diff --git a/policy/mls b/policy/mls
index 9e0c245..53c2f8c 100644
--- a/policy/mls
+++ b/policy/mls
@@ -177,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
 (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread ));
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index aa51ab2..2e75ec7 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -126,3 +126,22 @@ interface(`sudo_exec',`
 can_exec($1, sudo_exec_t)
 ')
+
+######################################
+##
+## Allow to manage sudo database in called domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sudo_manage_db',`
+ gen_require(`
+ type sudo_db_t;
+ ')
+
+ manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1, sudo_db_t, sudo_db_t)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 9a8ff3e..423b99a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
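Review bot: Dropping `accept` from the socket "read" constraint leaves that operation with no MLS dominance check anywhere in this hunk, so a process would be able to accept a connection on a listening socket whose low level it does not dominate. The commit should state where `accept` is now checked, or keep it in this set; if another hunk outside this view moves it to a different constraint, a one-line comment above the constraint saying so would stop the next reader from re-adding it here. The constraint block continues outside the hunk.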
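Review bot: `sudo_manage_db` requires `sudo_db_t`, but nothing in this diff declares that type, so the new interface only builds if `sudo_db_t` already exists in sudo.te; worth confirming before merge. The summary is also vague about what is granted — the body gives full create/delete/rename rights over the directories and files — so suggest `## Create, read, write, and delete the sudo database directories and files.` in place of `## Allow to manage sudo database in called domain.`.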
@@ -61,6 +61,8 @@ ifdef(`distro_redhat',`
 /etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)
+
 /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
@@ -482,6 +484,9 @@ ifdef(`distro_suse', `
 /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
 ')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 75c7b9d..6842334 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1685,6 +1685,25 @@ interface(`fs_cifs_entry_type',`
 domain_entry_file($1, cifs_t)
 ')
+########################################
+##
+## Make general progams in CIFS an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which cifs_t is an entrypoint.
+##
+##
+#
+interface(`fs_cifs_entrypoint',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file entrypoint;
+')
+
 #######################################
 ##
 ## Create, read, write, and delete dirs
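Review bot: Labelling `/var/lib/glusterd/hooks/.*/.*\.sh` and `.*\.py` as `bin_t` places executable-labelled files inside a daemon state tree that, judging by the `glusterd_manage_lib_files` call added to ssh.te in this same diff, other domains are allowed to write; a dedicated exec type owned by the glusterd module would keep those hook scripts confined to the domains meant to run them, whereas `bin_t` is executable by almost everything. If `bin_t` is the intended choice, a comment above the two entries recording why would help the next reviewer. The `/etc/ctdb/events\.d/.*` entry in the first hunk raises the same question to a lesser degree, since /etc is not daemon-managed.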
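Review bot: `fs_cifs_entrypoint` makes every file on any mounted CIFS share a valid entrypoint for `$1`, because `cifs_t` is the label of the whole filesystem rather than of specific programs; the description should say this plainly, e.g. `## Allow any file on a CIFS filesystem to be an entrypoint for the specified domain. Use only for domains that must be entered from network-mounted programs.`. The same wording, and the typo `progams` → `programs`, apply to `fs_fusefs_entrypoint` and `fs_nfs_entrypoint` in the later hunks of this file.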
@@ -2326,6 +2345,44 @@ interface(`fs_exec_fusefs_files',`
 ########################################
 ##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which fusefs_t is an entrypoint.
+##
+##
+#
+interface(`fs_fusefs_entry_type',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ domain_entry_file($1, fusefs_t)
+')
+
+########################################
+##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which fusefs_t is an entrypoint.
+##
+##
+#
+interface(`fs_fusefs_entrypoint',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:file entrypoint;
+')
+
+########################################
+##
 ## Create, read, write, and delete files
 ## on a FUSEFS filesystem.
 ##
@@ -3049,6 +3106,25 @@ interface(`fs_nfs_entry_type',`
 ########################################
 ##
+## Make general progams in NFS an entrypoint for
+## the specified domain.
+##
+##
+##
+## The domain for which nfs_t is an entrypoint.
+##
+##
+#
+interface(`fs_nfs_entrypoint',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file entrypoint;
+')
+
+########################################
+##
 ## Append files
 ## on a NFS filesystem.
 ##
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 947af6c..59fe535 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -12,6 +12,8 @@
 /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
 /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
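Review bot: `fs_fusefs_entry_type` carries a word-for-word copy of the `fs_fusefs_entrypoint` description, yet it calls `domain_entry_file` (which in refpolicy also grants the read/execute permissions needed to actually run the file, not just `entrypoint`), so the two interfaces read as duplicates while granting different things. Suggest `## Make general programs in FUSEFS an entrypoint and executable for the specified domain.` for the first and keeping the bare `entrypoint` wording for the second, mirroring the existing `fs_cifs_entry_type`/`fs_nfs_entry_type` pairs visible in the other hunk headers.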
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2ef9dc6..7e306f4 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -56,6 +56,7 @@ ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 mls_trusted_object(sshd_t)
 mls_process_write_all_levels(sshd_t)
+mls_dbus_send_all_levels(sshd_t)
 type sshd_initrc_exec_t;
 init_script_file(sshd_initrc_exec_t)
@@ -512,6 +513,10 @@ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 userdom_use_user_terminals(ssh_keygen_t)
 optional_policy(`
+ glusterd_manage_lib_files(ssh_keygen_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index b88e8a2..b13579d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2602,7 +2602,7 @@ interface(`init_rw_tcp_sockets',`
 type init_t;
 ')
- allow $1 init_t:tcp_socket { read write };
+ allow $1 init_t:tcp_socket { read write getattr getopt setopt };
 ')
 ########################################
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 12c7fa6..0cd667e 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -541,3 +541,22 @@ interface(`ipsec_mgmt_systemctl',`
 ps_process_pattern($1, ipsec_mgmt_t)
 ')
+
+########################################
+##
+## Do not audit attempts to write the ipsec
+## log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ipsec_dontaudit_write_log',`
+ gen_require(`
+ type ipsec_log_t;
+ ')
+
+ dontaudit $1 ipsec_log_t:file rw_inherited_file_perms;
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f0ed532..4080213 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
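Review bot: `glusterd_manage_lib_files(ssh_keygen_t)` gives a key generator create/delete/rename rights over the whole glusterd lib tree; if ssh-keygen only has to write a key file there, a narrower create- or write-level interface from the glusterd module would bound what a misbehaving ssh-keygen could do to glusterd's state. A short comment above the call explaining why ssh-keygen touches glusterd's data at all would also help, since the link is not apparent from the hunk (the reason is presumably glusterd invoking ssh-keygen, but that should be confirmed against the actual call site).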
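Review bot: Adding `setopt` to `init_rw_tcp_sockets` lets the caller change options on init's inherited TCP sockets, which is more than the "rw" in the name promises, and userdomain.if in this same diff hands this interface to every user domain under MLS, so the widening reaches well beyond init's own helpers. Either keep `allow $1 init_t:tcp_socket { read write getattr getopt };` here and expose `setopt` through a separately named interface, or update the interface summary to state that socket options may be set. The interface's doc header lies outside the hunk.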
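Review bot: `ipsec_dontaudit_write_log` is named and documented as a write dontaudit, but `rw_inherited_file_perms` also silences read denials on `ipsec_log_t`, so a caller that later reads the log by mistake leaves no trace in the audit log. If read denials should stay visible, use `dontaudit $1 ipsec_log_t:file { getattr write append ioctl lock };`; otherwise change the summary to `## Do not audit attempts to read or write inherited ipsec log file descriptors.` so the interface's name and description agree with what it hides.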
@@ -139,6 +139,10 @@ optional_policy(`
 ')
 optional_policy(`
+ ctdbd_read_lib_files(iptables_t)
+')
+
+optional_policy(`
 neutron_rw_inherited_pipes(iptables_t)
 neutron_sigchld(iptables_t)
 ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 077c808..a9691cb 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -20,6 +20,14 @@ gen_tunable(logging_syslogd_can_sendmail, false)
 ##
 gen_tunable(logging_syslogd_use_tty, true)
+##
+##

+## Allow syslogd the ability to call nagios plugins. It is
+## turned on by omprog rsyslog plugin.
+##

+##
+gen_tunable(logging_syslogd_run_nagios_plugins, false)
+
 attribute logfile;
 type auditctl_t;
@@ -505,6 +513,12 @@ tunable_policy(`logging_syslogd_can_sendmail',`
 corenet_tcp_connect_smtp_port(syslogd_t)
 ')
+optional_policy(`
+ tunable_policy(`logging_syslogd_run_nagios_plugins',`
+ nagios_domtrans_unconfined_plugins(syslogd_t)
+ ')
+')
+
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
 dev_read_rand(syslogd_t)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index ca1b2bc..b3417f5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -447,6 +447,7 @@ optional_policy(`
 optional_policy(`
 ipsec_write_pid(ifconfig_t)
 ipsec_setcontext_default_spd(ifconfig_t)
+ ipsec_dontaudit_write_log(ifconfig_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index db531dc..7c2a68e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -96,6 +96,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 mls_file_read_all_levels(systemd_logind_t)
 mls_file_write_all_levels(systemd_logind_t)
+mls_dbus_send_all_levels(systemd_logind_t)
 files_delete_tmpfs_files(systemd_logind_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 05274ae..29b37bc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -169,6 +169,7 @@ template(`userdom_base_user_template',`
 optional_policy(`
 ssh_rw_stream_sockets($1_usertype)
+ ssh_rw_dgram_sockets($1_usertype)
 ssh_delete_tmp($1_t)
 ssh_signal($1_t)
 ')
@@ -718,8 +719,8 @@ template(`userdom_common_user_template',`
 application_getattr_socket($1_usertype)
- ifdef(`enabled_mls',`
- init_rw_tcp_sockets($1_usertype)
+ ifdef(`enable_mls',`
+ init_rw_tcp_sockets($1_t)
 ')
 logging_send_syslog_msg($1_t)
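Review bot: `nagios_domtrans_unconfined_plugins(syslogd_t)` lets the syslog daemon transition into the unconfined nagios plugin domain, as the interface name indicates, so enabling the tunable effectively lets log-triggered commands run outside syslogd's confinement; the tunable description in the earlier hunk of this file should say so rather than only naming the rsyslog module. Suggest replacing the two description lines with `## Allow syslogd to run nagios plugins through the rsyslog omprog module. The plugins run in the unconfined nagios plugin domain, so enable this only when the configured commands are trusted.`. The current sentence `It is turned on by omprog rsyslog plugin` is also misleading: rsyslog does not turn the boolean on, its omprog configuration requires it.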
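Review bot: Changing `enabled_mls` to `enable_mls` reads as a typo fix, but if `enable_mls` is the define the rest of the policy tests, the old block never expanded and this hunk switches on a rule that was previously dead: every `$1_t` under MLS now receives `init_rw_tcp_sockets`, which init.if in this same diff widens to `{ read write getattr getopt setopt }`. The commit message should say this is a newly effective grant and whether `setopt` on init's sockets is intended for all user domains. The target also moves from `$1_usertype` to `$1_t`, narrowing it to the base user domain; a one-line comment above the `ifdef` giving the reason the rule exists would help, since neither the hunk nor the template name explains it.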