From fc059db54d3cc7cf37a350463959f52dfbe9c35a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 05 2014 07:52:08 +0000 Subject: - Add kernel_mounton_messages() interface - init wants to manage lock files for iscsi - Add support for dey_sapi port - Fixes needed for docker - Allow epmd to manage /var/log/rabbitmq/startup_err file - Allow beam.smp connect to amqp port - drbdadm executes drbdmeta - Added osad policy - Allow postfix to deliver to procmail - Allow vmtools to execute /usr/bin/lsb_release - Allow geoclue to read /etc/passwd - Allow docker to write system net ctrls - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix pcp.te - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f75f5e3..7b7b458 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..51daa72 100644 +index b191055..b60c687 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5497,7 +5497,7 @@ index b191055..51daa72 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0) +@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) 
@@ -5521,7 +5521,11 @@ index b191055..51daa72 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, + network_port(dbskkd, tcp,1178,s0) + network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dccm, tcp,5679,s0, udp,5679,s0) ++network_port(dey_sapi, tcp,4330,s0) + network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5552,7 +5556,7 @@ index b191055..51daa72 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5619,7 +5623,7 @@ index b191055..51daa72 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -5659,7 +5663,7 @@ index b191055..51daa72 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5712,7 +5716,7 @@ index b191055..51daa72 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5723,7 +5727,7 @@ index b191055..51daa72 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) -@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5736,7 +5740,7 @@ index b191055..51daa72 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) 
@@ -5763,7 +5767,7 @@ index b191055..51daa72 100644 ######################################## # -@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5772,7 +5776,7 @@ index b191055..51daa72 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -14917,7 +14921,7 @@ index 7be4ddf..d5ef507 100644 +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) +/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..6f745f0 100644 +index e100d88..ee4c057 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` 
@@ -15031,7 +15035,33 @@ index e100d88..6f745f0 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',` + + ######################################## + ## ++## Allow caller to read kernel messages ++## using the /proc/kmsg interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_messages',` ++ gen_require(` ++ type proc_kmsg_t, proc_t; ++ ') ++ ++ allow $1 proc_kmsg_t:dir mounton; ++') ++ ++######################################## ++## + ## Allow caller to get the attributes of kernel message + ## interface (/proc/kmsg). + ## +@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -15056,7 +15086,7 @@ index e100d88..6f745f0 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1750,16 +1820,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1839,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -15074,7 +15104,7 @@ index e100d88..6f745f0 100644 ') ######################################## -@@ -1771,16 +1834,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1853,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -15092,7 +15122,7 @@ index e100d88..6f745f0 100644 ') ######################################## -@@ -1792,16 +1848,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1867,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -15110,7 +15140,7 @@ index e100d88..6f745f0 100644 ') ######################################## -@@ -1813,16 +1862,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1881,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## 
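Review bot: The summary on the new `kernel_mounton_messages` interface is copied from `kernel_read_messages` and promises read access to kernel messages, while the only rule in the body is `allow $1 proc_kmsg_t:dir mounton;`; the doc block should say `## Allow caller to mount on the /proc/kmsg interface.` so the generated interface documentation matches the grant. The `gen_require` also pulls in `proc_t`, which nothing in the body references, so it should be reduced to `type proc_kmsg_t;`. /proc/kmsg is normally exposed as a regular file rather than a directory, so if the denial that motivated this was against a `file` object the `dir` class here will not satisfy it — worth checking the original AVC message before merging.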
@@ -15128,7 +15158,7 @@ index e100d88..6f745f0 100644 ') ######################################## -@@ -2085,7 +2127,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2146,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -15137,7 +15167,7 @@ index e100d88..6f745f0 100644 ') ######################################## -@@ -2282,6 +2324,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2343,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15163,7 +15193,7 @@ index e100d88..6f745f0 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2367,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2386,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15172,7 +15202,7 @@ index e100d88..6f745f0 100644 ## ## # -@@ -2488,6 +2549,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2568,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15197,7 +15227,7 @@ index e100d88..6f745f0 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2604,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2623,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15222,7 +15252,7 @@ index e100d88..6f745f0 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2764,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2783,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -15247,7 +15277,7 @@ index e100d88..6f745f0 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2809,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2828,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## 
@@ -15273,7 +15303,7 @@ index e100d88..6f745f0 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2937,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +2956,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -15307,7 +15337,7 @@ index e100d88..6f745f0 100644 ######################################## ## -@@ -2958,6 +3119,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3138,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -15332,7 +15362,7 @@ index e100d88..6f745f0 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3170,565 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -29278,7 +29308,7 @@ index 79a45f6..9a14d49 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..fdd335a 100644 +index 17eda24..17932ac 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -29526,7 +29556,7 @@ index 17eda24..fdd335a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',` +@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -29571,6 +29601,7 @@ index 17eda24..fdd335a 100644 + +optional_policy(` + iscsi_read_lib_files(init_t) ++ iscsi_manage_lock(init_t) +') + +optional_policy(` @@ -29747,7 +29778,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -216,7 +499,30 @@ optional_policy(` +@@ -216,7 +500,30 @@ optional_policy(` ') optional_policy(` 
@@ -29778,7 +29809,7 @@ index 17eda24..fdd335a 100644 ') ######################################## -@@ -225,9 +531,9 @@ optional_policy(` +@@ -225,9 +532,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29790,7 +29821,7 @@ index 17eda24..fdd335a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29807,7 +29838,7 @@ index 17eda24..fdd335a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29850,7 +29881,7 @@ index 17eda24..fdd335a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29862,7 +29893,7 @@ index 17eda24..fdd335a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -29873,7 +29904,7 @@ index 17eda24..fdd335a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29883,7 +29914,7 @@ index 17eda24..fdd335a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29891,7 +29922,7 @@ index 17eda24..fdd335a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -29899,7 +29930,7 @@ index 17eda24..fdd335a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29917,7 +29948,7 @@ index 17eda24..fdd335a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -29931,7 +29962,7 @@ index 17eda24..fdd335a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29945,7 +29976,7 @@ index 17eda24..fdd335a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +719,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29956,7 +29987,7 @@ index 17eda24..fdd335a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +732,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29964,7 +29995,7 @@ index 17eda24..fdd335a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +751,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29988,7 +30019,7 @@ index 17eda24..fdd335a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +784,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29996,7 +30027,7 @@ index 17eda24..fdd335a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +818,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -30007,7 +30038,7 @@ index 17eda24..fdd335a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +842,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +843,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30016,7 +30047,7 @@ index 17eda24..fdd335a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +857,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +858,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30024,7 +30055,7 @@ index 17eda24..fdd335a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +878,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +879,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30032,7 +30063,7 @@ index 17eda24..fdd335a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +888,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +889,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30077,7 +30108,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -559,14 +933,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +934,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30109,7 +30140,7 @@ index 17eda24..fdd335a 100644 ') ') -@@ -577,6 +968,39 @@ ifdef(`distro_suse',` +@@ -577,6 +969,39 @@ ifdef(`distro_suse',` ') ') @@ -30149,7 +30180,7 @@ index 17eda24..fdd335a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1013,8 @@ optional_policy(` +@@ -589,6 +1014,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -30158,7 +30189,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -610,6 +1036,7 @@ optional_policy(` +@@ -610,6 +1037,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30166,7 +30197,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -626,6 +1053,17 @@ optional_policy(` +@@ -626,6 +1054,17 @@ optional_policy(` ') optional_policy(` @@ -30184,7 +30215,7 @@ index 17eda24..fdd335a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1080,13 @@ optional_policy(` +@@ -642,9 +1081,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30198,7 +30229,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -657,15 +1099,11 @@ optional_policy(` +@@ -657,15 +1100,11 @@ optional_policy(` ') optional_policy(` @@ -30216,7 +30247,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -686,6 +1124,15 @@ optional_policy(` +@@ -686,6 +1125,15 @@ optional_policy(` ') optional_policy(` @@ -30232,7 +30263,7 @@ index 17eda24..fdd335a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1173,7 @@ optional_policy(` +@@ -726,6 +1174,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30240,7 +30271,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -743,7 +1191,13 @@ optional_policy(` +@@ -743,7 +1192,13 @@ optional_policy(` ') optional_policy(` @@ -30255,7 +30286,7 @@ index 17eda24..fdd335a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1220,10 @@ optional_policy(` +@@ -766,6 +1221,10 @@ optional_policy(` ') optional_policy(` @@ -30266,7 +30297,7 @@ index 17eda24..fdd335a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1233,20 @@ optional_policy(` +@@ -775,10 +1234,20 @@ optional_policy(` ') optional_policy(` 
@@ -30287,7 +30318,7 @@ index 17eda24..fdd335a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1255,10 @@ optional_policy(` +@@ -787,6 +1256,10 @@ optional_policy(` ') optional_policy(` @@ -30298,7 +30329,7 @@ index 17eda24..fdd335a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1280,6 @@ optional_policy(` +@@ -808,8 +1281,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30307,7 +30338,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -818,6 +1288,10 @@ optional_policy(` +@@ -818,6 +1289,10 @@ optional_policy(` ') optional_policy(` @@ -30318,7 +30349,7 @@ index 17eda24..fdd335a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1301,12 @@ optional_policy(` +@@ -827,10 +1302,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30331,7 +30362,7 @@ index 17eda24..fdd335a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1333,60 @@ optional_policy(` +@@ -857,21 +1334,60 @@ optional_policy(` ') optional_policy(` @@ -30393,7 +30424,7 @@ index 17eda24..fdd335a 100644 ') optional_policy(` -@@ -887,6 +1402,10 @@ optional_policy(` +@@ -887,6 +1403,10 @@ optional_policy(` ') optional_policy(` @@ -30404,7 +30435,7 @@ index 17eda24..fdd335a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1416,218 @@ optional_policy(` +@@ -897,3 +1417,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -32364,7 +32395,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..6118015 100644 +index 4e94884..b144ffe 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -32516,12 +32547,19 @@ index 4e94884..6118015 100644 +interface(`logging_read_syslog_pid',` + gen_require(` + type syslogd_var_run_t; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Relabel the syslog pid sock_file. @@ -32535,18 +32573,15 @@ index 4e94884..6118015 100644 +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; - ') ++ ') -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. @@ -32561,11 +32596,7 @@ index 4e94884..6118015 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') 
@@ -32808,13 +32839,32 @@ index 4e94884..6118015 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1380,35 @@ interface(`logging_admin',` +@@ -1085,3 +1380,54 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') + +######################################## +## ++## Transition to syslog.conf ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_filetrans_named_conf',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") ++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ++') ++ ++######################################## ++## +## Transition to logging named content +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 47a5a74..bb62aba 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8322,6 +8322,18 @@ index 7811450..d8a8bd6 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) +diff --git a/bacula.if b/bacula.if +index dcd774e..c240ffa 100644 +--- a/bacula.if ++++ b/bacula.if +@@ -69,6 +69,7 @@ interface(`bacula_admin',` + type bacula_t, bacula_etc_t, bacula_log_t; + type bacula_spool_t, bacula_var_lib_t; + type bacula_var_run_t, bacula_initrc_exec_t; ++ attribute_role bacula_admin_roles; + ') + + allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te index f16b000..ed47057 100644 --- a/bacula.te @@ -10390,6 +10402,19 @@ index a3760bc..a570048 100644 +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/calamaris.if b/calamaris.if +index cd9c528..9de38c4 100644 +--- a/calamaris.if ++++ b/calamaris.if +@@ -42,7 +42,7 @@ interface(`calamaris_run',` + attribute_role calamaris_roles; + ') + +- lightsquid_domtrans($1) ++ clamd_domtrans($1) + roleattribute $2 calamaris_roles; + ') + 
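Review bot: The summary `## Transition to syslog.conf` on the new `logging_filetrans_named_conf` interface understates what it grants: two `files_etc_filetrans` rules that label files named `syslog.conf` and `rsyslog.conf` created in /etc by `$1` as syslog_conf_t. Suggest `## Label syslog.conf and rsyslog.conf created in /etc as syslog_conf_t.` and a description sentence noting that, as far as I can see from the pattern, the caller still needs its own create/write permissions on syslog_conf_t — this interface only fixes the label of the newly created file.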
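Review bot: `calamaris_run` still transitions into the wrong domain: the hunk replaces `lightsquid_domtrans($1)` with `clamd_domtrans($1)`, so a role granted calamaris_run is allowed to execute the ClamAV daemon binary and enter clamd_t, while the only role attribute added to `$2` is `calamaris_roles`. Unless calamaris is intentionally an alias for clamd, which nothing in the interface suggests, the call should be `calamaris_domtrans($1)` so that the domain transition and the role attribute refer to the same domain; with the current mismatch the role is likely to hit a role violation on the transition rather than run calamaris.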
diff --git a/calamaris.te b/calamaris.te index 7e57460..b0cf254 100644 --- a/calamaris.te @@ -13418,7 +13443,7 @@ index ad2b696..28d1af0 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) diff --git a/condor.if b/condor.if -index 881d92f..eb35613 100644 +index 881d92f..4998ee9 100644 --- a/condor.if +++ b/condor.if @@ -1,75 +1,390 @@ @@ -13476,13 +13501,13 @@ index 881d92f..eb35613 100644 +## +## +# -+interface(`condor_domtrans',` ++interface(`condor_domtrans_master',` + gen_require(` -+ type condor_t, condor_exec_t; ++ type condor_master_t, condor_master_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, condor_exec_t, condor_t) ++ domtrans_pattern($1, condor_master_exec_t, condor_master_t) +') + +####################################### @@ -13662,15 +13687,10 @@ index 881d92f..eb35613 100644 # -interface(`condor_admin',` +interface(`condor_read_lib_files',` - gen_require(` -- attribute condor_domain; -- type condor_initrc_exec_config_t, condor_log_t; -- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; -- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t; ++ gen_require(` + type condor_var_lib_t; - ') - -- allow $1 condor_domain:process { ptrace signal_perms }; ++ ') ++ + files_search_var_lib($1) + read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) +') @@ -13743,10 +13763,15 @@ index 881d92f..eb35613 100644 +## +# +interface(`condor_read_pid_files',` -+ gen_require(` + gen_require(` +- attribute condor_domain; +- type condor_initrc_exec_config_t, condor_log_t; +- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; +- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t; + type condor_var_run_t; -+ ') -+ + ') + +- allow $1 condor_domain:process { ptrace signal_perms }; + files_search_pids($1) + allow $1 condor_var_run_t:file read_file_perms; +') 
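Review bot: Renaming `condor_domtrans` to `condor_domtrans_master` (and its types to condor_master_t/condor_master_exec_t) removes the old interface name, so any module outside condor.if that still calls `condor_domtrans` will fail to build once this patch is applied, and nothing in this commit shows such callers being updated. If the old name is still referenced anywhere, keep a thin deprecated wrapper next to the new interface rather than dropping it outright; the rest of condor.if in this hunk is only the unchanged doc blocks around the renamed interface.

```m4
interface(`condor_domtrans',`
	refpolicywarn(`$0($*) has been deprecated, use condor_domtrans_master() instead.')
	condor_domtrans_master($1)
')
```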
@@ -13763,7 +13788,7 @@ index 881d92f..eb35613 100644 +# +interface(`condor_systemctl',` + gen_require(` -+ type condor_t; ++ type condor_domain; + type condor_unit_file_t; + ') + @@ -13772,7 +13797,7 @@ index 881d92f..eb35613 100644 + allow $1 condor_unit_file_t:file read_file_perms; + allow $1 condor_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, condor_t) + ps_process_pattern($1, condor_domain) +') + +####################################### @@ -13789,7 +13814,11 @@ index 881d92f..eb35613 100644 + gen_require(` + type condor_startd_t; + ') -+ + +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; + allow $1 condor_startd_t:tcp_socket rw_socket_perms; +') + @@ -13837,12 +13866,8 @@ index 881d92f..eb35613 100644 + ') + + allow $1 condor_domain:process { signal_perms }; - ps_process_pattern($1, condor_domain) - -- init_labeled_script_domtrans($1, condor_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 condor_initrc_exec_t system_r; -- allow $2 system_r; ++ ps_process_pattern($1, condor_domain) ++ + init_labeled_script_domtrans($1, condor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 condor_initrc_exec_t system_r; @@ -19231,7 +19256,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..4d3ed7b 100644 +index 62d22cb..ff0c9da 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19356,7 +19381,7 @@ index 62d22cb..4d3ed7b 100644 ## ## ## -@@ -103,65 +129,29 @@ template(`dbus_role_template',` +@@ -103,91 +129,82 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` 
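Review bot: In `condor_systemctl` the gen_require now reads `type condor_domain;`, but `condor_domain` is an attribute — the removed admin block earlier in this file requires it as `attribute condor_domain;` and the new admin interface uses it as the target of `allow $1 condor_domain:process { signal_perms };` — so as far as I can tell this require will not resolve when the module is linked. Change it to `attribute condor_domain;` to match the other uses; the `ps_process_pattern($1, condor_domain)` line added in the following hunk is otherwise fine.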
@@ -19390,12 +19415,17 @@ index 62d22cb..4d3ed7b 100644 ## -## Acquire service on DBUS -## session bus. --## ++## Creating connections to specified ++## DBUS sessions. + ## -## --## ++## + ## -## Domain allowed access. --## --## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). + ## + ## -# -interface(`dbus_connect_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') 
@@ -19407,207 +19437,337 @@ index 62d22cb..4d3ed7b 100644 -## Acquire service on all DBUS -## session busses. -## --## --## --## Domain allowed access. --## --## --# + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dbus_connect_all_session_bus',` -- gen_require(` ++interface(`dbus_session_client',` + gen_require(` - attribute session_bus_type; - class dbus acquire_svc; -- ') -- ++ class dbus send_msg; ++ type $1_dbusd_t; + ') + - allow $1 session_bus_type:dbus acquire_svc; --') -- --####################################### --## ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; + ') + + ####################################### + ## -## Acquire service on specified -## DBUS session bus. -+## Creating connections to specified -+## DBUS sessions. ++## Template for creating connections to ++## a user DBUS. ## - ## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## + ## ## -@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',` + ## Domain allowed access. ## ## # -interface(`dbus_connect_spec_session_bus',` -+interface(`dbus_session_client',` ++interface(`dbus_session_bus_client',` gen_require(` -+ class dbus send_msg; - type $1_dbusd_t; +- type $1_dbusd_t; - class dbus acquire_svc; ++ attribute session_bus_type; ++ class dbus send_msg; ') - allow $2 $1_dbusd_t:dbus acquire_svc; -+ allow $2 $1_dbusd_t:fd use; -+ allow $2 { $1_dbusd_t self }:dbus send_msg; -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; ++ # SE-DBus specific permissions ++ allow $1 { session_bus_type self }:dbus send_msg; ++ ++ # For connecting to the bus ++ allow $1 session_bus_type:unix_stream_socket connectto; ++ ++ allow session_bus_type $1:process sigkill; ') - ####################################### +-####################################### ++######################################## ## -## Creating connections to DBUS -## session bus. 
-+## Template for creating connections to -+## a user DBUS. ++## Send a message the session DBUS. ## ## ## -@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',` + ## ## # - interface(`dbus_session_bus_client',` +-interface(`dbus_session_bus_client',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') - dbus_all_session_bus_client($1) --') -- ++interface(`dbus_send_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ ++ allow $1 session_bus_type:dbus send_msg; + ') + -####################################### --## ++######################################## + ## -## Creating connections to all -## DBUS session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Read dbus configuration. + ## + ## + ## +@@ -211,57 +231,39 @@ interface(`dbus_session_bus_client',` + ## + ## + # -interface(`dbus_all_session_bus_client',` ++interface(`dbus_read_config',` gen_require(` - attribute session_bus_type, dbusd_session_bus_client; -+ attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ type dbusd_etc_t; ') - typeattribute $1 dbusd_session_bus_client; - -+ # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; +- allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; - - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; --') ++ allow $1 dbusd_etc_t:dir list_dir_perms; ++ allow $1 dbusd_etc_t:file read_file_perms; + ') -####################################### --## ++######################################## + ## -## Creating connections to specified -## DBUS session bus. --## ++## Read system dbus lib files. + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## --## Domain allowed access. 
--## --## --# + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dbus_spec_session_bus_client',` -- gen_require(` ++interface(`dbus_read_lib_files',` + gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; -- ') -- ++ type system_dbusd_var_lib_t; + ') + - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; -+ # For connecting to the bus -+ allow $1 session_bus_type:unix_stream_socket connectto; - +- - allow $2 $1_dbusd_t:unix_stream_socket connectto; - allow $2 $1_dbusd_t:fd use; -+ allow session_bus_type $1:process sigkill; ++ files_search_var_lib($1) ++ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') -####################################### +######################################## ## -## Send messages to DBUS session bus. -+## Send a message the session DBUS. ++## Create, read, write, and delete ++## system dbus lib files. ## ## ## -@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +271,19 @@ interface(`dbus_spec_session_bus_client',` + ## ## # - interface(`dbus_send_session_bus',` +-interface(`dbus_send_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') - dbus_send_all_session_bus($1) --') -- ++interface(`dbus_manage_lib_files',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ') + -####################################### --## ++######################################## + ## -## Send messages to all DBUS -## session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to the system DBUS ++## for service (acquire_svc). 
+ ## + ## + ## +@@ -285,44 +291,52 @@ interface(`dbus_send_session_bus',` + ## + ## + # -interface(`dbus_send_all_session_bus',` ++interface(`dbus_connect_session_bus',` gen_require(` attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ class dbus acquire_svc; ') - allow $1 dbus_session_bus_type:dbus send_msg; --') -- ++ allow $1 session_bus_type:dbus acquire_svc; + ') + -####################################### --## ++######################################## + ## -## Send messages to specified -## DBUS session busses. --## ++## Allow a application domain to be started ++## by the session dbus. + ## -## --## ++## + ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). --## --## --## --## ++## User domain prefix to be used. + ## + ## + ## + ## -## Domain allowed access. --## --## --# ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an ++## entry point to this domain. + ## + ## + # -interface(`dbus_send_spec_session_bus',` -- gen_require(` -- type $1_dbusd_t; ++interface(`dbus_session_domain',` + gen_require(` + type $1_dbusd_t; - class dbus send_msg; -- ') -- + ') + - allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1 session_bus_type:dbus send_msg; ++ domtrans_pattern($1_dbusd_t, $2, $3) ++ ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) ') ######################################## ## -## Read dbus configuration content. -+## Read dbus configuration. ++## Connect to the system DBUS ++## for service (acquire_svc). 
+ ## + ## + ## +@@ -330,18 +344,18 @@ interface(`dbus_send_spec_session_bus',` + ## + ## + # +-interface(`dbus_read_config',` ++interface(`dbus_connect_system_bus',` + gen_require(` +- type dbusd_etc_t; ++ type system_dbusd_t; ++ class dbus acquire_svc; + ') + +- allow $1 dbusd_etc_t:dir list_dir_perms; +- allow $1 dbusd_etc_t:file read_file_perms; ++ allow $1 system_dbusd_t:dbus acquire_svc; + ') + + ######################################## + ## +-## Read system dbus lib files. ++## Send a message on the system DBUS. + ## + ## + ## +@@ -349,20 +363,18 @@ interface(`dbus_read_config',` + ## + ## + # +-interface(`dbus_read_lib_files',` ++interface(`dbus_send_system_bus',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus send_msg; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +- read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus send_msg; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## system dbus lib files. ++## Allow unconfined access to the system DBUS. ## ## ## -@@ -381,69 +282,32 @@ interface(`dbus_manage_lib_files',` +@@ -370,26 +382,20 @@ interface(`dbus_read_lib_files',` + ## + ## + # +-interface(`dbus_manage_lib_files',` ++interface(`dbus_system_bus_unconfined',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus all_dbus_perms; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus *; + ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). ++## Create a domain for processes ++## which can be started by the system dbus ## -## -## 
@@ -19617,28 +19777,45 @@ index 62d22cb..4d3ed7b 100644 -## ## ## --## Type to be used as a domain. --## --## --## --## + ## Type to be used as a domain. +@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',` + ## + ## + ## -## Type of the program to be used as an -## entry point to this domain. --## --## --# ++## Type of the program to be used as an entry point to this domain. + ## + ## + # -interface(`dbus_session_domain',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') - dbus_all_session_domain($1, $2) --') -- --######################################## --## ++interface(`dbus_system_domain',` ++ gen_require(` ++ attribute system_bus_type; ++ type system_dbusd_t; ++ role system_r; ++ ') ++ typeattribute $1 system_bus_type; ++ ++ domain_type($1) ++ domain_entry_file($1, $2) ++ ++ domtrans_pattern(system_dbusd_t, $2, $1) ++ ++ ps_process_pattern($1, system_dbusd_t) ++ + ') + + ######################################## + ## -## Allow a application domain to be -## started by the specified session bus. --## --## --## ++## Use and inherit system DBUS file descriptors. + ## + ## + ## -## Type to be used as a domain. -## -## 
@@ -19651,254 +19828,254 @@ index 62d22cb..4d3ed7b 100644 ## # -interface(`dbus_all_session_domain',` -+interface(`dbus_connect_session_bus',` ++interface(`dbus_use_system_bus_fds',` gen_require(` - type session_bus_type; -+ attribute session_bus_type; -+ class dbus acquire_svc; ++ type system_dbusd_t; ') - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -+ allow $1 session_bus_type:dbus acquire_svc; ++ allow $1 system_dbusd_t:fd use; ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Allow a application domain to be started -+## by the session dbus. ++## Allow unconfined access to the system DBUS. ## -## -+## - ## +-## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -+## User domain prefix to be used. - ## - ## +-## +-## ## -@@ -458,20 +322,21 @@ interface(`dbus_all_session_domain',` + ## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. ++## Domain allowed access. ## ## # -interface(`dbus_spec_session_domain',` -+interface(`dbus_session_domain',` ++interface(`dbus_unconfined',` gen_require(` - type $1_dbusd_t; +- type $1_dbusd_t; ++ attribute dbusd_unconfined; ') - domtrans_pattern($1_dbusd_t, $2, $3) - +- domtrans_pattern($1_dbusd_t, $2, $3) +- - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -+ dbus_session_bus_client($3) -+ dbus_connect_session_bus($3) ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Acquire service on the DBUS system bus. -+## Connect to the system DBUS -+## for service (acquire_svc). 
++## Delete all dbus pid files ## ## ## -@@ -490,7 +355,7 @@ interface(`dbus_connect_system_bus',` +@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',` + ## + ## + # +-interface(`dbus_connect_system_bus',` ++interface(`dbus_delete_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus acquire_svc; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus acquire_svc; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Send messages to the DBUS system bus. -+## Send a message on the system DBUS. ++## Read all dbus pid files ## ## ## -@@ -509,7 +374,7 @@ interface(`dbus_send_system_bus',` +@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',` + ## + ## + # +-interface(`dbus_send_system_bus',` ++interface(`dbus_read_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus send_msg; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus send_msg; ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Unconfined access to DBUS system bus. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -528,8 +393,8 @@ interface(`dbus_system_bus_unconfined',` +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dbus_system_bus_unconfined',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` + gen_require(` +- type system_dbusd_t; +- class dbus all_dbus_perms; ++ attribute session_bus_type; + ') + +- allow $1 system_dbusd_t:dbus *; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; + ') ######################################## ## -## Create a domain for processes which -## can be started by the DBUS system bus. 
-+## Create a domain for processes -+## which can be started by the system dbus ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -544,33 +409,24 @@ interface(`dbus_system_bus_unconfined',` +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an entry point to this domain. ++## Domain to not audit. + ## + ## # - interface(`dbus_system_domain',` +-interface(`dbus_system_domain',` ++interface(`dbus_stream_connect_session_bus',` gen_require(` -+ attribute system_bus_type; - type system_dbusd_t; - role system_r; +- type system_dbusd_t; +- role system_r; ++ attribute session_bus_type; ') -+ typeattribute $1 system_bus_type; - - domain_type($1) - domain_entry_file($1, $2) +- domain_type($1) +- domain_entry_file($1, $2) +- - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - +- domtrans_pattern(system_dbusd_t, $2, $1) +- - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -+ ps_process_pattern($1, system_dbusd_t) - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') ++ allow $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Use and inherit system DBUS file descriptors. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## -@@ -588,26 +444,25 @@ interface(`dbus_use_system_bus_fds',` +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dbus_use_system_bus_fds',` ++interface(`dbus_chat_session_bus',` + gen_require(` +- type system_dbusd_t; ++ attribute session_bus_type; ++ class dbus send_msg; + ') + +- allow $1 system_dbusd_t:fd use; ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; + ') ######################################## ## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',` ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; -+ attribute dbusd_unconfined; ++ attribute session_bus_type; ++ class dbus send_msg; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## ## -## Unconfined access to DBUS. -+## Delete all dbus pid files ++## Do not audit attempts to send dbus ++## messages to system bus types. ## ## ## -@@ -615,10 +470,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`dbus_unconfined',` -+interface(`dbus_delete_pid_files',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - attribute dbusd_unconfined; -+ type system_dbusd_var_run_t; ++ attribute system_bus_type; ++ class dbus send_msg; ') - typeattribute $1 dbusd_unconfined; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Read all dbus pid files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dbus_read_pid_files',` -+ gen_require(` -+ type system_dbusd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to system bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_system_bus',` -+ gen_require(` -+ attribute system_bus_type; -+ class dbus send_msg; -+ ') -+ + dontaudit $1 system_bus_type:dbus send_msg; + dontaudit system_bus_type $1:dbus send_msg; ') @@ -22896,7 +23073,7 @@ index 0000000..1c4ac02 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..3061ae5 +index 0000000..cc6846a --- /dev/null +++ b/docker.if @@ -0,0 +1,323 @@ @@ -23147,7 +23324,7 @@ index 0000000..3061ae5 + type docker_devpts_t; + ') + -+ allow $1 docker_devpts_t:chr_file rw_inherited_term_perms; ++ allow $1 docker_devpts_t:chr_file rw_term_perms; +') + +####################################### @@ -23225,10 +23402,10 @@ index 0000000..3061ae5 +') 
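Review bot: The parameter docs for `dbus_session_domain` contradict its body: the docs describe $2 as the domain and $3 as the entry-point type, but `domtrans_pattern($1_dbusd_t, $2, $3)` and `dbus_session_bus_client($3)` treat $3 as the domain and $2 as the entry point, so one side must be corrected to match what callers actually pass. The two interfaces this commit introduces also carry copy-pasted dontaudit wording: `dbus_stream_connect_session_bus` and `dbus_chat_session_bus` are allow rules, so their `## Domain to not audit.` parameter text should read `## Domain allowed access.`, and the chat summary should say it grants send_msg in both directions (`allow session_bus_type $1:dbus send_msg;`) rather than "Do not audit attempts to send dbus messages". In `dbus_system_domain` the `role system_r;` require is now unused after `role system_r types $1;` was dropped and can go.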
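Review bot: Replacing `rw_inherited_term_perms` with `rw_term_perms` on docker_devpts_t grants every caller of this interface `open` on docker ptys as well, i.e. access by path rather than only through a descriptor inherited from docker_t. If that widening is deliberate, the interface summary (the interface starts outside this hunk) should state that the caller may open docker pty devices so callers choosing between the two permission levels are not misled; otherwise keep the inherited set and add `open` only in the caller where the denial was observed.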
diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..236e417 +index 0000000..18e4ef8 --- /dev/null +++ b/docker.te -@@ -0,0 +1,218 @@ +@@ -0,0 +1,236 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23260,6 +23437,9 @@ index 0000000..236e417 +type docker_tmp_t; +files_tmp_file(docker_tmp_t) + ++type docker_tmpfs_t; ++files_tmpfs_file(docker_tmpfs_t) ++ +type docker_var_run_t; +files_pid_file(docker_var_run_t) + @@ -23298,6 +23478,13 @@ index 0000000..236e417 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) + ++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) +manage_files_pattern(docker_t, docker_share_t, docker_share_t) +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) @@ -23323,6 +23510,7 @@ index 0000000..236e417 +kernel_read_system_state(docker_t) +kernel_read_network_state(docker_t) +kernel_read_all_sysctls(docker_t) ++kernel_rw_net_sysctls(docker_t) + +domain_use_interactive_fds(docker_t) + 
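Review bot: The class set in `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })` does not cover the fifo_file and chr_file classes that the new `manage_fifo_files_pattern` and `manage_chr_files_pattern` rules grant, so fifos and device nodes docker_t creates on tmpfs will keep the default tmpfs label and those two rules only apply after a relabel. If docker_t is meant to create device nodes on tmpfs, extend it to `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file fifo_file chr_file })`; if not, the chr_file manage rule is the broadest line in this block and should be dropped. A one-line comment saying which docker operation needs chr_file creation would also help, since it is not obvious from the hunk.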
@@ -23375,12 +23563,13 @@ index 0000000..236e417 +# lxc rules +# + -+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; ++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }; ++ +allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; + +allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; +allow docker_t self:netlink_audit_socket create_netlink_socket_perms; -+allow docker_t self:unix_dgram_socket create_socket_perms; ++allow docker_t self:unix_dgram_socket { create_socket_perms sendto }; +allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow docker_t docker_var_lib_t:dir mounton; @@ -23390,6 +23579,7 @@ index 0000000..236e417 +kernel_setsched(docker_t) +kernel_get_sysvipc_info(docker_t) +kernel_request_load_module(docker_t) ++kernel_mounton_messages(docker_t) + +dev_getattr_all_blk_files(docker_t) +dev_getattr_sysfs_fs(docker_t) @@ -23427,6 +23617,11 @@ index 0000000..236e417 +modutils_domtrans_insmod(docker_t) + +optional_policy(` ++ dbus_system_bus_client(docker_t) ++ init_dbus_chat(docker_t) ++') ++ ++optional_policy(` + udev_read_db(docker_t) +') + @@ -24293,7 +24488,7 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..8975946 100644 +index f2516cc..2b307a8 100644 --- a/drbd.te +++ b/drbd.te @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; @@ -24305,7 +24500,13 @@ index f2516cc..8975946 100644 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -46,10 +46,6 @@ dev_read_rand(drbd_t) +@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t) + + kernel_read_system_state(drbd_t) + ++corecmd_exec_bin(drbd_t) ++ + dev_read_rand(drbd_t) dev_read_sysfs(drbd_t) dev_read_urand(drbd_t) 
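Review bot: The widened `allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };` is the most privileged rule in docker.te, and the `# lxc rules` heading above it no longer explains what each capability is for. A short comment per group — which container-setup step needs sys_admin, sys_chroot and sys_ptrace, and which operation needs setuid/setgid — would let a later reviewer judge whether any of them can be dropped again; the reasons are not inferable from this hunk, so they should come from the denials that motivated the change. The other addition here (`sendto` on the self unix_dgram_socket) is routine.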
@@ -25590,7 +25791,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index c62c567..0fc685b 100644 +index c62c567..1893f7f 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,7 +2,7 @@ @@ -25693,7 +25894,12 @@ index c62c567..0fc685b 100644 ## ## ## -@@ -83,10 +124,14 @@ interface(`firewalld_admin',` +@@ -79,14 +120,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` + interface(`firewalld_admin',` + gen_require(` + type firewalld_t, firewalld_initrc_exec_t; +- type firewall_etc_rw_t, firewalld_var_run_t; ++ type firewalld_etc_rw_t, firewalld_var_run_t; type firewalld_var_log_t; ') @@ -25715,7 +25921,8 @@ index c62c567..0fc685b 100644 admin_pattern($1, firewalld_var_log_t) - files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) +- admin_pattern($1, firewall_etc_rw_t) ++ admin_pattern($1, firewalld_etc_rw_t) + + admin_pattern($1, firewalld_unit_file_t) + firewalld_systemctl($1) @@ -27118,10 +27325,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..9b199ec +index 0000000..95c3a2b --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,47 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -27154,6 +27361,8 @@ index 0000000..9b199ec +manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) +files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) + ++auth_read_passwd(geoclue_t) ++ +corenet_tcp_connect_http_port(geoclue_t) + +corecmd_exec_bin(geoclue_t) @@ -37058,7 +37267,7 @@ index d5d1572..82267a7 100644 /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if -index 73e2803..2fc7570 100644 +index 73e2803..34ca3aa 100644 --- a/l2tp.if +++ b/l2tp.if @@ -1,9 +1,45 @@ 
@@ -37262,7 +37471,7 @@ index 73e2803..2fc7570 100644 ## ## ## -@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` +@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',` ## ## # @@ -37270,8 +37479,7 @@ index 73e2803..2fc7570 100644 +interface(`l2tpd_admin',` gen_require(` type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; -- type l2tp_conf_t, l2tpd_tmp_t; -+ type l2tp_etc_t, l2tpd_tmp_t; + type l2tp_conf_t, l2tpd_tmp_t; ') - allow $1 l2tpd_t:process { ptrace signal_perms }; @@ -37287,13 +37495,6 @@ index 73e2803..2fc7570 100644 domain_system_change_exemption($1) role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; - - files_search_etc($1) -- admin_pattern($1, l2tp_conf_t) -+ admin_pattern($1, l2tp_etc_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te index bb06a7f..5546de2 100644 --- a/l2tp.te @@ -38321,16 +38522,23 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..e4d6e6f 100644 +index be0ab84..1859690 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0) +@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) # Declarations # -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; -- ++## ++##

++## Allow logrotate to manage nfs files ++##

++##
++gen_tunable(logrotate_use_nfs, false) ++ + type logrotate_t; -type logrotate_exec_t; domain_type(logrotate_t) @@ -38344,7 +38552,7 @@ index be0ab84..e4d6e6f 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -38378,7 +38586,7 @@ index be0ab84..e4d6e6f 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +52,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +60,52 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -38436,7 +38644,7 @@ index be0ab84..e4d6e6f 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -103,24 +123,34 @@ init_all_labeled_script_domtrans(logrotate_t) +@@ -103,24 +131,39 @@ init_all_labeled_script_domtrans(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) @@ -38462,7 +38670,11 @@ index be0ab84..e4d6e6f 100644 +userdom_dontaudit_getattr_user_home_content(logrotate_t) -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -- ++tunable_policy(`logrotate_use_nfs',` ++ fs_read_nfs_files(logrotate_t) ++ fs_read_nfs_symlinks(logrotate_t) ++') + -ifdef(`distro_debian',` +ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file relabel_file_perms; @@ -38478,7 +38690,7 @@ index be0ab84..e4d6e6f 100644 ') optional_policy(` -@@ -135,16 +165,17 @@ optional_policy(` +@@ -135,16 +178,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) 
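Review bot: The new boolean's description `## Allow logrotate to manage nfs files` (hunk `@@ -38321`) promises more than the policy it gates: the `tunable_policy(`logrotate_use_nfs',` block in hunk `@@ -38462` only calls `fs_read_nfs_files(logrotate_t)` and `fs_read_nfs_symlinks(logrotate_t)`. Since this text is what `semanage boolean -l` shows an administrator, either reword it to `## Allow logrotate to read nfs files` or, if rotating logs that live on NFS is the goal, grant the manage interfaces instead — a much wider grant for a cron-driven domain that should be a deliberate choice. The XML doc tags around the description appear to have been stripped by rendering here, so only the wording is in question.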
@@ -38498,7 +38710,7 @@ index be0ab84..e4d6e6f 100644 ') optional_policy(` -@@ -170,6 +201,10 @@ optional_policy(` +@@ -170,6 +214,10 @@ optional_policy(` ') optional_policy(` @@ -38509,7 +38721,7 @@ index be0ab84..e4d6e6f 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +213,7 @@ optional_policy(` +@@ -178,7 +226,7 @@ optional_policy(` ') optional_policy(` @@ -38518,7 +38730,7 @@ index be0ab84..e4d6e6f 100644 ') optional_policy(` -@@ -198,21 +233,26 @@ optional_policy(` +@@ -198,21 +246,26 @@ optional_policy(` ') optional_policy(` @@ -38549,7 +38761,7 @@ index be0ab84..e4d6e6f 100644 ') optional_policy(` -@@ -228,10 +268,21 @@ optional_policy(` +@@ -228,10 +281,21 @@ optional_policy(` ') optional_policy(` @@ -38571,7 +38783,7 @@ index be0ab84..e4d6e6f 100644 su_exec(logrotate_t) ') -@@ -241,13 +292,11 @@ optional_policy(` +@@ -241,13 +305,11 @@ optional_policy(` ####################################### # 
@@ -57379,6 +57591,234 @@ index 0000000..0493b99 +optional_policy(` + modutils_domtrans_insmod(oracleasm_t) +') +diff --git a/osad.fc b/osad.fc +new file mode 100644 +index 0000000..1e1eceb +--- /dev/null ++++ b/osad.fc +@@ -0,0 +1,7 @@ ++/etc/rc\.d/init\.d/osad -- gen_context(system_u:object_r:osad_initrc_exec_t,s0) ++ ++/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0) ++ ++/var/log/osad -- gen_context(system_u:object_r:osad_log_t,s0) ++ ++/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0) +diff --git a/osad.if b/osad.if +new file mode 100644 +index 0000000..05648bd +--- /dev/null ++++ b/osad.if +@@ -0,0 +1,165 @@ ++ ++## Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. ++ ++######################################## ++## ++## Execute osad in the osad domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`osad_domtrans',` ++ gen_require(` ++ type osad_t, osad_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, osad_exec_t, osad_t) ++') ++ ++######################################## ++## ++## Execute osad server in the osad domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`osad_initrc_domtrans',` ++ gen_require(` ++ type osad_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, osad_initrc_exec_t) ++') ++######################################## ++## ++## Read osad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`osad_read_log',` ++ gen_require(` ++ type osad_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, osad_log_t, osad_log_t) ++') ++ ++######################################## ++## ++## Append to osad log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`osad_append_log',` ++ gen_require(` ++ type osad_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, osad_log_t, osad_log_t) ++') ++ ++######################################## ++## ++## Manage osad log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`osad_manage_log',` ++ gen_require(` ++ type osad_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, osad_log_t, osad_log_t) ++ manage_files_pattern($1, osad_log_t, osad_log_t) ++ manage_lnk_files_pattern($1, osad_log_t, osad_log_t) ++') ++######################################## ++## ++## Read osad PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`osad_read_pid_files',` ++ gen_require(` ++ type osad_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, osad_var_run_t, osad_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an osad environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`osad_admin',` ++ gen_require(` ++ type osad_t; ++ type osad_initrc_exec_t; ++ type osad_log_t; ++ type osad_var_run_t; ++ ') ++ ++ allow $1 osad_t:process { signal_perms }; ++ ps_process_pattern($1, osad_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 osad_t:process ptrace; ++ ') ++ ++ osad_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 osad_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, osad_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, osad_var_run_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/osad.te b/osad.te +new file mode 100644 +index 0000000..ac767bc +--- /dev/null ++++ b/osad.te +@@ -0,0 +1,38 @@ ++policy_module(osad, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type osad_t; ++type osad_exec_t; ++init_daemon_domain(osad_t, osad_exec_t) ++ ++type osad_initrc_exec_t; ++init_script_file(osad_initrc_exec_t) ++ ++type osad_log_t; ++logging_log_file(osad_log_t) ++ ++type osad_var_run_t; ++files_pid_file(osad_var_run_t) ++ ++######################################## ++# ++# osad local policy ++# ++allow osad_t self:process setpgid; ++ ++manage_files_pattern(osad_t, osad_log_t, osad_log_t) ++logging_log_filetrans(osad_t, osad_log_t, { file }) ++ ++manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t) ++files_pid_filetrans(osad_t, osad_var_run_t, { file}) ++ ++kernel_read_system_state(osad_t) ++ ++auth_read_passwd(osad_t) ++ ++dev_read_urand(osad_t) ++ diff --git a/pacemaker.fc b/pacemaker.fc index 2f0ad56..d4da0b8 100644 --- a/pacemaker.fc @@ -58076,17 +58516,19 @@ index 8176e4a..2df1789 100644 diff --git a/pcp.fc b/pcp.fc new file mode 100644 -index 0000000..59d23a4 +index 0000000..ceecf91 --- /dev/null 
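Review bot: osad.te gives osad_t no network rules and no way to execute rhn_check, although the osad.if header describes the service as answering pings and running rhn_check on request; unless osad_t is declared permissive somewhere not shown, a daemon that actually contacts the server will fail with AVC denials as soon as it starts, so either those rules or a comment explaining why they are deliberately absent belongs here. The osad.if documentation also carries copy-paste slips: `osad_domtrans` says "domin" for "domain", and `osad_initrc_domtrans` is summarised as "Execute osad server in the osad domain." although it transitions through the init script, e.g. `## Execute osad init scripts in the initrc domain.`. Minor style: a blank line is missing before the `########` banner that follows `osad_initrc_domtrans` and `osad_manage_log`, and `files_pid_filetrans(osad_t, osad_var_run_t, { file})` wants a space before `}`.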
+++ b/pcp.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/pmwie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) + ++/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++ +/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) +/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) +/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) @@ -58099,7 +58541,7 @@ index 0000000..59d23a4 +/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) + +/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0) -+ ++/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 index 0000000..9ca6d26 @@ -58188,10 +58630,10 @@ index 0000000..9ca6d26 +') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..51d765d +index 0000000..6493b00 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,135 @@ +@@ -0,0 +1,150 @@ +policy_module(pcp, 1.0.0) + +######################################## 
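Review bot: `/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)` uses the `--` flag, which restricts the entry to regular files, so if this path is a unix socket, as its name and the `{ file sock_file }` filetrans added to pcp.te suggest, restorecon/setfiles will never apply this label to it and it falls back to the generic /var/run label. The flag for sockets is `-s`: `/var/run/pmcd\.socket -s gen_context(system_u:object_r:pcp_var_run_t,s0)`. The filetrans covers the creating process, but any relabel after the fact still depends on this line, so the mismatch would only show up as denials after a relabel.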
@@ -58229,6 +58671,9 @@ index 0000000..51d765d +# + +allow pcp_domain self:capability { setuid setgid dac_override }; ++allow pcp_domain self:process signal_perms; ++allow pcp_domain self:tcp_socket create_stream_socket_perms; ++allow pcp_domain self:udp_socket create_socket_perms; + +manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) +manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) @@ -58242,7 +58687,7 @@ index 0000000..51d765d +manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file }) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file }) + +manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) +manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) @@ -58254,6 +58699,8 @@ index 0000000..51d765d + +dev_read_urand(pcp_domain) + ++fs_getattr_all_fs(pcp_domain) ++ +auth_read_passwd(pcp_domain) + +miscfiles_read_generic_certs(pcp_domain) @@ -58265,16 +58712,15 @@ index 0000000..51d765d +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:process { setsched signal }; ++allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; -+allow pcp_pmcd_t self:tcp_socket create_socket_perms; -+allow pcp_pmcd_t self:tcp_socket listen; -+allow pcp_pmcd_t self:udp_socket create_socket_perms; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;; + -+kernel_read_system_state(pcp_pmcd_t) +kernel_read_network_state(pcp_pmcd_t) ++kernel_read_system_state(pcp_pmcd_t) +kernel_read_state(pcp_pmcd_t) ++kernel_read_fs_sysctls(pcp_pmcd_t) ++kernel_read_rpc_sysctls(pcp_pmcd_t) + +corecmd_exec_bin(pcp_pmcd_t) + 
@@ -58282,6 +58728,17 @@ index 0000000..51d765d + +domain_read_all_domains_state(pcp_pmcd_t) + ++dev_getattr_all_blk_files(pcp_pmcd_t) ++dev_getattr_all_chr_files(pcp_pmcd_t) ++dev_read_sysfs(pcp_pmcd_t) ++dev_read_urand(pcp_pmcd_t) ++ ++fs_getattr_all_fs(pcp_pmcd_t) ++fs_getattr_all_dirs(pcp_pmcd_t) ++fs_list_cgroup_dirs(pcp_pmcd_t) ++ ++storage_getattr_fixed_disk_dev(pcp_pmcd_t) ++ +auth_use_nsswitch(pcp_pmcd_t) + +optional_policy(` @@ -58298,10 +58755,7 @@ index 0000000..51d765d +# + +allow pcp_pmproxy_t self:process setsched; -+allow pcp_pmproxy_t self:tcp_socket listen; +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; -+allow pcp_pmproxy_t self:tcp_socket create_socket_perms; -+allow pcp_pmproxy_t self:udp_socket create_socket_perms; + +auth_use_nsswitch(pcp_pmproxy_t) + @@ -58310,9 +58764,6 @@ index 0000000..51d765d +# pcp_pmwebd local policy +# + -+allow pcp_pmwebd_t self:tcp_socket listen; -+allow pcp_pmwebd_t self:tcp_socket create_socket_perms; -+ +corenet_tcp_bind_generic_node(pcp_pmwebd_t) + +######################################## @@ -58320,10 +58771,16 @@ index 0000000..51d765d +# pcp_pmmgr local policy +# + -+allow pcp_pmmgr_t self:process { setpgid signal signull }; ++allow pcp_pmmgr_t self:process { setpgid }; ++ ++allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto; + +kernel_read_system_state(pcp_pmmgr_t) + ++corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t) ++ ++corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t) ++ +corecmd_exec_bin(pcp_pmmgr_t) + +auth_use_nsswitch(pcp_pmmgr_t) @@ -58393,10 +58850,10 @@ index 1fb1964..c5ec0c4 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..fabf59e 100644 +index dfd46e4..d40433a 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,30 @@ +@@ -1,15 +1,32 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
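Review bot: `fs_getattr_all_fs(pcp_pmcd_t)` and `dev_read_urand(pcp_pmcd_t)` duplicate grants the shared section already gives the attribute (`dev_read_urand(pcp_domain)` was there before, `fs_getattr_all_fs(pcp_domain)` is added by this same commit), so if pcp_pmcd_t carries the pcp_domain attribute, as the shared-section rules imply, both lines are redundant and can be dropped. The remaining additions (`dev_getattr_all_*`, `dev_read_sysfs`, `fs_getattr_all_dirs`, `fs_list_cgroup_dirs`, `storage_getattr_fixed_disk_dev`) are getattr/list-only and look proportionate for a metrics collector. The untouched `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;` in the preceding pmcd hunk still has its stray second `;`, worth cleaning up while in this file.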
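Review bot: `corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)` grants a UDP bind on dey_sapi_port_t, but this commit's corenetwork change appears to register dey_sapi for TCP only, so no UDP port would carry that label and the rule could never match; either the portcon needs a matching udp entry or this should be the TCP bind interface, depending on what pmmgr actually binds. `corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)` is a broad grant for a daemon that, per the new `allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;`, already reaches pmcd over a unix socket; if an ephemeral-port peer is really required, a comment naming it would let the rule be narrowed later, e.g. `# pmmgr connects to <remote service> on ephemeral ports`.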
@@ -58405,23 +58862,25 @@ index dfd46e4..fabf59e 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+ -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/run/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0) ++ ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) + +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) @@ -58536,7 +58995,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..7ba84e6 100644 +index 608f454..192f5c5 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -58555,7 +59014,7 @@ index 608f454..7ba84e6 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,297 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,304 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -58578,6 +59037,9 @@ index 608f454..7ba84e6 100644 +type pegasus_openlmi_storage_lib_t; +files_type(pegasus_openlmi_storage_lib_t) + ++type pegasus_openlmi_storage_var_run_t; ++files_pid_file(pegasus_openlmi_storage_var_run_t) ++ +pegasus_openlmi_domain_template(system) +typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; +pegasus_openlmi_domain_template(unconfined) 
@@ -58771,6 +59233,10 @@ index 608f454..7ba84e6 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) + ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") ++ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_request_load_module(pegasus_openlmi_storage_t) @@ -58858,7 +59324,7 @@ index 608f454..7ba84e6 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -58889,7 +59355,7 @@ index 608f454..7ba84e6 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -58922,7 +59388,7 @@ index 608f454..7ba84e6 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -58934,7 +59400,7 @@ index 608f454..7ba84e6 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58952,14 +59418,14 @@ index 608f454..7ba84e6 100644 - dbus_connect_system_bus(pegasus_t) + dmidecode_domtrans(pegasus_t) +') -+ -+optional_policy(` -+ dbus_system_bus_client(pegasus_t) -+ dbus_connect_system_bus(pegasus_t) - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++optional_policy(` ++ dbus_system_bus_client(pegasus_t) ++ dbus_connect_system_bus(pegasus_t) ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') @@ -58970,7 +59436,7 @@ index 608f454..7ba84e6 100644 ') optional_policy(` -@@ -151,16 +434,24 @@ optional_policy(` +@@ -151,16 +441,24 @@ optional_policy(` ') optional_policy(` @@ -58999,7 +59465,7 @@ index 608f454..7ba84e6 100644 ') optional_policy(` -@@ -168,7 +459,7 @@ optional_policy(` +@@ -168,7 +466,7 @@ optional_policy(` ') optional_policy(` @@ -66053,7 +66519,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index cc426e6..3bbf1d7 100644 +index cc426e6..cb47806 100644 --- a/procmail.te +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; @@ -66082,7 +66548,7 @@ index cc426e6..3bbf1d7 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,83 +44,96 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,83 +44,97 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) 
@@ -66114,6 +66580,7 @@ index cc426e6..3bbf1d7 100644 -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) ++dev_read_rand(procmail_t) dev_read_urand(procmail_t) -fs_getattr_all_fs(procmail_t) @@ -66136,10 +66603,10 @@ index cc426e6..3bbf1d7 100644 -miscfiles_read_localization(procmail_t) +init_read_utmp(procmail_t) -+ + +logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) - ++ +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) userdom_search_user_home_dirs(procmail_t) @@ -66161,17 +66628,17 @@ index cc426e6..3bbf1d7 100644 +userdom_manage_user_tmp_dirs(procmail_t) +userdom_manage_user_tmp_files(procmail_t) +userdom_manage_user_tmp_symlinks(procmail_t) -+ -+# Execute user executables -+userdom_exec_user_bin_files(procmail_t) -+ -+mta_manage_spool(procmail_t) -+mta_read_queue(procmail_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) ++# Execute user executables ++userdom_exec_user_bin_files(procmail_t) ++ ++mta_manage_spool(procmail_t) ++mta_read_queue(procmail_t) ++ +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) ') @@ -66215,7 +66682,7 @@ index cc426e6..3bbf1d7 100644 postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) postfix_read_spool_files(procmail_t) -@@ -126,11 +143,17 @@ optional_policy(` +@@ -126,11 +144,17 @@ optional_policy(` ') optional_policy(` @@ -66233,6 +66700,15 @@ index cc426e6..3bbf1d7 100644 sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) +@@ -145,3 +169,8 @@ optional_policy(` + spamassassin_domtrans_client(procmail_t) + spamassassin_read_lib_files(procmail_t) + ') ++ ++optional_policy(` ++ zarafa_stream_connect_server(procmail_t) ++ zarafa_domtrans_deliver(procmail_t) ++') 
diff --git a/prosody.fc b/prosody.fc new file mode 100644 index 0000000..96a0d9f @@ -71438,7 +71914,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..d760e9e 100644 +index dc3b0ed..0d48e31 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -71481,7 +71957,7 @@ index dc3b0ed..d760e9e 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -55,11 +64,14 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) +@@ -55,51 +64,67 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) @@ -71496,7 +71972,10 @@ index dc3b0ed..d760e9e 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -69,37 +81,49 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) ++corenet_tcp_connect_amqp_port(rabbitmq_beam_t) + corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) + + corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) 
@@ -71559,7 +72038,16 @@ index dc3b0ed..d760e9e 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -107,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; + + allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; + ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++ + corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) + corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) + corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) +@@ -117,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -76173,21 +76661,23 @@ index 3f32e4b..f97ea42 100644 diff --git a/rhnsd.fc b/rhnsd.fc new file mode 100644 -index 0000000..1936028 +index 0000000..88fe240 --- /dev/null +++ b/rhnsd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/rhnsd.* -- gen_context(system_u:object_r:rhnsd_unit_file_t,s0) ++ +/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0) + +/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0) diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..88087b7 +index 0000000..335573a --- /dev/null +++ b/rhnsd.if -@@ -0,0 +1,74 @@ +@@ -0,0 +1,98 @@ +## policy for rhnsd + +######################################## 
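Review bot: The new `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` sits in the rabbitmq_epmd_t section, directly under `allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;`, and the changelog entry in this commit describes it as letting epmd manage the startup_err file, yet the rule's subject is rabbitmq_beam_t. One of the two is off: if beam is the writer, the rule belongs in the rabbitmq_beam_t section and the changelog wording is wrong; if epmd is, the subject should be rabbitmq_epmd_t, and full manage perms on the whole log type is noticeably more than the append the line above grants. A one-line comment naming the file, e.g. `# beam.smp writes /var/log/rabbitmq/startup_err`, would settle which domain is meant.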
@@ -76229,6 +76719,30 @@ index 0000000..88087b7 + +######################################## +## ++## Execute rhnsd server in the rhnsd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhnsd_systemctl',` ++ gen_require(` ++ type rhnsd_t; ++ type rhnsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rhnsd_unit_file_t:file read_file_perms; ++ allow $1 rhnsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rhnsd_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an rhnsd environment +## @@ -76264,10 +76778,10 @@ index 0000000..88087b7 +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..0e965c3 +index 0000000..be2e57e --- /dev/null +++ b/rhnsd.te -@@ -0,0 +1,40 @@ +@@ -0,0 +1,43 @@ +policy_module(rhnsd, 1.0.0) + +######################################## @@ -76285,6 +76799,9 @@ index 0000000..0e965c3 +type rhnsd_initrc_exec_t; +init_script_file(rhnsd_initrc_exec_t) + ++type rhnsd_unit_file_t; ++systemd_unit_file(rhnsd_unit_file_t) ++ +######################################## +# +# rhnsd local policy @@ -85739,7 +86256,7 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..b3df839 100644 +index ce67935..88fea69 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) 
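Review bot: The doc block on the new `rhnsd_systemctl` is copied from the domtrans interface ("Execute rhnsd server in the rhnsd domain." / "Domain allowed to transition."), but the interface performs no transition; it lets `$1` run systemctl, read the unit file, manage the rhnsd service and inspect rhnsd_t processes. Suggested summary `## Execute systemctl on the rhnsd unit file and manage the rhnsd service.` with the parameter text `## Domain allowed access.`. The `rhnsd_admin` interface that follows would normally call `rhnsd_systemctl($1)` and require rhnsd_unit_file_t; its body is not in this hunk, so worth checking that it was updated too.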
@@ -85806,7 +86323,14 @@ index ce67935..b3df839 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t) +@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) + kernel_dontaudit_list_all_proc(setroubleshootd_t) + kernel_read_irq_sysctls(setroubleshootd_t) ++kernel_read_rpc_sysctls(setroubleshootd_t) + kernel_read_unlabeled_state(setroubleshootd_t) + + corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) @@ -85824,7 +86348,7 @@ index ce67935..b3df839 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -85836,7 +86360,7 @@ index ce67935..b3df839 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -109,27 +116,24 @@ init_read_utmp(setroubleshootd_t) +@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -85869,7 +86393,7 @@ index ce67935..b3df839 100644 ') optional_policy(` -@@ -137,10 +141,18 @@ optional_policy(` +@@ -137,10 +142,18 @@ optional_policy(` ') optional_policy(` @@ -85888,7 +86412,7 @@ index ce67935..b3df839 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -150,26 +162,36 @@ optional_policy(` +@@ -150,26 +163,36 @@ optional_policy(` ######################################## # 
@@ -85927,7 +86451,7 @@ index ce67935..b3df839 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -177,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -93541,10 +94065,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..81e8be9 +index 0000000..bb3e477 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,155 @@ +@@ -0,0 +1,156 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -93665,8 +94189,9 @@ index 0000000..81e8be9 + +optional_policy(` + dbus_exec_dbusd(thumb_t) -+ dbus_dontaudit_stream_connect_session_bus(thumb_t) -+ dbus_dontaudit_chat_session_bus(thumb_t) ++ dbus_connect_session_bus(thumb_t) ++ dbus_stream_connect_session_bus(thumb_t) ++ dbus_chat_session_bus(thumb_t) +') + +optional_policy(` @@ -94608,7 +95133,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..fc018c1 100644 +index 393a330..b500795 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -94673,7 +95198,7 @@ index 393a330..fc018c1 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -94697,6 +95222,7 @@ index 393a330..fc018c1 100644 logging_send_syslog_msg(tuned_t) +#bug in tuned +logging_manage_syslog_config(tuned_t) ++logging_filetrans_named_conf(tuned_t) + +mount_read_pid_files(tuned_t) 
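Review bot: Replacing the two `dbus_dontaudit_*_session_bus(thumb_t)` rules with `dbus_connect_session_bus`, `dbus_stream_connect_session_bus` and `dbus_chat_session_bus` lets thumb_t talk to every service on the user's session bus, and thumb_t is the domain that parses untrusted image and document content, so a thumbnailer bug now also reaches every session-bus service rather than being contained to the filesystem rules. If the thumbnailers need a single peer, a per-service `<service>_dbus_chat(thumb_t)` would keep the blast radius smaller; if the broad chat is genuinely required, a comment stating which thumbnailer needs it would let the grant be revisited, e.g. `# <thumbnailer> requires the session bus; see <bug id>`.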
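Review bot: `logging_filetrans_named_conf(tuned_t)` extends the `#bug in tuned` workaround so that syslog configuration files tuned_t creates under /etc land as syslog_conf_t, on top of the manage access the line above already grants; a workaround that hands a tuning daemon write access to the logging configuration should carry a tracker reference so it is removed once tuned is fixed, e.g. `# workaround for tuned bug <TRACKER-ID>: tuned rewrites syslog config; drop when fixed`. The enclosing tuned_t block continues past this hunk.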
@@ -96383,7 +96909,7 @@ index a4f20bc..6351bcb 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..15562ad 100644 +index facdee8..fddb027 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -97398,7 +97924,7 @@ index facdee8..15562ad 100644 ##
## ## -@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',` ## ## # @@ -97542,6 +98068,8 @@ index facdee8..15562ad 100644 + + manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) + manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + @@ -97684,7 +98212,7 @@ index facdee8..15562ad 100644 ##
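Review bot: The two added lines give every caller of this interface manage rights on FIFOs and character device nodes labeled svirt_sandbox_file_t, and nothing on the new side records why; `manage_chr_files_pattern` covers create, write and unlink of device nodes inside container trees (effective only together with a separate mknod grant), so a one-line comment tied to the docker requirement would stop the pattern being copied into other callers, e.g. `# docker creates device nodes and fifos inside container root filesystems`. The interface's header, summary and `gen_require` lie outside the hunk, so its summary should also be updated to say that device nodes are included.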
## ## -@@ -935,19 +922,17 @@ interface(`virt_read_log',` +@@ -935,19 +924,17 @@ interface(`virt_read_log',` ## ## # @@ -97708,7 +98236,7 @@ index facdee8..15562ad 100644 ##
## ## -@@ -955,20 +940,17 @@ interface(`virt_append_log',` +@@ -955,20 +942,17 @@ interface(`virt_append_log',` ## ## # @@ -97733,7 +98261,7 @@ index facdee8..15562ad 100644 ##
## ## -@@ -976,18 +958,17 @@ interface(`virt_manage_log',` +@@ -976,18 +960,17 @@ interface(`virt_manage_log',` ## ## # @@ -97756,7 +98284,7 @@ index facdee8..15562ad 100644 ## ## ## -@@ -995,36 +976,57 @@ interface(`virt_search_images',` +@@ -995,36 +978,57 @@ interface(`virt_search_images',` ## ## # @@ -97833,7 +98361,7 @@ index facdee8..15562ad 100644 ## ## ## -@@ -1032,20 +1034,28 @@ interface(`virt_read_images',` +@@ -1032,20 +1036,28 @@ interface(`virt_read_images',` ## ## # @@ -97869,7 +98397,7 @@ index facdee8..15562ad 100644 ## ## ## -@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -98015,7 +98543,7 @@ index facdee8..15562ad 100644 ## ## ## -@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -98089,7 +98617,7 @@ index facdee8..15562ad 100644 ## ## ## -@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -100358,10 +100886,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..1398ead +index 0000000..5549375 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,46 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -100383,6 +100911,7 @@ index 0000000..1398ead +# +# vmtools local policy +# ++ +allow vmtools_t self:capability { sys_time sys_rawio }; +allow vmtools_t self:fifo_file rw_fifo_file_perms; +allow vmtools_t self:unix_stream_socket create_stream_socket_perms; @@ -100396,6 +100925,7 @@ index 0000000..1398ead +kernel_read_system_state(vmtools_t) +kernel_read_network_state(vmtools_t) + ++corecmd_exec_bin(vmtools_t) +corecmd_exec_shell(vmtools_t) + +dev_read_urand(vmtools_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index be21a00..07ae53c 100644 --- a/selinux-policy.spec 
+++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -578,6 +578,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 5 2014 Miroslav Grepl 3.13.1-21 +- Add kernel_mounton_messages() interface +- init wants to manage lock files for iscsi +- Add support for dey_sapi port +- Fixes needed for docker +- Allow epmd to manage /var/log/rabbitmq/startup_err file +- Allow beam.smp connect to amqp port +- drbdadm executes drbdmeta +- Added osad policy +- Allow postfix to deliver to procmail +- Allow vmtools to execute /usr/bin/lsb_release +- Allow geoclue to read /etc/passwd +- Allow docker to write system net ctrls +- Add support for rhnsd unit file +- Add dbus_chat_session_bus() interface +- Add dbus_stream_connect_session_bus() interface +- Fix pcp.te +- Fix logrotate_use_nfs boolean +- Add lot of pcp fixes found in RHEL7 +- fix labeling for pmie for pcp pkg +- Change thumb_t to be allowed to chat/connect with session bus type +- Add logrotate_use_nfs boolean +- Allow setroubleshootd to read rpc sysctl + * Thu Jan 30 2014 Miroslav Grepl 3.13.1-20 - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring - Allow geoclue to create temporary files/dirs in /tmp