diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index 5725183..b09816f 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -38,6 +38,9 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
 kernel_read_system_state(chrome_sandbox_t)
 kernel_read_kernel_sysctls(chrome_sandbox_t)
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+
 corecmd_exec_bin(chrome_sandbox_t)
 domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 23890a7..7bc0dcf 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@@ -63,6 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
 allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow nsplugin_t self:unix_dgram_socket create_socket_perms;
 allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 tunable_policy(`allow_nsplugin_execmem',`
 allow nsplugin_t self:process { execstack execmem };
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 6db2fe7..86641dd 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -724,7 +724,7 @@ optional_policy(`
 optional_policy(`
 passenger_domtrans(httpd_t)
- passenger_manage_state_content(httpd_t)
+ passenger_manage_pid_content(httpd_t)
 passenger_read_lib_files(httpd_t)
 ')
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 9d97456..fdb0dcb 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -5,13 +5,6 @@ policy_module(corosync, 1.0.0)
 # Declarations
 #
-##
-##
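Review bot: `fs_manage_cgroup_files(chrome_sandbox_t)` grants create, write, unlink and rename on every file in the cgroup filesystem, which is far wider than a sandbox helper should need: writing cgroup control files moves processes between groups and changes limits for processes outside the sandbox, and on cgroup v1 it includes the hierarchy's `release_agent` file, which the kernel runs with full privileges when a group empties. chrome_sandbox_t is presumably the privileged setuid helper domain, so this is the domain where such a grant matters most. If the helper only needs to create a hierarchy for its own children, `fs_manage_cgroup_dirs` plus a read/write interface on existing files (if fs.if provides one) would be narrower than manage. Either way, a one-line comment above the pair naming the cgroup operation the sandbox actually performs, e.g. `# sandbox helper creates and populates its own cgroup hierarchy` if that is the reason, would let the scope be re-checked later.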
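Review bot: The two added `read_*_pattern` rules have nsplugin_config_t as subject but are placed inside the nsplugin_t local policy, between `allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;` and the `allow_nsplugin_execmem` tunable, which breaks the per-domain grouping the rest of this block follows. If nsplugin_config_t really is meant to read nsplugin_rw_t content, move the pair to the nsplugin_config_t section (outside this hunk) and add a short comment on why the config helper needs plugin rw content; if the intent was instead to let nsplugin_t read the files in the directories it can already list, the subject should be nsplugin_t, e.g. `read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)`. The placement makes it hard to tell which was meant.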

-## Allow corosync to read and write generic tmpfs files.
-##

-##
-gen_tunable(allow_corosync_rw_tmpfs, false)
-
 type corosync_t;
 type corosync_exec_t;
 init_daemon_domain(corosync_t, corosync_exec_t)
@@ -98,8 +91,13 @@ miscfiles_read_localization(corosync_t)
 userdom_delete_user_tmpfs_files(corosync_t)
 userdom_rw_user_tmpfs_files(corosync_t)
-tunable_policy(`allow_corosync_rw_tmpfs',`
- fs_rw_tmpfs_files(corosync_t)
+optional_policy(`
+ gen_require(`
+ attribute unconfined_services;
+ ')
+
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
index 462de63..a8ce02e 100644
--- a/policy/modules/services/gnomeclock.fc
+++ b/policy/modules/services/gnomeclock.fc
@@ -1,2 +1,4 @@
 /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
index e738452..7ca90f6 100644
--- a/policy/modules/services/passenger.if
+++ b/policy/modules/services/passenger.if
@@ -13,6 +13,7 @@ interface(`passenger_domtrans',`
 gen_require(`
 type passenger_t;
+ type passenger_exec_t;
 ')
 allow $1 self:capability { fowner fsetid };
@@ -26,7 +27,7 @@ interface(`passenger_domtrans',`
 ######################################
 ##
-## Manage passenger state content.
+## Manage passenger var_run content.
 ##
 ##
 ##
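Review bot: The `gen_require` of `attribute unconfined_services` in the new `optional_policy` block is never referenced by the rules inside it, so the block only checks that some loaded module declares that attribute and then grants `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` unconditionally on every such system. That replaces the removed `allow_corosync_rw_tmpfs` tunable, which defaulted to false and granted only read/write, with an always-on grant that also covers create, unlink and rename of every generic tmpfs file plus writes to the init script status files that other services consult, and nothing in the hunk records that widening. If the intent is to relax corosync only where the unconfined module is in use, the block needs a condition that actually changes what is granted (a tunable, or an interface supplied by that module) rather than a bare require; otherwise drop the unused require and state the reason above the block, e.g. `# corosync creates and removes its own files on generic tmpfs and updates init script status files` if that is indeed what it does. Dropping the tunable also silently discards any local setting of `allow_corosync_rw_tmpfs`, which deserves a mention in the commit message.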
@@ -34,16 +35,16 @@ interface(`passenger_domtrans',`
 ##
 ##
 #
-interface(`passenger_manage_state_content',`
+interface(`passenger_manage_pid_content',`
 gen_require(`
- type passenger_state_t;
+ type passenger_var_run_t;
 ')
 files_search_pids($1)
- manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
- manage_files_pattern($1, passenger_state_t, passenger_state_t)
- manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
- manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
 ')
 ########################################
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
index 845d90f..9cb0d1c 100644
--- a/policy/modules/services/passenger.te
+++ b/policy/modules/services/passenger.te
@@ -18,8 +18,8 @@ files_tmp_file(passenger_tmp_t)
 type passenger_var_lib_t;
 files_type(passenger_var_lib_t)
-type passenger_state_t;
-files_pid_file(passenger_state_t)
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
 permissive passenger_t;
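Review bot: `passenger_manage_state_content` is renamed to `passenger_manage_pid_content` without leaving a deprecated wrapper, so any module outside this tree that still calls the old name will fail to build instead of getting a warning. The refpolicy convention for renamed interfaces is to keep the old name as a thin wrapper that emits `refpolicywarn` and forwards to the new interface, then remove it a release later. The body itself is consistent with the passenger_state_t to passenger_var_run_t rename in passenger.te.

```m4
interface(`passenger_manage_state_content',`
	refpolicywarn(`$0($*) has been deprecated, please use passenger_manage_pid_content() instead.')
	passenger_manage_pid_content($1)
')
```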
@@ -34,15 +34,16 @@ allow passenger_t self:process signal;
 allow passenger_t self:fifo_file rw_fifo_file_perms;
 allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-
 files_search_var_lib(passenger_t)
 manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
 kernel_read_system_state(passenger_t)
 kernel_read_kernel_sysctls(passenger_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index f28524b..447aaec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1541,6 +1541,25 @@ interface(`init_getattr_script_status_files',`
 ########################################
 ##
+## Manage init script
+## status files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_manage_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+##
 ## Do not audit attempts to read init script
 ## status files.
 ##
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2f7102..1f8fee9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
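Review bot: The new `files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })` leaves out `fifo_file` even though the block grants `manage_fifo_files_pattern` on passenger_var_run_t, so a named pipe that passenger creates directly under the pid directory would be labelled with the generic pid type and fall outside these rules. If passenger does create fifos there, the class set should match the manage rules: `files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file fifo_file })`; if it does not, the fifo manage rule is dead weight and could go. Note also that `permissive passenger_t;` in the earlier hunk means none of this is enforced yet, so the check here is the AVC log rather than observed failures.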
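Review bot: `init_manage_script_status_files` grants manage on initrc_state_t files but nothing on the directory that contains them, so a caller that has not separately obtained search on that parent path will still fail at lookup. The neighbouring read and getattr interfaces for the same type sit outside this hunk; whatever `files_search_*` call they make before their pattern should be mirrored here, since an interface that only works when the caller happens to hold other permissions is easy to misuse. Because this interface hands out write access to the status files that init scripts and other services consult, the summary could also say so plainly, e.g. `Create, read, write, and delete init script status files (initrc_state_t).`, so callers see the scope before adding it.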
@@ -141,6 +141,8 @@ fs_read_tmpfs_symlinks(mount_t)
 fs_read_fusefs_files(mount_t)
 fs_manage_nfs_dirs(mount_t)
 fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
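Review bot: `fs_manage_cgroup_files(mount_t)` lets mount create, write and remove cgroup control files, which goes beyond what setting up a cgroup hierarchy needs: creating mount points and subsystem directories is covered by `fs_manage_cgroup_dirs`, while writing control files changes membership and limits of whatever processes are attached, and on cgroup v1 includes the `release_agent` file the kernel executes with full privileges. If the file rule was added to clear a specific denial, a comment above the pair naming it, e.g. `# mount writes cgroup control files when ... (denial: ...)`, would justify keeping it; otherwise drop it or use a read-only cgroup interface and keep only the dirs rule. mount_t is already a strong domain, so every extra write path it gains is worth a sentence of explanation.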