diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc index 59e51aa..fafcfb0 100644 --- a/policy/modules/services/lpd.fc +++ b/policy/modules/services/lpd.fc @@ -27,5 +27,6 @@ # # /var # +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index b7eb9ad..9517dd6 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if @@ -303,6 +303,25 @@ interface(`lpd_list_spool',` ######################################## ## +## Read the printer spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`lpd_read_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,print_spool_t,print_spool_t) +') + +######################################## +## ## Create, read, write, and delete printer spool files. ## ## diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 1562aa8..943b896 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.7.1) +policy_module(lpd,1.7.2) ######################################## # diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index 9a2883c..1eca6bd 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -159,6 +159,25 @@ interface(`ppp_exec',` ######################################## ## +## Read ppp configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`ppp_read_config',` + gen_require(` + type pppd_etc_t; + ') + + read_files_pattern($1, pppd_etc_t, pppd_etc_t) + files_search_etc($1) +') + +######################################## +## ## Read PPP-writable configuration files. ## ## diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index f45e044..559e81d 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -1,5 +1,5 @@ -policy_module(ppp,1.5.1) +policy_module(ppp,1.5.2) ######################################## # diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 12ae74c..7a95ff1 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -1,5 +1,5 @@ -policy_module(procmail,1.7.0) +policy_module(procmail,1.7.1) ######################################## # @@ -52,6 +52,7 @@ dev_read_urand(procmail_t) fs_getattr_xattr_fs(procmail_t) fs_search_auto_mountpoints(procmail_t) +fs_rw_anon_inodefs_files(procmail_t) auth_use_nsswitch(procmail_t) @@ -67,6 +68,8 @@ files_read_usr_files(procmail_t) libs_use_ld_so(procmail_t) libs_use_shared_libs(procmail_t) +logging_send_syslog_msg(procmail_t) + miscfiles_read_localization(procmail_t) # only works until we define a different type for maildir @@ -99,11 +102,7 @@ optional_policy(` ') optional_policy(` - logging_send_syslog_msg(procmail_t) -') - -optional_policy(` - nis_use_ypbind(procmail_t) + munin_dontaudit_search_lib(procmail_t) ') optional_policy(` diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc index 50b60a6..6f48bb0 100644 --- a/policy/modules/services/radius.fc +++ b/policy/modules/services/radius.fc @@ -8,6 +8,8 @@ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) +/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) + /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) /var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) /var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index 6668fca..7e37903 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -1,5 +1,5 @@ -policy_module(radius,1.5.2) +policy_module(radius,1.5.3) ######################################## # @@ -19,6 +19,9 @@ files_type(radiusd_etc_rw_t) type radiusd_log_t; logging_log_file(radiusd_log_t) +type radiusd_var_lib_t; +files_type(radiusd_var_lib_t) + type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -52,6 +55,8 @@ manage_dirs_pattern(radiusd_t,radiusd_log_t,radiusd_log_t) manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t) logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir }) +manage_files_pattern(radiusd_t,radiusd_var_lib_t,radiusd_var_lib_t) + manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t) files_pid_filetrans(radiusd_t,radiusd_var_run_t,file) @@ -73,6 +78,7 @@ corenet_sendrecv_radius_server_packets(radiusd_t) corenet_sendrecv_radacct_server_packets(radiusd_t) # for RADIUS proxy port corenet_udp_bind_generic_port(radiusd_t) +corenet_dontaudit_udp_bind_all_ports(radiusd_t) corenet_sendrecv_generic_server_packets(radiusd_t) dev_read_sysfs(radiusd_t) diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index c9ed994..3739d8b 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -1,5 +1,5 @@ -policy_module(rhgb,1.5.1) +policy_module(rhgb,1.5.2) ######################################## # @@ -59,6 +59,7 @@ corenet_tcp_connect_all_ports(rhgb_t) corenet_sendrecv_all_client_packets(rhgb_t) dev_read_sysfs(rhgb_t) +dev_read_urand(rhgb_t) domain_use_interactive_fds(rhgb_t) @@ -68,6 +69,7 @@ files_read_etc_runtime_files(rhgb_t) files_search_tmp(rhgb_t) files_read_usr_files(rhgb_t) files_mounton_mnt(rhgb_t) +files_dontaudit_rw_root_dir(rhgb_t) files_dontaudit_read_default_files(rhgb_t) files_dontaudit_search_pids(rhgb_t) # for nscd @@ -100,6 +102,7 @@ logging_send_syslog_msg(rhgb_t) miscfiles_read_localization(rhgb_t) miscfiles_read_fonts(rhgb_t) +miscfiles_dontaudit_write_fonts(rhgb_t) seutil_search_default_contexts(rhgb_t) seutil_read_config(rhgb_t) @@ -118,6 +121,7 @@ xserver_read_xkb_libs(rhgb_t) xserver_domtrans_xdm_xserver(rhgb_t) xserver_signal_xdm_xserver(rhgb_t) xserver_read_xdm_tmp_files(rhgb_t) +xserver_stream_connect_xdm_xserver(rhgb_t) optional_policy(` consoletype_exec(rhgb_t) diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index da4fde8..baff761 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -1,5 +1,5 @@ -policy_module(ricci,1.2.2) +policy_module(ricci,1.2.3) ######################################## # @@ -260,7 +260,7 @@ optional_policy(` # ricci_modclusterd local policy # -allow ricci_modclusterd_t self:capability sys_nice; +allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; allow ricci_modclusterd_t self:process { signal sigkill setsched }; allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; @@ -468,9 +468,6 @@ libs_use_shared_libs(ricci_modstorage_t) logging_send_syslog_msg(ricci_modstorage_t) -lvm_domtrans(ricci_modstorage_t) -lvm_manage_config(ricci_modstorage_t) - miscfiles_read_localization(ricci_modstorage_t) modutils_read_module_deps(ricci_modstorage_t) @@ -482,6 +479,7 @@ optional_policy(` optional_policy(` lvm_domtrans(ricci_modstorage_t) + lvm_manage_config(ricci_modstorage_t) ') optional_policy(` diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index 25c0238..68e05a1 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -1,5 +1,5 @@ -policy_module(rsync,1.5.1) +policy_module(rsync,1.5.2) ######################################## # @@ -8,6 +8,13 @@ policy_module(rsync,1.5.1) ## ##

