From b3ef57fc19c3884c4c6117a9bd799ebfa274e4a3 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 04 2012 14:58:41 +0000 Subject: - New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo - Allow rpc.svcgssd to read supported_krb5_enctype - Allow zarafa domains to read /dev/random and /dev/urandom - Allow snmpd to read dev_snmp6 - Allow procmail to talk with cyrus - Add fixes for check_disk and check_nagios plugins --- diff --git a/policy-F16.patch b/policy-F16.patch index a8547ef..6577ce6 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1439,7 +1439,7 @@ index 4f7bd3c..9143343 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..a2512aa 100644 +index 7090dae..078d715 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) @@ -1485,12 +1485,13 @@ index 7090dae..a2512aa 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +118,16 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) -userdom_use_user_terminals(logrotate_t) +systemd_exec_systemctl(logrotate_t) ++init_stream_connect(logrotate_t) + +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) @@ -1508,7 +1509,7 @@ index 7090dae..a2512aa 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +138,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -1517,7 +1518,7 @@ index 7090dae..a2512aa 100644 ') optional_policy(` -@@ -154,6 +154,10 @@ optional_policy(` +@@ -154,6 +155,10 @@ optional_policy(` ') optional_policy(` 
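Review bot: `++init_stream_connect(logrotate_t)` in the logrotate.te hunk opens systemd's private control socket to the whole logrotate_t domain rather than to the systemctl invocation alone, so any helper logrotate runs that stays in logrotate_t inherits the same access; together with the earlier `systemd_exec_systemctl(logrotate_t)`, which appears to execute systemctl without a domain transition, this hands the domain the full systemctl control surface. If a transition into a dedicated domain is not practical for F16, a comment above the line recording why the socket access is needed, e.g. `# systemctl runs in logrotate_t (no transition) and needs init's private socket`, would make the grant auditable later. The logrotate_t rule block continues outside the hunk.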
@@ -1528,7 +1529,7 @@ index 7090dae..a2512aa 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +166,20 @@ optional_policy(` +@@ -162,10 +167,20 @@ optional_policy(` ') optional_policy(` @@ -1549,7 +1550,7 @@ index 7090dae..a2512aa 100644 cups_domtrans(logrotate_t) ') -@@ -200,9 +214,12 @@ optional_policy(` +@@ -200,9 +215,12 @@ optional_policy(` ') optional_policy(` @@ -1563,7 +1564,7 @@ index 7090dae..a2512aa 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +245,14 @@ optional_policy(` +@@ -228,3 +246,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -2128,10 +2129,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..9c8b64f +index 0000000..deed25f --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,10 @@ +@@ -0,0 +1,20 @@ +policy_module(permissivedomains,17) + + @@ -2142,6 +2143,16 @@ index 0000000..9c8b64f + + permissive blueman_t; +') ++ ++optional_policy(` ++ gen_require(` ++ type httpd_zoneminder_script_t, zoneminder_t; ++ ') ++ ++ permissive httpd_zoneminder_script_t; ++ permissive zoneminder_t; ++') ++ diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -11422,10 +11433,10 @@ index 1dc7a85..a01511f 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..7e6f53c 100644 +index 7590165..f40af5b 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0) # Declarations # 
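Review bot: The new `permissive httpd_zoneminder_script_t;` and `permissive zoneminder_t;` block in permissivedomains.te switches enforcement off for both domains (denials are logged but allowed), and neither the hunk nor the commit message says why or when it is expected to be removed. A one-line comment inside the new optional_policy block, e.g. `# zoneminder policy still maturing: permissive to collect AVCs, drop once stable`, would keep the exemption from outliving the policy work. The zoneminder change is also absent from the commit message, so it is worth listing there.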
@@ -11464,12 +11475,14 @@ index 7590165..7e6f53c 100644 +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) ++files_mounton_rootfs(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) +files_relabelfrom_tmp_dirs(seunshare_domain) -logging_send_syslog_msg(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) ++fs_unmount_all_fs(seunshare_domain) -miscfiles_read_localization(seunshare_t) +logging_send_syslog_msg(seunshare_domain) @@ -16987,7 +17000,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..b682bcf 100644 +index ff006ea..90fa357 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -17152,7 +17165,32 @@ index ff006ea..b682bcf 100644 ## Unmount a rootfs filesystem. ## ## -@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',` +@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',` + + ######################################## + ## ++## Mount a filesystem on the root file system ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:dir { search_dir_perms mounton }; ++') ++ ++######################################## ++## + ## Get attributes of the /boot directory. + ## + ## +@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -17161,7 +17199,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
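Review bot: `++fs_unmount_all_fs(seunshare_domain)` grants `unmount` on every filesystem_type to all seunshare domains, which is broader than the mount-on-/ need stated in the commit message; SELinux permissions are not scoped to mount namespaces, so the policy does not by itself confine this to the sandbox's private namespace, only the seunshare binary's behaviour does. If the filesystems seunshare actually unmounts are known, a per-type unmount interface would keep the attribute-wide grant minimal; otherwise a comment next to `++files_mounton_rootfs(seunshare_domain)` and this line, e.g. `# mount on / and umount are expected only inside seunshare's private mount namespace; policy cannot scope this`, records the assumption for later review. The seunshare_domain rule block continues outside the hunk.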
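Review bot: The new `files_mounton_rootfs` interface in files.if grants `search_dir_perms` on root_t in addition to `mounton`, but its summary only reads "Mount a filesystem on the root file system". The summary should mention the extra access, e.g. `## Mount a filesystem on the root file system (also grants search on /).`, so callers reviewing the interface list see the full grant.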
@@ -17186,7 +17224,7 @@ index ff006ea..b682bcf 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -17195,7 +17233,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -2507,6 +2629,25 @@ interface(`files_manage_etc_files',` +@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -17221,7 +17259,7 @@ index ff006ea..b682bcf 100644 ## Delete system configuration files in /etc. ## ## -@@ -2525,6 +2666,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -17246,7 +17284,7 @@ index ff006ea..b682bcf 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2783,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -17255,7 +17293,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2680,24 +2839,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -17280,7 +17318,7 @@ index ff006ea..b682bcf 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2879,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -17305,7 +17343,7 @@ index ff006ea..b682bcf 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2934,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) 
@@ -17313,7 +17351,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2796,6 +2956,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -17321,7 +17359,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3364,7 +3525,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -17330,7 +17368,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3502,20 +3663,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -17374,7 +17412,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3804,7 +3983,7 @@ interface(`files_kernel_modules_filetrans',` +@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',` type modules_object_t; ') @@ -17383,7 +17421,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3900,6 +4079,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -17483,7 +17521,7 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4217,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -17492,7 +17530,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4017,7 +4289,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -17501,7 +17539,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4029,6 +4301,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -17526,12 +17564,13 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4375,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -17540,14 +17579,16 @@ index ff006ea..b682bcf 100644 +## This is added to support java policy. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_manage_generic_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + attribute tmpfile; + ') + @@ -17556,26 +17597,34 @@ index ff006ea..b682bcf 100644 + +######################################## +## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4139,7 +4455,7 @@ interface(`files_rw_generic_tmp_sockets',` ++## Manage temporary files and directories in /tmp. ++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_tmp_files',` ++ gen_require(` ++ type tmp_t; + ') + + manage_files_pattern($1, tmp_t, tmp_t) +@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4147,9 +4463,45 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; ++ gen_require(` + type tmp_t; + ') + @@ -17602,21 +17651,10 @@ index ff006ea..b682bcf 100644 + +######################################## +## -+## Set the attributes of all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; - ') - - allow $1 tmpfile:dir { search_dir_perms setattr }; -@@ -4202,7 +4554,7 @@ interface(`files_relabel_all_tmp_dirs',` + ## Set the attributes of all tmp directories. + ## + ## +@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -17625,7 +17663,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4262,7 +4614,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -17634,7 +17672,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4318,7 +4670,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -17643,7 +17681,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -4342,6 +4694,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -17660,7 +17698,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -4681,7 +5043,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -17669,7 +17707,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5084,7 +5446,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -17678,7 +17716,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5219,7 +5581,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17687,7 +17725,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5304,6 +5666,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -17713,7 +17751,7 @@ index ff006ea..b682bcf 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5698,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5716,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -17722,7 +17760,7 @@ index ff006ea..b682bcf 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5719,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -17738,7 +17776,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5349,12 +5734,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -17771,7 +17809,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5373,6 +5776,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -17779,7 +17817,7 @@ index ff006ea..b682bcf 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5789,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -17787,7 +17825,7 @@ index ff006ea..b682bcf 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5815,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -17796,7 +17834,7 @@ index ff006ea..b682bcf 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5831,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -17813,7 +17851,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5452,7 +5855,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -17822,7 +17860,7 @@ index ff006ea..b682bcf 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5896,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -17831,7 +17869,7 @@ index ff006ea..b682bcf 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5918,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -17840,7 +17878,7 @@ index ff006ea..b682bcf 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5950,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -17851,7 +17889,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5608,6 +6011,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6029,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -17895,7 +17933,7 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6069,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -17921,7 +17959,7 @@ index ff006ea..b682bcf 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6195,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17930,7 +17968,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5815,29 +6274,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -17964,7 +18002,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5845,42 +6300,35 @@ interface(`files_read_all_pids',` +@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',` ## ## # @@ -18014,7 +18052,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5888,20 +6336,17 @@ interface(`files_delete_all_pids',` +@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -18038,7 +18076,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5909,56 +6354,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -18114,7 +18152,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5966,18 +6414,17 @@ interface(`files_list_spool',` +@@ -5966,18 +6432,17 @@ interface(`files_list_spool',` ## ## # @@ -18137,7 +18175,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5985,19 +6432,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -18162,7 +18200,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -6005,50 +6451,61 @@ interface(`files_read_generic_spool',` +@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',` ## ## # @@ -18243,7 +18281,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -6056,31 +6513,283 @@ interface(`files_spool_filetrans',` +@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',` ## ## # 
@@ -18258,26 +18296,11 @@ index ff006ea..b682bcf 100644 - # Need to give access to /selinux/member - selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; +- # Need sys_admin capability for mounting +######################################## +## +## Make the specified type a file 
@@ -18530,25 +18553,10 @@ index ff006ea..b682bcf 100644 + selinux_compute_member($1) + + # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; + allow $1 self:capability { chown fsetid sys_admin fowner }; -@@ -6117,3 +6826,284 @@ interface(`files_unconfined',` + # Need to give access to the directories to be polyinstantiated +@@ -6117,3 +6844,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -18908,7 +18916,7 @@ index cda5588..e89e4bf 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..6342520 100644 +index 97fcdac..dc65c9c 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -19348,7 +19356,32 @@ index 97fcdac..6342520 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3958,6 +4197,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3258,6 +3497,24 @@ interface(`fs_getattr_nfsd_files',` + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + ++####################################### ++## ++## read files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++') ++ + ######################################## + ## + ## Read and write NFS server files. +@@ -3958,6 +4215,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -19391,7 +19424,7 @@ index 97fcdac..6342520 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4450,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4468,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -19416,7 +19449,7 @@ index 97fcdac..6342520 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4544,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4562,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -19442,7 +19475,7 @@ index 97fcdac..6342520 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4769,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4787,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19451,7 +19484,7 @@ index 97fcdac..6342520 100644 ') ######################################## -@@ -4503,7 +4817,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4835,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19460,7 +19493,7 @@ index 97fcdac..6342520 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5180,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5198,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -28440,10 +28473,10 @@ index 0000000..9fe3f9e +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..788087e +index 0000000..040aa2e --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,171 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -28453,7 +28486,7 @@ index 0000000..788087e + +attribute boinc_domain; + -+type boinc_t; ++type boinc_t, boinc_domain; +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) + @@ -28496,6 +28529,7 @@ index 0000000..788087e +dev_read_rand(boinc_domain) +dev_read_urand(boinc_domain) +dev_read_sysfs(boinc_domain) ++dev_rw_xserver_misc(boinc_domain) + +domain_read_all_domains_state(boinc_domain) + @@ -28515,7 +28549,6 @@ index 0000000..788087e +# boinc local policy +# + -+allow boinc_t self:capability { kill }; +allow boinc_t self:process { setsched sigkill }; + +allow boinc_t self:unix_stream_socket create_stream_socket_perms; @@ -28610,8 +28643,6 @@ index 0000000..788087e + +corenet_tcp_connect_boinc_port(boinc_project_t) + -+dev_rw_xserver_misc(boinc_project_t) -+ +files_dontaudit_search_home(boinc_project_t) + +optional_policy(` @@ -33940,7 +33971,7 @@ index 305ddf4..2746e6f 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..3bc4cfd 100644 +index 0f28095..0172ea8 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
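Review bot: `++dev_rw_xserver_misc(boinc_domain)` in the boinc.te hunk, paired with the removal of `dev_rw_xserver_misc(boinc_project_t)` later in the same file section and with `type boinc_t, boinc_domain;` now making the client a member of the attribute, extends read/write access to X server misc devices from the project applications to the boinc client daemon as well; if only the project applications render through X, the original boinc_project_t scope is the tighter one. None of the boinc changes (attribute membership, dropping `allow boinc_t self:capability { kill };`, this widening) appear in the commit message, so a comment above the line such as `# both boinc_t and project apps need X misc devices — confirm for boinc_t` would record the intent. The boinc_domain rule block begins and ends outside the hunk.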
@@ -33999,7 +34030,15 @@ index 0f28095..3bc4cfd 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t) + + domain_use_interactive_fds(cupsd_t) + ++files_getattr_boot_dirs(cupsd_t) + files_list_spool(cupsd_t) + files_read_etc_files(cupsd_t) + files_read_etc_runtime_files(cupsd_t) +@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -34012,7 +34051,7 @@ index 0f28095..3bc4cfd 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -297,8 +296,10 @@ optional_policy(` +@@ -297,8 +297,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -34023,7 +34062,7 @@ index 0f28095..3bc4cfd 100644 ') ') -@@ -311,10 +312,22 @@ optional_policy(` +@@ -311,10 +313,22 @@ optional_policy(` ') optional_policy(` @@ -34046,7 +34085,7 @@ index 0f28095..3bc4cfd 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -34057,7 +34096,7 @@ index 0f28095..3bc4cfd 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -34068,7 +34107,7 @@ index 0f28095..3bc4cfd 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) 
@@ -34082,7 +34121,7 @@ index 0f28095..3bc4cfd 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +471,10 @@ optional_policy(` +@@ -453,6 +472,10 @@ optional_policy(` ') optional_policy(` @@ -34093,7 +34132,7 @@ index 0f28095..3bc4cfd 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +489,10 @@ optional_policy(` +@@ -467,6 +490,10 @@ optional_policy(` ') optional_policy(` @@ -34104,7 +34143,7 @@ index 0f28095..3bc4cfd 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +614,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -34137,7 +34176,7 @@ index 0f28095..3bc4cfd 100644 ') ######################################## -@@ -639,7 +664,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +665,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -34146,7 +34185,7 @@ index 0f28095..3bc4cfd 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +710,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +711,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -34154,7 +34193,7 @@ index 0f28095..3bc4cfd 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +722,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +723,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) 
@@ -45627,7 +45666,7 @@ index 256166a..71e7a36 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..867dfac 100644 +index 343cee3..381f8c1 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -45750,7 +45789,7 @@ index 343cee3..867dfac 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +416,17 @@ interface(`mta_send_mail',` +@@ -391,12 +416,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -45766,11 +45805,13 @@ index 343cee3..867dfac 100644 + + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) ++ allow mta_user_agent $1:fd use; ++ allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file { read write }; ') ######################################## -@@ -409,7 +439,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +441,6 @@ interface(`mta_sendmail_domtrans',` ##
## # @@ -45778,7 +45819,7 @@ index 343cee3..867dfac 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +449,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +451,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -45803,7 +45844,7 @@ index 343cee3..867dfac 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +485,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +487,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -45830,7 +45871,7 @@ index 343cee3..867dfac 100644 ## Read mail server configuration. ## ## -@@ -474,7 +541,8 @@ interface(`mta_write_config',` +@@ -474,7 +543,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -45840,7 +45881,7 @@ index 343cee3..867dfac 100644 ') ######################################## -@@ -494,6 +562,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +564,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -45848,7 +45889,7 @@ index 343cee3..867dfac 100644 ') ######################################## -@@ -532,7 +601,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +603,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -45857,7 +45898,7 @@ index 343cee3..867dfac 100644 ') ######################################## -@@ -552,7 +621,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +623,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -45866,7 +45907,7 @@ index 343cee3..867dfac 100644 ') ####################################### -@@ -646,8 +715,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +717,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
@@ -45877,7 +45918,7 @@ index 343cee3..867dfac 100644 ') ####################################### -@@ -677,7 +746,26 @@ interface(`mta_spool_filetrans',` +@@ -677,7 +748,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -45905,7 +45946,7 @@ index 343cee3..867dfac 100644 ') ######################################## -@@ -697,8 +785,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +787,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -45916,7 +45957,7 @@ index 343cee3..867dfac 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +926,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +928,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -45925,7 +45966,7 @@ index 343cee3..867dfac 100644 ') ######################################## -@@ -864,6 +952,36 @@ interface(`mta_manage_queue',` +@@ -864,6 +954,36 @@ interface(`mta_manage_queue',` ####################################### ## @@ -45962,7 +46003,7 @@ index 343cee3..867dfac 100644 ## Read sendmail binary. ## ## -@@ -899,3 +1017,114 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +1019,114 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -47221,7 +47262,7 @@ index 8581040..039bfa0 100644 init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..1147e19 100644 +index bf64a4c..9ad9024 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -25,7 +25,10 @@ type nagios_var_run_t; 
@@ -47368,14 +47409,24 @@ index bf64a4c..1147e19 100644 ') optional_policy(` -@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) --kernel_read_system_state(nagios_system_plugin_t) ++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) ++ + kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) - corecmd_exec_bin(nagios_system_plugin_t) +@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t) + + files_read_etc_files(nagios_system_plugin_t) + ++fs_getattr_all_fs(nagios_system_plugin_t) ++ + # needed by check_users plugin + optional_policy(` + init_read_utmp(nagios_system_plugin_t) diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc index 74da57f..b94bb3b 100644 --- a/policy/modules/services/nessus.fc @@ -53398,7 +53449,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..999b986 100644 +index 29b9295..df6c236 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -53452,7 +53503,7 @@ index 29b9295..999b986 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -97,17 +110,7 @@ ifdef(`hide_broken_symptoms',` +@@ -97,21 +110,16 @@ ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') 
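Review bot: `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` gives check_nagios read on the log files and search on `nagios_log_t` directories, but reaching /var/log/nagios also needs search on the parent log directory (`logging_search_logs(nagios_system_plugin_t)`) unless that is already granted outside this hunk. `fs_getattr_all_fs(nagios_system_plugin_t)` is the usual grant for a df-like plugin such as check_disk, but it arrives without a why-comment while the existing `# needed by check_users plugin` line shows the file's convention; `# check_disk needs statfs on every mounted filesystem` would keep it self-explaining. The nagios_system_plugin_t block continues outside the hunk.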
@@ -53471,18 +53522,16 @@ index 29b9295..999b986 100644 optional_policy(` clamav_domtrans_clamscan(procmail_t) -@@ -115,6 +118,10 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_manage_data(procmail_t) + clamav_search_lib(procmail_t) ++ cyrus_stream_connect(procmail_t) +') + +optional_policy(` - munin_dontaudit_search_lib(procmail_t) ++ gnome_manage_data(procmail_t) ') -@@ -125,6 +132,11 @@ optional_policy(` + optional_policy(` +@@ -125,6 +133,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -53859,7 +53908,7 @@ index 2855a44..58bb459 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..39d23dc 100644 +index 64c5f95..d70e965 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -54163,14 +54212,16 @@ index 64c5f95..39d23dc 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +368,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -205,22 +367,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t) + corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) - ++corenet_tcp_connect_ntop_port(puppetmaster_t) ++ +# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. +corenet_udp_bind_generic_node(puppetmaster_t) +corenet_udp_bind_generic_port(puppetmaster_t) -+ + dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) +dev_search_sysfs(puppetmaster_t) @@ -54213,7 +54264,7 @@ index 64c5f95..39d23dc 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +418,9 @@ optional_policy(` +@@ -231,3 +419,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') 
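Review bot: `cyrus_stream_connect(procmail_t)` appears to land inside the `optional_policy` block that already holds `clamav_domtrans_clamscan`/`clamav_search_lib`, not in a block of its own, so the whole block is dropped whenever either module is missing: a host without clamav loses the cyrus access, and a host without cyrus silently loses the clamav rules too. Give it its own block, exactly as the `gnome_manage_data(procmail_t)` block below it is laid out. The resulting procmail_t policy continues outside the hunk.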
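Review bot: `corenet_tcp_connect_ntop_port(puppetmaster_t)` is added without any comment saying which puppetmaster feature talks to ntop, and it sits directly above a `corenet_udp_bind_generic_port(puppetmaster_t)` grant whose own comment admits the behaviour still needs investigation. If the daemon really binds random high ports, `corenet_udp_bind_all_unreserved_ports(puppetmaster_t)` may express that more precisely than the generic port type — confirm against the port labelling in corenetwork. The comment also misspells the daemon as `Puppermasterd`. The puppetmaster_t block continues outside the hunk.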
@@ -56988,10 +57039,10 @@ index 0000000..6572600 +') diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..4d1d0c7 +index 0000000..c0952a3 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,65 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -57038,14 +57089,18 @@ index 0000000..4d1d0c7 +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) + ++kernel_read_network_state(rhsmcertd_t) +kernel_read_system_state(rhsmcertd_t) + ++files_list_tmp(rhsmcertd_t) ++ +corecmd_exec_bin(rhsmcertd_t) + +dev_read_urand(rhsmcertd_t) + +files_read_etc_files(rhsmcertd_t) +files_read_usr_files(rhsmcertd_t) ++files_manage_generic_locks(rhsmcertd_t) + +miscfiles_read_localization(rhsmcertd_t) +miscfiles_read_certs(rhsmcertd_t) @@ -57836,7 +57891,7 @@ index cda37bb..617e83f 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..1896e20 100644 +index b1468ed..32dd23d 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -57994,7 +58049,7 @@ index b1468ed..1896e20 100644 fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -+fs_search_nfsd_fs(gssd_t) ++fs_read_nfsd_files(gssd_t) fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) @@ -58749,7 +58804,7 @@ index 82cb169..48c023e 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..5d2dfe7 100644 +index e30bb63..895d6c0 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) 
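Review bot: `files_manage_generic_locks(rhsmcertd_t)` lets the daemon create, rewrite and delete any `var_lock_t` file, i.e. the lock files of every other service on the host, which is more than a certificate-refresh daemon needs. A private lock type declared with `files_lock_file()` and reached through `files_lock_filetrans` would keep it to its own lock, the same way the existing `rhsmcertd_var_run_t` confines its pid file. `kernel_read_network_state(rhsmcertd_t)` and `files_list_tmp(rhsmcertd_t)` also arrive without a comment naming the operation that needs them. The rhsmcertd_t block continues outside the hunk.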
@@ -58797,7 +58852,15 @@ index e30bb63..5d2dfe7 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -249,6 +250,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow smbd_t nmbd_t:process { signal signull }; + + allow smbd_t nmbd_var_run_t:file rw_file_perms; ++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + + allow smbd_t samba_etc_t:file { rw_file_perms setattr }; + +@@ -263,7 +265,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -58806,7 +58869,7 @@ index e30bb63..5d2dfe7 100644 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -279,7 +281,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -58815,7 +58878,7 @@ index e30bb63..5d2dfe7 100644 allow smbd_t swat_t:process signal; -@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,15 +325,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) 
@@ -58834,7 +58897,7 @@ index e30bb63..5d2dfe7 100644 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t) +@@ -343,6 +348,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) @@ -58842,7 +58905,7 @@ index e30bb63..5d2dfe7 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +391,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -58856,7 +58919,7 @@ index e30bb63..5d2dfe7 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +411,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -58867,7 +58930,7 @@ index e30bb63..5d2dfe7 100644 optional_policy(` cups_read_rw_config(smbd_t) -@@ -445,26 +449,25 @@ optional_policy(` +@@ -445,26 +450,25 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -58901,7 +58964,7 @@ index e30bb63..5d2dfe7 100644 ######################################## # # nmbd Local policy -@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +488,10 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -58913,7 +58976,7 @@ index e30bb63..5d2dfe7 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -555,18 +560,21 @@ optional_policy(` +@@ -555,18 +561,21 @@ optional_policy(` # smbcontrol local policy # 
@@ -58939,7 +59002,7 @@ index e30bb63..5d2dfe7 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +582,19 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +583,19 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -58960,7 +59023,7 @@ index e30bb63..5d2dfe7 100644 ######################################## # -@@ -644,19 +660,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +661,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -58985,7 +59048,7 @@ index e30bb63..5d2dfe7 100644 ######################################## # # SWAT Local policy -@@ -677,7 +695,8 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +696,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -58995,7 +59058,7 @@ index e30bb63..5d2dfe7 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +711,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +712,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -59010,7 +59073,7 @@ index e30bb63..5d2dfe7 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +731,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +732,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -59018,7 +59081,7 @@ index e30bb63..5d2dfe7 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +776,8 @@ logging_search_logs(swat_t) +@@ -754,6 +777,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) 
@@ -59027,7 +59090,7 @@ index e30bb63..5d2dfe7 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +808,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -59036,7 +59099,7 @@ index e30bb63..5d2dfe7 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +831,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -59058,7 +59121,7 @@ index e30bb63..5d2dfe7 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +859,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -59066,7 +59129,7 @@ index e30bb63..5d2dfe7 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +877,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) @@ -59081,7 +59144,7 @@ index e30bb63..5d2dfe7 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -863,6 +894,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) 
@@ -59094,7 +59157,7 @@ index e30bb63..5d2dfe7 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +941,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -59103,7 +59166,7 @@ index e30bb63..5d2dfe7 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +958,18 @@ optional_policy(` +@@ -922,6 +959,18 @@ optional_policy(` # optional_policy(` @@ -59122,7 +59185,7 @@ index e30bb63..5d2dfe7 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +980,12 @@ optional_policy(` +@@ -932,9 +981,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -60332,7 +60395,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..1d22eed 100644 +index 3d8d1b3..73fdfdc 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -60360,7 +60423,7 @@ index 3d8d1b3..1d22eed 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -41,18 +44,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -41,18 +44,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) 
@@ -60376,14 +60439,15 @@ index 3d8d1b3..1d22eed 100644 kernel_read_kernel_sysctls(snmpd_t) kernel_read_fs_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) - kernel_read_proc_symlinks(snmpd_t) +-kernel_read_proc_symlinks(snmpd_t) -kernel_read_system_state(snmpd_t) --kernel_read_network_state(snmpd_t) + kernel_read_network_state(snmpd_t) ++kernel_read_proc_symlinks(snmpd_t) +kernel_read_all_proc(snmpd_t) corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -94,15 +97,19 @@ files_search_home(snmpd_t) +@@ -94,15 +98,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -60404,7 +60468,7 @@ index 3d8d1b3..1d22eed 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -68616,7 +68680,7 @@ index 21ae664..3e448dd 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..6e2c42a 100644 +index 9fb4747..92c156b 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) 
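Review bot: `kernel_read_proc_symlinks(snmpd_t)` is removed and re-added two lines lower, a pure reorder that turns an upstream context line into a patch-local change with no functional effect; keeping it as context would shrink the F16 delta. The dev_snmp6 read this commit is after is presumably what keeping `kernel_read_network_state(snmpd_t)` serves, while `kernel_read_all_proc(snmpd_t)` remains alongside it and is far broader; a comment stating what still requires the all-proc grant would let the next rebase decide whether it can go. The snmpd_t block continues outside the hunk.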
@@ -68630,16 +68694,7 @@ index 9fb4747..6e2c42a 100644 zarafa_domain_template(monitor) zarafa_domain_template(server) -@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t - manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) - files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - -+dev_read_rand(zarafa_deliver_t) -+ - ######################################## - # - # zarafa_gateway local policy -@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) +@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -68660,7 +68715,7 @@ index 9fb4747..6e2c42a 100644 ####################################### # # zarafa-ical local policy -@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) +@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) files_read_usr_files(zarafa_server_t) @@ -68668,22 +68723,16 @@ index 9fb4747..6e2c42a 100644 logging_send_audit_msgs(zarafa_server_t) sysnet_dns_name_resolve(zarafa_server_t) -@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) - corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) - corenet_tcp_connect_smtp_port(zarafa_spooler_t) +@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t) -+dev_read_rand(zarafa_spooler_t) -+ -+######################################## -+# + ######################################## + # +# zarafa_gateway local policy +# + +allow zarafa_gateway_t self:capability { chown kill }; +allow zarafa_gateway_t self:process setrlimit; + -+dev_read_rand(zarafa_gateway_t) -+ +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### 
@@ -68702,10 +68751,19 @@ index 9fb4747..6e2c42a 100644 + +allow zarafa_monitor_t self:capability chown; + - ######################################## - # ++######################################## ++# # zarafa domains local policy -@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain) + # + +@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var + + read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) + ++dev_read_rand(zarafa_domain) ++dev_read_urand(zarafa_domain) ++ + kernel_read_system_state(zarafa_domain) files_read_etc_files(zarafa_domain) 
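Review bot: `dev_read_rand(zarafa_domain)` and `dev_read_urand(zarafa_domain)` replace the per-domain grants dropped from the spooler, deliver and gateway sections, which is consistent; but unless a zarafa binary is known to open the blocking `/dev/random`, `dev_read_urand` alone is the customary grant and avoids a daemon stalling on entropy. On the new side the gateway also appears to have two sections — `corenet_tcp_bind_pop_port(zarafa_gateway_t)` shows up both in the original `zarafa_gateway local policy` block and in the added one carrying `allow zarafa_gateway_t self:capability { chown kill };` — so merging the added lines into the existing block would remove the duplicate header; if that duplication predates this commit, treat it as a follow-up. The zarafa_domain block continues outside the hunk.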
@@ -68782,6 +68840,478 @@ index ade6c2c..2b78f0d 100644 manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) +diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc +new file mode 100644 +index 0000000..b74fadf +--- /dev/null ++++ b/policy/modules/services/zoneminder.fc +@@ -0,0 +1,12 @@ ++ ++/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) ++ ++/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0) ++ ++/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0) ++ ++/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) ++ ++/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) ++ ++/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) +diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if +new file mode 100644 +index 0000000..aadeef3 +--- /dev/null ++++ b/policy/modules/services/zoneminder.if +@@ -0,0 +1,320 @@ ++ ++## policy for zoneminder ++ ++ ++######################################## ++## ++## Transition to zoneminder. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zoneminder_domtrans',` ++ gen_require(` ++ type zoneminder_t, zoneminder_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t) ++') ++ ++ ++######################################## ++## ++## Execute zoneminder server in the zoneminder domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`zoneminder_initrc_domtrans',` ++ gen_require(` ++ type zoneminder_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t) ++') ++ ++ ++######################################## ++## ++## Read zoneminder's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`zoneminder_read_log',` ++ gen_require(` ++ type zoneminder_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t) ++') ++ ++######################################## ++## ++## Append to zoneminder log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_append_log',` ++ gen_require(` ++ type zoneminder_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t) ++') ++ ++######################################## ++## ++## Manage zoneminder log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_manage_log',` ++ gen_require(` ++ type zoneminder_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t) ++ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t) ++ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t) ++') ++ ++######################################## ++## ++## Search zoneminder lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_search_lib',` ++ gen_require(` ++ type zoneminder_var_lib_t; ++ ') ++ ++ allow $1 zoneminder_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read zoneminder lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`zoneminder_read_lib_files',` ++ gen_require(` ++ type zoneminder_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) ++') ++ ++######################################## ++## ++## Manage zoneminder lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_manage_lib_files',` ++ gen_require(` ++ type zoneminder_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) ++') ++ ++######################################## ++## ++## Manage zoneminder lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_manage_lib_dirs',` ++ gen_require(` ++ type zoneminder_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Search zoneminder spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_search_spool',` ++ gen_require(` ++ type zoneminder_spool_t; ++ ') ++ ++ allow $1 zoneminder_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Read zoneminder spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_read_spool_files',` ++ gen_require(` ++ type zoneminder_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t) ++') ++ ++######################################## ++## ++## Manage zoneminder spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`zoneminder_manage_spool_files',` ++ gen_require(` ++ type zoneminder_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t) ++') ++ ++######################################## ++## ++## Manage zoneminder spool dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_manage_spool_dirs',` ++ gen_require(` ++ type zoneminder_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t) ++') ++ ++######################################## ++## ++## Connect to zoneminder over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`zoneminder_stream_connect',` ++ gen_require(` ++ type zoneminder_t, zoneminder_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an zoneminder environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`zoneminder_admin',` ++ gen_require(` ++ type zoneminder_t; ++ type zoneminder_initrc_exec_t; ++ type zoneminder_log_t; ++ type zoneminder_var_lib_t; ++ type zoneminder_spool_t; ++ ') ++ ++ allow $1 zoneminder_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, zoneminder_t) ++ ++ zoneminder_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 zoneminder_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, zoneminder_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, zoneminder_var_lib_t) ++ ++ files_search_spool($1) ++ admin_pattern($1, zoneminder_spool_t) ++ ++') ++ +diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te +new file mode 100644 +index 0000000..bcbe09f +--- /dev/null ++++ b/policy/modules/services/zoneminder.te +@@ -0,0 +1,122 @@ ++policy_module(zoneminder, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Allow ZoneMinder to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(zoneminder_anon_write, false) ++ ++type zoneminder_t; ++type zoneminder_exec_t; ++init_daemon_domain(zoneminder_t, zoneminder_exec_t) ++ ++type zoneminder_initrc_exec_t; ++init_script_file(zoneminder_initrc_exec_t) ++ ++type zoneminder_log_t; ++logging_log_file(zoneminder_log_t) ++ ++type zoneminder_tmpfs_t; ++files_tmpfs_file(zoneminder_tmpfs_t) ++ ++type zoneminder_spool_t; ++files_type(zoneminder_spool_t) ++ ++type zoneminder_var_lib_t; ++files_type(zoneminder_var_lib_t) ++ ++type zoneminder_var_run_t; ++files_pid_file(zoneminder_var_run_t) ++ ++######################################## ++# ++# zoneminder local policy ++# ++allow zoneminder_t self:capability { chown dac_override }; ++allow zoneminder_t self:process { signal_perms setpgid }; ++allow zoneminder_t self:shm create_shm_perms; ++allow zoneminder_t self:fifo_file rw_fifo_file_perms; ++allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) ++manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t) ++logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file }) ++ ++manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file }) ++ ++manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) ++manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) 
++files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file }) ++ ++manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) ++manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) ++manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t) ++files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file }) ++ ++kernel_read_system_state(zoneminder_t) ++ ++corecmd_exec_bin(zoneminder_t) ++corecmd_exec_shell(zoneminder_t) ++ ++dev_read_sysfs(zoneminder_t) ++dev_read_rand(zoneminder_t) ++dev_read_urand(zoneminder_t) ++dev_read_video_dev(zoneminder_t) ++ ++domain_use_interactive_fds(zoneminder_t) ++ ++files_read_etc_files(zoneminder_t) ++files_read_usr_files(zoneminder_t) ++ ++auth_use_nsswitch(zoneminder_t) ++ ++logging_send_syslog_msg(zoneminder_t) ++ ++miscfiles_read_localization(zoneminder_t) ++ ++tunable_policy(`zoneminder_anon_write',` ++ miscfiles_manage_public_files(zoneminder_t) ++') ++ ++optional_policy(` ++ mysql_stream_connect(zoneminder_t) ++') ++ ++######################################## ++# ++# zoneminder cgi local policy ++# ++ ++optional_policy(` ++ apache_content_template(zoneminder) ++ ++ # need more testing ++ #allow httpd_zoneminder_script_t self:shm create_shm_perms; ++ ++ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++ zoneminder_stream_connect(httpd_zoneminder_script_t) ++ ++ files_search_var_lib(httpd_zoneminder_script_t) ++ ++ logging_send_syslog_msg(httpd_zoneminder_script_t) ++ ++ optional_policy(` ++ mysql_stream_connect(httpd_zoneminder_script_t) ++ ') ++ ++') diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc index d719d0b..7a7fc61 100644 --- a/policy/modules/services/zosremote.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index fdee870..1983e28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
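Review bot: `zoneminder_stream_connect` calls `files_search_pids($1)` although the socket it connects to is labelled `zoneminder_var_lib_t` (see the `stream_connect_pattern` on the next line), so callers get search on /var/run but not on /var/lib, and `zoneminder.te` has to compensate with a separate `files_search_var_lib(httpd_zoneminder_script_t)`; the interface should call `files_search_var_lib($1)` instead. In `zoneminder.fc`, `/usr/bin/zmpkg.pl` leaves the dot unescaped while `/etc/rc\.d/init\.d/zoneminder` escapes it, so it should read `/usr/bin/zmpkg\.pl`. `zoneminder_admin` administers the log, lib and spool types but not `zoneminder_var_run_t` or `zoneminder_tmpfs_t`, so an admin role cannot clean up the pid directory; add `files_search_pids($1)` and `admin_pattern($1, zoneminder_var_run_t)`. The header of `zoneminder_initrc_domtrans` says "Execute zoneminder server in the zoneminder domain" although it transitions through the init script, and `allow zoneminder_t self:capability { chown dac_override }` plus the commented-out `#allow httpd_zoneminder_script_t self:shm create_shm_perms;` each want a why-comment or removal, since dac_override bypasses every file permission check and is more often a sign of a mislabelled path than a real need.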
@@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 4 2012 Miroslav Grepl 3.10.0-72 +- New fix for seunshare, requires seunshare_domains to be able to mounton / +- Allow systemctl running as logrotate_t to connect to private systemd socket +- Allow tmpwatch to read meminfo +- Allow rpc.svcgssd to read supported_krb5_enctype +- Allow zarafa domains to read /dev/random and /dev/urandom +- Allow snmpd to read dev_snmp6 +- Allow procmail to talk with cyrus +- Add fixes for check_disk and check_nagios plugins + * Tue Dec 20 2011 Miroslav Grepl 3.10.0-71 - default trans rules for Rawhide policy - Make sure sound_devices controlC* are labeled correctly on creation