diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a0c5582..2c662e8 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -35708,10 +35708,10 @@ index 4e94884..7ab6191 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..aaf4124 100644 +index 59b04c1..0bdf67e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) +@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) # # Declarations # @@ -35730,10 +35730,18 @@ index 59b04c1..aaf4124 100644 +##

+## +gen_tunable(logging_syslogd_use_tty, true) ++ ++## ++##

++## Allow syslogd the ability to call nagios plugins. It is ++## turned on by omprog rsyslog plugin. ++##

++## ++gen_tunable(logging_syslogd_run_nagios_plugins, false) attribute logfile; -@@ -20,6 +35,7 @@ files_security_file(auditd_log_t) +@@ -20,6 +43,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; @@ -35741,7 +35749,7 @@ index 59b04c1..aaf4124 100644 files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) -@@ -33,6 +49,9 @@ init_script_file(auditd_initrc_exec_t) +@@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) @@ -35751,7 +35759,7 @@ index 59b04c1..aaf4124 100644 type audisp_t; type audisp_exec_t; init_system_domain(audisp_t, audisp_exec_t) -@@ -64,6 +83,7 @@ files_config_file(syslog_conf_t) +@@ -64,6 +91,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -35759,7 +35767,7 @@ index 59b04c1..aaf4124 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t) +@@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -35775,7 +35783,7 @@ index 59b04c1..aaf4124 100644 type var_log_t; logging_log_file(var_log_t) -@@ -94,6 +118,8 @@ ifdef(`enable_mls',` +@@ -94,6 +126,8 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; @@ -35784,7 +35792,7 @@ index 59b04c1..aaf4124 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +145,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -35795,7 +35803,7 @@ index 59b04c1..aaf4124 100644 init_dontaudit_use_fds(auditctl_t) -@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; +@@ -136,9 +172,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:file read_file_perms; @@ -35807,7 +35815,7 @@ index 59b04c1..aaf4124 100644 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +185,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -35815,7 +35823,7 @@ index 59b04c1..aaf4124 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +193,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -35825,7 +35833,7 @@ index 59b04c1..aaf4124 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +218,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -35847,7 +35855,7 @@ index 59b04c1..aaf4124 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +273,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -35879,7 +35887,7 @@ index 59b04c1..aaf4124 100644 ') ######################################## -@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +314,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -35887,7 +35895,7 @@ index 59b04c1..aaf4124 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -35907,7 +35915,7 @@ index 59b04c1..aaf4124 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +379,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -35915,7 +35923,7 @@ index 59b04c1..aaf4124 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +399,12 @@ optional_policy(` +@@ -355,13 +407,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -35932,7 +35940,7 @@ index 59b04c1..aaf4124 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +412,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -35949,7 +35957,7 @@ index 59b04c1..aaf4124 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +436,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -36000,7 +36008,7 @@ index 59b04c1..aaf4124 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +486,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -36009,7 +36017,7 @@ index 59b04c1..aaf4124 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +498,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -36023,6 +36031,12 @@ index 59b04c1..aaf4124 100644 + corenet_tcp_connect_smtp_port(syslogd_t) +') + ++optional_policy(` ++ tunable_policy(`logging_syslogd_run_nagios_plugins',` ++ nagios_domtrans_unconfined_plugins(syslogd_t) ++ ') ++') ++ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) - @@ -36037,7 +36051,7 @@ index 59b04c1..aaf4124 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +531,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -36055,7 +36069,7 @@ index 59b04c1..aaf4124 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +553,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +567,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -36071,7 +36085,7 @@ index 59b04c1..aaf4124 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +585,7 @@ optional_policy(` +@@ -497,6 +599,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -36079,7 +36093,7 @@ index 59b04c1..aaf4124 100644 ') optional_policy(` -@@ -507,15 +596,40 @@ optional_policy(` +@@ -507,15 +610,40 @@ optional_policy(` ') optional_policy(` @@ -36120,7 +36134,7 @@ index 59b04c1..aaf4124 100644 ') optional_policy(` -@@ -526,3 +640,26 @@ optional_policy(` +@@ -526,3 +654,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -44854,7 +44868,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..769ce74 100644 +index 9dc60c6..a24e48e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -45855,7 +45869,7 @@ index 9dc60c6..769ce74 100644 userdom_change_password_template($1) -@@ -761,83 +1007,107 @@ template(`userdom_login_user_template', ` +@@ -761,82 +1007,109 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -45990,16 +46004,18 @@ index 9dc60c6..769ce74 100644 + oddjob_run_mkhomedir($1_t, $1_r) ') ++ optional_policy(` ++ ipa_run_helper($1_t, $1_r) ++ ') ++ optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + wine_filetrans_named_content($1_usertype) ') -+ ') - ####################################### -@@ -868,6 +1138,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1141,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -46012,7 +46028,7 @@ index 9dc60c6..769ce74 100644 ############################## # # Local policy -@@ -907,53 +1183,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1186,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -46168,7 +46184,7 @@ index 9dc60c6..769ce74 100644 ') ####################################### -@@ -987,27 +1347,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1350,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -46206,7 +46222,7 @@ index 9dc60c6..769ce74 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1384,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1387,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -46280,7 +46296,7 @@ index 9dc60c6..769ce74 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1449,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1452,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -46291,7 +46307,7 @@ index 9dc60c6..769ce74 100644 ') ') -@@ -1079,7 +1487,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1490,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -46302,7 +46318,7 @@ index 9dc60c6..769ce74 100644 ') ############################## -@@ -1095,6 +1505,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1508,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -46310,7 +46326,7 @@ index 9dc60c6..769ce74 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1516,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1519,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -46327,7 +46343,7 @@ index 9dc60c6..769ce74 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1533,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1536,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -46335,7 +46351,7 @@ index 9dc60c6..769ce74 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1551,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1554,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -46351,7 +46367,7 @@ index 9dc60c6..769ce74 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1570,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1573,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -46396,7 +46412,7 @@ index 9dc60c6..769ce74 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1613,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1616,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -46405,7 +46421,7 @@ index 9dc60c6..769ce74 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1622,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1625,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -46428,7 +46444,7 @@ index 9dc60c6..769ce74 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1672,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1675,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -46437,7 +46453,7 @@ index 9dc60c6..769ce74 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1682,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1685,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -46446,7 +46462,7 @@ index 9dc60c6..769ce74 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1696,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1699,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -46458,7 +46474,7 @@ index 9dc60c6..769ce74 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1710,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1713,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -46501,7 +46517,7 @@ index 9dc60c6..769ce74 100644 ') optional_policy(` -@@ -1357,14 +1795,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1798,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -46520,7 +46536,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1397,12 +1838,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1841,51 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -46573,7 +46589,7 @@ index 9dc60c6..769ce74 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1989,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -46605,7 +46621,7 @@ index 9dc60c6..769ce74 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2055,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -46620,7 +46636,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1570,9 +2078,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -46632,7 +46648,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1613,6 +2123,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2126,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -46657,7 +46673,7 @@ index 9dc60c6..769ce74 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2159,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2162,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -46717,7 +46733,7 @@ index 9dc60c6..769ce74 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2285,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2288,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -46732,7 +46748,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1741,10 +2324,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2327,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -46747,7 +46763,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1769,7 +2354,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2357,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -46756,7 +46772,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1777,19 +2362,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2365,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -46780,7 +46796,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1797,55 +2380,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2383,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -46851,7 +46867,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1853,18 +2436,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2439,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -46879,7 +46895,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1872,17 +2456,151 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,17 +2459,151 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -47035,7 +47051,7 @@ index 9dc60c6..769ce74 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2611,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2614,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -47053,7 +47069,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -1938,7 +2659,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2662,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -47062,7 +47078,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1946,10 +2667,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2670,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -47075,7 +47091,7 @@ index 9dc60c6..769ce74 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2678,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2681,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -47084,7 +47100,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -1966,12 +2686,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2689,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -47153,7 +47169,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2007,8 +2781,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2784,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -47163,7 +47179,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2024,20 +2797,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2800,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -47188,7 +47204,7 @@ index 9dc60c6..769ce74 100644 ######################################## ## -@@ -2120,7 +2887,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2890,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -47197,7 +47213,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2128,19 +2895,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2898,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -47221,7 +47237,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2148,12 +2913,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2916,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -47237,7 +47253,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2388,18 +3153,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3156,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -47295,7 +47311,7 @@ index 9dc60c6..769ce74 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3215,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3218,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -47304,7 +47320,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2455,6 +3256,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3259,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -47330,7 +47346,7 @@ index 9dc60c6..769ce74 100644 ######################################## ## -@@ -2538,7 +3358,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3361,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -47339,7 +47355,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2546,19 +3366,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3369,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -47362,7 +47378,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2566,19 +3386,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3389,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -47385,7 +47401,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2586,19 +3406,60 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,19 +3409,60 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -47450,7 +47466,7 @@ index 9dc60c6..769ce74 100644 ## a specified private type. ## ## -@@ -2661,6 +3522,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3525,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -47472,7 +47488,7 @@ index 9dc60c6..769ce74 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3548,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3551,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -47494,7 +47510,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2692,19 +3563,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3566,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -47517,7 +47533,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2713,13 +3578,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3581,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -47578,7 +47594,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2814,6 +3722,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3725,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -47603,7 +47619,7 @@ index 9dc60c6..769ce74 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3758,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3761,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -47646,7 +47662,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -2856,14 +3794,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3797,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -47684,7 +47700,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2882,8 +3839,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3842,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -47714,7 +47730,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -2955,69 +3931,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3934,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -47815,7 +47831,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -3025,12 +4000,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +4003,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -47830,7 +47846,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -3094,7 +4069,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4072,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -47839,7 +47855,7 @@ index 9dc60c6..769ce74 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4085,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4088,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -47873,7 +47889,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -3214,7 +4173,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4176,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -47900,7 +47916,7 @@ index 9dc60c6..769ce74 100644 ') ######################################## -@@ -3269,12 +4246,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4249,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -47916,7 +47932,7 @@ index 9dc60c6..769ce74 100644 ## ## ## -@@ -3282,46 +4260,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4263,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -48052,7 +48068,7 @@ index 9dc60c6..769ce74 100644 ') allow $1 userdomain:process getattr; -@@ -3382,6 +4436,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4439,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -48095,7 +48111,7 @@ index 9dc60c6..769ce74 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4492,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4495,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -48156,7 +48172,7 @@ index 9dc60c6..769ce74 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4579,1691 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4582,1691 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index efe9698..e56d9f6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -546,7 +546,7 @@ index 058d908..158acba 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..a0f044b 100644 +index eb50f07..d6d0e34 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -1054,7 +1054,7 @@ index eb50f07..a0f044b 100644 ####################################### # -@@ -404,25 +517,58 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1086,7 +1086,7 @@ index eb50f07..a0f044b 100644 # Upload watch local policy # -+allow abrt_upload_watch_t self:capability { dac_override chown }; ++allow abrt_upload_watch_t self:capability { dac_override chown fsetid }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1097,6 +1097,8 @@ index eb50f07..a0f044b 100644 + +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) + ++abrt_dbus_chat(abrt_upload_watch_t) ++ corecmd_exec_bin(abrt_upload_watch_t) +dev_read_urand(abrt_upload_watch_t) @@ -1115,7 +1117,7 @@ index eb50f07..a0f044b 100644 ') ####################################### -@@ -430,10 +576,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -5173,10 +5175,10 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..44258d7 100644 +index 6649962..fc23c8a 100644 --- a/apache.te +++ b/apache.te -@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) +@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) # Declarations # @@ -5251,6 +5253,13 @@ index 6649962..44258d7 100644 + +## +##

