ -74768,6 +86781,14 @@ index ade6c2c..ac46eb2 100644 manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ') +@@ -139,3 +133,7 @@ optional_policy(` + optional_policy(` + udev_read_db(zebra_t) + ') ++ ++optional_policy(` ++ unconfined_sigchld(zebra_t) ++') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 index 0000000..e1602ec @@ -74800,14 +86821,12 @@ index 0000000..e1602ec + diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..b34b8b4 +index 0000000..c72a70d --- /dev/null +++ b/zoneminder.if -@@ -0,0 +1,339 @@ -+ +@@ -0,0 +1,337 @@ +## policy for zoneminder + -+ +######################################## +## +## Transition to zoneminder. @@ -75271,19 +87290,11 @@ index 0000000..a98b795 + ') + +') -diff --git a/zosremote.fc b/zosremote.fc -index d719d0b..7a7fc61 100644 ---- a/zosremote.fc -+++ b/zosremote.fc -@@ -1 +1,3 @@ - /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -+ -+/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/zosremote.if b/zosremote.if -index 702e768..2a4f2cc 100644 +index b14698c..16e1581 100644 --- a/zosremote.if +++ b/zosremote.if -@@ -34,6 +34,7 @@ interface(`zosremote_domtrans',` +@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',` ## Role allowed access. ## ## @@ -75292,19 +87303,11 @@ index 702e768..2a4f2cc 100644 interface(`zosremote_run',` gen_require(` diff --git a/zosremote.te b/zosremote.te -index f9a06d2..fade72a 100644 +index 9ba9f81..983b6c8 100644 --- a/zosremote.te 
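Review bot: The new `corenet_tcp_sendrecv_all_ports(zebra_t)` / `corenet_udp_sendrecv_all_ports(zebra_t)` lines replace the port-specific `corenet_tcp_sendrecv_bgp_port`, `corenet_tcp_sendrecv_zebra_port` and `corenet_udp_sendrecv_router_port` that the removed lines carried, so zebra_t goes from three labelled port types to every port type for send/recv while the bind rules (`corenet_tcp_bind_bgp_port`, `corenet_tcp_bind_zebra_port`, `corenet_udp_bind_router_port`) stay narrow. If the widening is needed because routing peers use arbitrary source ports, that is worth recording, since nothing in the hunk says why the port confinement was dropped; a one-line comment above the two new lines such as `# peers use arbitrary ports; port-level sendrecv confinement is intentionally not applied to zebra_t` would do. If it is not needed, keeping the three removed sendrecv lines and adding only the ports that were observed to be denied would preserve least privilege. This hunk is itself inside a patch of a patch, and the zebra_t block it edits continues outside the hunk.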
+++ b/zosremote.te -@@ -16,13 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) - # +@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen }; - allow zos_remote_t self:process signal; --allow zos_remote_t self:fifo_file rw_file_perms; -+allow zos_remote_t self:fifo_file rw_fifo_file_perms; - allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; - --files_read_etc_files(zos_remote_t) -- auth_use_nsswitch(zos_remote_t) -miscfiles_read_localization(zos_remote_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a7c5fa8..48e08c1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -13,13 +13,21 @@ %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif +<<<<<<< HEAD %define POLICYVER 29 %define POLICYCOREUTILSVER 2.1.13-34 +||||||| merged common ancestors +%define POLICYVER 28 +%define POLICYCOREUTILSVER 2.1.13-34 +======= +%define POLICYVER 29 +%define POLICYCOREUTILSVER 2.1.13-53 +>>>>>>> fa970c32f1409d9b0322c292f1e89b2028368e3b %define CHECKPOLICYVER 2.1.11-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.11.1 -Release: 69.1%{?dist} +Version: 3.12.1 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
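Review bot: The selinux-policy.spec hunk commits unresolved merge-conflict markers as added lines (`+<<<<<<< HEAD`, `+||||||| merged common ancestors`, `+=======`, `+>>>>>>> fa970c32f1409d9b0322c292f1e89b2028368e3b`), which rpmbuild will not parse and which leave two competing `%define POLICYCOREUTILSVER` values (2.1.13-34 and 2.1.13-53) in the file. The conflict needs to be resolved to a single pair of defines before this lands; both sides agree on `%define POLICYVER 29`, so the only real decision is the policycoreutils requirement. Since the side carrying the bumped `Version: 3.12.1` also carries the higher requirement, `%define POLICYCOREUTILSVER 2.1.13-53` is presumably the intended value, but confirm that against what the new policy version actually needs from the userspace tools.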
@@ -252,9 +260,9 @@ fi; . %{_sysconfdir}/selinux/config; \ if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ - (cd /etc/selinux/%2/modules/active/modules; rm -f ctdbd.pp fcoemon.pp glusterd.pp isnsd.pp qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \ + (cd /etc/selinux/%2/modules/active/modules; rm -f consolekit.pp ctdbd.pp fcoemon.pp isnsd.pp l2tpd.pp qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \ if [ %1 -ne 1 ]; then \ - /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon glusterd isnsd 2>/dev/null; \ + /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp consolekit 2>/dev/null; \ fi \ /usr/sbin/semodule -B -n -s %2; \ else \ @@ -524,6 +532,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 9 2013 Miroslav Grepl 3.12.1-1 +- Mass merge with upstream + * Sat Jan 5 2013 Dan Walsh 3.11.1-69.1 - Bump the policy version to 28 to match selinux userspace - Rebuild versus latest libsepol diff --git a/sources b/sources index bb07f17..774fff0 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -ee1c09715a7b04a16aa2e7004703b72a serefpolicy-3.11.1.tgz -8637c3e6add4e83a882c5cea26625257 serefpolicy-contrib-3.11.1.tgz +6acb2ca4d59b3883eaee9cac5b5d57d9 serefpolicy-3.12.1.tgz +59575158d23f6eb99eedcd50cc01439a serefpolicy-contrib-3.12.1.tgz c107c73fcdf6cd137d2e79ce07d15601 config.tgz
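Review bot: The two stale-module lists in the %post scriptlet hunk no longer agree on the l2tp module name: the `.rebuild` path's `rm -f` now deletes `l2tpd.pp`, while the upgrade path's `semodule -n -s %2 -r …` names it `l2tp`, so one of the two paths will leave the old module in place. Because that `semodule -r` call still ends in `2>/dev/null`, a non-existent module name is never reported and the leftover only surfaces later as a conflict when the replacement module is loaded. Use the same name in both lists, presumably `l2tpd` given that is what the `rm -f` list already removes, and consider dropping `2>/dev/null` or at least logging the failure so a mismatch is visible. The enclosing `%define` macro starts and ends outside the hunk.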