diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e134722..4a010e7 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1035,7 +1035,7 @@ index 7a6f06f..bf04b0a 100644 -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index cc8df9d..5e914db 100644 +index cc8df9d..34c2a4e 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -1063,7 +1063,7 @@ index cc8df9d..5e914db 100644 ######################################## ## ## Execute bootloader interactively and do -@@ -38,30 +56,21 @@ interface(`bootloader_domtrans',` +@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',` # interface(`bootloader_run',` gen_require(` 
@@ -1077,34 +1077,84 @@ index cc8df9d..5e914db 100644 + bootloader_domtrans($1) - roleattribute $2 bootloader_roles; --') ++ ++ role $2 types bootloader_t; ++ ++ ifdef(`distro_redhat',` ++ # for mke2fs ++ mount_run(bootloader_t, $2) ++ ') + ') --######################################## --## + ######################################## + ## -## Execute bootloader in the caller domain. --## --## --## --## Domain allowed access. --## --## --# ++## Read the bootloader configuration file. + ## + ## + ## +@@ -55,36 +83,37 @@ interface(`bootloader_run',` + ## + ## + # -interface(`bootloader_exec',` -- gen_require(` ++interface(`bootloader_read_config',` + gen_require(` - type bootloader_exec_t; -- ') -+ role $2 types bootloader_t; ++ type bootloader_etc_t; + ') - corecmd_search_bin($1) - can_exec($1, bootloader_exec_t) -+ ifdef(`distro_redhat',` -+ # for mke2fs -+ mount_run(bootloader_t, $2) -+ ') ++ allow $1 bootloader_etc_t:file read_file_perms; ') ######################################## -@@ -119,7 +128,7 @@ interface(`bootloader_rw_tmp_files',` + ## +-## Read the bootloader configuration file. ++## Read and write the bootloader ++## configuration file. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`bootloader_read_config',` ++interface(`bootloader_rw_config',` + gen_require(` + type bootloader_etc_t; + ') + +- allow $1 bootloader_etc_t:file read_file_perms; ++ allow $1 bootloader_etc_t:file rw_file_perms; + ') + + ######################################## + ## +-## Read and write the bootloader ++## Manage the bootloader + ## configuration file. 
+ ## + ## +@@ -94,12 +123,12 @@ interface(`bootloader_read_config',` + ## + ## + # +-interface(`bootloader_rw_config',` ++interface(`bootloader_manage_config',` + gen_require(` + type bootloader_etc_t; + ') + +- allow $1 bootloader_etc_t:file rw_file_perms; ++ manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) + ') + + ######################################## +@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',` ') files_search_tmp($1) @@ -1113,7 +1163,7 @@ index cc8df9d..5e914db 100644 ') ######################################## -@@ -141,3 +150,22 @@ interface(`bootloader_create_runtime_file',` +@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') @@ -1133,8 +1183,10 @@ index cc8df9d..5e914db 100644 + type bootloader_etc_t; + ') + ++ files_etc_filetrans($1,bootloader_etc_t,file, "grub") + files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf") + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") ++ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index e3dbbb8..f766e86 100644 @@ -2965,7 +3017,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..5be2ae6 100644 +index 644d4d7..330ed39 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
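Review bot: `mount_run(bootloader_t, $2)` inside `bootloader_run` is explained only by `# for mke2fs`, but the rule gives the caller's role the whole mount domain via bootloader_t, which is a much wider grant than running mke2fs and the comment does not say why the mount domain is the thing needed. The comment should name the actual dependency, e.g. `# distro_redhat: bootloader install transitions to mount_t (mke2fs step) — see <ticket placeholder>`, with the reference filled in from the bug that motivated it, since the reason is not visible in the hunk. Further down, the new `bootloader_manage_config` interface grants `manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)`, i.e. create and unlink of the bootloader configuration in addition to read/write; its summary "Manage the bootloader configuration file" is accurate, but existing callers of `bootloader_rw_config` should not be moved to it without a need. `bootloader_run` starts before this hunk.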
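Review bot: `files_etc_filetrans($1,bootloader_etc_t,file, "grub")` names an object with no suffix while its siblings are `lilo.conf`, `yaboot.conf` and the new `zipl.conf`, and it is declared with class `file`; if the intended target is a configuration file with a suffix or a directory rather than a regular file, either the name or the class is wrong, so confirm the path against the Red Hat layout before this lands. Separately, the two added calls copy the existing lines' missing spaces after the first commas (`$1,bootloader_etc_t,file, `), whereas the preceding hunk writes `files_boot_filetrans($1, boot_runtime_t, file)`; writing the new lines as `files_etc_filetrans($1, bootloader_etc_t, file, "zipl.conf")` keeps the file consistent. The enclosing interface begins before this hunk.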
@@ -3023,7 +3075,17 @@ index 644d4d7..5be2ae6 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,10 +143,11 @@ ifdef(`distro_debian',` +@@ -116,6 +125,9 @@ ifdef(`distro_redhat',` + + /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++ ++/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0) ++ + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) +@@ -134,10 +146,11 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3036,7 +3098,7 @@ index 644d4d7..5be2ae6 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',` +@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -3045,7 +3107,7 @@ index 644d4d7..5be2ae6 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',` +@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3053,7 +3115,7 @@ index 644d4d7..5be2ae6 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',` +@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
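Review bot: `/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0)` has no object-class field, so unlike the neighbouring `/etc/X11/xdm/GiveConsole -- gen_context(...)` entries it labels any object at that path, including a directory or symlink, as bin_t instead of only a regular file; it should read `/etc/wdmd\.d/checkquorum\.wdmd -- gen_context(system_u:object_r:bin_t,s0)`. The two added blank lines around it also leave a double blank line after the `/etc/vmware-tools` entry, where the rest of the block uses a single one. Both lines sit inside the `ifdef(`distro_redhat',` block whose start and end are outside this hunk.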
@@ -3112,7 +3174,7 @@ index 644d4d7..5be2ae6 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',` +@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3148,7 +3210,7 @@ index 644d4d7..5be2ae6 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3164,7 +3226,7 @@ index 644d4d7..5be2ae6 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3185,7 +3247,7 @@ index 644d4d7..5be2ae6 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3201,7 +3263,7 @@ index 644d4d7..5be2ae6 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +348,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3226,7 +3288,7 @@ index 644d4d7..5be2ae6 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +381,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +384,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3255,7 +3317,7 @@ index 644d4d7..5be2ae6 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +450,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +453,15 @@ ifdef(`distro_suse', ` # # /var # 
@@ -3272,7 +3334,7 @@ index 644d4d7..5be2ae6 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +468,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +471,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -10806,10 +10868,10 @@ index 148d87a..822f6be 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index cda5588..91a633a 100644 +index cda5588..3035829 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,3 +1,7 @@ +@@ -1,9 +1,13 @@ +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) @@ -10817,6 +10879,13 @@ index cda5588..91a633a 100644 /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /cgroup/.* <> + /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) + /dev/hugepages(/.*)? <> +-/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) ++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) + /dev/shm/.* <> + + /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) @@ -14,3 +18,10 @@ # for systemd systems: /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) @@ -12112,7 +12181,7 @@ index 8416beb..60b2ce1 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..6a95769 100644 +index 9e603f5..3c5f139 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); 
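Review bot: The range `s0-mls_systemhigh` on `/dev/shm -d` only relabels the directory itself; what actually lets processes at different levels share it is `mls_trusted_object(tmpfs_t)` in the filesystem.te hunk later in this patch, and that call is type-wide — every tmpfs_t object on every tmpfs mount is exempted from the MLS constraints that honour the mlstrustedobject attribute, not just `/dev/shm`. Neither hunk records the intent, so a comment above this entry such as `# /dev/shm is shared across MLS levels; tmpfs_t is made mlstrustedobject in filesystem.te` and the same pointer next to `mls_trusted_object(tmpfs_t)` would make the coupling visible to the next reader. If only `/dev/shm` is meant to be cross-level, a dedicated type for it would keep the exemption off other tmpfs mounts; the hunks do not show whether that narrower scope was considered.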
@@ -12181,15 +12250,16 @@ index 9e603f5..6a95769 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +181,7 @@ fs_type(tmpfs_t) +@@ -176,6 +181,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) +dev_associate(tmpfs_t) ++mls_trusted_object(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +261,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +262,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -12198,7 +12268,7 @@ index 9e603f5..6a95769 100644 files_mountpoint(removable_t) # -@@ -274,6 +282,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +283,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -26439,7 +26509,7 @@ index 5dfa44b..aa4d8fc 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..e96fdf3 100644 +index 73bb3c0..dbd708d 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -26599,7 +26669,7 @@ index 73bb3c0..e96fdf3 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +309,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +309,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) 
@@ -26612,6 +26682,9 @@ index 73bb3c0..e96fdf3 100644 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) ++/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++ +/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) @@ -28610,7 +28683,7 @@ index e8c59a5..ea56d23 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..d5fe55a 100644 +index 9fe8e01..06fa481 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` @@ -28641,17 +28714,23 @@ index 9fe8e01..d5fe55a 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -77,8 +74,9 @@ ifdef(`distro_redhat',` +@@ -77,7 +74,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) - + -+/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0) + /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) - /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) +@@ -90,6 +87,7 @@ ifdef(`distro_debian',` + ') + + ifdef(`distro_redhat',` ++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + ') 
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index fc28bc3..2f33076 100644 --- a/policy/modules/system/miscfiles.if @@ -35242,7 +35321,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..6c2548e 100644 +index 3c5dba7..ba7a400 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -36038,7 +36117,12 @@ index 3c5dba7..6c2548e 100644 ') optional_policy(` -@@ -646,19 +814,16 @@ template(`userdom_common_user_template',` +@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` + optional_policy(` + mpd_manage_user_data_content($1_t) + mpd_relabel_user_data_content($1_t) ++ mpd_stream_connect($1_t) + ') # for running depmod as part of the kernel packaging process optional_policy(` @@ -36062,7 +36146,7 @@ index 3c5dba7..6c2548e 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +836,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -36071,7 +36155,7 @@ index 3c5dba7..6c2548e 100644 ') optional_policy(` -@@ -680,9 +845,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -36084,7 +36168,7 @@ index 3c5dba7..6c2548e 100644 ') ') -@@ -693,32 +858,36 @@ template(`userdom_common_user_template',` +@@ -693,32 +859,36 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -36132,7 +36216,7 @@ index 3c5dba7..6c2548e 100644 ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; 
@@ -36170,7 +36254,7 @@ index 3c5dba7..6c2548e 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -36306,7 +36390,7 @@ index 3c5dba7..6c2548e 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -36319,7 +36403,7 @@ index 3c5dba7..6c2548e 100644 ############################## # # Local policy -@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -36430,7 +36514,7 @@ index 3c5dba7..6c2548e 100644 ') optional_policy(` -@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -36461,7 +36545,7 @@ index 3c5dba7..6c2548e 100644 ') ####################################### -@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -36499,7 +36583,7 @@ index 3c5dba7..6c2548e 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1308,59 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -36569,7 +36653,7 @@ index 3c5dba7..6c2548e 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1369,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -36580,7 +36664,7 @@ index 3c5dba7..6c2548e 100644 ') ') -@@ -1082,7 +1407,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36589,7 +36673,7 @@ index 3c5dba7..6c2548e 100644 ') ############################## -@@ -1109,6 +1434,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -36597,7 +36681,7 @@ index 3c5dba7..6c2548e 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1443,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36607,7 +36691,7 @@ index 3c5dba7..6c2548e 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1460,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -36615,7 +36699,7 @@ index 3c5dba7..6c2548e 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1478,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
@@ -36630,7 +36714,7 @@ index 3c5dba7..6c2548e 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1496,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -36673,7 +36757,7 @@ index 3c5dba7..6c2548e 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1537,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -36682,7 +36766,7 @@ index 3c5dba7..6c2548e 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1546,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -36701,7 +36785,7 @@ index 3c5dba7..6c2548e 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1602,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36710,7 +36794,7 @@ index 3c5dba7..6c2548e 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1616,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -36722,7 +36806,7 @@ index 3c5dba7..6c2548e 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1630,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -36765,7 +36849,7 @@ index 3c5dba7..6c2548e 100644 ') optional_policy(` -@@ -1360,14 +1715,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -36784,7 +36868,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1408,6 +1766,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -36836,7 +36920,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1915,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -36868,7 +36952,7 @@ index 3c5dba7..6c2548e 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1981,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -36883,7 +36967,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1573,9 +2004,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -36895,7 +36979,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1632,6 +2065,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -36938,7 +37022,7 @@ index 3c5dba7..6c2548e 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2180,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -36947,7 +37031,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1744,10 +2215,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -36962,7 +37046,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1772,7 +2245,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -36971,7 +37055,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -1780,19 +2253,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -36995,7 +37079,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -1800,31 +2271,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # 
@@ -37035,7 +37119,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1848,6 +2319,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -37061,7 +37145,7 @@ index 3c5dba7..6c2548e 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2368,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -37099,7 +37183,7 @@ index 3c5dba7..6c2548e 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2408,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -37117,7 +37201,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -1941,7 +2456,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -37144,7 +37228,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -1951,17 +2484,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -37165,7 +37249,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -1969,12 +2500,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -37216,7 +37300,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2010,8 +2577,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -37226,7 +37310,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2027,20 +2593,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -37251,7 +37335,7 @@ index 3c5dba7..6c2548e 100644 ######################################## ## -@@ -2123,7 +2683,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -37260,7 +37344,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2131,19 +2691,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -37284,7 +37368,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2151,12 +2709,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -37300,7 +37384,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2393,11 +2951,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -37315,7 +37399,7 @@ index 3c5dba7..6c2548e 100644 files_search_tmp($1) ') -@@ -2417,7 +2975,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -37324,7 +37408,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2664,6 +3222,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -37350,7 +37434,7 @@ index 3c5dba7..6c2548e 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3257,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -37366,7 +37450,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2707,7 +3285,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -37375,7 +37459,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2715,19 +3293,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -37398,7 +37482,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2735,25 +3311,43 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -37448,7 +37532,7 @@ index 3c5dba7..6c2548e 100644 gen_require(` type user_tty_device_t; ') -@@ -2817,6 +3411,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -37473,7 +37557,7 @@ index 3c5dba7..6c2548e 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3447,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -37516,7 +37600,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -2859,14 +3483,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -37554,7 +37638,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2885,8 +3528,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -37584,7 +37668,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -2958,69 +3620,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -37685,7 +37769,7 @@ index 3c5dba7..6c2548e 100644 ## ## ## -@@ -3028,12 +3689,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -37700,7 +37784,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -3097,7 +3758,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -37709,7 +37793,7 @@ index 3c5dba7..6c2548e 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3774,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -37743,7 +37827,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -3217,7 +3862,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -37752,7 +37836,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -3272,7 +3917,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -37818,7 +37902,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -3290,7 +3992,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -37827,7 +37911,7 @@ index 3c5dba7..6c2548e 100644 ') ######################################## -@@ -3309,6 +4011,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -37835,7 +37919,7 @@ index 3c5dba7..6c2548e 100644 kernel_search_proc($1) ') -@@ -3385,6 +4088,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -37878,7 +37962,7 @@ index 3c5dba7..6c2548e 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4144,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -37903,7 +37987,7 @@ index 3c5dba7..6c2548e 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4196,1355 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4197,1355 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0c2bc63..867dc4d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9389,7 +9389,7 @@ index 5ded72d..f6b854c 100644 domain_system_change_exemption($1) role_transition $2 ccs_initrc_exec_t system_r; diff --git a/ccs.te b/ccs.te -index b85b53b..a37eebd 100644 +index b85b53b..476aaa3 100644 --- a/ccs.te +++ b/ccs.te @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) 
@@ -9426,6 +9426,16 @@ index b85b53b..a37eebd 100644 sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) +@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',` + ') + + optional_policy(` +- aisexec_stream_connect(ccs_t) +- corosync_stream_connect(ccs_t) ++ rhcs_stream_connect_cluster(ccs_t) + ') + + optional_policy(` diff --git a/cdrecord.te b/cdrecord.te index 55fb26a..a7555c0 100644 --- a/cdrecord.te @@ -10985,18 +10995,20 @@ index b59c592..4b8cddc 100644 optional_policy(` daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) diff --git a/clogd.te b/clogd.te -index 29782b8..c614d47 100644 +index 29782b8..685edff 100644 --- a/clogd.te +++ b/clogd.te -@@ -41,8 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) +@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) logging_send_syslog_msg(clogd_t) -miscfiles_read_localization(clogd_t) - optional_policy(` - aisexec_stream_connect(clogd_t) - corosync_stream_connect(clogd_t) +- aisexec_stream_connect(clogd_t) +- corosync_stream_connect(clogd_t) ++ rhcs_stream_connect_cluster(clogd_t) + ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 index 0000000..8a40857 @@ -11584,7 +11596,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..4704562 100644 +index 6471fa8..45f1622 100644 --- a/collectd.te +++ b/collectd.te @@ -26,6 +26,9 @@ files_type(collectd_var_lib_t) 
@@ -11597,7 +11609,18 @@ index 6471fa8..4704562 100644 apache_content_template(collectd) ######################################## -@@ -57,13 +60,9 @@ dev_read_sysfs(collectd_t) +@@ -48,21 +51,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file) + + domain_use_interactive_fds(collectd_t) + +-kernel_read_network_state(collectd_t) +-kernel_read_net_sysctls(collectd_t) +-kernel_read_system_state(collectd_t) ++kernel_read_all_sysctls(collectd_t) ++kernel_read_all_proc(collectd_t) + + dev_read_rand(collectd_t) + dev_read_sysfs(collectd_t) dev_read_urand(collectd_t) files_getattr_all_dirs(collectd_t) @@ -11607,13 +11630,16 @@ index 6471fa8..4704562 100644 fs_getattr_all_fs(collectd_t) -miscfiles_read_localization(collectd_t) -- ++init_read_utmp(collectd_t) + logging_send_syslog_msg(collectd_t) - sysnet_dns_name_resolve(collectd_t) -@@ -88,3 +87,4 @@ optional_policy(` +@@ -87,4 +87,7 @@ optional_policy(` + read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) ++ ++ auth_read_passwd(httpd_collectd_script_t) ') + diff --git a/colord.fc b/colord.fc @@ -20586,7 +20612,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..9697f9d 100644 +index a7bfaf0..d16e5e8 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -20779,14 +20805,14 @@ index a7bfaf0..9697f9d 100644 -userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_use_user_terminals(dovecot_t) -- ++logging_send_syslog_msg(dovecot_t) + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) -') -+logging_send_syslog_msg(dovecot_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) 
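Review bot: `kernel_read_all_sysctls(collectd_t)` and `kernel_read_all_proc(collectd_t)` in the collectd.te hunk grant far more than the three targeted reads they replace (`kernel_read_network_state`, `kernel_read_net_sysctls`, `kernel_read_system_state`), so the monitoring daemon can now read every sysctl and every /proc entry rather than the network and system state it used before. If a specific denial motivated the widening, a why-comment above the pair naming the sysctl or /proc path collectd actually needs (`# collectd plugins read /proc/<pid>/... for per-process metrics -- TODO name the plugin`) would let a later reviewer judge whether the all-of-proc grant is still required; otherwise keep the three original interfaces and add only the one that was missing. The second collectd.te hunk on this line adds `auth_read_passwd(httpd_collectd_script_t)` to the web CGI domain with no comment either; a short note on what the script resolves would help there too.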
@@ -20836,7 +20862,7 @@ index a7bfaf0..9697f9d 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,57 @@ optional_policy(` +@@ -221,46 +213,59 @@ optional_policy(` ######################################## # @@ -20856,6 +20882,8 @@ index a7bfaf0..9697f9d 100644 +read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) + ++manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) ++ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) @@ -20904,7 +20932,7 @@ index a7bfaf0..9697f9d 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -272,14 +275,21 @@ optional_policy(` +@@ -272,14 +277,21 @@ optional_policy(` optional_policy(` postfix_manage_private_sockets(dovecot_auth_t) @@ -20927,7 +20955,7 @@ index a7bfaf0..9697f9d 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +299,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +301,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -20986,7 +21014,7 @@ index a7bfaf0..9697f9d 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +342,6 @@ optional_policy(` +@@ -326,5 +344,6 @@ optional_policy(` ') optional_policy(` @@ -22131,16 +22159,33 @@ index 0872e50..d49f5ad 100644 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) diff --git a/fcoe.te b/fcoe.te -index 79b9273..dc7e983 100644 +index 79b9273..76b7ed5 100644 
--- a/fcoe.te +++ b/fcoe.te -@@ -31,7 +31,6 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) +@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) + # Local policy + # + +-allow fcoemon_t self:capability { dac_override kill net_admin }; ++allow fcoemon_t self:capability { net_admin net_raw dac_override }; + allow fcoemon_t self:fifo_file rw_fifo_file_perms; + allow fcoemon_t self:unix_stream_socket { accept listen }; + allow fcoemon_t self:netlink_socket create_socket_perms; + allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; ++allow fcoemon_t self:packet_socket create_socket_perms; ++allow fcoemon_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) -files_read_etc_files(fcoemon_t) +- +-dev_read_sysfs(fcoemon_t) ++dev_rw_sysfs(fcoemon_t) - dev_read_sysfs(fcoemon_t) + logging_send_syslog_msg(fcoemon_t) diff --git a/fetchmail.fc b/fetchmail.fc index 2486e2a..ea07c4f 100644 @@ -29820,7 +29865,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..fb73b38 100644 +index e7f5c81..8ff6f51 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,4 +1,4 @@ @@ -29829,7 +29874,7 @@ index e7f5c81..fb73b38 100644 ######################################## # -@@ -7,61 +7,65 @@ policy_module(kdumpgui, 1.1.4) +@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4) type kdumpgui_t; type kdumpgui_exec_t; 
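Review bot: `dev_rw_sysfs(fcoemon_t)` in the fcoe.te hunk turns a read-only sysfs grant into write access to all of sysfs, and the same hunk adds `net_raw` plus `packet_socket` and `udp_socket` creation without saying why. Raw-socket access is plausible for a daemon that exchanges FCoE initialization (FIP) frames on the Ethernet interface, but that is inferred from the name rather than shown in the hunk, so a why-comment above the capability line such as `# net_raw/packet_socket: fcoemon sends FIP frames directly on the interface -- confirm against fcoemon source` and one above `dev_rw_sysfs` naming the sysfs nodes it writes would document the widening. If only a few nodes under /sys are written, check whether a narrower existing interface covers them before settling on write access to the whole tree. Dropping `kill` from the capability set is a welcome reduction and needs no comment.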
@@ -29900,19 +29945,20 @@ index e7f5c81..fb73b38 100644 init_dontaudit_read_all_script_files(kdumpgui_t) +init_access_check(kdumpgui_t) -+ + +-optional_policy(` +- bootloader_exec(kdumpgui_t) +- bootloader_rw_config(kdumpgui_t) +-') +userdom_dontaudit_search_admin_dir(kdumpgui_t) optional_policy(` - bootloader_exec(kdumpgui_t) -@@ -69,15 +73,7 @@ optional_policy(` +- consoletype_exec(kdumpgui_t) ++ bootloader_exec(kdumpgui_t) ++ bootloader_manage_config(kdumpgui_t) ') optional_policy(` -- consoletype_exec(kdumpgui_t) --') -- --optional_policy(` dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - - optional_policy(` @@ -34764,10 +34810,10 @@ index 89409eb..64ac6f0 100644 /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/milter.if b/milter.if -index cba62db..bdf319a 100644 +index cba62db..562833a 100644 --- a/milter.if +++ b/milter.if -@@ -1,47 +1,59 @@ +@@ -1,47 +1,43 @@ -## Milter mail filters. +## Milter mail filters 
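Review bot: `bootloader_manage_config(kdumpgui_t)` in the kdumpgui.te hunk replaces `bootloader_rw_config`, which extends the GUI's access to the bootloader configuration from read/write to create, delete and rename as well, and the hunk gives no reason for the step up. If kdumpgui rewrites the file through a temporary file plus rename, manage is required and a comment above the call (`# kdumpgui replaces the bootloader config via temp file + rename, so manage rather than rw`) would stop a later cleanup from narrowing it back; if it only edits in place, `bootloader_rw_config` was sufficient. Bootloader configuration is boot-integrity relevant, so the wider permission is worth the one-line justification. The rest of the kdumpgui rules continue outside this hunk.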
@@ -34811,29 +34857,13 @@ index cba62db..bdf319a 100644 - # Policy - # + # Allow communication with MTA over a unix-domain socket -+ # Note: usage with TCP sockets requires additional policy ++ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) -- manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) -+ allow $1_milter_t self:fifo_file rw_fifo_file_perms; -+ -+ # Allow communication with MTA over a TCP socket -+ allow $1_milter_t self:tcp_socket create_stream_socket_perms; -+ -+ # Allow communication with MTA over a unix-domain socket - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) ++ # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) +- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - auth_use_nsswitch($1_milter_t) -+ # Create other data files and directories in the data directory -+ manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) -+ -+ kernel_dontaudit_read_system_state($1_milter_t) -+ -+ corenet_tcp_bind_generic_node($1_milter_t) -+ corenet_tcp_bind_milter_port($1_milter_t) -+ -+ files_read_etc_files($1_milter_t) -+ -+ + logging_send_syslog_msg($1_milter_t) ') @@ -34845,7 +34875,7 @@ index cba62db..bdf319a 100644 ## ## ## -@@ -55,12 +67,13 @@ interface(`milter_stream_connect_all',` +@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',` ') files_search_pids($1) @@ -34860,7 +34890,7 @@ index cba62db..bdf319a 100644 ## ## ## -@@ -73,13 +86,31 @@ interface(`milter_getattr_all_sockets',` +@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',` attribute milter_data_type; ') 
@@ -34894,7 +34924,7 @@ index cba62db..bdf319a 100644 ## ## ## -@@ -97,3 +128,22 @@ interface(`milter_manage_spamass_state',` +@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',` manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ') @@ -34918,10 +34948,10 @@ index cba62db..bdf319a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 92508b2..38c718c 100644 +index 92508b2..db83591 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,96 @@ +@@ -1,77 +1,110 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) 
@@ -34952,38 +34982,59 @@ index 92508b2..38c718c 100644 type spamass_milter_state_t; files_type(spamass_milter_state_t) ++ ####################################### # -# Common local policy -+# dkim-milter local policy ++# milter domains local policy # --allow milter_domains self:fifo_file rw_fifo_file_perms; ++# Allow communication with MTA over a unix-domain socket ++# Note: usage with TCP sockets requires additional policy ++ + allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; -+allow dkim_milter_t self:capability { kill setgid setuid }; -+allow dkim_milter_t self:process signal; -+allow dkim_milter_t self:tcp_socket create_stream_socket_perms; -+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; ++ ++# Allow communication with MTA over a TCP socket ++allow milter_domains self:tcp_socket create_stream_socket_perms; --kernel_dontaudit_read_system_state(milter_domains) -+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + kernel_dontaudit_read_system_state(milter_domains) -corenet_all_recvfrom_unlabeled(milter_domains) -corenet_all_recvfrom_netlabel(milter_domains) -corenet_tcp_sendrecv_generic_if(milter_domains) -corenet_tcp_sendrecv_generic_node(milter_domains) --corenet_tcp_bind_generic_node(milter_domains) -+kernel_read_kernel_sysctls(dkim_milter_t) - --corenet_tcp_bind_milter_port(milter_domains) + corenet_tcp_bind_generic_node(milter_domains) +- + corenet_tcp_bind_milter_port(milter_domains) -corenet_tcp_sendrecv_all_ports(milter_domains) -+auth_use_nsswitch(dkim_milter_t) -miscfiles_read_localization(milter_domains) -+sysnet_dns_name_resolve(dkim_milter_t) ++dev_read_rand(milter_domains) ++dev_read_urand(milter_domains) ++ ++mta_read_config(milter_domains) ++ ++sysnet_read_config(greylist_milter_t) ++ ++####################################### ++# ++# dkim-milter local policy ++# ++ ++allow dkim_milter_t self:capability { kill setgid setuid 
}; ++allow dkim_milter_t self:process signal; ++allow dkim_milter_t self:tcp_socket create_stream_socket_perms; ++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; -logging_send_syslog_msg(milter_domains) -+mta_read_config(dkim_milter_t) ++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) ++ ++kernel_read_kernel_sysctls(dkim_milter_t) ++ ++auth_use_nsswitch(dkim_milter_t) ++ ++sysnet_dns_name_resolve(dkim_milter_t) ######################################## # @@ -35015,9 +35066,7 @@ index 92508b2..38c718c 100644 -corenet_sendrecv_kismet_server_packets(greylist_milter_t) -corenet_tcp_bind_kismet_port(greylist_milter_t) -corenet_tcp_sendrecv_kismet_port(greylist_milter_t) -+dev_read_rand(greylist_milter_t) -+dev_read_urand(greylist_milter_t) - +- corecmd_exec_bin(greylist_milter_t) corecmd_exec_shell(greylist_milter_t) @@ -35033,20 +35082,15 @@ index 92508b2..38c718c 100644 +# The milter runs from /var/lib/milter-greylist and maintains files there files_search_var_lib(greylist_milter_t) +-mta_read_config(greylist_milter_t) +- +-miscfiles_read_localization(greylist_milter_t) +# Look up username for dropping privs +auth_use_nsswitch(greylist_milter_t) -+ -+# Config is in /etc/mail/greylist.conf - mta_read_config(greylist_milter_t) - --miscfiles_read_localization(greylist_milter_t) -+ -+sysnet_read_config(greylist_milter_t) -+ optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +98,48 @@ optional_policy(` +@@ -79,30 +112,45 @@ optional_policy(` ######################################## # @@ -35063,11 +35107,9 @@ index 92508b2..38c718c 100644 +# The milter's socket directory lives under /var/spool files_search_spool(regex_milter_t) +-mta_read_config(regex_milter_t) +# Look up username for dropping privs +auth_use_nsswitch(regex_milter_t) -+ -+# Config is in /etc/mail/milter-regex.conf - mta_read_config(regex_milter_t) ######################################## # 
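Review bot: The new comment `# Note: usage with TCP sockets requires additional policy` in the milter.te hunk is contradicted a few lines later, where `allow milter_domains self:tcp_socket create_stream_socket_perms;` together with the retained `corenet_tcp_bind_generic_node`/`corenet_tcp_bind_milter_port(milter_domains)` give every milter domain TCP listening unconditionally. Either drop that Note line, or, if TCP is meant to be opt-in per milter, move the tcp_socket and corenet_tcp_bind_* rules back under the individual milter sections so the comment becomes true. Separately, `sysnet_read_config(greylist_milter_t)` now sits in the `milter_domains` common block although it is a greylist-specific rule; it belongs in the greylist section rewritten further down in this hunk, where the previous version of the patch had it.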
@@ -37585,11 +37627,47 @@ index 6a306ee..7131f6f 100644 +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ') +diff --git a/mpd.fc b/mpd.fc +index 313ce52..6aa46d2 100644 +--- a/mpd.fc ++++ b/mpd.fc +@@ -9,3 +9,5 @@ + /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) + + /var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) ++ ++/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0) diff --git a/mpd.if b/mpd.if -index 5fa77c7..a0e8661 100644 +index 5fa77c7..2e01c7d 100644 --- a/mpd.if +++ b/mpd.if -@@ -344,9 +344,13 @@ interface(`mpd_admin',` +@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',` + + ######################################## + ## ++## Connect to mpd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_stream_connect',` ++ gen_require(` ++ type mpd_t, mpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an mpd environment. + ## +@@ -344,9 +363,13 @@ interface(`mpd_admin',` type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; ') @@ -37605,10 +37683,20 @@ index 5fa77c7..a0e8661 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..200cec1 100644 +index 7c8afcc..0f46305 100644 --- a/mpd.te 
+++ b/mpd.te -@@ -74,6 +74,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; +@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) + type mpd_user_data_t; + userdom_user_home_content(mpd_user_data_t) # customizable + ++type mpd_var_run_t; ++files_pid_file(mpd_var_run_t) ++ + ######################################## + # + # Local policy +@@ -74,6 +77,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -37616,7 +37704,19 @@ index 7c8afcc..200cec1 100644 allow mpd_t mpd_data_t:dir manage_dir_perms; allow mpd_t mpd_data_t:file manage_file_perms; -@@ -110,7 +111,6 @@ kernel_read_kernel_sysctls(mpd_t) +@@ -104,13 +108,18 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) + files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) + ++manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) ++files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file }) ++ + kernel_getattr_proc(mpd_t) + kernel_read_system_state(mpd_t) + kernel_read_kernel_sysctls(mpd_t) corecmd_exec_bin(mpd_t) @@ -37624,7 +37724,7 @@ index 7c8afcc..200cec1 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,7 +139,6 @@ dev_read_sound(mpd_t) +@@ -139,7 +148,6 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) @@ -37632,7 +37732,7 @@ index 7c8afcc..200cec1 100644 fs_getattr_all_fs(mpd_t) fs_list_inotifyfs(mpd_t) -@@ -150,7 +149,9 @@ auth_use_nsswitch(mpd_t) +@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) 
@@ -37643,7 +37743,7 @@ index 7c8afcc..200cec1 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) -@@ -199,6 +200,16 @@ optional_policy(` +@@ -199,6 +209,16 @@ optional_policy(` ') optional_policy(` @@ -39848,10 +39948,18 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..d5f13d8 100644 +index 97370e4..f076c38 100644 --- a/munin.te +++ b/munin.te -@@ -45,7 +45,7 @@ munin_plugin_template(unconfined) +@@ -40,12 +40,15 @@ munin_plugin_template(services) + munin_plugin_template(system) + munin_plugin_template(unconfined) + ++type httpd_munin_script_tmp_t; ++files_tmp_file(httpd_munin_script_tmp_t) ++ + ################################ + # # Common munin plugin local policy # @@ -39860,7 +39968,7 @@ index 97370e4..d5f13d8 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -58,24 +58,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; +@@ -58,24 +61,16 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -39885,7 +39993,7 @@ index 97370e4..d5f13d8 100644 optional_policy(` nscd_use(munin_plugin_domain) ') -@@ -114,7 +106,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +109,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -39894,7 +40002,7 @@ index 97370e4..d5f13d8 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -130,7 +122,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +125,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -39902,7 +40010,7 @@ index 97370e4..d5f13d8 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -153,7 +144,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +147,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -39910,7 +40018,7 @@ index 97370e4..d5f13d8 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -165,7 +155,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +158,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) 
@@ -39918,19 +40026,21 @@ index 97370e4..d5f13d8 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -179,6 +168,11 @@ optional_policy(` - manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -+ -+ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) -+ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) -+ -+ files_search_var_lib(httpd_munin_script_t) - ') +@@ -173,13 +165,6 @@ sysnet_exec_ifconfig(munin_t) + userdom_dontaudit_use_unpriv_user_fds(munin_t) + userdom_dontaudit_search_user_home_dirs(munin_t) + +-optional_policy(` +- apache_content_template(munin) +- +- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +- apache_search_sys_content(munin_t) +-') optional_policy(` -@@ -213,7 +207,6 @@ optional_policy(` + cron_system_entry(munin_t, munin_exec_t) +@@ -213,7 +198,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -39938,7 +40048,7 @@ index 97370e4..d5f13d8 100644 ') optional_policy(` -@@ -246,17 +239,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) +@@ -246,17 +230,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) @@ -39960,7 +40070,7 @@ index 97370e4..d5f13d8 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -275,27 +268,36 @@ optional_policy(` +@@ -275,27 +259,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -40001,7 +40111,7 @@ index 97370e4..d5f13d8 100644 ') optional_policy(` -@@ -353,7 +355,11 @@ optional_policy(` +@@ -353,7 +346,11 @@ optional_policy(` ') optional_policy(` 
@@ -40014,11 +40124,37 @@ index 97370e4..d5f13d8 100644 ') optional_policy(` -@@ -413,3 +419,4 @@ optional_policy(` +@@ -413,3 +410,30 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') + ++ ++####################################### ++# ++# Munin CGI script local policy ++# ++ ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++ ++manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) ++manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) ++ ++read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) ++read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) ++ ++allow httpd_munin_script_t munin_log_t:file read_file_perms; ++ ++files_search_var_lib(httpd_munin_script_t) ++ ++auth_read_passwd(httpd_munin_script_t) ++ ++optional_policy(` ++ apache_search_sys_content(munin_t) ++') diff --git a/mysql.fc b/mysql.fc index c48dc17..43f60de 100644 --- a/mysql.fc @@ -49745,7 +49881,7 @@ index d2fc677..22b745a 100644 + logging_send_syslog_msg(pegasus_openlmi_$1_t) ') diff --git a/pegasus.te b/pegasus.te -index 7bcf327..0ff4cb5 100644 +index 7bcf327..850de84 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -49905,7 +50041,7 @@ index 7bcf327..0ff4cb5 100644 +') + +optional_policy(` -+ corosync_stream_connect(pegasus_t) ++ rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` @@ -56910,7 +57046,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..6f83f03 100644 +index d447152..5940a04 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ 
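Review bot: The new Munin CGI section in the munin.te hunk grants `manage_dirs_pattern`/`manage_files_pattern` on `httpd_munin_script_tmp_t` but adds no type transition for it, so unless one exists in a part of the patch not shown here, files the CGI creates under /tmp get the generic tmp label and the two new rules never match; add `files_tmp_filetrans(httpd_munin_script_t, httpd_munin_script_tmp_t, { file dir })` after them. The same block calls `apache_content_template(munin)` unconditionally while wrapping only `apache_search_sys_content(munin_t)` in `optional_policy`, which is inconsistent: if munin must still build without the apache module, the whole CGI section needs to go back inside the `optional_policy` block that the earlier munin.te hunk on this page removes, and if apache is now a hard dependency the remaining wrapper is noise. Minor: `httpd_munin_script_tmp_t,httpd_munin_script_tmp_t` is missing the space after the comma used everywhere else in the file.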
@@ -56945,12 +57081,13 @@ index d447152..6f83f03 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,59 +44,71 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,59 +44,72 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) -can_exec(procmail_t, procmail_exec_t) - ++kernel_read_network_state(procmail_t) kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) @@ -57044,7 +57181,7 @@ index d447152..6f83f03 100644 ') optional_policy(` -@@ -100,12 +116,7 @@ optional_policy(` +@@ -100,12 +117,7 @@ optional_policy(` ') optional_policy(` @@ -57058,7 +57195,7 @@ index d447152..6f83f03 100644 ') optional_policy(` -@@ -113,16 +124,17 @@ optional_policy(` +@@ -113,16 +125,17 @@ optional_policy(` ') optional_policy(` @@ -57081,7 +57218,7 @@ index d447152..6f83f03 100644 ') optional_policy(` -@@ -131,6 +143,8 @@ optional_policy(` +@@ -131,6 +144,8 @@ optional_policy(` ') optional_policy(` @@ -60879,7 +61016,7 @@ index cd51b96..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 76f5b39..599b6cd 100644 +index 76f5b39..53f9a64 100644 --- a/qpid.te +++ b/qpid.te @@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) @@ -60929,7 +61066,8 @@ index 76f5b39..599b6cd 100644 sysnet_dns_name_resolve(qpidd_t) optional_policy(` - corosync_stream_connect(qpidd_t) +- corosync_stream_connect(qpidd_t) ++ rhcs_stream_connect_cluster(qpidd_t) ') + diff --git a/quantum.fc b/quantum.fc @@ -63522,10 +63660,10 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..d022603 100644 +index 47de2d6..1f5dbf8 100644 --- a/rhcs.fc 
+++ b/rhcs.fc -@@ -1,31 +1,31 @@ +@@ -1,31 +1,74 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) 
@@ -63580,8 +63718,51 @@ index 47de2d6..d022603 100644 +/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) ++ ++# cluster administrative domains file spec ++/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++ ++/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++ ++/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/corosync(/.*)? 
gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++ ++/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0) ++/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0) ++ ++/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..aee7ba7 100644 +index 56bc01f..f0a05e8 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -63943,7 +64124,7 @@ index 56bc01f..aee7ba7 100644 ') ###################################### -@@ -446,52 +456,77 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
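Review bot: `/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)` in the rhcs.fc hunk labels a directory of loadable code under /usr/lib with a variable-data type, and the rhcs.if hunk that follows adds `rhcs_manage_cluster_lib_files` and `rhcs_relabel_cluster_lib_files` for exactly that type, so any domain granted those interfaces could modify the heartbeat plugins that the cluster domain later loads. Leaving `/usr/lib/heartbeat` on the default library label (drop the directory line, keep `/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)`) or giving it a read-only type keeps writable state separate from code. Also worth stating in the `# cluster administrative domains file spec` comment is that aisexec, corosync, cpglockd, ccs_tool, cman_tool, rgmanager, pacemakerd and heartbeat now all share one `cluster_exec_t`/`cluster_t`, a deliberate coarsening compared to the separate aisexec and corosync domains the other hunks in this diff stop referencing; a one-line note of that intent would stop a later reviewer from re-splitting them by accident. `/var/run/aisexec.*` has no file-type field while its neighbours do; if that is intentional (pid file plus sockets), say so in the same comment.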
@@ -63991,31 +64172,104 @@ index 56bc01f..aee7ba7 100644 - allow $1 cluster_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cluster_domain) -- ++ files_search_var_lib($1) ++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') ++ ++##################################### ++## ++## Allow domain to manage cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') + - init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; - allow $2 system_r; -- ++#################################### ++## ++## Allow domain to relabel cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_relabel_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') + - files_search_pids($1) - admin_pattern($1, cluster_pid) -- ++###################################### ++## ++## Execute a domain transition to run cluster administrative domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_domtrans_cluster',` ++ gen_require(` ++ type cluster_t, cluster_exec_t; ++ ') + - files_search_locks($1) - admin_pattern($1, fenced_lock_t) -- ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cluster_exec_t, cluster_t) ++') + - files_search_tmp($1) - admin_pattern($1, fenced_tmp_t) -- - files_search_var_lib($1) ++####################################### ++## ++## Execute cluster init scripts in ++## the init script domain. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_initrc_domtrans_cluster',` ++ gen_require(` ++ type cluster_initrc_exec_t; ++ ') + +- files_search_var_lib($1) - admin_pattern($1, qdiskd_var_lib_t) -+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') - fs_search_tmpfs($1) - admin_pattern($1, cluster_tmpfs) +##################################### +## -+## Allow domain to manage cluster lib files ++## Execute cluster in the caller domain. +## +## +## @@ -64023,20 +64277,18 @@ index 56bc01f..aee7ba7 100644 +## +## +# -+interface(`rhcs_manage_cluster_lib_files',` ++interface(`rhcs_exec_cluster',` + gen_require(` -+ type cluster_var_lib_t; ++ type cluster_exec_t; + ') - -- logging_search_logs($1) -- admin_pattern($1, cluster_log) -+ files_search_var_lib($1) -+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ ++ corecmd_search_bin($1) ++ can_exec($1, cluster_exec_t) +') + -+#################################### ++###################################### +## -+## Allow domain to relabel cluster lib files ++## Read cluster log files. +## +## +## 
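Review bot: The new interfaces in this hunk open with banner bars of four different widths (`#####################################`, `####################################`, `######################################`, `#######################################`), while the surrounding rhcs.if uses the 40-character `########################################`; normalising them to the existing width keeps the file greppable and matches refpolicy style. The hunk also begins inside an interface body (`files_search_var_lib($1)` / `read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)`) whose header is outside the hunk, so the name of that interface cannot be confirmed from here.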
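Review bot: `rhcs_read_log_cluster` (and `rhcs_setattr_log_cluster`, which follows in the next hunk) put the object before the domain name, whereas the sibling interfaces added in this commit use the `rhcs_<verb>_cluster_<object>` form (`rhcs_manage_cluster_tmp_files`, `rhcs_rw_cluster_tmpfs`) and refpolicy convention would be `rhcs_read_cluster_log_files` / `rhcs_setattr_cluster_log_files`. Interface names are the module's public API and get hard to rename once other modules call them, so it is worth settling on one form before this ships. The `rhcs_exec_cluster` body in this hunk belongs to a doc block that starts in the previous hunk.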
@@ -64044,53 +64296,464 @@ index 56bc01f..aee7ba7 100644 +## +## +# -+interface(`rhcs_relabel_cluster_lib_files',` ++interface(`rhcs_read_log_cluster',` + gen_require(` -+ type cluster_var_lib_t; ++ type cluster_var_log_t; + ') + -+ files_search_var_lib($1) -+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) -+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++ logging_search_logs($1) ++ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t) ++ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t) ++') ++ ++###################################### ++## ++## Setattr cluster log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_setattr_log_cluster',` ++ gen_require(` ++ type cluster_var_log_t; ++ ') ++ ++ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t) ++') ++ ++##################################### ++## ++## Allow manage cluster tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_tmp_files',` ++ gen_require(` ++ type cluster_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to read/write cluster's tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_rw_cluster_tmpfs',` ++ gen_require(` ++ type cluster_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++') ++ ++##################################### ++## ++## Allow manage cluster tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_tmpfs_files',` ++ gen_require(` ++ type rgmanager_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++') ++ ++####################################### ++## ++## Execute cluster server in the cluster domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`rhcs_systemctl_cluster',` ++ gen_require(` ++ type cluster_t; ++ type cluster_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 cluster_unit_file_t:file read_file_perms; ++ allow $1 cluster_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cluster_t) ++') ++ ++##################################### ++## ++## All of the rules required to administrate ++## an cluster environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rgmanager domain. ++## ++## ++## ++# ++interface(`rhcs_admin_cluster',` ++ gen_require(` ++ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t; ++ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; ++ type cluster_unit_file_t; ++ ') ++ ++ allow $1 cluster_t:process signal_perms; ++ ps_process_pattern($1, cluster_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cluster_t:process ptrace; ++ ') ++ ++ init_labeled_script_domtrans($1, cluster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 cluster_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, cluster_tmp_t) ++ ++ admin_pattern($1, cluster_tmpfs_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, cluster_var_log_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, cluster_var_run_t) + +- logging_search_logs($1) +- admin_pattern($1, cluster_log) ++ rhcs_systemctl_cluster($1) ++ admin_pattern($1, cluster_unit_file_t) ++ allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..d8bf297 100644 +index 2c2de9a..a1461c9 100644 --- a/rhcs.te +++ b/rhcs.te -@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd) +@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) + ## + gen_tunable(fenced_can_ssh, false) + ++## ++##

++## Allow cluster administrative domains to connect to the network using TCP. ++##

++##
++gen_tunable(cluster_can_network_connect, false) ++ ++## ++##

++## Allow cluster administrative domains to manage all files on a system. ++##

++##
++gen_tunable(cluster_manage_all_files, false) ++ ++## ++##

++## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory ++##

++##
++gen_tunable(cluster_use_execmem, false) ++ + attribute cluster_domain; + attribute cluster_log; + attribute cluster_pid; +@@ -50,28 +71,259 @@ rhcs_domain_template(qdiskd) type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) -+# type for cluster lib files ++# cluster_t is a new domain for administrative generic cluster services ++# (rgmanager, corosync, hearbeat, cman, pacemaker) ++rhcs_domain_template(cluster) ++ ++typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t }; ++typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t }; ++typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t }; ++typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t }; ++typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t }; ++ ++type cluster_initrc_exec_t; ++typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker rgmanager_initrc_exec_t }; ++init_script_file(cluster_initrc_exec_t) ++ ++type cluster_tmp_t; ++typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t }; ++files_tmp_file(cluster_tmp_t) ++ +type cluster_var_lib_t; ++typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t }; +files_type(cluster_var_lib_t) + ++type cluster_unit_file_t; ++typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t }; ++systemd_unit_file(cluster_unit_file_t) ++ ##################################### # # Common cluster domains local policy -@@ -62,10 +66,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms; + # + + allow cluster_domain self:capability sys_nice; +-allow cluster_domain self:process setsched; ++allow cluster_domain self:process { signal setsched }; + allow cluster_domain self:sem create_sem_perms; + allow cluster_domain 
self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_dgram_socket create_socket_perms; -logging_send_syslog_msg(cluster_domain) -- ++optional_policy(` ++ ccs_stream_connect(cluster_domain) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(cluster_domain) ++') ++ ++##################################### ++# ++# cluster domain local policy ++# + -miscfiles_read_localization(cluster_domain) -- ++allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner }; ++# for hearbeat ++allow cluster_t self:capability { net_raw chown }; ++allow cluster_t self:capability2 block_suspend; ++allow cluster_t self:process { setpgid setrlimit setsched signull }; ++ ++allow cluster_t self:tcp_socket create_stream_socket_perms; ++allow cluster_t self:shm create_shm_perms; ++ ++manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t) ++manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t) ++files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir }) ++ ++can_exec(cluster_t, cluster_var_lib_t) ++manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t) ++files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file }) ++ ++can_exec(cluster_t, cluster_exec_t) ++ ++kernel_kill(cluster_t) ++kernel_read_all_sysctls(cluster_t) ++kernel_read_system_state(cluster_t) ++kernel_rw_rpc_sysctls(cluster_t) ++kernel_search_debugfs(cluster_t) ++kernel_search_network_state(cluster_t) ++ ++corecmd_exec_bin(cluster_t) ++corecmd_exec_shell(cluster_t) ++ ++corenet_all_recvfrom_unlabeled(cluster_t) ++corenet_all_recvfrom_netlabel(cluster_t) ++corenet_udp_sendrecv_generic_if(cluster_t) 
++corenet_udp_sendrecv_generic_node(cluster_t) ++corenet_udp_bind_generic_node(cluster_t) ++ ++corenet_sendrecv_netsupport_server_packets(cluster_t) ++corenet_udp_bind_netsupport_port(cluster_t) ++corenet_udp_sendrecv_netsupport_port(cluster_t) ++ ++corenet_sendrecv_cluster_server_packets(cluster_t) ++corenet_udp_bind_cluster_port(cluster_t) ++corenet_udp_sendrecv_cluster_port(cluster_t) ++ ++# need to write to /dev/misc/dlm-contro ++dev_rw_dlm_control(cluster_t) ++dev_setattr_dlm_control(cluster_t) ++dev_read_sysfs(cluster_t) ++dev_read_rand(cluster_t) ++dev_read_urand(cluster_t) ++ ++domain_read_all_domains_state(cluster_t) ++ ++fs_getattr_xattr_fs(cluster_t) ++fs_getattr_all_fs(cluster_t) ++ ++storage_raw_read_fixed_disk(cluster_t) ++ ++term_getattr_pty_fs(cluster_t) ++ ++files_manage_mounttab(cluster_t) ++# needed by resources scripts ++files_read_non_security_files(cluster_t) ++auth_dontaudit_getattr_shadow(cluster_t) ++ ++init_domtrans_script(cluster_t) ++init_initrc_domain(cluster_t) ++init_read_script_state(cluster_t) ++init_rw_script_tmp_files(cluster_t) ++init_manage_script_status_files(cluster_t) ++ ++userdom_read_user_tmp_files(cluster_t) ++userdom_delete_user_tmpfs_files(cluster_t) ++userdom_rw_user_tmpfs_files(cluster_t) ++userdom_kill_all_users(cluster_t) ++ ++tunable_policy(`cluster_can_network_connect',` ++ corenet_tcp_connect_all_ports(cluster_t) ++') ++ ++tunable_policy(`cluster_manage_all_files',` ++ files_create_var_run_dirs(cluster_t) ++ files_getattr_all_symlinks(cluster_t) ++ files_list_all(cluster_t) ++ files_manage_mnt_dirs(cluster_t) ++ files_manage_mnt_files(cluster_t) ++ files_manage_mnt_symlinks(cluster_t) ++ files_manage_isid_type_files(cluster_t) ++ files_manage_isid_type_dirs(cluster_t) ++ fs_manage_tmpfs_files(cluster_t) ++') + optional_policy(` - ccs_stream_connect(cluster_domain) - ') -@@ -74,6 +74,10 @@ optional_policy(` - corosync_stream_connect(cluster_domain) +- ccs_stream_connect(cluster_domain) ++ ccs_read_config(cluster_t) 
') + optional_policy(` +- corosync_stream_connect(cluster_domain) ++ cmirrord_rw_shm(cluster_t) ++') ++ +optional_policy(` -+ dbus_system_bus_client(cluster_domain) ++ consoletype_exec(cluster_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(cluster_t) ++ lvm_rw_clvmd_tmpfs_files(cluster_t) ++ lvm_delete_clvmd_tmpfs_files(cluster_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(cluster_t) ++') ++ ++ ++optional_policy(` ++ hostname_exec(cluster_t) ++') ++ ++optional_policy(` ++ ccs_manage_config(cluster_t) ++ ccs_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ ldap_systemctl(cluster_t) ++') ++ ++optional_policy(` ++ mount_domtrans(cluster_t) ++') ++ ++optional_policy(` ++ mysql_domtrans_mysql_safe(cluster_t) ++ mysql_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ netutils_domtrans(cluster_t) ++ netutils_domtrans_ping(cluster_t) ++') ++ ++optional_policy(` ++ postgresql_signal(cluster_t) +') + ++optional_policy(` ++ rhcs_getattr_fenced(cluster_t) ++ rhcs_rw_cluster_shm(cluster_t) ++ rhcs_rw_cluster_semaphores(cluster_t) ++ rhcs_stream_connect_cluster(cluster_t) ++ rhcs_relabel_cluster_lib_files(cluster_t) ++') ++ ++optional_policy(` ++ rdisc_exec(cluster_t) ++') ++ ++optional_policy(` ++ ricci_dontaudit_rw_modcluster_pipes(cluster_t) ++') ++ ++optional_policy(` ++ rpc_systemctl_nfsd(cluster_t) ++ rpc_systemctl_rpcd(cluster_t) ++ ++ rpc_domtrans_nfsd(cluster_t) ++ rpc_domtrans_rpcd(cluster_t) ++ rpc_manage_nfs_state_data(cluster_t) ++') ++ ++optional_policy(` ++ samba_manage_var_files(cluster_t) ++ samba_rw_config(cluster_t) ++ samba_signal_smbd(cluster_t) ++ samba_signal_nmbd(cluster_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(cluster_t) ++') ++ ++optional_policy(` ++ udev_read_db(cluster_t) ++') ++ ++optional_policy(` ++ virt_stream_connect(cluster_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cluster_t) ++') ++ ++optional_policy(` ++ wdmd_rw_tmpfs(cluster_t) ++') ++ ++optional_policy(` ++ xen_domtrans_xm(cluster_t) + ') + 
##################################### - # - # dlm_controld local policy -@@ -98,6 +102,12 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,6 +350,12 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -64103,7 +64766,7 @@ index 2c2de9a..d8bf297 100644 ####################################### # # fenced local policy -@@ -105,9 +115,13 @@ init_rw_script_tmp_files(dlm_controld_t) +@@ -105,9 +363,13 @@ init_rw_script_tmp_files(dlm_controld_t) allow fenced_t self:capability { sys_rawio sys_resource }; allow fenced_t self:process { getsched signal_perms }; @@ -64118,7 +64781,7 @@ index 2c2de9a..d8bf297 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +132,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +380,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -64129,7 +64792,7 @@ index 2c2de9a..d8bf297 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +161,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +409,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -64140,7 +64803,7 @@ index 2c2de9a..d8bf297 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +171,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +419,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -64149,7 +64812,7 @@ index 2c2de9a..d8bf297 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -190,10 +201,6 @@ optional_policy(` +@@ -190,10 +449,6 @@ optional_policy(` ') optional_policy(` 
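Review bot: The alias list `typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker rgmanager_initrc_exec_t };` in the rhcs.te part of this hunk names a bare `pacemaker` where every other list uses `pacemaker_*`, so it should read `pacemaker_initrc_exec_t`; as written it creates an alias called `pacemaker` and any module requiring `pacemaker_initrc_exec_t` will fail to link. The `unconfined_domain(cluster_t)` call inside the last `optional_policy` block makes cluster_t unconfined wherever unconfined.pp is loaded, at which point the capability sets, `cluster_can_network_connect`, `cluster_manage_all_files` and the `deny_ptrace` gating above it have no effect; if this is a deliberate staging step, mark it with a comment such as `# TODO: drop once cluster_t is verified to run confined`, otherwise remove it. `gen_tunable(cluster_use_execmem, false)` is declared with a description that looks garbled ("cluster domains memcheck-amd64- to use executable memory"), but no `tunable_policy` block referencing `cluster_use_execmem` appears in this hunk, so the boolean is a no-op as shown and the description should be fixed or the boolean dropped. In the rhcs.if part, `rhcs_manage_cluster_tmpfs_files` has `gen_require` of `type rgmanager_tmpfs_t;` yet uses `cluster_tmpfs_t`, which only resolves through the typealias; the require should name `cluster_tmpfs_t` like its siblings. Minor style: `manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)` and the three pattern calls after it drop the space after the comma that the rest of the file uses.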
@@ -64160,7 +64823,7 @@ index 2c2de9a..d8bf297 100644 lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') -@@ -203,6 +210,13 @@ optional_policy(` +@@ -203,6 +458,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -64174,7 +64837,7 @@ index 2c2de9a..d8bf297 100644 ####################################### # # foghorn local policy -@@ -223,7 +237,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -223,7 +485,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) dev_read_urand(foghorn_t) @@ -64184,7 +64847,7 @@ index 2c2de9a..d8bf297 100644 optional_policy(` dbus_connect_system_bus(foghorn_t) -@@ -257,6 +272,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +520,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -64193,7 +64856,7 @@ index 2c2de9a..d8bf297 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +292,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +540,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -64206,7 +64869,7 @@ index 2c2de9a..d8bf297 100644 ###################################### # # qdiskd local policy -@@ -321,6 +338,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +586,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -65218,7 +65881,7 @@ index 2ab3ed1..23d579c 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 9702ed2..fa21335 100644 +index 9702ed2..eeb9e48 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) 
@@ -65246,20 +65909,31 @@ index 9702ed2..fa21335 100644 sysnet_dns_name_resolve(ricci_t) optional_policy(` -@@ -235,9 +231,9 @@ init_domtrans_script(ricci_modcluster_t) +@@ -235,13 +231,8 @@ init_domtrans_script(ricci_modcluster_t) logging_send_syslog_msg(ricci_modcluster_t) -miscfiles_read_localization(ricci_modcluster_t) - -ricci_stream_connect_modclusterd(ricci_modcluster_t) -+optional_policy(` +- + optional_policy(` +- aisexec_stream_connect(ricci_modcluster_t) +- corosync_stream_connect(ricci_modcluster_t) + ricci_stream_connect_modclusterd(ricci_modcluster_t) -+') + ') optional_policy(` - aisexec_stream_connect(ricci_modcluster_t) -@@ -336,8 +332,6 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) +@@ -271,7 +262,7 @@ optional_policy(` + ') + + optional_policy(` +- rgmanager_stream_connect(ricci_modcluster_t) ++ rhcs_stream_connect_cluster(ricci_modcluster_t) + ') + + ######################################## +@@ -336,23 +327,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) logging_send_syslog_msg(ricci_modclusterd_t) @@ -65268,7 +65942,23 @@ index 9702ed2..fa21335 100644 sysnet_domtrans_ifconfig(ricci_modclusterd_t) optional_policy(` -@@ -374,12 +368,10 @@ corecmd_exec_bin(ricci_modlog_t) +- aisexec_stream_connect(ricci_modclusterd_t) +- corosync_stream_connect(ricci_modclusterd_t) +-') +- +-optional_policy(` + ccs_domtrans(ricci_modclusterd_t) + ccs_stream_connect(ricci_modclusterd_t) + ccs_read_config(ricci_modclusterd_t) + ') + + optional_policy(` +- rgmanager_stream_connect(ricci_modclusterd_t) ++ rhcs_stream_connect_cluster(ricci_modclusterd_t) + ') + + optional_policy(` +@@ -374,12 +358,10 @@ corecmd_exec_bin(ricci_modlog_t) domain_read_all_domains_state(ricci_modlog_t) 
@@ -65281,7 +65971,7 @@ index 9702ed2..fa21335 100644 optional_policy(` nscd_dontaudit_search_pid(ricci_modlog_t) -@@ -401,9 +393,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) +@@ -401,9 +383,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) corecmd_exec_bin(ricci_modrpm_t) files_search_usr(ricci_modrpm_t) @@ -65292,7 +65982,7 @@ index 9702ed2..fa21335 100644 optional_policy(` oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) -@@ -428,14 +419,13 @@ kernel_read_system_state(ricci_modservice_t) +@@ -428,14 +409,13 @@ kernel_read_system_state(ricci_modservice_t) corecmd_exec_bin(ricci_modservice_t) corecmd_exec_shell(ricci_modservice_t) @@ -65308,7 +65998,7 @@ index 9702ed2..fa21335 100644 optional_policy(` ccs_read_config(ricci_modservice_t) -@@ -460,7 +450,6 @@ optional_policy(` +@@ -460,7 +440,6 @@ optional_policy(` allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:process { setsched signal }; @@ -65316,7 +66006,7 @@ index 9702ed2..fa21335 100644 allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; kernel_read_kernel_sysctls(ricci_modstorage_t) -@@ -480,16 +469,21 @@ domain_read_all_domains_state(ricci_modstorage_t) +@@ -480,21 +459,21 @@ domain_read_all_domains_state(ricci_modstorage_t) files_manage_etc_files(ricci_modstorage_t) files_read_etc_runtime_files(ricci_modstorage_t) @@ -65334,13 +66024,18 @@ index 9702ed2..fa21335 100644 term_dontaudit_use_console(ricci_modstorage_t) -logging_send_syslog_msg(ricci_modstorage_t) +- +-miscfiles_read_localization(ricci_modstorage_t) +auth_use_nsswitch(ricci_modstorage_t) --miscfiles_read_localization(ricci_modstorage_t) +-optional_policy(` +- aisexec_stream_connect(ricci_modstorage_t) +- corosync_stream_connect(ricci_modstorage_t) +-') +logging_send_syslog_msg(ricci_modstorage_t) optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) + ccs_stream_connect(ricci_modstorage_t) diff --git a/rlogin.fc b/rlogin.fc index f111877..e361ee9 100644 --- a/rlogin.fc 
@@ -66099,7 +66794,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..37860b7 100644 +index e5212e6..699925d 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -66288,25 +66983,25 @@ index e5212e6..37860b7 100644 optional_policy(` - nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) ++') ++ ++optional_policy(` ++ quota_manage_db(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ quota_manage_db(rpcd_t) ++ nis_read_ypserv_config(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ quota_read_db(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) -+ quota_read_db(rpcd_t) -+') -+ -+optional_policy(` -+ rgmanager_manage_tmp_files(rpcd_t) ++ rhcs_manage_cluster_tmp_files(rpcd_t) ') ######################################## @@ -68164,7 +68859,7 @@ index f1140ef..c5bd83a 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..2574954 100644 +index e3e7c96..68cba2d 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -68173,7 +68868,7 @@ index e3e7c96..2574954 100644 ######################################## # -@@ -6,67 +6,60 @@ policy_module(rsync, 1.12.2) +@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2) # ## @@ -68182,12 +68877,12 @@ index e3e7c96..2574954 100644 -## cifs file systems. -##
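Review bot: The rewritten rsync.te header `+@@ -6,67 +6,46 @@` shrinks that section by 14 more lines than the previous patch's `-6,60`, and the two hunks that follow show `gen_tunable(rsync_use_cifs, false)` and `gen_tunable(rsync_use_nfs, false)` on the old side with `gen_tunable(rsync_client, false)` taking their place on the new side, so this commit appears to remove the rsync_use_cifs and rsync_use_nfs booleans even though the changelog entry only mentions the cluster_t merge. Dropping a boolean silently invalidates any persisted `setsebool -P rsync_use_nfs=1` on upgraded hosts and may change what rsync_t is allowed to reach on those shares, and the matching `tunable_policy` blocks have to go with the declarations, which this chunk does not show. If the removal is intended, add a changelog line naming the dropped booleans and what replaces them; if not, these hunks need revisiting.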

+##

-+## Allow rsync servers to share cifs files systems ++## Allow rsync to run as a client +##

##
- gen_tunable(rsync_use_cifs, false) - - ## +-gen_tunable(rsync_use_cifs, false) +- +-## -##

-## Determine whether rsync can -## use fuse file systems. @@ -68200,11 +68895,9 @@ index e3e7c96..2574954 100644 -## Determine whether rsync can use -## nfs file systems. -##

-+##

-+## Allow rsync servers to share nfs files systems -+##

- ##
- gen_tunable(rsync_use_nfs, false) +-##
+-gen_tunable(rsync_use_nfs, false) ++gen_tunable(rsync_client, false) ## -##

@@ -68212,10 +68905,11 @@ index e3e7c96..2574954 100644 -## run as a client -##

+##

-+## Allow rsync to run as a client ++## Allow rsync to export any files/directories read only. +##

##
- gen_tunable(rsync_client, false) +-gen_tunable(rsync_client, false) ++gen_tunable(rsync_export_all_ro, false) ## -##

@@ -68223,21 +68917,15 @@ index e3e7c96..2574954 100644 -## export all content read only. -##

+##

-+## Allow rsync to export any files/directories read only. -+##

- ##
- gen_tunable(rsync_export_all_ro, false) - - ## -+##

+## Allow rsync to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

-+##
+ ## +-gen_tunable(rsync_export_all_ro, false) +gen_tunable(rsync_anon_write, false) -+ -+## + + ## ##

-## Determine whether rsync can modify -## public files used for public file @@ -68268,7 +68956,7 @@ index e3e7c96..2574954 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +79,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -68299,7 +68987,7 @@ index e3e7c96..2574954 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +111,76 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -75129,7 +75817,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..a56b827 100644 +index 81864ce..54a1bc6 100644 --- a/snmp.te +++ b/snmp.te @@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t) @@ -75195,6 +75883,15 @@ index 81864ce..a56b827 100644 seutil_dontaudit_search_config(snmpd_t) +@@ -131,7 +133,7 @@ optional_policy(` + ') + + optional_policy(` +- corosync_stream_connect(snmpd_t) ++ rhcs_stream_connect_cluster(snmpd_t) + ') + + optional_policy(` diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -86819,18 +87516,23 @@ index 1e3aec0..d17ff39 100644 + ') diff --git a/wdmd.te b/wdmd.te -index ebbdaf6..63c53ba 100644 +index ebbdaf6..956f8f0 100644 --- a/wdmd.te 
+++ b/wdmd.te -@@ -51,8 +51,6 @@ auth_use_nsswitch(wdmd_t) +@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t) logging_send_syslog_msg(wdmd_t) -miscfiles_read_localization(wdmd_t) - optional_policy(` - corosync_initrc_domtrans(wdmd_t) - corosync_stream_connect(wdmd_t) +- corosync_initrc_domtrans(wdmd_t) +- corosync_stream_connect(wdmd_t) +- corosync_rw_tmpfs(wdmd_t) ++ rhcs_initrc_domtrans_cluster(wdmd_t) ++ rhcs_stream_connect_cluster(wdmd_t) ++ rhcs_rw_cluster_tmpfs(wdmd_t) + ') diff --git a/webadm.te b/webadm.te index 708254f..d26f598 100644 --- a/webadm.te diff --git a/selinux-policy.spec b/selinux-policy.spec index befc8b6..f57d117 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Feb 1 2013 Miroslav Grepl 3.12.1-17 +- Merge rgmanger, corosync,pacemaker,aisexec policies to cluster_t in rhcs.pp + * Wed Feb 27 2013 Miroslav Grepl 3.12.1-16 - Fix authconfig.py labeling - Make any domains that write homedir content do it correctly