diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index a71bd47..36c832e 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+
ifdef(`distro_debian',`
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
')
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 9a8d2a0..c5cce45 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -97,3 +97,48 @@ interface(`apcupsd_cgi_script_domtrans',`
domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an apcupsd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the apcupsd domain.
+##
+##
+##
+#
+interface(`apcupsd_admin',`
+ gen_require(`
+ type apcupsd_t, apcupsd_tmp_t;
+ type apcupsd_log_t, apcupsd_lock_t;
+ type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+ ')
+
+ allow $1 apcupsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, apcupsd_t)
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 apcupsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, apcupsd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, apcupsd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, apcupsd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, apcupsd_var_run_t)
+')
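Review bot: The header comment above `interface(`apcupsd_admin'` has empty `##` lines where refpolicy's interface documentation expects the `<summary>` and `<param name="domain">` / `<param name="role">` elements, so the generated interface docs will not pick up the description or parameters; if that is not an artifact of how this patch was rendered, the markup should be restored around the existing "All of the rules required to administrate ..." / "Domain allowed access." / "The role to be allowed to manage ..." text. The same applies to the new `bitlbee_admin`, `canna_admin`, `ddclient_admin`, `dictd_admin`, `fail2ban_admin`, `inn_admin`, `jabber_admin`, `ntp_admin` and `postfixpolicyd_admin` headers in this commit. Each summary also reads `an apcupsd environment` (and likewise for the others); `a ... environment` in all of them.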
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 9c01fa8..6d444ae 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd, 1.3.1)
+policy_module(apcupsd, 1.3.2)
########################################
#
@@ -13,6 +13,9 @@ init_daemon_domain(apcupsd_t, apcupsd_exec_t)
type apcupsd_lock_t;
files_lock_file(apcupsd_lock_t)
+type apcupsd_initrc_exec_t;
+init_script_file(apcupsd_initrc_exec_t)
+
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@@ -86,12 +89,18 @@ logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
+sysnet_dns_name_resolve(apcupsd_t)
+
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
optional_policy(`
hostname_exec(apcupsd_t)
')
optional_policy(`
mta_send_mail(apcupsd_t)
+ mta_system_content(apcupsd_tmp_t)
')
########################################
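Review bot: `userdom_use_unpriv_users_ttys(apcupsd_t)` and `userdom_use_unpriv_users_ptys(apcupsd_t)` give the daemon read/write access to every unprivileged user's terminal, which is a notably broader grant than anything else in this hunk, and nothing here records why it is needed. A one-line rationale above the pair would help the next reviewer decide whether it is still warranted, e.g. `# NOTE(review): presumably for wall-style shutdown notices to logged-in users — confirm`. The local-policy block this sits in continues outside the hunk.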
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
index b9c9c53..0197980 100644
--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@@ -1,3 +1,6 @@
-/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0)
+
+/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
+
/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0)
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
index d2cc8ae..9e12e95 100644
--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@@ -20,3 +20,40 @@ interface(`bitlbee_read_config',`
allow $1 bitlbee_conf_t:file { read getattr };
')
+########################################
+##
+## All of the rules required to administrate
+## an bitlbee environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the bitlbee domain.
+##
+##
+##
+#
+interface(`bitlbee_admin',`
+ gen_require(`
+ type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
+ type bitlbee_initrc_exec_t;
+ ')
+
+ allow $1 bitlbee_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitlbee_t)
+
+ init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitlbee_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, bitlbee_conf_t)
+
+ files_list_var($1)
+ admin_pattern($1, bitlbee_var_t)
+')
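Review bot: `bitlbee_admin` does not cover `bitlbee_tmp_t`, which this same commit introduces in `bitlbee.te` (`type bitlbee_tmp_t;` / `files_tmp_file(bitlbee_tmp_t)`), so a role granted this interface cannot inspect or clean up the daemon's temp files. Add `type bitlbee_tmp_t;` to the `gen_require` block and `files_list_tmp($1)` / `admin_pattern($1, bitlbee_tmp_t)` next to the other admin patterns, as `apcupsd_admin` does for `apcupsd_tmp_t` in this commit.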
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index 8a4006e..748608f 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -1,5 +1,5 @@
-policy_module(bitlbee, 1.0.0)
+policy_module(bitlbee, 1.0.1)
########################################
#
@@ -14,6 +14,12 @@ inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)
+type bitlbee_initrc_exec_t;
+init_script_file(bitlbee_initrc_exec_t)
+
+type bitlbee_tmp_t;
+files_tmp_file(bitlbee_tmp_t)
+
type bitlbee_var_t;
files_type(bitlbee_var_t)
@@ -26,9 +32,15 @@ files_type(bitlbee_var_t)
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:fifo_file rw_fifo_file_perms;
+allow bitlbee_t self:process signal;
bitlbee_read_config(bitlbee_t)
+# tmp files
+manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
+
# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
@@ -54,6 +66,9 @@ corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
+
files_read_etc_files(bitlbee_t)
files_search_pids(bitlbee_t)
# grant read-only access to the user help files
@@ -62,6 +77,8 @@ files_read_usr_files(bitlbee_t)
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)
+miscfiles_read_localization(bitlbee_t)
+
sysnet_dns_name_resolve(bitlbee_t)
optional_policy(`
diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
index 14c323c..5432d0e 100644
--- a/policy/modules/services/canna.fc
+++ b/policy/modules/services/canna.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0)
#
# /usr
diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if
index 2517e99..af2e6a0 100644
--- a/policy/modules/services/canna.if
+++ b/policy/modules/services/canna.if
@@ -18,3 +18,44 @@ interface(`canna_stream_connect',`
files_search_pids($1)
stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an canna environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the canna domain.
+##
+##
+##
+#
+interface(`canna_admin',`
+ gen_require(`
+ type canna_t, canna_log_t, canna_var_lib_t;
+ type canna_var_run_t, canna_initrc_exec_t;
+ ')
+
+ allow $1 canna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, canna_t)
+
+ init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 canna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, canna_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, canna_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, canna_var_run_t)
+')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 030d785..5bd8f66 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna, 1.7.0)
+policy_module(canna, 1.7.1)
########################################
#
@@ -10,6 +10,9 @@ type canna_t;
type canna_exec_t;
init_daemon_domain(canna_t, canna_exec_t)
+type canna_initrc_exec_t;
+init_script_file(canna_initrc_exec_t)
+
type canna_log_t;
logging_log_file(canna_log_t)
diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc
index 606d2d2..083c135 100644
--- a/policy/modules/services/ddclient.fc
+++ b/policy/modules/services/ddclient.fc
@@ -1,5 +1,6 @@
/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 06d54c7..c1e04ce 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -18,3 +18,51 @@ interface(`ddclient_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, ddclient_exec_t, ddclient_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an ddclient environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ddclient domain.
+##
+##
+##
+#
+interface(`ddclient_admin',`
+ gen_require(`
+ type ddclient_t, ddclient_etc_t, ddclient_log_t;
+ type ddclient_var_t, ddclient_var_lib_t;
+ type ddclient_var_run_t, ddclient_initrc_exec_t;
+ ')
+
+ allow $1 ddclient_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ddclient_t)
+
+ init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ddclient_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, ddclient_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ddclient_log_t)
+
+ files_list_var($1)
+ admin_pattern($1, ddclient_var_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, ddclient_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ddclient_var_run_t)
+')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index fc73399..14b19da 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient, 1.5.0)
+policy_module(ddclient, 1.5.1)
########################################
#
@@ -11,7 +11,10 @@ type ddclient_exec_t;
init_daemon_domain(ddclient_t, ddclient_exec_t)
type ddclient_etc_t;
-files_type(ddclient_etc_t)
+files_config_file(ddclient_etc_t)
+
+type ddclient_initrc_exec_t;
+init_script_file(ddclient_initrc_exec_t)
type ddclient_log_t;
logging_log_file(ddclient_log_t)
diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc
index 1907af7..54f88c8 100644
--- a/policy/modules/services/dictd.fc
+++ b/policy/modules/services/dictd.fc
@@ -1,6 +1,9 @@
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
index 43f1ea3..a0d23ce 100644
--- a/policy/modules/services/dictd.if
+++ b/policy/modules/services/dictd.if
@@ -14,3 +14,44 @@
interface(`dictd_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+##
+## All of the rules required to administrate
+## an dictd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the dictd domain.
+##
+##
+##
+#
+interface(`dictd_admin',`
+ gen_require(`
+ type dictd_t, dictd_etc_t, dictd_var_lib_t;
+ type dictd_var_run_t, dictd_initrc_exec_t;
+ ')
+
+ allow $1 dictd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, dictd_t)
+
+ init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 dictd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, dictd_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, dictd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, dictd_var_run_t)
+')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index b9e3ca2..f413643 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -1,5 +1,5 @@
-policy_module(dictd, 1.5.0)
+policy_module(dictd, 1.5.1)
########################################
#
@@ -13,9 +13,15 @@ init_daemon_domain(dictd_t, dictd_exec_t)
type dictd_etc_t;
files_config_file(dictd_etc_t)
+type dictd_initrc_exec_t;
+init_script_file(dictd_initrc_exec_t)
+
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+
########################################
#
# Local policy
@@ -34,6 +40,9 @@ files_search_etc(dictd_t)
allow dictd_t dictd_var_lib_t:dir list_dir_perms;
allow dictd_t dictd_var_lib_t:file read_file_perms;
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index 96a4623..c886ef5 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -3,5 +3,4 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
-/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index d78cb8f..fced310 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -78,3 +78,41 @@ interface(`fail2ban_read_pid_files',`
files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
')
+
+########################################
+##
+## All of the rules required to administrate
+## an fail2ban environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the fail2ban domain.
+##
+##
+##
+#
+interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t;
+ type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ ')
+
+ allow $1 fail2ban_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fail2ban_t)
+
+ init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
+')
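Review bot: `init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)` in `fail2ban_admin` names a type that is not in the interface's `gen_require` and does not belong to this module — it looks like a copy-paste slip from another module's admin interface; the line should read `init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)`, matching the `role_transition` two lines below. As written, any policy that calls `fail2ban_admin` will fail to build, or at best tie the admin role to the wrong init script. Note also that, unlike every other module touched in this commit, the `fail2ban.te` and `fail2ban.fc` hunks neither declare `fail2ban_initrc_exec_t` with `init_script_file()` nor label an init script for it; if the type does not already exist outside the visible hunks, the `gen_require` will fail as well.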
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index b1be911..918f5b5 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -1,5 +1,5 @@
-policy_module(fail2ban, 1.1.1)
+policy_module(fail2ban, 1.1.2)
########################################
#
@@ -37,9 +37,10 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
# pid file
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
kernel_read_system_state(fail2ban_t)
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
index 85dc7b3..ee9dbf6 100644
--- a/policy/modules/services/inn.fc
+++ b/policy/modules/services/inn.fc
@@ -4,6 +4,7 @@
#
/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0)
/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0)
+/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0)
#
# /usr
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 55ff9e4..c390f23 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -54,8 +54,7 @@ interface(`inn_manage_log',`
')
logging_rw_generic_log_dirs($1)
- allow $1 innd_log_t:dir search;
- allow $1 innd_log_t:file manage_file_perms;
+ manage_files_pattern($1, innd_log_t, innd_log_t)
')
########################################
@@ -176,3 +175,51 @@ interface(`inn_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, innd_exec_t, innd_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an inn environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the inn domain.
+##
+##
+##
+#
+interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+ type news_spool_t, innd_var_lib_t;
+ type innd_var_run_t, innd_initrc_exec_t;
+ ')
+
+ allow $1 innd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, innd_t)
+
+ init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 innd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, innd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, innd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, innd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, innd_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, news_spool_t)
+')
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 8cdce84..31e66c5 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn, 1.6.0)
+policy_module(inn, 1.6.1)
########################################
#
@@ -12,6 +12,9 @@ init_daemon_domain(innd_t, innd_exec_t)
type innd_etc_t;
files_config_file(innd_etc_t)
+type innd_initrc_exec_t;
+init_script_file(innd_initrc_exec_t)
+
type innd_log_t;
logging_log_file(innd_log_t)
@@ -22,7 +25,7 @@ type innd_var_run_t;
files_pid_file(innd_var_run_t)
type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
########################################
#
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 06ea746..4c9acec 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
+
/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index 4d1a931..9878499 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -13,3 +13,44 @@
interface(`jabber_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+##
+## All of the rules required to administrate
+## an jabber environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the jabber domain.
+##
+##
+##
+#
+interface(`jabber_admin',`
+ gen_require(`
+ type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ type jabberd_var_run_t, jabberd_initrc_exec_t;
+ ')
+
+ allow $1 jabberd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, jabberd_t)
+
+ init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 jabberd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, jabberd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, jabberd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, jabberd_var_run_t)
+')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index e152dbc..3e4e036 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber, 1.5.0)
+policy_module(jabber, 1.5.1)
########################################
#
@@ -10,6 +10,9 @@ type jabberd_t;
type jabberd_exec_t;
init_daemon_domain(jabberd_t, jabberd_exec_t)
+type jabberd_initrc_exec_t;
+init_script_file(jabberd_initrc_exec_t)
+
type jabberd_log_t;
logging_log_file(jabberd_log_t)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 06bf2ea..87dbda3 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -53,3 +53,47 @@ interface(`ntp_domtrans_ntpdate',`
corecmd_search_bin($1)
domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
')
+
+########################################
+##
+## All of the rules required to administrate
+## an ntp environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the ntp domain.
+##
+##
+##
+#
+interface(`ntp_admin',`
+ gen_require(`
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+ type ntpd_key_t, ntpd_var_lib_t, ntpd_var_run_t;
+ type ntpd_initrc_exec_t;
+ ')
+
+ allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ntpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, ntpd_key_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ntpd_log_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ntpd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ntpd_var_run_t)
+')
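Review bot: `ntp_admin` requires `ntpd_var_lib_t` in its `gen_require` block but never grants access to it — either drop it from the require block or add `files_list_var_lib($1)` / `admin_pattern($1, ntpd_var_lib_t)` alongside the other admin patterns. `ntpd_key_t` gets an `admin_pattern` with no listing interface for its parent directory; if the keys live under /etc (the name suggests so, but this hunk does not show it), `files_list_etc($1)` should precede it. The `allow $1 ntpd_t:process { ptrace signal_perms getattr }` line keeps `getattr`, which this same commit removes from `radvd_admin` and `rwho_admin` and which none of the other new admin interfaces use, since `ps_process_pattern` appears to grant it already. `ntp.te` only bumps the module version here, so `ntpd_initrc_exec_t` must already be declared elsewhere in the module for the `gen_require` to resolve.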
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c5acc6f..bfd2b7e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.6.2)
+policy_module(ntp, 1.6.3)
########################################
#
diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc
index 945acea..4361cb6 100644
--- a/policy/modules/services/postfixpolicyd.fc
+++ b/policy/modules/services/postfixpolicyd.fc
@@ -1,4 +1,5 @@
/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0)
/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
index bafa81c..feae93b 100644
--- a/policy/modules/services/postfixpolicyd.if
+++ b/policy/modules/services/postfixpolicyd.if
@@ -1 +1,40 @@
## Postfix policy server
+
+########################################
+##
+## All of the rules required to administrate
+## an postfixpolicyd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the postfixpolicyd domain.
+##
+##
+##
+#
+interface(`postfixpolicyd_admin',`
+ gen_require(`
+ type postfix_policyd_t, postfix_policyd_conf_t;
+ type postfix_policyd_var_run_t;
+ type postfix_policyd_initrc_exec_t;
+ ')
+
+ allow $1 postfix_policyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postfix_policyd_t)
+
+ init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postfix_policyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, postfix_policyd_conf_t)
+
+ files_list_pids($1)
+ admin_pattern($1, postfix_policyd_var_run_t)
+')
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index b9d8665..95f2ae2 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -1,5 +1,5 @@
-policy_module(postfixpolicyd, 1.0.0)
+policy_module(postfixpolicyd, 1.0.1)
########################################
#
@@ -13,6 +13,9 @@ init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
type postfix_policyd_conf_t;
files_config_file(postfix_policyd_conf_t)
+type postfix_policyd_initrc_exec_t;
+init_script_file(postfix_policyd_initrc_exec_t)
+
type postfix_policyd_var_run_t;
files_pid_file(postfix_policyd_var_run_t)
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc
index 6f48bb0..cf707fb 100644
--- a/policy/modules/services/radius.fc
+++ b/policy/modules/services/radius.fc
@@ -1,6 +1,7 @@
/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
+/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0)
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index b8a1477..9a78598 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -24,28 +24,39 @@ interface(`radius_use',`
## Domain allowed access.
##
##
+##
+##
+## Role allowed access.
+##
+##
##
#
interface(`radius_admin',`
gen_require(`
type radiusd_t, radiusd_etc_t, radiusd_log_t;
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radiusd_initrc_exec_t;
')
allow $1 radiusd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, radiusd_t)
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radiusd_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_etc($1)
- manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
+ admin_pattern($1, radiusd_etc_t)
logging_list_logs($1)
- manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
+ admin_pattern($1, radiusd_log_t)
- manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
+ admin_pattern($1, radiusd_etc_rw_t)
files_list_var_lib($1)
- manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
+ admin_pattern($1, radiusd_var_lib_t)
files_list_pids($1)
- manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
+ admin_pattern($1, radiusd_var_run_t)
')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index c280a52..61f8edf 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius, 1.8.0)
+policy_module(radius, 1.8.1)
########################################
#
@@ -16,6 +16,9 @@ files_config_file(radiusd_etc_t)
type radiusd_etc_rw_t;
files_type(radiusd_etc_rw_t)
+type radiusd_initrc_exec_t;
+init_script_file(radiusd_initrc_exec_t)
+
type radiusd_log_t;
logging_log_file(radiusd_log_t)
@@ -34,12 +37,11 @@ files_pid_file(radiusd_var_run_t)
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { setsched signal };
+allow radiusd_t self:process { getsched setsched sigkill signal };
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
allow radiusd_t self:udp_socket create_socket_perms;
-allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
allow radiusd_t radiusd_etc_t:dir list_dir_perms;
read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
@@ -74,8 +76,12 @@ corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_all_nodes(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
+corenet_tcp_connect_mysqld_port(radiusd_t)
+corenet_tcp_connect_snmp_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
corenet_sendrecv_radacct_server_packets(radiusd_t)
+corenet_sendrecv_mysqld_client_packets(radiusd_t)
+corenet_sendrecv_snmp_client_packets(radiusd_t)
# for RADIUS proxy port
corenet_udp_bind_generic_port(radiusd_t)
corenet_dontaudit_udp_bind_all_ports(radiusd_t)
@@ -86,9 +92,6 @@ dev_read_sysfs(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
-auth_read_shadow(radiusd_t)
-auth_domtrans_chk_passwd(radiusd_t)
-
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
@@ -98,6 +101,10 @@ files_read_usr_files(radiusd_t)
files_read_etc_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t)
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
libs_use_ld_so(radiusd_t)
libs_use_shared_libs(radiusd_t)
libs_exec_lib_files(radiusd_t)
@@ -107,8 +114,6 @@ logging_send_syslog_msg(radiusd_t)
miscfiles_read_localization(radiusd_t)
miscfiles_read_certs(radiusd_t)
-sysnet_read_config(radiusd_t)
-
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
sysadm_dontaudit_search_home_dirs(radiusd_t)
@@ -123,7 +128,8 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(radiusd_t)
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
')
optional_policy(`
diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc
index c699ccd..cc98d83 100644
--- a/policy/modules/services/radvd.fc
+++ b/policy/modules/services/radvd.fc
@@ -1,5 +1,5 @@
-
/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0)
+/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0)
/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index 596e3f4..be05bff 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
@@ -10,20 +10,30 @@
## Domain allowed access.
##
##
+##
+##
+## Role allowed access.
+##
+##
##
#
interface(`radvd_admin',`
gen_require(`
type radvd_t, radvd_etc_t;
- type radvd_var_run_t;
+ type radvd_var_run_t, radvd_initrc_exec_t;
')
- allow $1 radvd_t:process { ptrace signal_perms getattr };
+ allow $1 radvd_t:process { ptrace signal_perms };
ps_process_pattern($1, radvd_t)
+ init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 radvd_initrc_exec_t system_r;
+ allow $2 system_r;
+
files_list_etc($1)
- manage_files_pattern($1, radvd_etc_t, radvd_etc_t)
+ admin_pattern($1, radvd_etc_t)
files_list_pids($1)
- manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
+ admin_pattern($1, radvd_var_run_t)
')
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 2a32e53..6c8904b 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd, 1.8.0)
+policy_module(radvd, 1.8.1)
########################################
#
@@ -9,6 +9,9 @@ type radvd_t;
type radvd_exec_t;
init_daemon_domain(radvd_t, radvd_exec_t)
+type radvd_initrc_exec_t;
+init_script_file(radvd_initrc_exec_t)
+
type radvd_var_run_t;
files_pid_file(radvd_var_run_t)
@@ -27,6 +30,7 @@ allow radvd_t self:unix_stream_socket create_socket_perms;
allow radvd_t self:rawip_socket create_socket_perms;
allow radvd_t self:tcp_socket create_stream_socket_perms;
allow radvd_t self:udp_socket create_socket_perms;
+allow radvd_t self:fifo_file rw_file_perms;
allow radvd_t radvd_etc_t:file read_file_perms;
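Review bot: `allow radvd_t self:fifo_file rw_file_perms;` applies the generic file permission set to a fifo; the refpolicy idiom, used by the `bitlbee.te` and `radius.te` hunks in this same commit, is the fifo-specific set, `allow radvd_t self:fifo_file rw_fifo_file_perms;`. Keeping the class-specific permission set is what the rest of the tree does and avoids granting permissions that do not apply to fifos. The local-policy block continues outside the hunk.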
diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc
index 7aa6ae0..bc048ce 100644
--- a/policy/modules/services/rwho.fc
+++ b/policy/modules/services/rwho.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0)
+
/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 523086e..7da7060 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -126,19 +126,30 @@ interface(`rwho_manage_spool_files',`
## Domain allowed access.
##
##
+##
+##
+## The role allowed access.
+##
+##
##
#
interface(`rwho_admin',`
gen_require(`
type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_initrc_exec_t;
')
- allow $1 rwho_t:process { ptrace signal_perms getattr };
+ allow $1 rwho_t:process { ptrace signal_perms };
ps_process_pattern($1, rwho_t)
-
+
+ init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rwho_initrc_exec_t system_r;
+ allow $2 system_r;
+
logging_list_logs($1)
- manage_files_pattern($1, rwho_log_t, rwho_log_t)
+ admin_pattern($1, rwho_log_t)
files_list_spool($1)
- manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ admin_pattern($1, rwho_spool_t)
')
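Review bot: The documentation for the new `$2` parameter reads "The role allowed access." (the added line after "Domain allowed access."), whereas the other admin interfaces in this commit describe it as "The role to be allowed to manage the X domain." (tor, zabbix and zebra); for a consistent generated reference, change it to `## The role to be allowed to manage the rwho domain.`. The interface's header block starts above this hunk, so the summary line cannot be checked here. Nothing else in the hunk looks wrong: the gen_require, process permissions and admin_pattern calls match the pattern used for the other services.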
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index 21c9fd2..a5de93e 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho, 1.4.0)
+policy_module(rwho, 1.4.1)
########################################
#
@@ -10,6 +10,9 @@ type rwho_t;
type rwho_exec_t;
init_daemon_domain(rwho_t, rwho_exec_t)
+type rwho_initrc_exec_t;
+init_script_file(rwho_initrc_exec_t)
+
type rwho_log_t;
files_type(rwho_log_t)
diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc
index b930d5f..d89b2cb 100644
--- a/policy/modules/services/soundserver.fc
+++ b/policy/modules/services/soundserver.fc
@@ -1,4 +1,5 @@
/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0)
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
@@ -6,5 +7,7 @@
/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
index 4d862d9..93fe7bf 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
@@ -13,3 +13,45 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+##
+## All of the rules required to administrate
+## an soundd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the soundd domain.
+##
+##
+##
+#
+interface(`soundserver_admin',`
+ gen_require(`
+ type soundd_t, soundd_etc_t;
+ type soundd_tmp_t, soundd_var_run_t;
+ type soundd_initrc_exec_t;
+ ')
+
+ allow $1 soundd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, soundd_t)
+
+ init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 soundd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_etc($1)
+ admin_pattern($1, soundd_etc_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, soundd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, soundd_var_run_t)
+')
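Review bot: `soundserver_admin` gives the admin domain no access to `soundd_state_t`, even though the same commit declares it in soundserver.te and labels `/var/state/yiff(/.*)?` with it in soundserver.fc, so an administrator of this domain cannot manage or relabel the yiff state directory the way it can the etc, tmp and pid files. Adding `files_list_var($1)` followed by `admin_pattern($1, soundd_state_t)` (with `type soundd_state_t;` in the gen_require) would close that gap; whether `files_list_var` is the right listing interface for `/var/state` should be confirmed. Separately, the summary "an soundd environment" should read "a soundd environment" (the squid interface added later in this diff has the same "an squid" slip).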
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 7c41c35..c13f000 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver, 1.5.0)
+policy_module(soundserver, 1.5.1)
########################################
#
@@ -11,7 +11,10 @@ type soundd_exec_t;
init_daemon_domain(soundd_t, soundd_exec_t)
type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
+
+type soundd_initrc_exec_t;
+init_script_file(soundd_initrc_exec_t)
type soundd_state_t;
files_type(soundd_state_t)
@@ -31,16 +34,18 @@ files_pid_file(soundd_var_run_t)
# Declarations
#
+allow soundd_t self:capability dac_override;
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:tcp_socket create_stream_socket_perms;
allow soundd_t self:udp_socket create_socket_perms;
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
# for yiff
allow soundd_t self:shm create_shm_perms;
-allow soundd_t soundd_etc_t:dir list_dir_perms;
-allow soundd_t soundd_etc_t:file read_file_perms;
-allow soundd_t soundd_etc_t:lnk_file { getattr read };
+read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
+read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t)
manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t)
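Review bot: `allow soundd_t self:capability dac_override;` is added at the top of the local policy with no comment recording which access needs it, and because dac_override bypasses every discretionary permission check on the files the domain can already reach, it is the rule in this hunk a later reviewer will most want to justify or remove. The file already annotates unusual rules (the `# for yiff` line above the shm rule), so a one-line comment in the same style would fit, e.g. `# dac_override: TODO record the denied access that required this (audit log) before keeping it`. The new `connectto` on the domain's own unix_stream_socket deserves the same treatment if it was driven by a specific denial. The rest of the hunk (read_files_pattern/read_lnk_files_pattern for soundd_etc_t) is a straight replacement of the three removed allow rules.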
@@ -55,8 +60,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-files_pid_filetrans(soundd_t, soundd_var_run_t, file)
+manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
+files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
@@ -100,6 +107,10 @@ userdom_dontaudit_use_unpriv_user_fds(soundd_t)
sysadm_dontaudit_search_home_dirs(soundd_t)
optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
index 48f46c5..80e894b 100644
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 64651a1..5b012ce 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -168,3 +168,48 @@ interface(`squid_manage_logs',`
interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+##
+## All of the rules required to administrate
+## an squid environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the squid domain.
+##
+##
+##
+#
+interface(`squid_admin',`
+ gen_require(`
+ type squid_t, squid_cache_t, squid_conf_t;
+ type squid_log_t, squid_var_run_t;
+ type squid_initrc_exec_t;
+ ')
+
+ allow $1 squid_t:process { ptrace signal_perms };
+ ps_process_pattern($1, squid_t)
+
+ init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 squid_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var($1)
+ admin_pattern($1, squid_cache_t)
+
+ files_list_etc($1)
+ admin_pattern($1, squid_conf_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, squid_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, squid_var_run_t)
+')
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index e4e3390..f72c6b1 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid, 1.6.1)
+policy_module(squid, 1.6.2)
########################################
#
@@ -156,6 +156,8 @@ sysadm_dontaudit_search_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
+ corenet_sendrecv_all_packets(squid_t)
')
optional_policy(`
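Review bot: The `squid_connect_any` tunable now also grants `corenet_tcp_bind_all_ports(squid_t)`, which lets the proxy listen on any TCP port rather than only connect out, so the boolean's effect no longer matches its name. Either the tunable's description (declared above this hunk) should state that enabling it also permits binding any port, or the bind permission should sit under its own boolean so that operators who only want outbound connections to arbitrary ports do not silently allow arbitrary listeners. `corenet_sendrecv_all_packets` is consistent with either choice. The enclosing tunable_policy block starts inside the hunk but the declaration it depends on does not.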
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index ea34c2a..150f5c0 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -20,10 +20,10 @@ interface(`tftp_admin',`
allow $1 tftpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tftpd_t)
- manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ admin_pattern($1, tftpdir_rw_t)
- manage_files_pattern($1, tftpdir_t, tftpdir_t)
+ admin_pattern($1, tftpdir_t)
files_list_pids($1)
- manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
+ admin_pattern($1, tftpd_var_run_t)
')
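Review bot: `tftp_admin` keeps `getattr` in its process permission set (a context line at the top of the hunk) while this commit drops it from the radvd, rwho, zabbix and zebra admin interfaces, presumably because `ps_process_pattern` already covers it; `tor_admin` and `uucp_admin`, also touched by this diff, are left in the same state. If that reading is right, trimming the three to `allow $1 tftpd_t:process { ptrace signal_perms };` (and the tor/uucp equivalents) keeps the admin interfaces uniform. Note also that `tftp_admin` does not receive the init-script domtrans and role_transition block the other interfaces gain; if that is because no tftpd init-script type exists it is fine, but it leaves this interface with no `$2` role parameter while the others now require one. The interface's gen_require block starts above this hunk.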
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 00c2052..a47d936 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp, 1.8.0)
+policy_module(tftp, 1.8.1)
########################################
#
@@ -37,7 +37,6 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
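Review bot: Removing `allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;` is a separate change from the nsswitch consolidation done further down (the added `auth_use_nsswitch(tftpd_t)` replacing sysnet_read_config, sysnet_use_ldap, nis_use_ypbind and nscd_socket_use), and it is only safe if `auth_use_nsswitch` supplies the route-socket access itself; the libc resolver commonly opens a netlink route socket, so if it does not, name lookups by tftpd would now be denied. Worth confirming against the interface, or keeping the line with a comment such as `# route socket needed by the resolver` until it is. The other removals in this file are consistent with the consolidation and do not need separate review.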
@@ -80,6 +79,8 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
+auth_use_nsswitch(tftpd_t)
+
libs_use_ld_so(tftpd_t)
libs_use_shared_libs(tftpd_t)
@@ -88,11 +89,7 @@ logging_send_syslog_msg(tftpd_t)
miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
-sysnet_read_config(tftpd_t)
-sysnet_use_ldap(tftpd_t)
-
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-
sysadm_dontaudit_use_ttys(tftpd_t)
sysadm_dontaudit_search_home_dirs(tftpd_t)
@@ -105,14 +102,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(tftpd_t)
-')
-
-optional_policy(`
- nscd_socket_use(tftpd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(tftpd_t)
')
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index 8190cc6..4e786ae 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 95b88c6..904f13e 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -28,26 +28,37 @@ interface(`tor_domtrans',`
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the tor domain.
+##
+##
##
#
interface(`tor_admin',`
gen_require(`
type tor_t, tor_var_log_t, tor_etc_t;
type tor_var_lib_t, tor_var_run_t;
+ type tor_initrc_exec_t;
')
allow $1 tor_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, tor_t)
-
- logging_list_logs($1)
- manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 tor_initrc_exec_t system_r;
+ allow $2 system_r;
files_list_etc($1)
- manage_files_pattern($1, tor_etc_t, tor_etc_t)
+ admin_pattern($1, tor_etc_t)
files_list_var_lib($1)
- manage_files_pattern($1, tor_var_lib_t, tor_var_lib_t)
+ admin_pattern($1, tor_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, tor_var_log_t)
files_list_pids($1)
- manage_files_pattern($1, tor_var_run_t, tor_var_run_t)
+ admin_pattern($1, tor_var_run_t)
')
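Review bot: A point of style: in `tor_admin` the init-script block ends with `allow $2 system_r;` and `files_list_etc($1)` follows immediately, whereas the interfaces introduced by this commit (apcupsd, soundserver, squid) separate that block from the per-type blocks with a blank line; `zabbix_admin` and `zebra_admin` in this same diff have the identical missing blank line. Inserting a blank line after `allow $2 system_r;` in all three keeps the layout uniform. The interface header for `tor_admin` starts above the hunk.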
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 2d5ac0e..765ebb7 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor, 1.4.0)
+policy_module(tor, 1.4.1)
########################################
#
@@ -14,6 +14,9 @@ init_daemon_domain(tor_t, tor_exec_t)
type tor_etc_t;
files_config_file(tor_etc_t)
+type tor_initrc_exec_t;
+init_script_file(tor_initrc_exec_t)
+
# var/lib/tor
type tor_var_lib_t;
files_type(tor_var_lib_t)
@@ -31,6 +34,7 @@ files_pid_file(tor_var_run_t)
# tor local policy
#
+allow tor_t self:capability { setgid setuid };
allow tor_t self:fifo_file { read write };
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
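Review bot: `allow tor_t self:capability { setgid setuid };` is added without a comment; since these two capabilities let the daemon change its own uid and gid, the policy should record why they are needed so a later reviewer can judge whether they still are. A hedged one-liner in the file's comment style would do, e.g. `# setuid/setgid: privilege drop to the account in tor's User option -- confirm`. The local policy section this sits in begins at the hunk's context header.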
@@ -86,13 +90,13 @@ domain_use_interactive_fds(tor_t)
files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)
+auth_use_nsswitch(tor_t)
+
libs_use_ld_so(tor_t)
libs_use_shared_libs(tor_t)
miscfiles_read_localization(tor_t)
-sysnet_dns_name_resolve(tor_t)
-
optional_policy(`
seutil_sigchld_newrole(tor_t)
')
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 92b58fe..7a9bb27 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -83,19 +83,19 @@ interface(`uucp_admin',`
allow $1 uucpd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, uucpd_t)
- files_list_tmp($1)
- manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
-
logging_list_logs($1)
- manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
+ admin_pattern($1, uucpd_log_t)
files_list_spool($1)
- manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
+ admin_pattern($1, uucpd_spool_t)
- manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
+ admin_pattern($1, uucpd_ro_t)
- manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
+ admin_pattern($1, uucpd_rw_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, uucpd_tmp_t)
files_list_pids($1)
- manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
+ admin_pattern($1, uucpd_var_run_t)
')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 127887d..ac53fac 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp, 1.7.0)
+policy_module(uucp, 1.7.1)
########################################
#
@@ -116,6 +116,8 @@ corecmd_exec_bin(uux_t)
files_read_etc_files(uux_t)
+fs_rw_anon_inodefs_files(uux_t)
+
libs_use_ld_so(uux_t)
libs_use_shared_libs(uux_t)
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index ec24072..3102286 100644
--- a/policy/modules/services/zabbix.fc
+++ b/policy/modules/services/zabbix.fc
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 7a83ada..c84cfe4 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -87,19 +87,30 @@ interface(`zabbix_read_pid_files',`
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the zabbix domain.
+##
+##
##
#
interface(`zabbix_admin',`
gen_require(`
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t;
')
- allow $1 zabbix_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, zabbix_t, zabbix_t)
+ allow $1 zabbix_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zabbix_t)
+
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zabbix_initrc_exec_t system_r;
+ allow $2 system_r;
logging_list_logs($1)
- manage_files_pattern($1, zabbix_log_t, zabbix_log_t)
+ admin_pattern($1, zabbix_log_t)
files_list_pids($1)
- manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t)
+ admin_pattern($1, zabbix_var_run_t)
')
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 370d5f2..8e4926e 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -1,5 +1,5 @@
-policy_module(zabbix, 1.1.0)
+policy_module(zabbix, 1.1.1)
########################################
#
@@ -10,6 +10,9 @@ type zabbix_t;
type zabbix_exec_t;
init_daemon_domain(zabbix_t, zabbix_exec_t)
+type zabbix_initrc_exec_t;
+init_script_file(zabbix_initrc_exec_t)
+
# log files
type zabbix_log_t;
logging_log_file(zabbix_log_t)
diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc
index 33c70f1..70f2267 100644
--- a/policy/modules/services/zebra.fc
+++ b/policy/modules/services/zebra.fc
@@ -1,3 +1,9 @@
+/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index bd9f6bc..0e19ff3 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -32,26 +32,37 @@ interface(`zebra_read_config',`
## Domain allowed access.
##
##
+##
+##
+## The role to be allowed to manage the zebra domain.
+##
+##
##
#
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
type zebra_conf_t, zebra_var_run_t;
+ type zebra_initrc_exec_t;
')
- allow $1 zebra_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, zebra_t, zebra_t)
-
- files_list_tmp($1)
- manage_files_pattern($1, zebra_tmp_t, zebra_tmp_t)
+ allow $1 zebra_t:process { ptrace signal_perms };
+ ps_process_pattern($1, zebra_t)
+
+ init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 zebra_initrc_exec_t system_r;
+ allow $2 system_r;
+ files_list_etc($1)
+ admin_pattern($1, zebra_conf_t)
+
logging_list_logs($1)
- manage_files_pattern($1, zebra_log_t, zebra_log_t)
+ admin_pattern($1, zebra_log_t)
- files_list_etc($1)
- manage_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ files_list_tmp($1)
+ admin_pattern($1, zebra_tmp_t)
files_list_pids($1)
- manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t)
+ admin_pattern($1, zebra_var_run_t)
')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 5b29a09..e4bb1ff 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra, 1.7.0)
+policy_module(zebra, 1.7.1)
########################################
#
@@ -21,6 +21,9 @@ init_daemon_domain(zebra_t, zebra_exec_t)
type zebra_conf_t;
files_type(zebra_conf_t)
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
type zebra_log_t;
logging_log_file(zebra_log_t)
@@ -37,7 +40,7 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
-allow zebra_t self:process { signal_perms setcap };
+allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:file { ioctl read write getattr lock append };
allow zebra_t self:unix_dgram_socket create_socket_perms;
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -64,6 +67,7 @@ manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file })
kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 54a9dac..bdd500c 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -537,3 +537,17 @@ define(`filetrans_pattern',`
allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3;
')
+
+define(`admin_pattern',`
+ manage_dirs_pattern($1,$2,$2)
+ manage_files_pattern($1,$2,$2)
+ manage_lnk_files_pattern($1,$2,$2)
+ manage_fifo_files_pattern($1,$2,$2)
+ manage_sock_files_pattern($1,$2,$2)
+
+ relabel_dirs_pattern($1,$2,$2)
+ relabel_files_pattern($1,$2,$2)
+ relabel_lnk_files_pattern($1,$2,$2)
+ relabel_fifo_files_pattern($1,$2,$2)
+ relabel_sock_files_pattern($1,$2,$2)
+')
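Review bot: The new `admin_pattern` macro has no header comment stating its contract, and since it grants both manage and relabel permissions on every file class of type `$2` (dirs, files, symlinks, fifos and sockets) it is the broadest pattern in this file and the one every `*_admin` interface in this commit now depends on. A short comment above the define, such as `# admin_pattern(domain, type): full manage + relabel of dirs, files, lnk, fifo and sock files of type $2; intended for *_admin interfaces only`, would make the scope explicit at the point of definition. The argument spacing `$1,$2,$2` also differs from the `$1, $2, $2` form used by the callers elsewhere in this diff; either style works for m4, but matching the callers reads better.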