+## Allow rsync export files read only +##

+##
+gen_tunable(rsync_export_all_ro,false) + +## +##

## Allow rsync to modify public files ## used for public file transfer services. ##

@@ -58,6 +65,8 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) files_pid_filetrans(rsync_t,rsync_var_run_t,file) +auth_use_nsswitch(rsync_t) + kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -90,8 +99,6 @@ logging_dontaudit_search_logs(rsync_t) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) -sysnet_read_config(rsync_t) - tunable_policy(`allow_rsync_anon_write',` miscfiles_manage_public_files(rsync_t) ') @@ -108,10 +115,8 @@ optional_policy(` inetd_service_domain(rsync_t,rsync_exec_t) ') -optional_policy(` - nis_use_ypbind(rsync_t) -') - -optional_policy(` - nscd_socket_use(rsync_t) +tunable_policy(`rsync_export_all_ro',` + allow rsync_t self:capability dac_override; + fs_read_noxattr_fs_files(rsync_t) + auth_read_all_files_except_shadow(rsync_t) ') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 4edddfb..0a781f8 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te @@ -1,11 +1,19 @@ -policy_module(tftp,1.5.2) +policy_module(tftp,1.5.3) ######################################## # # Declarations # +## +##

+## Allow tftp to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(tftp_anon_write,false) + type tftpd_t; type tftpd_exec_t; init_daemon_domain(tftpd_t,tftpd_exec_t) @@ -16,6 +24,9 @@ files_pid_file(tftpd_var_run_t) type tftpdir_t; files_type(tftpdir_t) +type tftpdir_rw_t; +files_type(tftpdir_rw_t) + ######################################## # # Local policy @@ -33,6 +44,10 @@ allow tftpd_t tftpdir_t:dir { getattr read search }; allow tftpd_t tftpdir_t:file { read getattr }; allow tftpd_t tftpdir_t:lnk_file { getattr read }; +manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) + manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t) files_pid_filetrans(tftpd_t,tftpd_var_run_t,file) @@ -80,6 +95,10 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t) userdom_dontaudit_use_sysadm_ttys(tftpd_t) userdom_dontaudit_search_sysadm_home_dirs(tftpd_t) +tunable_policy(`tftp_anon_write',` + miscfiles_manage_public_files(tftpd_t) +') + optional_policy(` inetd_udp_service_domain(tftpd_t,tftpd_exec_t) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index cf640b6..bebb25f 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -48,6 +48,26 @@ interface(`miscfiles_read_fonts',` ######################################## ## +## Do not audit attempts to write fonts. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_dontaudit_write_fonts',` + gen_require(` + type fonts_t; + ') + + dontaudit $1 fonts_t:dir write; + dontaudit $1 fonts_t:file write; +') + +######################################## +## ## Create, read, write, and delete fonts. ## ## @@ -253,6 +273,8 @@ interface(`miscfiles_delete_man_pages',` files_search_usr($1) allow $1 man_t:dir setattr; + # RH bug #309351 + allow $1 man_t:dir list_dir_perms; delete_dirs_pattern($1,man_t,man_t) delete_files_pattern($1,man_t,man_t) delete_lnk_files_pattern($1,man_t,man_t) diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 48c25c3..2b51b6e 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,5 +1,5 @@ -policy_module(miscfiles,1.4.0) +policy_module(miscfiles,1.4.1) ######################################## #