diff --git a/aiccu.te b/aiccu.te index 6e4206c..a9039ce 100644 --- a/aiccu.te +++ b/aiccu.te @@ -69,6 +69,10 @@ optional_policy(` ') optional_policy(` + pcscd_stream_connect(aiccu_t) +') + +optional_policy(` sysnet_dns_name_resolve(aiccu_t) sysnet_domtrans_ifconfig(aiccu_t) ') diff --git a/antivirus.te b/antivirus.te index 8ba9c95..83590aa 100644 --- a/antivirus.te +++ b/antivirus.te @@ -37,7 +37,7 @@ typealias antivirus_unit_file_t alias { clamd_unit_file_t }; systemd_unit_file(antivirus_unit_file_t) type antivirus_conf_t; -typealias antivirus_conf_t alias { clamd_etc_t }; +typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t }; files_config_file(antivirus_conf_t) type antivirus_var_run_t; @@ -166,6 +166,7 @@ dev_read_urand(antivirus_domain) domain_dontaudit_read_all_domains_state(antivirus_domain) +files_dontaudit_read_security_files(antivirus_domain) files_read_etc_runtime_files(antivirus_domain) files_search_spool(antivirus_domain) @@ -190,8 +191,6 @@ userdom_dontaudit_search_user_home_dirs(antivirus_domain) tunable_policy(`antivirus_can_scan_system',` files_read_non_security_files(antivirus_domain) - #files_dontaudit_read_all_non_security_files(antivirus_domain) - files_dontaudit_read_security_files(antivirus_domain) files_getattr_all_pipes(antivirus_domain) files_getattr_all_sockets(antivirus_domain) dev_getattr_all_blk_files(antivirus_domain) diff --git a/apache.fc b/apache.fc index 43bb1c9..b903cc0 100644 --- a/apache.fc +++ b/apache.fc 
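Review bot: `files_dontaudit_read_security_files(antivirus_domain)` is now unconditional, so read denials on security-labelled files are silenced for every antivirus domain even when `antivirus_can_scan_system` is off (the tunable block it was removed from). A dontaudit grants nothing, so this is not an access widening, but it removes the AVC evidence that would show a scanner being pointed at credential or auth files — the case the tunable exists to make explicit. If the denials are noisy on a default install, a comment above the rule naming the paths that trigger them, e.g. `# scanners stat files under /etc with security types; silence the noise without granting access`, would let a later reviewer judge whether it should stay unconditional.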
@@ -133,6 +133,7 @@ ifdef(`distro_suse', ` /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) diff --git a/apache.if b/apache.if index 64beed7..9426db5 100644 --- a/apache.if +++ b/apache.if @@ -74,6 +74,8 @@ template(`apache_content_template',` manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write }; + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) diff --git a/apache.te b/apache.te index 21d7195..bce7760 100644 --- a/apache.te +++ b/apache.te @@ -474,7 +474,7 @@ role system_r types httpd_passwd_t; # Apache server local policy # -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; 
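Review bot: The new `allow httpd_$1_script_t httpd_t:unix_stream_socket { getattr read write };` in `apache_content_template` works against the `dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };` that this same patch adds to apache.te: one rule grants script domains read/write on the server's unix sockets, the other treats that access as a leaked-fd nuisance to hide. Every `httpd_$1_script_t` is an `httpd_script_type`, so the allow wins and the dontaudit is dead, while each CGI/script domain can now write on any httpd_t stream socket it inherits or is handed, which may include connections not meant for that script. If a specific deployment needs it (an accepted connection passed to a script engine, presumably), it deserves a comment naming that case and should live outside the template so it is not granted to every content type; otherwise drop the allow and keep the dontaudit.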
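Review bot: `sys_chroot` joins httpd_t's capability set with no comment naming the feature that needs it, and alongside the existing `dac_override` it lets the web server move into an arbitrary directory tree while still bypassing DAC there, which erodes the assumption elsewhere in this policy that httpd_t only touches httpd_* labelled content. A one-line justification above the rule, e.g. `# sys_chroot: Apache ChrootDir directive` if that is the driver, would record why it was granted, and if it is only for an optional feature the capability belongs under a tunable rather than in the base allow.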
@@ -510,6 +510,7 @@ allow httpd_t httpd_log_t:dir setattr; create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) # cjp: need to refine create interfaces to @@ -1035,6 +1036,7 @@ optional_policy(` optional_policy(` passenger_exec(httpd_t) + passenger_kill(httpd_t) passenger_manage_pid_content(httpd_t) ') @@ -1649,7 +1651,7 @@ allow httpd_t httpd_script_type:unix_stream_socket connectto; allow httpd_t httpd_script_exec_type:file read_file_perms; allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; -allow httpd_t httpd_script_type:process { signal sigkill sigstop }; +allow httpd_t httpd_script_type:process { signal sigkill sigstop signull }; allow httpd_t httpd_script_exec_type:dir list_dir_perms; allow httpd_script_type self:process { setsched signal_perms }; @@ -1660,6 +1662,7 @@ allow httpd_script_type httpd_t:fd use; allow httpd_script_type httpd_t:process sigchld; dontaudit httpd_script_type httpd_t:tcp_socket { read write }; +dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }; fs_getattr_xattr_fs(httpd_script_type) diff --git a/apcupsd.te b/apcupsd.te index a370cb8..5206035 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -82,6 +82,8 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) +domain_signull_all_domains(apcupsd_t) + files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") diff --git a/automount.te b/automount.te index f27656d..11dbe9d 100644 --- a/automount.te +++ b/automount.te 
@@ -89,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) +files_getattr_all_files(automount_t) files_getattr_default_dirs(automount_t) files_getattr_home_dir(automount_t) files_getattr_isid_type_dirs(automount_t) diff --git a/bind.if b/bind.if index 6c2dbe4..43b445c 100644 --- a/bind.if +++ b/bind.if @@ -408,6 +408,25 @@ interface(`bind_udp_chat_named',` ######################################## ## +## Allow the domain to read bind state files in /proc. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_read_state',` + gen_require(` + type named_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, named_t) +') + +######################################## +## ## All of the rules required to ## administrate an bind environment. ## diff --git a/chronyd.te b/chronyd.te index 7d723c0..d0c8001 100644 --- a/chronyd.te +++ b/chronyd.te @@ -87,6 +87,7 @@ domain_dontaudit_getsession_all_domains(chronyd_t) dev_read_rand(chronyd_t) dev_read_urand(chronyd_t) +dev_read_sysfs(chronyd_t) dev_rw_realtime_clock(chronyd_t) diff --git a/cloudform.te b/cloudform.te index 786d623..496ce03 100644 --- a/cloudform.te +++ b/cloudform.te @@ -270,8 +270,9 @@ files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) #needed by dbomatic -files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) +files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir }) corecmd_exec_bin(mongod_t) corecmd_exec_shell(mongod_t) diff --git a/conman.te b/conman.te index 0de2d4d..d6b0314 100644 --- a/conman.te +++ b/conman.te 
@@ -25,7 +25,7 @@ allow conman_t self:process { setrlimit signal_perms }; allow conman_t self:fifo_file rw_fifo_file_perms; allow conman_t self:unix_stream_socket create_stream_socket_perms; -allow conman_t self:tcp_socket { listen create_socket_perms }; +allow conman_t self:tcp_socket { accept listen create_socket_perms }; manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) manage_files_pattern(conman_t, conman_log_t, conman_log_t) @@ -40,6 +40,10 @@ auth_read_passwd(conman_t) logging_send_syslog_msg(conman_t) +sysnet_dns_name_resolve(conman_t) + +userdom_use_user_ptys(conman_t) + optional_policy(` freeipmi_stream_connect(conman_t) ') diff --git a/cups.fc b/cups.fc index afe482b..9437dbe 100644 --- a/cups.fc +++ b/cups.fc @@ -76,10 +76,14 @@ /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) /usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/dhcp.te b/dhcp.te index cdb4d60..5d61f10 100644 --- a/dhcp.te +++ b/dhcp.te 
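Review bot: `userdom_use_user_ptys(conman_t)` grants the console daemon read/write on every user pty, not just one it inherited, and comes with no comment on why a daemon started from init needs a user's terminal. If this only covers running conman interactively for debugging, the inherited variant (`userdom_use_inherited_user_ptys`) is the narrower grant that satisfies that case; if it is for the daemon to drive a user's terminal, say so above the rule.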
@@ -103,13 +103,26 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) +sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) + allow dhcpd_t self:tcp_socket create_socket_perms; +') + +tunable_policy(`dhcpd_use_ldap',` + corenet_tcp_sendrecv_generic_if(dhcpd_t) + corenet_tcp_sendrecv_generic_node(dhcpd_t) + corenet_tcp_sendrecv_ldap_port(dhcpd_t) + corenet_tcp_connect_ldap_port(dhcpd_t) + corenet_sendrecv_ldap_client_packets(dhcpd_t) +') + +tunable_policy(`dhcpd_use_ldap',` + ldap_read_certs(dhcpd_t) ') ifdef(`distro_gentoo',` diff --git a/docker.te b/docker.te index c80e06c..73e71c1 100644 --- a/docker.te +++ b/docker.te @@ -97,6 +97,7 @@ manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) @@ -135,12 +136,14 @@ files_read_etc_files(docker_t) fs_read_cgroup_files(docker_t) fs_read_tmpfs_symlinks(docker_t) +fs_getattr_all_fs(docker_t) storage_raw_rw_fixed_disk(docker_t) auth_use_nsswitch(docker_t) init_read_state(docker_t) +init_status(docker_t) logging_send_audit_msgs(docker_t) logging_send_syslog_msg(docker_t) @@ -220,6 +223,12 @@ term_mounton_unallocated_ttys(docker_t) modutils_domtrans_insmod(docker_t) +systemd_status_all_unit_files(docker_t) +systemd_start_systemd_services(docker_t) + +userdom_stream_connect(docker_t) +userdom_search_user_home_content(docker_t) + optional_policy(` dbus_system_bus_client(docker_t) init_dbus_chat(docker_t) 
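Review bot: `ldap_read_certs(dhcpd_t)` is called directly inside a `tunable_policy` block with no `optional_policy` wrapper, so the dhcp module now hard-depends on the ldap module; if the replaced `sysnet_use_ldap` followed the usual refpolicy shape that dependency used to be optional, and a build without ldap will now fail. Wrap the `dhcpd_use_ldap` block holding `ldap_read_certs(dhcpd_t)` in `optional_policy(` … `)` — tunable_policy may nest inside optional_policy but not the other way round. The first two `tunable_policy(`dhcpd_use_ldap',` blocks contain only non-optional rules (the self tcp_socket allow and the corenet calls) and can be merged into one.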
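Review bot: `userdom_stream_connect(docker_t)` lets the daemon connect to unix sockets owned by user domains, which is the reverse of the usual client-to-daemon direction, and it lands in the same hunk as `userdom_search_user_home_content`, `systemd_start_systemd_services` and `systemd_status_all_unit_files` with no comment on what any of them is for. If the socket connect is for one specific endpoint (an agent in a user session, say) a comment naming it, and ideally a narrower interface, would keep the grant auditable; likewise a note such as `# starts per-container scope units` above the systemd lines would record the intent. The `relabelfrom relabelto` on docker_var_lib_t in the first hunk is confined to docker's own type and looks fine.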
diff --git a/drbd.fc b/drbd.fc index 671a3fb..c781675 100644 --- a/drbd.fc +++ b/drbd.fc @@ -3,7 +3,7 @@ /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) -/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) +/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) diff --git a/exim.fc b/exim.fc index dc0254b..9df498d 100644 --- a/exim.fc +++ b/exim.fc @@ -3,6 +3,8 @@ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /usr/sbin/exim_tidydb -- gen_context(system_u:object_r:exim_exec_t,s0) +/var/lib/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_lib_t,s0) + /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) diff --git a/exim.if b/exim.if index ef3b449..4a8d053 100644 --- a/exim.if +++ b/exim.if @@ -241,8 +241,46 @@ interface(`exim_manage_spool_files',` ######################################## ## -## All of the rules required to administrate -## an exim environment. +## Read exim var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_read_var_lib_files',` + gen_require(` + type exim_var_lib_t; + ') + + read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Create, read, and write exim var lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_manage_var_lib_files',` + gen_require(` + type exim_var_lib_t; + ') + + manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## All of the rules required to +## administrate an exim environment. ## ## ## 
@@ -257,8 +295,9 @@ interface(`exim_manage_spool_files',` # interface(`exim_admin',` gen_require(` - type exim_t, exim_initrc_exec_t, exim_log_t; - type exim_tmp_t, exim_spool_t, exim_var_run_t; + type exim_t, exim_spool_t, exim_log_t; + type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t; + type exim_keytab_t; ') allow $1 exim_t:process signal_perms; @@ -273,6 +312,9 @@ interface(`exim_admin',` role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; + files_search_etc($1) + admin_pattern($1, exim_keytab_t) + files_search_spool($1) admin_pattern($1, exim_spool_t) diff --git a/exim.te b/exim.te index 3e86b12..5495c90 100644 --- a/exim.te +++ b/exim.te @@ -1,4 +1,4 @@ -policy_module(exim, 1.5.4) +policy_module(exim, 1.6.1) ######################################## # @@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t) type exim_initrc_exec_t; init_script_file(exim_initrc_exec_t) +type exim_var_lib_t; +files_type(exim_var_lib_t) + type exim_log_t; logging_log_file(exim_log_t) @@ -57,6 +60,10 @@ files_tmp_file(exim_tmp_t) type exim_var_run_t; files_pid_file(exim_var_run_t) +ifdef(`distro_debian',` + init_daemon_run_dir(exim_var_run_t, "exim4") +') + ######################################## # # Local policy @@ -68,6 +75,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms; allow exim_t self:unix_stream_socket { accept listen }; allow exim_t self:tcp_socket { accept listen }; +manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t) + append_files_pattern(exim_t, exim_log_t, exim_log_t) create_files_pattern(exim_t, exim_log_t, exim_log_t) setattr_files_pattern(exim_t, exim_log_t, exim_log_t) @@ -88,6 +97,7 @@ files_pid_filetrans(exim_t, exim_var_run_t, { dir file }) can_exec(exim_t, exim_exec_t) +kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) kernel_read_network_state(exim_t) kernel_read_system_state(exim_t) 
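Review bot: exim_t gets only `manage_files_pattern` on the new exim_var_lib_t and no `files_var_lib_filetrans`, so if exim ever creates its state directory itself under /var/lib the directory lands as var_lib_t (and creation there is not allowed anyway), leaving it unusable until a restorecon; the new exim.fc entry only helps for paths present at labelling time. If the packaged /var/lib/exim* directory always exists that is fine, but then a comment saying so, or adding `manage_dirs_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)` plus a `files_var_lib_filetrans(exim_t, exim_var_lib_t, dir)` (with the directory name if it is fixed), closes the gap and matches how exim_var_run_t is handled a few lines below.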
@@ -122,6 +132,7 @@ corenet_tcp_connect_spamd_port(exim_t) dev_read_rand(exim_t) dev_read_urand(exim_t) +dev_read_sysfs(exim_t) domain_use_interactive_fds(exim_t) @@ -134,6 +145,7 @@ fs_getattr_xattr_fs(exim_t) fs_list_inotifyfs(exim_t) auth_use_nsswitch(exim_t) +auth_domtrans_chk_passwd(exim_t) logging_send_syslog_msg(exim_t) @@ -175,6 +187,7 @@ optional_policy(` optional_policy(` cron_read_pipes(exim_t) cron_rw_system_job_pipes(exim_t) + cron_use_system_job_fds(exim_t) ') optional_policy(` @@ -186,7 +199,7 @@ optional_policy(` ') optional_policy(` - kerberos_keytab_template(exim, exim_t) + kerberos_keytab_template(exim, exim_t) ') optional_policy(` diff --git a/fprintd.te b/fprintd.te index ed04b9e..72b7712 100644 --- a/fprintd.te +++ b/fprintd.te @@ -33,6 +33,8 @@ dev_read_sysfs(fprintd_t) dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) +files_dontaudit_list_tmp(fprintd_t) + fs_getattr_all_fs(fprintd_t) auth_use_nsswitch(fprintd_t) diff --git a/freeipmi.te b/freeipmi.te index 8071a76..0710d79 100644 --- a/freeipmi.te +++ b/freeipmi.te @@ -40,6 +40,7 @@ files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir }) dev_read_rand(freeipmi_domain) dev_read_urand(freeipmi_domain) +dev_rw_ipmi_dev(freeipmi_domain) sysnet_dns_name_resolve(freeipmi_domain) @@ -50,7 +51,6 @@ sysnet_dns_name_resolve(freeipmi_domain) files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") -dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t) allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms; diff --git a/gear.fc b/gear.fc index 5eabf35..98c012c 100644 --- a/gear.fc +++ b/gear.fc 
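Review bot: `auth_domtrans_chk_passwd(exim_t)` lets the mail daemon run the unix_chkpwd helper, i.e. verify arbitrary username/password pairs against the system password database, presumably for SMTP AUTH against local accounts. For a network-facing daemon that is a notable widening — it makes exim an online oracle for /etc/shadow credentials — and it is unconditional here, so sites that authenticate via SASL or LDAP carry it too. A `tunable_policy` around it, or at minimum a comment naming the auth mechanism that needs it, would make the grant deliberate. The whitespace-only change to `kerberos_keytab_template(exim, exim_t)` in the later hunk is fine.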
@@ -1,7 +1,7 @@ /usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) -/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) - -/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) +/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) +/var/lib/containers(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) +/var/lib/containers/units(/.*)? gen_context(system_u:object_r:gear_unit_file_t,s0) /var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) diff --git a/gear.te b/gear.te index 6c32f79..cb68ca9 100644 --- a/gear.te +++ b/gear.te @@ -25,11 +25,15 @@ systemd_unit_file(gear_unit_file_t) # # gear local policy # +allow gear_t self:capability { chown net_admin fowner dac_override }; +allow gear_t self:capability2 block_suspend; allow gear_t self:process { getattr signal_perms }; allow gear_t self:fifo_file rw_fifo_file_perms; allow gear_t self:unix_stream_socket create_stream_socket_perms; allow gear_t self:tcp_socket create_stream_socket_perms; +allow gear_t gear_unit_file_t:dir { relabelfrom relabelto }; + manage_dirs_pattern(gear_t, gear_log_t, gear_log_t) manage_files_pattern(gear_t, gear_log_t, gear_log_t) manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t) @@ -43,6 +47,7 @@ manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file }) +allow gear_t gear_var_lib_t:dir { relabelfrom relabelto }; manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t) manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) @@ -56,6 +61,7 @@ kernel_read_all_sysctls(gear_t) kernel_rw_net_sysctls(gear_t) domain_use_interactive_fds(gear_t) +domain_read_all_domains_state(gear_t) corecmd_exec_bin(gear_t) corecmd_exec_shell(gear_t) 
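Review bot: `allow gear_t self:capability { chown net_admin fowner dac_override };`, `capability2 block_suspend` and `relabelfrom relabelto` on gear_unit_file_t directories arrive with no comment, and combined with the existing `systemd_manage_all_unit_files(gear_t)` they let this domain label content under /var/lib/containers/units as unit files and then manage any unit — effectively root control of the host. That may be inherent to what gear does, but each capability should carry a one-line reason (e.g. `# net_admin: sets up container networking`) so a later reviewer can tell which grants are load-bearing. `dac_override` in particular is often requested where `dac_read_search` would do; worth checking the AVC that prompted it.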
@@ -66,6 +72,11 @@ corenet_tcp_sendrecv_generic_node(gear_t) corenet_tcp_sendrecv_generic_port(gear_t) corenet_tcp_bind_gear_port(gear_t) +dev_mounton_sysfs(gear_t) +dev_mount_sysfs_fs(gear_t) +dev_unmount_sysfs_fs(gear_t) + +files_mounton_rootfs(gear_t) files_read_etc_files(gear_t) fs_read_cgroup_files(gear_t) @@ -75,6 +86,9 @@ auth_use_nsswitch(gear_t) init_read_state(gear_t) init_dbus_chat(gear_t) +init_enable_services(gear_t) + +iptables_domtrans(gear_t) logging_send_audit_msgs(gear_t) logging_send_syslog_msg(gear_t) @@ -87,8 +101,25 @@ seutil_read_default_contexts(gear_t) sysnet_dns_name_resolve(gear_t) +sysnet_exec_ifconfig(gear_t) +sysnet_manage_ifconfig_run(gear_t) + systemd_manage_all_unit_files(gear_t) optional_policy(` + hostname_exec(gear_t) +') + +optional_policy(` + dbus_system_bus_client(gear_t) +') + +optional_policy(` docker_stream_connect(gear_t) ') + +optional_policy(` + openshift_manage_lib_dirs(gear_t) + openshift_manage_lib_files(gear_t) + openshift_relabelfrom_lib(gear_t) +') diff --git a/glance.te b/glance.te index 16dcb5b..2d17fe6 100644 --- a/glance.te +++ b/glance.te @@ -5,6 +5,13 @@ policy_module(glance, 1.0.2) # Declarations # +## +##
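Review bot: `files_mounton_rootfs(gear_t)` together with `dev_mount_sysfs_fs`/`dev_mounton_sysfs` and the later `iptables_domtrans` and `init_enable_services` are host-altering grants added without a word on which gear operation needs them. Mounting over / is normally only needed for pivot_root-style container setup; if docker performs that on gear's behalf (the `docker_stream_connect` optional block is already here) the grant may be unnecessary, and if gear does it itself a comment such as `# mounton rootfs: pivot_root into container image` should say so. The same applies to `init_enable_services` — enabling arbitrary units is a persistence-relevant capability and deserves a stated purpose.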

+## Allow glance domain to manage fuse files +##

+##
+gen_tunable(glance_use_fusefs, false) + attribute glance_domain; glance_basic_types_template(glance_registry) @@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain) sysnet_dns_name_resolve(glance_domain) +tunable_policy(`glance_use_fusefs',` + fs_manage_fusefs_dirs(glance_domain) + fs_manage_fusefs_files(glance_domain) + fs_read_fusefs_symlinks(glance_domain) + fs_getattr_fusefs(glance_domain) +') + + + +optional_policy(` + mysql_read_db_lnk_files(glance_domain) +') + ######################################## # # Registry local policy @@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t) corenet_tcp_connect_http_port(glance_api_t) corenet_tcp_connect_all_ephemeral_ports(glance_api_t) +corenet_tcp_connect_commplex_main_port(glance_api_t) +corenet_tcp_connect_http_cache_port(glance_api_t) corenet_sendrecv_hplip_server_packets(glance_api_t) corenet_tcp_bind_hplip_port(glance_api_t) diff --git a/gnome.te b/gnome.te index 5314f96..ea1115c 100644 --- a/gnome.te +++ b/gnome.te @@ -226,7 +226,6 @@ allow gkeyringd_domain gconf_home_t:dir create_dir_perms; filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") -filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) diff --git a/iscsi.if b/iscsi.if index 2ea1241..a7e1562 100644 --- a/iscsi.if +++ b/iscsi.if 
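Review bot: Three consecutive blank lines follow the closing `')` of the new `glance_use_fusefs` tunable block before `optional_policy(`; refpolicy style is a single blank line between rule groups, so two of them should go. The tunable description says "manage fuse files" while the block also grants `fs_read_fusefs_symlinks` and `fs_getattr_fusefs`; that is consistent enough, but the boolean text is what admins read in `semanage boolean -l`, so wording it as `Allow glance domains to manage files on FUSE filesystems (e.g. a network-mounted image store)` would say where it matters.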
@@ -117,6 +117,28 @@ interface(`iscsi_filetrans_named_content',` files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") ') +######################################## +## +## Execute iscsi server in the iscsi domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`iscsi_systemctl',` + gen_require(` + type iscsid_t; + type iscsi_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 iscsi_unit_file_t:file read_file_perms; + allow $1 iscsi_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, iscsid_t) +') ######################################## ## diff --git a/iscsi.te b/iscsi.te index 56d45ec..b25cfd0 100644 --- a/iscsi.te +++ b/iscsi.te @@ -90,6 +90,9 @@ corenet_sendrecv_winshadow_client_packets(iscsid_t) corenet_tcp_connect_winshadow_port(iscsid_t) corenet_tcp_sendrecv_winshadow_port(iscsid_t) +corecmd_exec_bin(iscsid_t) +corecmd_exec_shell(iscsid_t) + dev_read_urand(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -108,5 +111,9 @@ logging_send_syslog_msg(iscsid_t) modutils_read_module_config(iscsid_t) optional_policy(` + iscsi_systemctl(iscsid_t) +') + +optional_policy(` tgtd_manage_semaphores(iscsid_t) ') diff --git a/keepalived.te b/keepalived.te index 535f79b..dc5c775 100644 --- a/keepalived.te +++ b/keepalived.te @@ -33,6 +33,9 @@ files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file }) kernel_read_system_state(keepalived_t) kernel_read_network_state(keepalived_t) +corecmd_exec_bin(keepalived_t) +corecmd_exec_shell(keepalived_t) + auth_use_nsswitch(keepalived_t) corenet_tcp_connect_connlcli_port(keepalived_t) diff --git a/keystone.te b/keystone.te index a82637c..c21beab 100644 --- a/keystone.te +++ b/keystone.te @@ -78,6 +78,7 @@ libs_exec_ldconfig(keystone_t) optional_policy(` mysql_stream_connect(keystone_t) mysql_tcp_connect(keystone_t) + mysql_read_db_lnk_files(keystone_t) ') optional_policy(` diff --git a/logrotate.te b/logrotate.te index f8c5464..17ea89c 100644 --- a/logrotate.te 
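Review bot: The `iscsi_systemctl` summary says "Execute iscsi server in the iscsi domain" and its parameter doc says "Domain allowed to transition", but the rules grant `systemd_exec_systemctl`, `manage_service_perms` on iscsi_unit_file_t and `ps_process_pattern` on iscsid_t — that is "manage the iscsi service via systemctl", not a domain transition. Suggest `## Allow the domain to start, stop and query the iscsi service via systemctl.` and `## Domain allowed access.`. There is also no blank line between the new interface's closing `')` and the next `#######` banner, unlike the surrounding interfaces. In iscsi.te the call is wrapped in `optional_policy` for the module's own interface, which is redundant, and the net effect — iscsid_t restarting its own unit — would benefit from a comment on why the daemon needs that.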
+++ b/logrotate.te @@ -38,7 +38,7 @@ files_type(logrotate_var_lib_t) # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace }; -dontaudit logrotate_t self:capability sys_resource; +dontaudit logrotate_t self:capability { sys_resource net_admin }; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff --git a/logwatch.te b/logwatch.te index 7569cd9..aea48db 100644 --- a/logwatch.te +++ b/logwatch.te @@ -187,6 +187,8 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) mta_read_home(logwatch_mail_t) +mta_filetrans_home_content(logwatch_mail_t) +mta_filetrans_admin_home_content(logwatch_mail_t) optional_policy(` cron_use_system_job_fds(logwatch_mail_t) diff --git a/mock.if b/mock.if index 6568bfe..f5b98e6 100644 --- a/mock.if +++ b/mock.if @@ -53,6 +53,7 @@ interface(`mock_read_lib_files',` ') files_search_var_lib($1) + list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) ') diff --git a/mock.te b/mock.te index fc64201..1bf717f 100644 --- a/mock.te +++ b/mock.te @@ -192,7 +192,7 @@ optional_policy(` # # mock_build local policy # -allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner sys_ptrace }; dontaudit mock_build_t self:capability audit_write; allow mock_build_t self:process { fork setsched setpgid signal_perms }; allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; 
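Review bot: `sys_ptrace` is appended to mock_build_t's already long capability list (sys_admin, sys_chroot, setfcap, mknod …) with no comment. Since `allow mock_build_t self:process { fork setsched setpgid signal_perms };` does not include `ptrace`, the capability cannot actually attach to other processes in the domain; what it does enable is CAP_SYS_PTRACE-gated reads such as /proc/PID/maps and environ of other uids inside the buildroot, which is plausibly what a build tool wanted. A line like `# sys_ptrace: /proc/<pid> reads across uids in the buildroot` would record that, and if the need turns out to be only for `/proc/PID/status`-style state, `domain_read_all_domains_state` is the narrower grant.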
@@ -269,6 +269,7 @@ init_dontaudit_stream_connect(mock_build_t) libs_exec_ldconfig(mock_build_t) +term_use_all_inherited_terms(mock_build_t) userdom_use_inherited_user_ptys(mock_build_t) tunable_policy(`mock_enable_homedirs',` diff --git a/motion.te b/motion.te index b694afc..c7f4eb5 100644 --- a/motion.te +++ b/motion.te @@ -26,7 +26,7 @@ files_type(motion_data_t) # motion local policy # allow motion_t self:udp_socket { create connect getattr }; -allow motion_t self:tcp_socket { bind create setopt listen }; +allow motion_t self:tcp_socket create_stream_socket_perms; allow motion_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(motion_t, motion_log_t, motion_log_t) @@ -43,6 +43,7 @@ files_var_filetrans(motion_t, motion_data_t, { dir file }) corenet_tcp_bind_http_cache_port(motion_t) corenet_tcp_bind_transproxy_port(motion_t) +corenet_tcp_bind_us_cli_port(motion_t) corenet_tcp_connect_http_port(motion_t) corenet_tcp_bind_generic_node(motion_t) diff --git a/mozilla.te b/mozilla.te index e76899c..a4f86f5 100644 --- a/mozilla.te +++ b/mozilla.te @@ -442,6 +442,7 @@ dev_dontaudit_read_mtrr(mozilla_plugin_t) xserver_dri_domain(mozilla_plugin_t) dev_dontaudit_getattr_all(mozilla_plugin_t) +dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) @@ -458,6 +459,10 @@ fs_read_noxattr_fs_files(mozilla_plugin_t) fs_read_hugetlbfs_files(mozilla_plugin_t) fs_exec_hugetlbfs_files(mozilla_plugin_t) +storage_raw_read_removable_device(mozilla_plugin_t) +fs_read_removable_files(mozilla_plugin_t) +fs_read_removable_symlinks(mozilla_plugin_t) + application_exec(mozilla_plugin_t) application_dontaudit_signull(mozilla_plugin_t) diff --git a/mta.fc b/mta.fc index cb2791a..1e1a679 100644 --- a/mta.fc +++ b/mta.fc 
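Review bot: `storage_raw_read_removable_device(mozilla_plugin_t)` gives the plugin sandbox read access to the raw block device of removable media, not merely to files on a mounted removable filesystem, which the two `fs_read_removable_*` lines already cover. A plugin compromised through a hostile page could then image a USB stick byte-for-byte, including unmounted partitions and deleted data. If one specific plugin needs the raw device (a disc player reading a CD/DVD directly, presumably), the rule should name it in a comment and sit behind a tunable so the default sandbox does not carry it.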
@@ -1,7 +1,7 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) @@ -17,10 +17,10 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') -/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) /root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) /root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) /root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0) +/root/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -42,3 +42,4 @@ ifdef(`distro_redhat',` /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if index e968c28..8f217ea 100644 --- a/mta.if +++ b/mta.if @@ -1174,6 +1174,7 @@ interface(`mta_filetrans_admin_home_content',` userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") + userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") ') ######################################## 
@@ -1198,6 +1199,7 @@ interface(`mta_filetrans_home_content',` userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir") userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue") + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue") ') ######################################## diff --git a/mysql.if b/mysql.if index 404ed6d..a77dc09 100644 --- a/mysql.if +++ b/mysql.if @@ -233,6 +233,24 @@ interface(`mysql_append_db_files',` files_search_var_lib($1) append_files_pattern($1, mysqld_db_t, mysqld_db_t) ') +####################################### +## +## Read and write to the MySQL database directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_read_db_lnk_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t) +') ####################################### ## diff --git a/mysql.te b/mysql.te index 699587e..6e73360 100644 --- a/mysql.te +++ b/mysql.te @@ -132,6 +132,7 @@ auth_use_nsswitch(mysqld_t) logging_send_syslog_msg(mysqld_t) sysnet_read_config(mysqld_t) +sysnet_exec_ifconfig(mysqld_t) ifdef(`distro_redhat',` filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) diff --git a/nova.te b/nova.te index d5b54e5..2d9ab86 100644 --- a/nova.te +++ b/nova.te @@ -46,6 +46,7 @@ files_pid_file(nova_var_run_t) # nova general domain local policy # +allow nova_domain self:process signal_perms; allow nova_domain self:fifo_file rw_fifo_file_perms; allow nova_domain self:tcp_socket create_stream_socket_perms; allow nova_domain self:unix_stream_socket create_stream_socket_perms; @@ -76,6 +77,11 @@ fs_getattr_xattr_fs(nova_domain) libs_exec_ldconfig(nova_domain) optional_policy(` + mysql_stream_connect(nova_domain) + mysql_read_db_lnk_files(nova_domain) +') + +optional_policy(` sysnet_read_config(nova_domain) sysnet_exec_ifconfig(nova_domain) ') 
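Review bot: The summary of `mysql_read_db_lnk_files` reads "Read and write to the MySQL database directory." but the interface grants only `read_lnk_files_pattern` on mysqld_db_t plus `files_search_var_lib`; the doc overstates the access and will mislead anyone auditing what the three new callers in this patch (glance, keystone, nova) can touch. Suggest `## Read symbolic links in the MySQL database directory.`. The new interface is also missing the blank line before its `#######` banner and after its closing `')`, unlike its neighbours.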
@@ -142,10 +148,6 @@ auth_use_nsswitch(nova_cert_t) miscfiles_read_certs(nova_cert_t) optional_policy(` - mysql_stream_connect(nova_cert_t) -') - -optional_policy(` postgresql_stream_connect(nova_cert_t) ') @@ -176,10 +178,6 @@ allow nova_console_t self:udp_socket create_socket_perms; auth_use_nsswitch(nova_console_t) -optional_policy(` - mysql_stream_connect(nova_console_t) -') - ####################################### # # nova direct local policy @@ -270,6 +268,8 @@ optional_policy(` allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; allow nova_scheduler_t self:udp_socket create_socket_perms; +auth_read_passwd(nova_scheduler_t) + #optional_policy(` # unconfined_domain(nova_scheduler_t) #') diff --git a/openshift.fc b/openshift.fc index 1d4e039..95b6381 100644 --- a/openshift.fc +++ b/openshift.fc @@ -5,7 +5,7 @@ /var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) /var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) -/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/containers/home(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) /var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) /var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) diff --git a/openshift.if b/openshift.if index 9451b83..a472b52 100644 --- a/openshift.if +++ b/openshift.if 
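Review bot: Moving `mysql_stream_connect` from nova_cert_t and nova_console_t onto the nova_domain attribute (previous hunk) gives every nova service a direct connection to the local mysqld socket, including ones that, in a typical deployment, only talk to the conductor or message queue. If the widening is intended it is fine, but a comment on the attribute-level rule naming which services need the database would keep it deliberate, and the removals here should be understood as a broadening rather than a cleanup.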
@@ -362,6 +362,26 @@ interface(`openshift_manage_content',` manage_sock_files_pattern($1, openshift_file_type, openshift_file_type) ') +######################################## +## +## Relabel openshift library files +## +## +## +## Domain allowed access. +## +## +# +interface(`openshift_relabelfrom_lib',` + gen_require(` + type openshift_var_lib_t; + ') + + files_search_var_lib($1) + relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) + relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) +') + ####################################### ## ## Create private objects in the @@ -416,7 +436,6 @@ interface(`openshift_read_pid_files',` allow $1 openshift_var_run_t:file read_file_perms; ') - ######################################## ## ## All of the rules required to administrate diff --git a/openshift.te b/openshift.te index ebd0c68..93fd0ea 100644 --- a/openshift.te +++ b/openshift.te @@ -321,6 +321,10 @@ optional_policy(` ') optional_policy(` + gear_search_lib(openshift_domain) +') + +optional_policy(` gpg_entry_type(openshift_domain) ') diff --git a/openvpn.te b/openvpn.te index 265896b..fcda1bc 100644 --- a/openvpn.te +++ b/openvpn.te @@ -26,7 +26,7 @@ gen_tunable(openvpn_enable_homedirs, false) ## connect to the TCP network. ##
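Review bot: `openshift_relabelfrom_lib` is named as a relabelfrom-only interface, but `relabel_dirs_pattern`/`relabel_files_pattern` grant both `relabelfrom` and `relabelto` on `openshift_var_lib_t`, so a caller can also relabel arbitrary content *into* the openshift lib type, which is the direction that matters for a confined domain trying to gain access. Either restrict the body to `relabelfrom_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `relabelfrom_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` to match the name, or rename it `openshift_relabel_lib` and make the header say `## Relabel to and from openshift library files.`. Whichever is chosen, the header should state the grant direction explicitly so callers do not pick it for a one-way relabel.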

## -gen_tunable(openvpn_can_network_connect, false) +gen_tunable(openvpn_can_network_connect, true) attribute_role openvpn_roles; diff --git a/openwsman.te b/openwsman.te index 49dc5ef..3bcd32c 100644 --- a/openwsman.te +++ b/openwsman.te @@ -9,6 +9,12 @@ type openwsman_t; type openwsman_exec_t; init_daemon_domain(openwsman_t, openwsman_exec_t) +type openwsman_tmp_t; +files_tmp_file(openwsman_tmp_t) + +type openwsman_tmpfs_t; +files_tmpfs_file(openwsman_tmpfs_t) + type openwsman_log_t; logging_log_file(openwsman_log_t) @@ -22,10 +28,21 @@ systemd_unit_file(openwsman_unit_file_t) # # openwsman local policy # + +allow openwsman_t self:capability setuid; + allow openwsman_t self:process { fork }; allow openwsman_t self:fifo_file rw_fifo_file_perms; allow openwsman_t self:unix_stream_socket create_stream_socket_perms; -allow openwsman_t self:tcp_socket { create_socket_perms listen }; +allow openwsman_t self:tcp_socket { create_socket_perms accept listen }; + +manage_files_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) +manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t) +files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file }) + +manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) +manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t) +fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file }) manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t) logging_log_filetrans(openwsman_t, openwsman_log_t, { file }) 
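Review bot: `gen_tunable(openvpn_can_network_connect, true)` flips the boolean's default from deny to allow, so every host that never set it explicitly lets openvpn connect to the TCP network after this update; a default change of that kind should be stated in the tunable's description or the module's release notes rather than sitting unannounced between a docstring and `attribute_role openvpn_roles;`. In the openwsman.te hunk, `allow openwsman_t self:capability setuid;` is added without a comment; if it exists so the daemon can drop privileges after binding, say so with a hedged note such as `# setuid: drop to the service user after bind — confirm`, since an unexplained setuid capability on a network service is the first thing an auditor will ask about. The new `openwsman_tmp_t`/`openwsman_tmpfs_t` types and their filetrans rules look complete and need no comment.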
@@ -34,10 +51,24 @@ manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t) files_pid_filetrans(openwsman_t, openwsman_run_t, { file }) auth_use_nsswitch(openwsman_t) +auth_domtrans_chkpwd(openwsman_t) +corenet_tcp_connect_pegasus_https_port(openwsman_t) corenet_tcp_bind_vnc_port(openwsman_t) +corenet_tcp_bind_http_port(openwsman_t) dev_read_urand(openwsman_t) logging_send_syslog_msg(openwsman_t) +logging_send_audit_msgs(openwsman_t) + +optional_policy(` + sblim_stream_connect_sfcbd(openwsman_t) + sblim_rw_semaphores_sfcbd(openwsman_t) + sblim_getattr_exec_sfcbd(openwsman_t) +') + +optional_policy(` + unconfined_domain(openwsman_t) +') diff --git a/passenger.if b/passenger.if index 0ec51d4..2d8335f 100644 --- a/passenger.if +++ b/passenger.if @@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',` manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') + +######################################## +## +## Send kill signals to passenger. +## +## +## +## Domain allowed access. +## +## +# +interface(`passenger_kill',` + gen_require(` + type passenger_t; + ') + + allow $1 passenger_t:process sigkill; +') + diff --git a/pegasus.te b/pegasus.te index 6c3afa0..37539ec 100644 --- a/pegasus.te +++ b/pegasus.te @@ -203,6 +203,8 @@ optional_policy(` # pegasus openlmi service local policy # +fs_getattr_all_fs(pegasus_openlmi_admin_t) + init_manage_transient_unit(pegasus_openlmi_admin_t) init_disable_services(pegasus_openlmi_admin_t) init_enable_services(pegasus_openlmi_admin_t) @@ -217,6 +219,9 @@ systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t) allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; +logging_read_syslog_pid(pegasus_openlmi_admin_t) +logging_read_generic_logs(pegasus_openlmi_admin_t) + optional_policy(` dbus_system_bus_client(pegasus_openlmi_admin_t) diff --git a/puppet.fc b/puppet.fc index 8c0b242..cad91e2 100644 --- a/puppet.fc +++ b/puppet.fc 
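Review bot: `unconfined_domain(openwsman_t)` inside an `optional_policy` block makes openwsman_t unconfined whenever the unconfined module is loaded, which in a targeted policy is normally the case; every fine-grained grant added in this hunk (`auth_domtrans_chkpwd`, the pegasus https connect, the http bind, the sblim socket and semaphore rules) then has no effect, and the domain neither confines the daemon nor produces useful AVC denials to learn from. If this is a stopgap while the real rule set is collected, mark it as such with a tracking reference (`# TODO: temporary until the sfcb/chkpwd rules above are confirmed complete — remove`) or gate it behind a tunable so deployments can opt in. In the pegasus.te hunk, `logging_read_syslog_pid(pegasus_openlmi_admin_t)`/`logging_read_generic_logs(pegasus_openlmi_admin_t)` are inserted under the `allow pegasus_openlmi_service_t self:udp_socket` rules of the service section; they belong next to the other `pegasus_openlmi_admin_t` rules in the earlier hunk.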
@@ -1,11 +1,19 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0) /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +#helper scripts +/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) diff --git a/puppet.te b/puppet.te index a375475..0903e67 100644 --- a/puppet.te +++ b/puppet.te @@ -1,4 +1,4 @@ -policy_module(puppet, 1.3.0) +policy_module(puppet, 1.4.0) ######################################## # @@ -11,7 +11,7 @@ policy_module(puppet, 1.3.0) ## types. ##

## -gen_tunable(puppet_manage_all_files, false) +gen_tunable(puppetagent_manage_all_files, false) ## ##
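Review bot: Renaming the boolean `puppet_manage_all_files` to `puppetagent_manage_all_files` drops any value administrators set under the old name, because nothing in the diff aliases tunables the way the next hunk aliases `puppet_t`/`puppet_exec_t`/`puppet_initrc_exec_t` with `typealias`; hosts that relied on the boolean being on will silently lose the `files_manage_non_security_files` grant after upgrade, and the `policy_module(puppet, 1.4.0)` bump alone does not signal that. Either keep the old tunable name, or add a sentence to the tunable description and the release notes saying the boolean was renamed and must be re-enabled.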

@@ -20,15 +20,18 @@ gen_tunable(puppet_manage_all_files, false) ## gen_tunable(puppetmaster_use_db, false) -type puppet_t; -type puppet_exec_t; -init_daemon_domain(puppet_t, puppet_exec_t) +type puppetagent_t; +type puppetagent_exec_t; +typealias puppetagent_exec_t alias puppet_exec_t; +typealias puppetagent_t alias puppet_t; +init_daemon_domain(puppetagent_t, puppetagent_exec_t) type puppet_etc_t; files_config_file(puppet_etc_t) -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) +type puppetagent_initrc_exec_t; +typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t; +init_script_file(puppetagent_initrc_exec_t) type puppet_log_t; logging_log_file(puppet_log_t) 
@@ -62,205 +65,142 @@ files_tmp_file(puppetmaster_tmp_t) # Puppet personal policy # -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; -allow puppet_t self:fifo_file rw_fifo_file_perms; -allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket create_stream_socket_perms; -allow puppet_t self:udp_socket create_socket_perms; +allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; +allow puppetagent_t self:process { signal signull getsched setsched }; +allow puppetagent_t self:fifo_file rw_fifo_file_perms; +allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms; +allow puppetagent_t self:tcp_socket create_stream_socket_perms; +allow puppetagent_t self:udp_socket create_socket_perms; -read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) +read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t) -manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -files_search_var_lib(puppet_t) +manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) +files_search_var_lib(puppetagent_t) -manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) +manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir }) -create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) -create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) 
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) +create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t) +create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t) +append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t) +logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir }) -manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) +manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) +manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) +files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir }) -kernel_dontaudit_search_sysctl(puppet_t) -kernel_dontaudit_search_kernel_sysctl(puppet_t) -kernel_read_system_state(puppet_t) -kernel_read_crypto_sysctls(puppet_t) -kernel_read_kernel_sysctls(puppet_t) +kernel_dontaudit_search_sysctl(puppetagent_t) +kernel_dontaudit_search_kernel_sysctl(puppetagent_t) +kernel_read_system_state(puppetagent_t) +kernel_read_crypto_sysctls(puppetagent_t) +kernel_read_kernel_sysctls(puppetagent_t) -corecmd_read_all_executables(puppet_t) -corecmd_dontaudit_access_all_executables(puppet_t) -corecmd_exec_bin(puppet_t) -corecmd_exec_shell(puppet_t) +corecmd_read_all_executables(puppetagent_t) +corecmd_dontaudit_access_all_executables(puppetagent_t) +corecmd_exec_bin(puppetagent_t) +corecmd_exec_shell(puppetagent_t) -corenet_all_recvfrom_netlabel(puppet_t) -corenet_tcp_sendrecv_generic_if(puppet_t) -corenet_tcp_sendrecv_generic_node(puppet_t) -corenet_tcp_bind_generic_node(puppet_t) -corenet_tcp_connect_puppet_port(puppet_t) -corenet_sendrecv_puppet_client_packets(puppet_t) +corenet_all_recvfrom_netlabel(puppetagent_t) +corenet_tcp_sendrecv_generic_if(puppetagent_t) +corenet_tcp_sendrecv_generic_node(puppetagent_t) +corenet_tcp_bind_generic_node(puppetagent_t) +corenet_tcp_connect_puppet_port(puppetagent_t) +corenet_sendrecv_puppet_client_packets(puppetagent_t) 
-dev_read_rand(puppet_t) -dev_read_sysfs(puppet_t) -dev_read_urand(puppet_t) +dev_read_rand(puppetagent_t) +dev_read_sysfs(puppetagent_t) +dev_read_urand(puppetagent_t) -domain_read_all_domains_state(puppet_t) -domain_interactive_fd(puppet_t) +domain_read_all_domains_state(puppetagent_t) +domain_interactive_fd(puppetagent_t) +domain_named_filetrans(puppetagent_t) -files_manage_config_files(puppet_t) -files_manage_config_dirs(puppet_t) -files_manage_etc_dirs(puppet_t) -files_manage_etc_files(puppet_t) -files_read_usr_symlinks(puppet_t) -files_relabel_config_dirs(puppet_t) -files_relabel_config_files(puppet_t) +files_manage_config_files(puppetagent_t) +files_manage_config_dirs(puppetagent_t) +files_manage_etc_dirs(puppetagent_t) +files_manage_etc_files(puppetagent_t) +files_read_usr_symlinks(puppetagent_t) +files_relabel_config_dirs(puppetagent_t) +files_relabel_config_files(puppetagent_t) -selinux_set_all_booleans(puppet_t) -selinux_set_generic_booleans(puppet_t) -selinux_validate_context(puppet_t) +selinux_set_all_booleans(puppetagent_t) +selinux_set_generic_booleans(puppetagent_t) +selinux_validate_context(puppetagent_t) -term_dontaudit_getattr_unallocated_ttys(puppet_t) -term_dontaudit_getattr_all_ttys(puppet_t) +term_dontaudit_getattr_unallocated_ttys(puppetagent_t) +term_dontaudit_getattr_all_ttys(puppetagent_t) -auth_use_nsswitch(puppet_t) +auth_use_nsswitch(puppetagent_t) -init_all_labeled_script_domtrans(puppet_t) -init_domtrans_script(puppet_t) -init_read_utmp(puppet_t) -init_signull_script(puppet_t) +init_all_labeled_script_domtrans(puppetagent_t) +init_domtrans_script(puppetagent_t) +init_read_utmp(puppetagent_t) +init_signull_script(puppetagent_t) -logging_send_syslog_msg(puppet_t) +logging_send_syslog_msg(puppetagent_t) -miscfiles_read_hwdata(puppet_t) +miscfiles_read_hwdata(puppetagent_t) -seutil_domtrans_setfiles(puppet_t) -seutil_domtrans_semanage(puppet_t) -seutil_read_file_contexts(puppet_t) +seutil_domtrans_setfiles(puppetagent_t) 
+seutil_domtrans_semanage(puppetagent_t) +seutil_read_file_contexts(puppetagent_t) -sysnet_run_ifconfig(puppet_t, system_r) +sysnet_run_ifconfig(puppetagent_t, system_r) -usermanage_access_check_groupadd(puppet_t) -usermanage_access_check_passwd(puppet_t) -usermanage_access_check_useradd(puppet_t) +usermanage_access_check_groupadd(puppetagent_t) +usermanage_access_check_passwd(puppetagent_t) +usermanage_access_check_useradd(puppetagent_t) -tunable_policy(`puppet_manage_all_files',` - files_manage_non_security_files(puppet_t) +tunable_policy(`puppetagent_manage_all_files',` + files_manage_non_security_files(puppetagent_t) ') optional_policy(` - cfengine_read_lib_files(puppet_t) + mysql_stream_connect(puppetagent_t) ') optional_policy(` - consoletype_exec(puppet_t) + postgresql_stream_connect(puppetagent_t) ') optional_policy(` - hostname_exec(puppet_t) + cfengine_read_lib_files(puppetagent_t) ') optional_policy(` - mount_domtrans(puppet_t) + consoletype_exec(puppetagent_t) ') optional_policy(` - mta_send_mail(puppet_t) + hostname_exec(puppetagent_t) ') optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) - portage_domtrans_gcc_config(puppet_t) + mount_domtrans(puppetagent_t) ') optional_policy(` - files_rw_var_files(puppet_t) - - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) -') - -optional_policy(` - unconfined_domain(puppet_t) -') - -optional_policy(` - auth_filetrans_named_content(puppet_t) -') - -optional_policy(` - alsa_filetrans_named_content(puppet_t) -') - -optional_policy(` - bootloader_filetrans_config(puppet_t) -') - -optional_policy(` - devicekit_filetrans_named_content(puppet_t) -') - -optional_policy(` - dnsmasq_filetrans_named_content(puppet_t) -') - -optional_policy(` - kerberos_filetrans_named_content(puppet_t) -') - -optional_policy(` - libs_filetrans_named_content(puppet_t) -') - -optional_policy(` - miscfiles_filetrans_named_content(puppet_t) -') - -optional_policy(` - 
mta_filetrans_named_content(puppet_t) -') - -optional_policy(` - modules_filetrans_named_content(puppet_t) -') - -optional_policy(` - networkmanager_filetrans_named_content(puppet_t) -') - -optional_policy(` - nx_filetrans_named_content(puppet_t) -') - -optional_policy(` - postfix_filetrans_named_content(puppet_t) -') - -optional_policy(` - openshift_initrc_domtrans(puppet_t) + mta_send_mail(puppetagent_t) ') optional_policy(` - quota_filetrans_named_content(puppet_t) + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) ') optional_policy(` - sysnet_filetrans_named_content(puppet_t) -') + files_rw_var_files(puppetagent_t) -optional_policy(` - virt_filetrans_home_content(puppet_t) + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ') optional_policy(` - ssh_filetrans_admin_home_content(puppet_t) + unconfined_domain_noaudit(puppetagent_t) ') ######################################## diff --git a/quantum.te b/quantum.te index 52bad99..156e9af 100644 --- a/quantum.te +++ b/quantum.te 
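Review bot: Replacing `unconfined_domain(puppet_t)` with `unconfined_domain_noaudit(puppetagent_t)` keeps the agent effectively unconfined whenever the unconfined module is loaded (every enumerated grant above it is then redundant) and additionally suppresses the audit records, so a compromised or misbehaving agent leaves no AVC trail either; that single line decides the module's security value and should carry an explicit comment with its rationale and an exit condition rather than ride along in the mass rename, or be gated behind a tunable. The hunk also collapses the many `*_filetrans_named_content(puppet_t)` blocks into `domain_named_filetrans(puppetagent_t)` and adds `mysql_stream_connect`/`postgresql_stream_connect` for the agent; a one-line comment above those two optional_policy blocks saying why a configuration agent talks to local database sockets (puppet storeconfigs, presumably) would help later tightening. This hunk begins several collapsed lines earlier than this anchor, at the start of the puppet personal policy section.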
@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t) # Local policy # -allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; -allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + allow neutron_t self:fifo_file rw_fifo_file_perms; allow neutron_t self:key manage_key_perms; allow neutron_t self:tcp_socket { accept listen }; allow neutron_t self:unix_stream_socket { accept listen }; allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; +allow neutron_t self:packet_socket create_socket_perms; manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) @@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) logging_log_filetrans(neutron_t, neutron_log_t, dir) manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -files_tmp_filetrans(neutron_t, neutron_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) can_exec(neutron_t, neutron_tmp_t) -kernel_read_kernel_sysctls(neutron_t) kernel_read_system_state(neutron_t) kernel_read_network_state(neutron_t) kernel_request_load_module(neutron_t) +kernel_rw_kernel_sysctl(neutron_t) +kernel_rw_net_sysctls(neutron_t) corecmd_exec_shell(neutron_t) corecmd_exec_bin(neutron_t) 
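Review bot: `kernel_rw_kernel_sysctl(neutron_t)` replaces the read-only `kernel_read_kernel_sysctls` and, together with `kernel_rw_net_sysctls`, lets neutron write kernel sysctls outside the net subtree; if the denials behind this were only `net.*` toggles (ip_forward, rp_filter), keeping `kernel_read_kernel_sysctls(neutron_t)` and adding just `kernel_rw_net_sysctls(neutron_t)` would be the tighter grant — hedged, since the triggering AVC is not in the diff. The widened capability set also has a formatting slip, `net_raw net_bind_service};` lacks the space before `}` that every other permission set in the file uses. `rawip_socket`/`packet_socket` plus `sys_admin`/`net_admin`/`dac_override` is a large surface for one domain; a comment naming which neutron agents need each (dhcp, l3, openvswitch) would make it possible to split the domain later.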
@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t) corenet_tcp_connect_keystone_port(neutron_t) corenet_tcp_connect_amqp_port(neutron_t) corenet_tcp_connect_mysqld_port(neutron_t) +corenet_tcp_connect_osapi_compute_port(neutron_t) +domain_read_all_domains_state(neutron_t) domain_named_filetrans(neutron_t) dev_read_sysfs(neutron_t) @@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t) files_mounton_non_security(neutron_t) +fs_getattr_all_fs(neutron_t) + auth_use_nsswitch(neutron_t) libs_exec_ldconfig(neutron_t) @@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t) logging_send_audit_msgs(neutron_t) logging_send_syslog_msg(neutron_t) +netutils_exec(neutron_t) + +# need to stay in neutron sysnet_exec_ifconfig(neutron_t) sysnet_manage_ifconfig_run(neutron_t) sysnet_filetrans_named_content_ifconfig(neutron_t) @@ -109,16 +123,19 @@ optional_policy(` ') optional_policy(` + modutils_domtrans_insmod(neutron_t) +') + +optional_policy(` mysql_stream_connect(neutron_t) + mysql_read_db_lnk_files(neutron_t) mysql_read_config(neutron_t) - mysql_tcp_connect(neutron_t) ') optional_policy(` postgresql_stream_connect(neutron_t) postgresql_unpriv_client(neutron_t) - postgresql_tcp_connect(neutron_t) ') @@ -129,4 +146,8 @@ optional_policy(` optional_policy(` sudo_exec(neutron_t) +') + +optional_policy(` + udev_domtrans(neutron_t) ') diff --git a/rabbitmq.te b/rabbitmq.te index 7d5630f..9fb98a1 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -87,6 +87,7 @@ corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +corenet_tcp_connect_http_port(rabbitmq_beam_t) domain_read_all_domains_state(rabbitmq_beam_t) 
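Review bot: The comment `# need to stay in neutron` above `sysnet_exec_ifconfig(neutron_t)` does not say what stays where; it reads as a reminder that ip/ifconfig are executed in neutron_t itself instead of via `sysnet_domtrans_ifconfig`, so spell that out: `# exec ip/ifconfig in neutron_t (no domain transition) so netns/fd state stays with neutron — confirm`. `modutils_domtrans_insmod(neutron_t)` and `udev_domtrans(neutron_t)` let the service load kernel modules and drive udev, which is close to root-equivalent; since neutron_t already has `kernel_request_load_module` in the earlier hunk's context, check whether the explicit insmod transition is still needed and, if it is, say which module. Removing `mysql_tcp_connect`/`postgresql_tcp_connect` while the `corenet_tcp_connect_mysqld_port(neutron_t)` context line remains presumably leaves the TCP path open through the corenet rule, so the removal tightens nothing by itself.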
@@ -127,7 +128,7 @@ allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; -allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; +allow rabbitmq_epmd_t rabbitmq_var_log_t:file manage_file_perms; manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) diff --git a/rhcs.te b/rhcs.te index 4fd3b77..503838b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -593,6 +593,7 @@ logging_send_syslog_msg(groupd_t) allow haproxy_t self:capability { dac_override kill }; allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; +allow haproxy_t self:capability2 block_suspend; allow haproxy_t self:process { fork setrlimit signal_perms }; allow haproxy_t self:fifo_file rw_fifo_file_perms; allow haproxy_t self:unix_stream_socket create_stream_socket_perms; diff --git a/rhsmcertd.te b/rhsmcertd.te index d193f7a..87038e7 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -53,6 +53,7 @@ kernel_read_system_state(rhsmcertd_t) kernel_read_sysctl(rhsmcertd_t) corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_cache_port(rhsmcertd_t) corenet_tcp_connect_squid_port(rhsmcertd_t) corecmd_exec_bin(rhsmcertd_t) diff --git a/rsync.te b/rsync.te index d7db2d9..7a6ca6c 100644 --- a/rsync.te +++ b/rsync.te @@ -170,4 +170,6 @@ auth_can_read_shadow_passwords(rsync_t) optional_policy(` swift_manage_data_files(rsync_t) + swift_manage_lock(rsync_t) + swift_filetrans_named_lock(rsync_t) ') diff --git a/sandbox.if b/sandbox.if index 89bc443..a2cb772 100644 --- a/sandbox.if +++ b/sandbox.if 
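Review bot: Widening `rabbitmq_epmd_t` on `rabbitmq_var_log_t:file` from `append_file_perms` to `manage_file_perms` lets the port mapper truncate, unlink and rename its log files rather than only append; if the denial that motivated this was a create or rename during log rotation, `create_file_perms` or `rw_file_perms` (or a `logging_log_filetrans`) would be a narrower fix, and an append-only log is worth keeping for a network-facing daemon. The haproxy `capability2 block_suspend` grant in rhcs.te is plausible but undocumented; typically it comes from epoll with EPOLLWAKEUP, so `# block_suspend: epoll EPOLLWAKEUP — confirm` would save the next reader a search. The rhsmcertd and rsync additions are read-side or lock-file grants and need no further comment.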
@@ -22,14 +22,42 @@ interface(`sandbox_transition',` attribute sandbox_domain; ') - allow $1 sandbox_domain:process transition; - dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; - role $2 types sandbox_domain; - allow sandbox_domain $1:process { sigchld signull }; - allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; - dontaudit sandbox_domain $1:process signal; - dontaudit sandbox_domain $1:key { link read search view }; - dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; + sandbox_dyntransition($1) #885288 + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + + role $2 types sandbox_domain; + + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + + dontaudit sandbox_domain $1:process signal; + dontaudit sandbox_domain $1:key { link read search view }; + dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; +') + +######################################## +##

+## Execute sandbox in the sandbox domain, and +## allow the specified role the sandbox domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the sandbox domain. +## +## +# +interface(`sandbox_dyntransition',` + gen_require(` + attribute sandbox_domain; + ') + + allow $1 sandbox_domain:process dyntransition; ') ######################################## diff --git a/sandboxX.if b/sandboxX.if index 3258f45..03bdcef 100644 --- a/sandboxX.if +++ b/sandboxX.if @@ -26,6 +26,7 @@ interface(`sandbox_x_transition',` ') allow $1 sandbox_x_domain:process { signal_perms transition }; + allow $1 sandbox_x_domain:process dyntransition; dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; allow sandbox_x_domain $1:process { sigchld signull }; allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; diff --git a/sblim.if b/sblim.if index d4aa009..562666e 100644 --- a/sblim.if +++ b/sblim.if 
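Review bot: The header of the new `sandbox_dyntransition` interface says it executes sandbox in the sandbox domain and documents a second `role` parameter, but the body takes only `$1` and grants `allow $1 sandbox_domain:process dyntransition;` — no exec, no role binding; the header should read `## Allow the specified domain to dynamically transition (setcon) into the sandbox domain.` with the role paramblock removed. A dyntransition is a weaker boundary than an exec-based transition because the process keeps its memory, open fds and environment across the context switch, so the call site `sandbox_dyntransition($1) #885288` in `sandbox_transition` (and the parallel `dyntransition` line added to `sandbox_x_transition`) deserves a comment naming the caller that uses setcon() instead of exec, e.g. `# <caller> switches context with setcon(); see bug 885288 — confirm`, rather than a bare bug number. The re-indentation of the rest of `sandbox_transition` is whitespace only and is fine.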
@@ -86,6 +86,84 @@ interface(`sblim_filetrans_named_content',` ######################################## ## +## Connect to sblim_sfcb over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`sblim_stream_connect_sfcbd',` + gen_require(` + type sblim_sfcb_t, sblim_var_lib_t; + type sblim_tmp_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) + stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t) +') + +####################################### +## +## Getattr on sblim executable. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`sblim_getattr_exec_sfcbd',` + gen_require(` + type sblim_sfcbd_exec_t; + ') + + allow $1 sblim_sfcbd_exec_t:file getattr; +') + + +######################################## +## +## Connect to sblim_sfcb over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`sblim_stream_connect_sfcb',` + gen_require(` + type sblim_sfcb_t, sblim_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t) +') + +####################################### +## +## Allow read and write access to sblim semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`sblim_rw_semaphores_sfcbd',` + gen_require(` + type sblim_sfcbd_t; + ') + + allow $1 sblim_sfcbd_t:sem rw_sem_perms; +') + + +######################################## +## ## All of the rules required to administrate ## an gatherd environment ## diff --git a/sblim.te b/sblim.te index 20f5040..21c15bb 100644 --- a/sblim.te +++ b/sblim.te 
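Review bot: In `sblim_stream_connect_sfcbd`, the second call `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)` passes the file type `sblim_tmp_t` as the fourth (server-domain) argument, so the expanded `allow $1 sblim_tmp_t:unix_stream_socket connectto;` names a file type as the socket peer and can never match the daemon; it should be `stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_sfcbd_t)` or whichever domain type the daemon actually runs as. The hunk uses both `sblim_sfcb_t` (in the two stream interfaces' `gen_require`) and `sblim_sfcbd_t` (in `sblim_rw_semaphores_sfcbd` and in sblim.te), and if `sblim_sfcb_t` is not a declared type the `gen_require` fails and the whole optional_policy block that calls these interfaces from openwsman.te is silently dropped. `sblim_getattr_exec_sfcbd`'s header says `Domain allowed to transition.` although the body only grants `getattr` on the executable; use `## Domain allowed access.` like the neighbouring interfaces. `sblim_stream_connect_sfcb` duplicates the first half of `sblim_stream_connect_sfcbd`; one should call the other or be dropped.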
@@ -157,9 +157,19 @@ auth_use_nsswitch(sblim_sfcbd_t) corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t) corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) +corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t) + +corecmd_exec_shell(sblim_sfcbd_t) +corecmd_exec_bin(sblim_sfcbd_t) dev_read_rand(sblim_sfcbd_t) dev_read_urand(sblim_sfcbd_t) domain_read_all_domains_state(sblim_sfcbd_t) domain_use_interactive_fds(sblim_sfcbd_t) + +optional_policy(` + rpm_exec(sblim_sfcbd_t) + rpm_dontaudit_manage_db(sblim_sfcbd_t) +') diff --git a/sensord.fc b/sensord.fc index 97926d2..9be989a 100644 --- a/sensord.fc +++ b/sensord.fc @@ -4,6 +4,6 @@ /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) -/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) +/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0) /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/slocate.te b/slocate.te index 8417705..669d253 100644 --- a/slocate.te +++ b/slocate.te @@ -61,3 +61,8 @@ ifdef(`enable_mls',` optional_policy(` cron_system_entry(locate_t, locate_exec_t) ') + +optional_policy(` + mock_getattr_lib(locate_t) +') + diff --git a/snapper.fc b/snapper.fc index 660fcd2..d1d72f2 100644 --- a/snapper.fc +++ b/snapper.fc @@ -6,3 +6,5 @@ HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0) /etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) + +/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/spamassassin.te b/spamassassin.te index 32f670e..e8531d9 100644 --- a/spamassassin.te +++ b/spamassassin.te 
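Review bot: Two file-context regexes in this group are looser than they look: `/var/log/sensor.*` in sensord.fc replaces `/var/log/sensord\.rrd --` with an unescaped `.` and no file-type qualifier, so it labels any path starting with `/var/log/sensor` followed by any character, directories included, and `/mnt/(.*/)?.snapshots(/.*)?` in snapper.fc also has an unescaped `.` before `snapshots`, unlike the `HOME_DIR/\.snapshots` line immediately above it in context. Presumably `/var/log/sensord.*` and `/mnt/(.*/)?\.snapshots(/.*)?` were meant; as written the snapper rule also matches a path such as `/mnt/foo/xsnapshots`. In sblim.te, `corecmd_exec_shell`/`corecmd_exec_bin` plus `rpm_exec` turn sfcbd into a general-purpose execution point, and `rpm_dontaudit_manage_db` hides RPM-database write attempts an operator would normally want to see; a comment naming the provider that needs to spawn shells would make later tightening possible.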
@@ -275,12 +275,17 @@ manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) userdom_append_user_home_content_files(spamc_t) +spamassassin_filetrans_home_content(spamc_t) +spamassassin_filetrans_admin_home_content(spamc_t) # for /root/.pyzor allow spamc_t self:capability dac_override; list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t) +list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t) + # Allow connecting to a local spamd allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; diff --git a/sssd.te b/sssd.te index fb39837..eb8bb88 100644 --- a/sssd.te +++ b/sssd.te @@ -68,6 +68,7 @@ kernel_request_load_module(sssd_t) corenet_udp_bind_generic_port(sssd_t) corenet_dontaudit_udp_bind_all_ports(sssd_t) corenet_tcp_connect_kerberos_password_port(sssd_t) +corenet_tcp_connect_smbd_port(sssd_t) corecmd_exec_bin(sssd_t) diff --git a/stapserver.te b/stapserver.te index e472397..6aeecac 100644 --- a/stapserver.te +++ b/stapserver.te @@ -72,6 +72,7 @@ files_list_tmp(stapserver_t) files_search_kernel_modules(stapserver_t) fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) auth_use_nsswitch(stapserver_t) diff --git a/swift.fc b/swift.fc index 744f0ce..b07d112 100644 --- a/swift.fc +++ b/swift.fc 
@@ -15,8 +15,11 @@ /usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) /usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0) + /usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) +/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0) /var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) /var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) diff --git a/swift.if b/swift.if index df82c36..6a1f575 100644 --- a/swift.if +++ b/swift.if @@ -59,6 +59,43 @@ interface(`swift_manage_data_files',` manage_dirs_pattern($1, swift_data_t, swift_data_t) ') +##################################### +## +## Read and write swift lock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`swift_manage_lock',` + gen_require(` + type swift_lock_t; + ') + + files_search_locks($1) + manage_files_pattern($1, swift_lock_t, swift_lock_t) +') + +####################################### +## +## Transition content labels to swift named content +## +## +## +## Domain allowed access. +## +## +# +interface(`swift_filetrans_named_lock',` + gen_require(` + type swift_lock_t; + ') + + files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock") +') + ######################################## ## ## Execute swift server in the swift domain. diff --git a/swift.te b/swift.te index 7bef550..7fce837 100644 --- a/swift.te +++ b/swift.te @@ -9,8 +9,14 @@ type swift_t; type swift_exec_t; init_daemon_domain(swift_t, swift_exec_t) +type swift_lock_t; +files_lock_file(swift_lock_t) + type swift_tmp_t; -files_tmpfs_file(swift_tmp_t) +files_tmp_file(swift_tmp_t) + +type swift_tmpfs_t; +files_tmpfs_file(swift_tmpfs_t) type swift_var_cache_t; files_type(swift_var_cache_t) 
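Review bot: `swift_manage_lock`'s header says `Read and write swift lock files`, but `manage_files_pattern` also grants create, unlink, rename and setattr on `swift_lock_t`; either narrow the body to `rw_files_pattern($1, swift_lock_t, swift_lock_t)` or change the header to `## Create, read, write, and delete swift lock files.` — the caller in rsync.te pairs it with `swift_filetrans_named_lock`, so the latter is probably what is wanted. In swift.fc, `/var/lock/swift.*` carries no `--` qualifier while the neighbouring `swift_var_cache_t`/`swift_var_run_t` lines do; since the swift.te hunk adds a `{ dir file }` lock filetrans this may be deliberate, and a trailing comment saying so would stop it being "fixed" later. The `swift_filetrans_named_lock` header `Transition content labels to swift named content` should name the file it covers, e.g. `## Create swift_server.lock in the lock directory as swift_lock_t.`.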
@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms; allow swift_t self:unix_stream_socket create_stream_socket_perms; allow swift_t self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t) +manage_files_pattern(swift_t, swift_lock_t, swift_lock_t) +files_lock_filetrans(swift_t, swift_lock_t, { dir file }) + manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) +manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) +manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t) +fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file }) + manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) @@ -59,7 +73,12 @@ kernel_dgram_send(swift_t) kernel_read_system_state(swift_t) kernel_read_network_state(swift_t) +# bug in swift +corenet_tcp_bind_xserver_port(swift_t) +corenet_tcp_bind_http_cache_port(swift_t) + corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) dev_read_urand(swift_t) @@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t) files_dontaudit_search_home(swift_t) +fs_getattr_all_fs(swift_t) + auth_use_nsswitch(swift_t) libs_exec_ldconfig(swift_t) @@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t) optional_policy(` rpm_exec(swift_t) + rpm_dontaudit_manage_db(swift_t) ') diff --git a/tgtd.te b/tgtd.te index 60f4ce9..704a0e2 100644 --- a/tgtd.te +++ b/tgtd.te @@ -56,6 +56,7 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) +kernel_read_network_state(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) corenet_tcp_sendrecv_generic_if(tgtd_t) diff --git a/ulogd.te b/ulogd.te index bd23e7f..022c367 100644 --- a/ulogd.te +++ b/ulogd.te 
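Review bot: The comment `# bug in swift` above `corenet_tcp_bind_xserver_port(swift_t)` / `corenet_tcp_bind_http_cache_port(swift_t)` does not say what the bug is or when the grant can go; it reads as the swift services' default listening ports (object/container/account on 6000-6002, proxy on 8080) falling inside `xserver_port_t` and `http_cache_port_t`, so say that with an exit condition: `# swift's default ports (6000-6002, 8080) fall in xserver_port_t / http_cache_port_t; drop once a dedicated swift port type exists — confirm port numbers`. Letting a storage daemon bind the X server port range is a genuine cross-service exposure and should not stay unexplained. `corecmd_exec_bin(swift_t)` and `rpm_dontaudit_manage_db(swift_t)` are also added without a word; the latter hides RPM-database write attempts, which is exactly the denial an operator would want to see from a storage service.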
@@ -44,7 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - +kernel_request_load_module(ulogd_t) sysnet_dns_name_resolve(ulogd_t) diff --git a/virt.te b/virt.te index 57af4d0..1df2084 100644 --- a/virt.te +++ b/virt.te @@ -522,7 +522,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` - fs_manage_nfs_files(virtd_t) + fs_manage_cifs_dirs(virtd_t) fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') @@ -1168,6 +1168,7 @@ allow svirt_sandbox_domain self:msgq create_msgq_perms; allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; tunable_policy(`deny_ptrace',`',` allow svirt_sandbox_domain self:process ptrace; @@ -1256,11 +1257,16 @@ optional_policy(` docker_manage_lib_files(svirt_lxc_net_t) docker_manage_lib_dirs(svirt_lxc_net_t) docker_read_share_files(svirt_sandbox_domain) + docker_exec_lib(svirt_sandbox_domain) docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) docker_use_ptys(svirt_sandbox_domain) ') optional_policy(` + gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ') @@ -1283,8 +1289,8 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` - fs_manage_nfs_files(svirt_sandbox_domain) fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) fs_read_cifs_symlinks(svirt_sandbox_domain) ') @@ -1671,5 +1677,3 @@ optional_policy(` optional_policy(` systemd_dbus_chat_logind(sandbox_net_domain) ') - - diff --git a/zabbix.te b/zabbix.te index 614e66c..551c4e9 100644 --- a/zabbix.te +++ b/zabbix.te 
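Review bot: `kernel_request_load_module(ulogd_t)` replaces the blank line after `logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)` instead of sitting with the other kernel-layer calls of the file, and it carries no comment on why a logging daemon needs to trigger kernel module autoloading (`system:module_request`). Presumably ulogd needs it when its nfnetlink/ULOG input plugins open their sockets before the netfilter logging modules are loaded — confirm against the AVC that prompted the change and record it, e.g. `# ulogd opens nfnetlink sockets; the kernel may autoload the netfilter logging modules`. Keep a separating blank line so `sysnet_dns_name_resolve(ulogd_t)` is not visually grouped with a kernel-layer rule.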
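Review bot: `docker_exec_lib(svirt_sandbox_domain)` in the virt.te hunk at -1256 gives every sandbox domain execute access to files carrying docker's lib type (presumably `docker_var_lib_t` — confirm in docker.if), not just to its own `svirt_sandbox_file_t` content, which is broader than the neighbouring `docker_read_share_files` and `docker_lib_filetrans` grants. A comment naming the binary or path that needs this would make the scope reviewable, e.g. `# containers execute helper binaries docker places under its lib dir — TODO confirm path`. If only one specific helper is executed, a dedicated exec type for it would be tighter than exec on the whole lib type.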
@@ -125,9 +125,9 @@ zabbix_agent_tcp_connect(zabbix_t) logging_send_syslog_msg(zabbix_t) tunable_policy(`zabbix_can_network',` - corenet_sendrecv_all_client_packets(zabbix_t) - corenet_tcp_connect_all_ports(zabbix_t) - corenet_tcp_sendrecv_all_ports(zabbix_t) + corenet_sendrecv_all_client_packets(zabbix_domain) + corenet_tcp_connect_all_ports(zabbix_domain) + corenet_tcp_sendrecv_all_ports(zabbix_domain) ') optional_policy(`
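Review bot: Switching the three `corenet_*_all_*` calls inside the `zabbix_can_network` tunable block from `zabbix_t` to the `zabbix_domain` attribute extends connect-to-any-TCP-port to every domain carrying the attribute when the boolean is on (presumably the agent as well as the server — confirm which types are assigned `zabbix_domain`). The boolean's description, defined outside this hunk, should be updated to say it now covers all zabbix domains rather than the server alone, so an administrator enabling it knows the agent's network reach changes too. A one-line comment in the block, `# applies to every zabbix_domain type, not only the server`, would make that visible at the rules themselves.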
