diff --git a/apache.te b/apache.te index 3226dec..e9c7099 100644 --- a/apache.te +++ b/apache.te @@ -1028,6 +1028,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) + nagios_read_lib(httpd_t) nagios_read_log(httpd_t) ') diff --git a/chrome.te b/chrome.te index f50b201..5c852ff 100644 --- a/chrome.te +++ b/chrome.te @@ -35,7 +35,7 @@ allow chrome_sandbox_t self:capability2 block_suspend; allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; dontaudit chrome_sandbox_t self:capability sys_nice; allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; -allow chrome_sandbox_t self:process setsched; +allow chrome_sandbox_t self:process { setcap setsched }; allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -60,6 +60,8 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir }) kernel_read_system_state(chrome_sandbox_t) kernel_read_kernel_sysctls(chrome_sandbox_t) +auth_dontaudit_read_passwd(chrome_sandbox_t) + fs_manage_cgroup_dirs(chrome_sandbox_t) fs_manage_cgroup_files(chrome_sandbox_t) fs_read_dos_files(chrome_sandbox_t) diff --git a/cron.te b/cron.te index 0ee059a..9d2cd2d 100644 --- a/cron.te +++ b/cron.te @@ -27,6 +27,14 @@ gen_tunable(cron_can_relabel, false) gen_tunable(cron_userdomain_transition, true) ## +##

+## Allow system cronjob to be executed on +## on NFS, CIFS or FUSE filesystem. +##

+##
+gen_tunable(cron_system_cronjob_use_shares, false) + +## ##

## Enable extra rules in the cron domain ## to support fcron. @@ -404,6 +412,12 @@ manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) # for this purpose. allow system_cronjob_t system_cron_spool_t:file entrypoint; +tunable_policy(`cron_system_cronjob_use_shares',` + fs_fusefs_entrypoint(system_cronjob_t) + fs_nfs_entrypoint(system_cronjob_t) + fs_cifs_entrypoint(system_cronjob_t) +') + # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic diff --git a/ctdb.if b/ctdb.if index e99c5c6..ffc5497 100644 --- a/ctdb.if +++ b/ctdb.if @@ -38,6 +38,23 @@ interface(`ctdbd_initrc_domtrans',` init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) ') +####################################### +##
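Review bot: The tunable_policy block for `cron_system_cronjob_use_shares` grants system_cronjob_t an entrypoint on fusefs, nfs and cifs, and those filesystems normally carry one label for the whole mount, so once the boolean is on any file on any such share can become the entry point of a system cron job; the default of false is the right one, and a comment above the block would let an admin weigh that, e.g. `# Shares carry one label for the whole mount: any file on them becomes a valid entrypoint once this is on.` In the first cron.te hunk the tunable description reads "executed on on NFS", a doubled word, which should be fixed in the same commit. The `# Permit a transition from the crond_t domain` comment the hunk ends in continues outside it.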

+## Allow domain to signal ctdbd. +## +## +## +## Domain allowed access. +## +## +# +interface(`ctdbd_signal',` + gen_require(` + type ctdbd_t; + ') + allow $1 ctdbd_t:process signal; +') + ######################################## ## ## Read ctdbd's log files. @@ -100,26 +117,26 @@ interface(`ctdbd_manage_log',` ######################################## ## -## Search ctdbd lib directories. +## Manage ctdbd lib files. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -interface(`ctdbd_search_lib',` - gen_require(` - type ctdbd_var_lib_t; - ') +interface(`ctdbd_manage_var_files',` + gen_require(` + type ctdbd_var_t; + ') - allow $1 ctdbd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) + files_search_var_lib($1) + manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t) ') ######################################## ## -## Read ctdbd lib files. +## Search ctdbd lib directories. ## ## ## @@ -127,18 +144,18 @@ interface(`ctdbd_search_lib',` ## ## # -interface(`ctdbd_read_lib_files',` +interface(`ctdbd_search_lib',` gen_require(` type ctdbd_var_lib_t; ') + allow $1 ctdbd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) - read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ') ######################################## ## -## Manage ctdbd lib files. +## Read ctdbd lib files. ## ## ## @@ -146,13 +163,13 @@ interface(`ctdbd_read_lib_files',` ## ## # -interface(`ctdbd_manage_lib_files',` +interface(`ctdbd_read_lib_files',` gen_require(` type ctdbd_var_lib_t; ') files_search_var_lib($1) - manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) + read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ') ######################################## 
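Review bot: `ctdbd_signal` has no blank line between the `gen_require` block and the `allow $1 ctdbd_t:process signal;` line, unlike every neighbouring interface in this file (compare `ctdbd_search_lib` later in the diff, which keeps the blank); add it so the file stays uniform. The rule of `#` characters above the new block also appears one character shorter than the `########################################` used by the blocks around it, though the collapsed rendering makes that hard to count for certain. The reorder hunks that follow (`@@ -100,26 +117,26 @@` onwards) replace `## <param>` and `gen_require` lines with identical-looking ones, which suggests whitespace-only churn; if that is tab/space normalisation it would be easier to review as its own commit.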
@@ -165,13 +182,13 @@ interface(`ctdbd_manage_lib_files',` ## ## # -interface(`ctdbd_manage_var_files',` +interface(`ctdbd_manage_lib_files',` gen_require(` - type ctdbd_var_t; + type ctdbd_var_lib_t; ') files_search_var_lib($1) - manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t) + manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ') ######################################## diff --git a/ctdb.te b/ctdb.te index 2ab29db..4a84c8b 100644 --- a/ctdb.te +++ b/ctdb.te @@ -44,6 +44,7 @@ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; allow ctdbd_t self:packet_socket create_socket_perms; allow ctdbd_t self:tcp_socket create_stream_socket_perms; allow ctdbd_t self:udp_socket create_socket_perms; +allow ctdbd_t self:rawip_socket create_socket_perms; append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) @@ -75,6 +76,8 @@ manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) +can_exec(ctdbd_t, ctdbd_exec_t) + kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) @@ -89,6 +92,7 @@ corenet_udp_bind_generic_node(ctdbd_t) corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) corenet_udp_bind_ctdb_port(ctdbd_t) +corenet_tcp_bind_smbd_port(ctdbd_t) corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) @@ -110,6 +114,8 @@ logging_send_syslog_msg(ctdbd_t) miscfiles_read_public_files(ctdbd_t) +userdom_home_manager(ctdbd_t) + optional_policy(` consoletype_exec(ctdbd_t) ') @@ -123,6 +129,7 @@ optional_policy(` ') optional_policy(` + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) 
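Review bot: `allow ctdbd_t self:rawip_socket create_socket_perms;` is only effective if ctdbd_t also holds the net_raw capability, and the `self:capability` rule for ctdbd_t is outside the `@@ -44,6 +44,7 @@` hunk; if it does not already list net_raw the raw socket creation is still denied and the new line is dead, so check that rule and add `net_raw` there in the same commit if it is missing. A short comment naming what ctdb opens a raw IP socket for would also help, since nothing in the hunk explains it.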
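Review bot: `userdom_home_manager(ctdbd_t)` in the `@@ -110,6 +114,8 @@` hunk gives the cluster daemon create, write and delete rights over every user home directory and its content, which is far wider than anything else granted to ctdbd_t in this file, and the hunk carries no comment saying what ctdb writes there. If the need is one specific location (a share or state file under a home directory) a narrower interface or a boolean, as this series does for smbd with `samba_load_libgfapi`, would be preferable; otherwise at least add `# ctdb manages [WHAT] under user home dirs — confirm` above the call so the grant can be revisited.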
@@ -130,5 +137,10 @@ optional_policy(` ') optional_policy(` + samba_signull_winbind(ctdbd_t) + samba_signull_unconfined_net(ctdbd_t) +') + +optional_policy(` sysnet_domtrans_ifconfig(ctdbd_t) ') diff --git a/glusterd.if b/glusterd.if index c62ad86..fc9bf19 100644 --- a/glusterd.if +++ b/glusterd.if @@ -117,7 +117,84 @@ interface(`glusterd_manage_log',` manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) ') -######################################## +###################################### +## +## Allow the specified domain to execute gluster's lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gluster_execute_lib',` + gen_require(` + type glusterd_var_lib_t; + ') + + files_list_var_lib($1) + allow $1 glusterd_var_lib_t:dir search_dir_perms; + can_exec($1, glusterd_var_lib_t) +') + +###################################### +## +## Read glusterd's config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterd_read_conf',` + gen_require(` + type glusterd_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, glusterd_conf_t, glusterd_conf_t) +') + +###################################### +## +## Read and write /var/lib/glusterd files. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterd_rw_lib',` + gen_require(` + type glusterd_var_lib_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t) +') + +###################################### +## +## Read and write /var/lib/glusterd files. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterd_manage_lib_files',` + gen_require(` + type glusterd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t) +') + +###################################### ## ## All of the rules required to administrate ## an glusterd environment diff --git a/glusterd.te b/glusterd.te index fbc6a67..b974353 100644 --- a/glusterd.te +++ b/glusterd.te 
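Review bot: `gluster_execute_lib` breaks the `glusterd_*` prefix every other interface in this file uses, so callers searching by prefix will not find it; rename it (for example `glusterd_exec_lib_files`) before it acquires users. The summary of `glusterd_manage_lib_files` was copied from `glusterd_rw_lib` ("Read and write /var/lib/glusterd files.") although the body grants manage_files_pattern; make it `## Create, read, write, and delete /var/lib/glusterd files.` so the documentation matches the grant. `gluster_execute_lib` also calls `files_list_var_lib($1)` where the sibling interfaces use `files_search_var_lib($1)`; listing /var/lib is more than locating one directory needs, so switch to the search variant unless the listing is deliberate. The `#` rules above the new blocks are visibly shorter than the one they replace at the top of the hunk.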
@@ -31,6 +31,7 @@ gen_tunable(gluster_export_all_rw, true)
 type glusterd_t;
 type glusterd_exec_t;
 init_daemon_domain(glusterd_t, glusterd_exec_t)
+domain_obj_id_change_exemption(glusterd_t)
 type glusterd_conf_t;
 files_type(glusterd_conf_t)
@@ -58,13 +59,16 @@ files_type(glusterd_brick_t)
 # Local policy
 #
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
 allow glusterd_t self:capability2 block_suspend;
-allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
+allow glusterd_t self:sem create_sem_perms;
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
 allow glusterd_t self:tcp_socket { accept listen };
 allow glusterd_t self:unix_stream_socket { accept listen connectto };
+allow glusterd_t self:rawip_socket create_socket_perms;
+allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
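Review bot: The `@@ -58,13 +59,16 @@` hunk leaves glusterd_t with two `self:unix_stream_socket` rules, the kept `{ accept listen connectto }` and the added `create_stream_socket_perms`; since create_stream_socket_perms already includes listen and accept, merge them into one line, `allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };`. The capability line also gains `sys_ptrace`, which for daemons is most often provoked by reading other processes' /proc entries rather than by attaching to them; unless gluster really uses ptrace, `dontaudit glusterd_t self:capability sys_ptrace;` is the safer change, so please say in a comment which case this is. `mknod` and `net_raw` arrive in the same line without explanation and deserve the same treatment.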
@@ -97,9 +101,13 @@ manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+relabel_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 can_exec(glusterd_t, glusterd_exec_t)
@@ -121,6 +129,7 @@ corenet_tcp_sendrecv_all_ports(glusterd_t)
 corenet_udp_sendrecv_all_ports(glusterd_t)
 corenet_tcp_bind_generic_node(glusterd_t)
 corenet_udp_bind_generic_node(glusterd_t)
+corenet_raw_bind_generic_node(glusterd_t)
 corenet_tcp_connect_gluster_port(glusterd_t)
 corenet_tcp_bind_gluster_port(glusterd_t)
@@ -141,11 +150,15 @@ corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 corenet_tcp_connect_all_unreserved_ports(glusterd_t)
 corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
 corenet_tcp_connect_ssh_port(glusterd_t)
+corenet_tcp_connect_all_rpc_ports(glusterd_t)
+corenet_tcp_connect_all_ports(glusterd_t)
 dev_read_sysfs(glusterd_t)
 dev_read_urand(glusterd_t)
+dev_read_rand(glusterd_t)
 domain_read_all_domains_state(glusterd_t)
+domain_getattr_all_sockets(glusterd_t)
 domain_use_interactive_fds(glusterd_t)
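Review bot: `corenet_tcp_connect_all_ports(glusterd_t)` in the `@@ -141,11 +150,15 @@` hunk makes the remaining connect rules around it redundant (`..._all_unreserved_ports`, `..._all_ephemeral_ports`, `..._ssh_port`, the newly added `..._all_rpc_ports`, and `corenet_tcp_connect_gluster_port` in the hunk above) and removes the one place where outbound connections from glusterd_t were still enumerated. Either keep the enumerated ports and drop the all_ports line, or, if gluster genuinely needs arbitrary outbound connections, put the all_ports line behind a boolean with a comment explaining the need, as this series does for smbd with `samba_load_libgfapi`. The `manage_blk_files_pattern`/`manage_chr_files_pattern` additions on brick content in the first hunk pair with the new `mknod` capability and would read better with one comment saying which gluster feature creates device nodes on bricks.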
@@ -155,13 +168,30 @@ fs_getattr_all_fs(glusterd_t)
 files_mounton_non_security(glusterd_t)
+files_dontaudit_read_security_files(glusterd_t)
+files_dontaudit_list_security_dirs(glusterd_t)
+
 storage_rw_fuse(glusterd_t)
+#needed by /usr/sbin/xfs_db
+storage_raw_read_fixed_disk(glusterd_t)
+storage_raw_write_fixed_disk(glusterd_t)
 auth_use_nsswitch(glusterd_t)
 fs_getattr_all_fs(glusterd_t)
+init_domtrans_script(glusterd_t)
+init_initrc_domain(glusterd_t)
+init_read_script_state(glusterd_t)
+init_rw_script_tmp_files(glusterd_t)
+init_manage_script_status_files(glusterd_t)
+
+systemd_config_systemd_services(glusterd_t)
+systemd_signal_passwd_agent(glusterd_t)
+
 logging_send_syslog_msg(glusterd_t)
+logging_dontaudit_search_audit_logs(glusterd_t)
+
 libs_exec_ldconfig(glusterd_t)
 miscfiles_read_localization(glusterd_t)
@@ -169,8 +199,15 @@ miscfiles_read_public_files(glusterd_t)
 userdom_manage_user_home_dirs(glusterd_t)
 userdom_filetrans_home_content(glusterd_t)
+userdom_read_user_tmp_files(glusterd_t)
+userdom_delete_user_tmp_files(glusterd_t)
+userdom_rw_user_tmp_files(glusterd_t)
+userdom_kill_all_users(glusterd_t)
 mount_domtrans(glusterd_t)
+
+fstools_domtrans(glusterd_t)
+
 tunable_policy(`gluster_anon_write',`
 miscfiles_manage_public_files(glusterd_t)
 ')
@@ -178,6 +215,8 @@ tunable_policy(`gluster_anon_write',`
 tunable_policy(`gluster_export_all_ro',`
 fs_read_noxattr_fs_files(glusterd_t)
 files_read_non_security_files(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
 ')
 tunable_policy(`gluster_export_all_rw',`
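Review bot: `storage_raw_write_fixed_disk(glusterd_t)` lets the daemon write raw block devices, the most powerful single rule added to glusterd_t in this series, and its justification `#needed by /usr/sbin/xfs_db` sits next to a `fstools_domtrans(glusterd_t)` added in the `@@ -169,8 +199,15 @@` hunk on the same line; if xfs_db carries fsadm_exec_t in this policy, that transition already runs it in fsadm_t with fsadm's own disk access, and the raw read/write rules on glusterd_t itself are unnecessary. Please confirm the label of xfs_db before keeping both, and if the raw rules stay, widen the comment to say which operation needs them from glusterd_t directly, e.g. `# xfs_db is run in glusterd_t itself (not via fstools_domtrans) for [REASON]`. `init_initrc_domain`/`init_domtrans_script` in this hunk and `userdom_kill_all_users` in the next turn glusterd_t into a service-management domain and would each benefit from a one-line comment naming the gluster hook that needs them.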
@@ -185,6 +224,45 @@ tunable_policy(`gluster_export_all_rw',`
 files_manage_non_security_dirs(glusterd_t)
 files_manage_non_security_files(glusterd_t)
 files_relabel_base_file_types(glusterd_t)
+ files_getattr_all_pipes(glusterd_t)
+ files_getattr_all_sockets(glusterd_t)
+')
+
+optional_policy(`
+ ctdbd_domtrans(glusterd_t)
+ ctdbd_signal(glusterd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(glusterd_t)
+ dbus_connect_system_bus(glusterd_t)
+
+ optional_policy(`
+ policykit_dbus_chat(glusterd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(glusterd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
+
+optional_policy(`
+ mount_domtrans_showmount(glusterd_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(glusterd_t)
+ samba_systemctl(glusterd_t)
+ samba_signal_smbd(glusterd_t)
+ samba_manage_config(glusterd_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(glusterd_t)
 ')
 optional_policy(`
@@ -197,5 +275,21 @@ optional_policy(`
 ')
 optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
+
+ rpc_domtrans_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+')
+
+optional_policy(`
+ rhcs_dbus_chat_cluster(glusterd_t)
+ rhcs_domtrans_cluster(glusterd_t)
+ rhcs_systemctl_cluster(glusterd_t)
+ rhcs_stream_connect_cluster(glusterd_t)
+')
+
+optional_policy(`
 ssh_exec(glusterd_t)
 ')
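Review bot: The new `optional_policy` blocks are not in the alphabetical order this file otherwise keeps: the `rpc_*` and `rhcs_*` blocks in the `@@ -197,5 +275,21 @@` hunk land after the existing `ssh_exec` block instead of before it, and `ssh_exec_keygen(glusterd_t)` gets a block of its own although an `ssh_exec(glusterd_t)` block already exists at the end of the file; move the rpc/rhcs blocks up and fold the keygen call into the existing ssh block. `samba_manage_config(glusterd_t)` lets glusterd rewrite smbd's configuration, which changes what samba exports; a comment naming the gluster hook script that edits that file would make the grant reviewable, and the same goes for `lvm_domtrans` and `rhcs_domtrans_cluster`, which each hand glusterd_t control of another privileged service.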
@@ -1,9 +1,15 @@
 /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
 /usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
 /usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
 /usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
 /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
 /var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
diff --git a/mongodb.te b/mongodb.te
index dec8a95..d3fdae4 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
 type mongod_initrc_exec_t;
 init_script_file(mongod_initrc_exec_t)
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
 type mongod_log_t;
 logging_log_file(mongod_log_t)
@@ -30,7 +33,7 @@ files_tmp_file(mongod_tmp_t)
 #
-allow mongod_t self:process { setsched signal };
+allow mongod_t self:process { setsched signal execmem };
 allow mongod_t self:fifo_file rw_fifo_file_perms;
 allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
@@ -69,6 +72,8 @@ corenet_tcp_connect_mongod_port(mongod_t)
 corenet_tcp_bind_mongod_port(mongod_t)
 corenet_tcp_bind_generic_node(mongod_t)
+auth_use_nsswitch(mongod_t)
+
 dev_read_sysfs(mongod_t)
 dev_read_urand(mongod_t)
diff --git a/mysql.fc b/mysql.fc
index 4a315d5..c2c13aa 100644
--- a/mysql.fc
+++ b/mysql.fc
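Review bot: Adding `execmem` in `allow mongod_t self:process { setsched signal execmem };` (the `@@ -30,7 +33,7 @@` hunk) lets the daemon map memory that is both writable and executable, giving up the W^X property confined domains otherwise keep, and nothing in the hunk says why. That is usually needed by an embedded JIT, but please state the actual consumer above the line, e.g. `# execmem: needed by the embedded JS engine JIT — confirm`, so the rule can be dropped when that component changes. In the mongodb.fc hunk, `/usr/libexec/mongodb-scl-helper` is labelled mongod_exec_t; if it is a shell wrapper, as the name suggests, it will run in mongod_t and need that domain's shell/bin execution rules, which is worth checking before the label lands.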
@@ -14,6 +14,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) # /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) +/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) /etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) /etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) @@ -24,6 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) diff --git a/mysql.te b/mysql.te index e14423d..976d57e 100644 --- a/mysql.te +++ b/mysql.te @@ -132,7 +132,7 @@ files_search_var_lib(mysqld_t) files_search_pids(mysqld_t) files_getattr_all_sockets(mysqld_t) -auth_use_nsswitch(mysqld_t) +auth_use_pam(mysqld_t) logging_send_syslog_msg(mysqld_t) diff --git a/nagios.if b/nagios.if index cad402c..438eeb3 100644 --- a/nagios.if +++ b/nagios.if @@ -34,6 +34,26 @@ template(`nagios_plugin_template',` ######################################## ## +## Execute the nagios unconfined plugins with +## a domain transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_domtrans_unconfined_plugins',` + gen_require(` + type nagios_unconfined_plugin_t; + type nagios_unconfined_plugin_exec_t; + ') + + domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) +') + +######################################## +## ## Do not audit attempts to read or write nagios ## unnamed pipes. ## 
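Review bot: Replacing `auth_use_nsswitch(mysqld_t)` with `auth_use_pam(mysqld_t)` in the mysql.te hunk is a much larger grant than a one-line change suggests: auth_use_pam brings the PAM helper access (password-check transition, audit messages, lastlog/faillog and more) into the whole database domain, presumably for a PAM authentication plugin, yet the hunk has no comment. Add `# PAM access is for the auth_pam server plugin — confirm` (or whatever the real consumer is) above the call, and confirm that auth_use_pam in this policy tree still includes the nsswitch access the removed line provided, so name resolution for the server does not regress. If only the plugin needs PAM, a boolean around the call would keep the default server footprint where it was.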
@@ -72,6 +92,25 @@ interface(`nagios_read_config',` allow $1 nagios_etc_t:file read_file_perms; files_search_etc($1) ') +###################################### +## +## Read nagios lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_read_lib',` + gen_require(` + type nagios_var_lib_t; + ') + + files_search_var($1) + list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t) + read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t) +') ###################################### ## diff --git a/nagios.te b/nagios.te index 75ed416..e4b8c8a 100644 --- a/nagios.te +++ b/nagios.te @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) # Declarations # +## +##
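Review bot: `nagios_read_lib` calls `files_search_var($1)` where the equivalent interfaces in this series (`ctdbd_read_lib_files`, `glusterd_rw_lib`) use `files_search_var_lib($1)`; without search on the var_lib directory type the caller cannot reach the nagios lib directory, so change the line to `files_search_var_lib($1)`. The new block is also pasted directly after the `')` of `nagios_read_config` and directly before the next `######` header with no separating blank lines, unlike every other block in the file.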

+## Allow nagios/nrpe to call sudo from NRPE utils scripts. +##

+##
+gen_tunable(nagios_run_sudo, false) + +## +##

+## Allow nagios run in conjunction with PNP4Nagios. +##

+##
+gen_tunable(nagios_run_pnp4nagios, false)
+
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+')
+
 attribute nagios_plugin_domain;
 type nagios_t;
@@ -124,7 +143,8 @@ files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
 manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file })
+manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
@@ -168,6 +188,35 @@ mta_send_mail(nagios_t)
 mta_signal_system_mail(nagios_t)
 mta_kill_system_mail(nagios_t)
+tunable_policy(`nagios_run_sudo',`
+ allow nagios_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nagios_t self:process { setrlimit setsched };
+
+ allow nagios_t self:key write;
+
+ allow nagios_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nagios_t)
+ auth_rw_faillog(nagios_t)
+
+ auth_domtrans_chkpwd(nagios_t)
+
+ selinux_compute_access_vector(nagios_t)
+
+ logging_send_audit_msgs(nagios_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nagios_t)
+ sudo_manage_db(nagios_t)
+ ')
+')
+
+tunable_policy(`nagios_run_pnp4nagios',`
+ allow nagios_t nagios_log_t:file execute;
+')
+
 optional_policy(`
 netutils_kill_ping(nagios_t)
 ')
@@ -222,7 +271,7 @@ optional_policy(`
 # Nrpe local policy
 #
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { setuid setgid kill };
 dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
 allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
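Review bot: The module-level `gen_require` in the `@@ -5,6 +5,25 @@` hunk lists the passwd class on two lines (`class passwd rootok;` and `class passwd passwd;`); the conventional form is a single `class passwd { passwd rootok };`. The description of the second tunable reads "Allow nagios run in conjunction with PNP4Nagios." and is missing "to" ("Allow nagios to run …"); the first description, "call sudo from NRPE utils scripts", would be clearer as "from NRPE plugin scripts" if that is what is meant, but the wording is the author's to settle.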
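Review bot: `allow nagios_t nagios_log_t:file execute;` behind `nagios_run_pnp4nagios` (the `@@ -168,6 +188,35 @@` hunk) lets nagios_t execute files in its own log type, which nagios_t presumably also writes (its log rules are outside this hunk), so with the boolean on anything the daemon or a plugin drops there becomes runnable; if PNP4Nagios needs a single helper run from that directory, giving that helper an executable type is tighter than execute on the whole log type, and either way the line needs a comment naming the PNP4Nagios component, e.g. `# pnp4nagios: [COMPONENT] is executed from the nagios log dir`. The fifteen-line `nagios_run_sudo` body added here is repeated verbatim for nrpe_t in the `@@ -272,6 +321,32 @@` hunk on the next line; a shared attribute or a local template would keep the two in sync, and `sys_ptrace` and `self:passwd rootok` inside that body deserve their own why-comments since they are not explained by "call sudo" alone.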
@@ -272,6 +321,32 @@ logging_send_syslog_msg(nrpe_t)
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+tunable_policy(`nagios_run_sudo',`
+ allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace };
+ allow nrpe_t self:process { setrlimit setsched };
+
+ allow nrpe_t self:key write;
+
+ allow nrpe_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(nrpe_t)
+ auth_rw_faillog(nrpe_t)
+
+ auth_domtrans_chkpwd(nrpe_t)
+
+ selinux_compute_access_vector(nrpe_t)
+
+ logging_send_audit_msgs(nrpe_t)
+')
+
+optional_policy(`
+ tunable_policy(`nagios_run_sudo',`
+ sudo_exec(nrpe_t)
+ sudo_manage_db(nrpe_t)
+ ')
+')
+
+
 optional_policy(`
 inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
@@ -434,6 +509,7 @@ kernel_read_kernel_sysctls(nagios_system_plugin_t)
 corecmd_exec_bin(nagios_system_plugin_t)
 corecmd_exec_shell(nagios_system_plugin_t)
+corecmd_getattr_all_executables(nagios_system_plugin_t)
 dev_read_sysfs(nagios_system_plugin_t)
diff --git a/passenger.te b/passenger.te
index 231f2e2..56fba2e 100644
--- a/passenger.te
+++ b/passenger.te
@@ -32,7 +32,7 @@ allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid
 allow passenger_t self:capability2 block_suspend;
 allow passenger_t self:process { setpgid setsched getsession signal_perms };
 allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:tcp_socket listen;
+allow passenger_t self:tcp_socket { accept listen };
 allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 can_exec(passenger_t, passenger_exec_t)
diff --git a/rhcs.if b/rhcs.if
index bf60580..29df561 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -864,6 +864,29 @@ interface(`rhcs_systemctl_cluster',` ps_process_pattern($1, cluster_t) ') +######################################## +## +## Send and receive messages from +## a cluster service over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_dbus_chat_cluster',` + gen_require(` + type cluster_t; + class dbus send_msg; + ') + + allow $1 cluster_t:dbus send_msg; + allow cluster_t $1:dbus send_msg; +') + + + ##################################### ## ## All of the rules required to administrate diff --git a/rhcs.te b/rhcs.te index 25c0f70..0706417 100644 --- a/rhcs.te +++ b/rhcs.te @@ -218,6 +218,8 @@ init_read_script_state(cluster_t) init_rw_script_tmp_files(cluster_t) init_manage_script_status_files(cluster_t) +systemd_dbus_chat_logind(cluster_t) + userdom_delete_user_tmp_files(cluster_t) userdom_rw_user_tmp_files(cluster_t) userdom_kill_all_users(cluster_t) diff --git a/samba.if b/samba.if index 59296a2..7662d37 100644 --- a/samba.if +++ b/samba.if @@ -622,6 +622,23 @@ interface(`samba_signal_smbd',` allow $1 smbd_t:process signal; ') +###################################### +## +## Allow domain to signull samba +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_signull_smbd',` + gen_require(` + type smbd_t; + ') + allow $1 smbd_t:process signull; +') + ######################################## ## ## Do not audit attempts to use file descriptors from samba. 
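Review bot: `samba_signull_smbd` in the samba.if hunk on this line has no blank line between `gen_require` and the `allow $1 smbd_t:process signull;` rule, and its summary, "Allow domain to signull samba", names the wrong object and lacks the usual full stop; make it `## Send a null signal to smbd.` and add the blank line. The same two points apply to `samba_signull_winbind` and `samba_signull_unconfined_net` in the next line. In the rhcs.if hunk, `rhcs_dbus_chat_cluster` is followed by three blank lines before the next `#####` header where the file uses one, which will show up as trailing whitespace churn in later diffs.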
@@ -758,6 +775,40 @@ interface(`samba_read_winbind_pid',` allow $1 winbind_var_run_t:file read_file_perms; ') +###################################### +## +## Allow domain to signull winbind +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_signull_winbind',` + gen_require(` + type winbind_t; + ') + allow $1 winbind_t:process signull; +') + +###################################### +## +## Allow domain to signull samba_unconfined_net +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_signull_unconfined_net',` + gen_require(` + type samba_unconfined_net_t; + ') + allow $1 samba_unconfined_net_t:process signull; +') + ######################################## ## ## Connect to winbind. diff --git a/samba.te b/samba.te index 13c975b..9249311 100644 --- a/samba.te +++ b/samba.te @@ -80,6 +80,13 @@ gen_tunable(samba_share_nfs, false) ## gen_tunable(samba_share_fusefs, false) +## +##

+## Allow smbd to load libgfapi from gluster. +##

+##
+gen_tunable(samba_load_libgfapi, false) + type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t, nmbd_exec_t) @@ -237,6 +244,13 @@ userdom_use_inherited_user_terminals(samba_net_t) userdom_list_user_home_dirs(samba_net_t) optional_policy(` + ctdbd_stream_connect(samba_net_t) + ctdbd_manage_var_files(samba_net_t) + ctdbd_manage_lib_dirs(samba_net_t) + ctdbd_manage_lib_files(samba_net_t) +') + +optional_policy(` ldap_stream_connect(samba_net_t) dirsrv_stream_connect(samba_net_t) ') @@ -260,8 +274,9 @@ optional_policy(` # smbd Local policy # -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin }; dontaudit smbd_t self:capability sys_tty_config; +dontaudit smbd_t self:capability2 block_suspend; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; allow smbd_t self:fd use; @@ -338,6 +353,7 @@ allow smbd_t winbind_t:process { signal signull }; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) +kernel_read_net_sysctls(smbd_t) kernel_read_fs_sysctls(smbd_t) kernel_read_kernel_sysctls(smbd_t) kernel_read_usermodehelper_state(smbd_t) @@ -463,14 +479,21 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') +tunable_policy(`samba_load_libgfapi',` + corenet_tcp_connect_all_ports(smbd_t) + corenet_tcp_bind_all_ports(smbd_t) + corenet_sendrecv_all_packets(smbd_t) +') + optional_policy(` ccs_read_config(smbd_t) ') optional_policy(` ctdbd_stream_connect(smbd_t) - ctdbd_manage_lib_files(smbd_t) ctdbd_manage_var_files(smbd_t) + ctdbd_manage_lib_files(smbd_t) + ctdbd_manage_lib_dirs(smbd_t) ') optional_policy(` 
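Review bot: `ctdbd_manage_lib_dirs(samba_net_t)` in the `@@ -237,6 +244,13 @@` hunk calls an interface none of the ctdb.if hunks in this series define (they add `ctdbd_signal` and rename or reorder the file interfaces); if it does not already exist in ctdb.if, m4 leaves the call unexpanded and the module fails to build, and because the call sits inside `optional_policy` the failure only appears on systems where the ctdb module is present. Please add the interface in this commit or confirm it already exists. The same call is added for smbd_t in the `@@ -463,14 +479,21 @@` hunk on this line and for nmbd_t and winbind_t on the next line.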
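Review bot: `net_admin` is appended to smbd_t's capability set in the `@@ -260,8 +274,9 @@` hunk without a comment; on daemons that capability is most often requested by setsockopt calls (buffer-size or priority options) that succeed in a degraded form when refused, in which case `dontaudit smbd_t self:capability net_admin;` is the conventional answer rather than granting a capability that also covers interface and routing changes. If smbd genuinely needs it, for example for a specific VFS module, say which in a comment above the line.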
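Review bot: The `samba_load_libgfapi` block in the `@@ -463,14 +479,21 @@` hunk grants smbd_t connect and bind on every TCP port plus `corenet_sendrecv_all_packets`, while gluster's own domain in this series uses port-specific interfaces (`corenet_tcp_connect_gluster_port`, `corenet_tcp_bind_gluster_port` in glusterd.te); since libgfapi acts as a gluster client, try the gluster port interfaces plus the unreserved/rpc client ports it needs before falling back to all_ports, and drop `corenet_tcp_bind_all_ports(smbd_t)` unless smbd provably listens on new ports once the library is loaded. Whatever stays should carry a comment such as `# libgfapi opens client connections to glusterd and brick ports`, so the grant is tied to the feature that needs it.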
@@ -488,6 +511,11 @@ optional_policy(`
 ')
 optional_policy(`
+ glusterd_read_conf(smbd_t)
+ glusterd_rw_lib(smbd_t)
+')
+
+optional_policy(`
 kerberos_read_keytab(smbd_t)
 kerberos_use(smbd_t)
 ')
@@ -643,6 +671,7 @@ userdom_dontaudit_search_user_home_dirs(nmbd_t)
 optional_policy(`
 ctdbd_stream_connect(nmbd_t)
 ctdbd_manage_var_files(nmbd_t)
+ ctdbd_manage_lib_dirs(nmbd_t)
 ctdbd_manage_lib_files(nmbd_t)
 ')
@@ -900,7 +929,7 @@ allow winbind_t self:capability2 block_suspend;
 dontaudit winbind_t self:capability sys_tty_config;
 allow winbind_t self:process { signal_perms getsched setsched };
 allow winbind_t self:fifo_file rw_fifo_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
+allow winbind_t self:unix_dgram_socket { create_socket_perms sendto };
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
@@ -1001,8 +1030,9 @@ userdom_filetrans_home_content(winbind_t)
 optional_policy(`
 ctdbd_stream_connect(winbind_t)
+ ctdbd_manage_var_files(winbind_t)
 ctdbd_manage_lib_files(winbind_t)
- ctdbd_manage_var_files(winbind_t)
+ ctdbd_manage_lib_dirs(winbind_t)
 ')
diff --git a/virt.if b/virt.if
index 01641f5..90e8a28 100644
--- a/virt.if
+++ b/virt.if
@@ -357,6 +357,7 @@ interface(`virt_read_pid_files',`
 files_search_pids($1)
 read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
 ')
 ########################################