++## Allow httpd processes to run IPA helper. ++##

++## ++gen_tunable(httpd_run_ipa, false) ++ ++## ++##

+## Allow httpd to use built in scripting (usually php) +##

+## @@ -5306,22 +5315,22 @@ index 6649962..44258d7 100644 +##

+## Allow HTTPD scripts and modules to connect to databases over the network. +##

++## ++gen_tunable(httpd_can_network_connect_db, false) ++ ++## ++##

++## Allow httpd to connect to memcache server ++##

## -gen_tunable(httpd_can_network_connect_memcache, false) -+gen_tunable(httpd_can_network_connect_db, false) ++gen_tunable(httpd_can_network_memcache, false) ## -##

-## Determine whether httpd can act as a relay. -##

+##

-+## Allow httpd to connect to memcache server -+##

-+## -+gen_tunable(httpd_can_network_memcache, false) -+ -+## -+##

+## Allow httpd to act as a relay +##

## @@ -5662,7 +5671,7 @@ index 6649962..44258d7 100644 type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) -@@ -286,15 +345,35 @@ init_script_file(httpd_initrc_exec_t) +@@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t) type httpd_keytab_t; files_type(httpd_keytab_t) @@ -5698,7 +5707,7 @@ index 6649962..44258d7 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -302,10 +381,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5711,7 +5720,7 @@ index 6649962..44258d7 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -314,9 +391,19 @@ role system_r types httpd_suexec_t; +@@ -314,9 +398,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5734,7 +5743,7 @@ index 6649962..44258d7 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -324,14 +411,21 @@ files_tmp_file(httpd_tmp_t) +@@ -324,14 +418,21 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) @@ -5757,7 +5766,7 @@ index 6649962..44258d7 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -346,33 +440,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -346,33 +447,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -5809,7 +5818,7 @@ index 6649962..44258d7 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -381,30 +482,39 @@ allow httpd_t self:shm create_shm_perms; +@@ -381,30 +489,39 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5854,7 +5863,7 @@ index 6649962..44258d7 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5876,7 +5885,7 @@ index 6649962..44258d7 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5944,7 +5953,7 @@ index 6649962..44258d7 100644 +fs_read_hugetlbfs_files(httpd_t) + +auth_use_nsswitch(httpd_t) - ++ +application_exec_all(httpd_t) + +# execute perl @@ -5953,7 +5962,7 @@ index 6649962..44258d7 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) -+ + +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -6116,7 +6125,7 @@ index 6649962..44258d7 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6176,7 +6185,7 @@ index 6649962..44258d7 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +804,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6269,7 +6278,7 @@ index 6649962..44258d7 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +853,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6290,17 +6299,17 @@ index 6649962..44258d7 100644 - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) --') -- ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - +-') +- -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') @@ -6350,7 +6359,7 @@ index 6649962..44258d7 100644 ') optional_policy(` -@@ -749,24 +899,32 @@ optional_policy(` +@@ -749,24 +906,32 @@ optional_policy(` ') optional_policy(` @@ -6389,7 +6398,7 @@ index 6649962..44258d7 100644 ') optional_policy(` -@@ -775,6 +933,10 @@ optional_policy(` +@@ -775,6 +940,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6400,7 +6409,7 @@ index 6649962..44258d7 100644 ') optional_policy(` -@@ -786,35 +948,60 @@ optional_policy(` +@@ -786,35 +955,60 @@ optional_policy(` ') optional_policy(` @@ -6474,10 +6483,22 @@ index 6649962..44258d7 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1009,18 @@ optional_policy(` +@@ -822,8 +1016,30 @@ optional_policy(` ') optional_policy(` ++ tunable_policy(`httpd_run_ipa',` ++ oddjob_dbus_chat(httpd_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`httpd_run_ipa',` ++ ipa_domtrans_helper(httpd_t) ++ ') ++') ++ ++optional_policy(` + munin_read_config(httpd_t) +') + @@ -6493,7 +6514,7 @@ index 6649962..44258d7 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1029,8 @@ optional_policy(` +@@ -832,6 +1048,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6502,7 +6523,7 @@ index 6649962..44258d7 100644 ') optional_policy(` -@@ -842,20 +1041,40 @@ optional_policy(` +@@ -842,20 +1060,40 @@ optional_policy(` ') optional_policy(` @@ -6537,19 +6558,19 @@ index 6649962..44258d7 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) -+') -+ -+optional_policy(` -+ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) ++ pwauth_domtrans(httpd_t) ++') ++ ++optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -863,16 +1082,31 @@ optional_policy(` +@@ -863,16 +1101,31 @@ optional_policy(` ') optional_policy(` @@ -6583,7 +6604,7 @@ index 6649962..44258d7 100644 ') optional_policy(` -@@ -883,65 +1117,189 @@ optional_policy(` +@@ -883,65 +1136,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6672,10 +6693,11 @@ index 6649962..44258d7 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -6734,11 +6756,10 @@ index 6649962..44258d7 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -6795,7 +6816,7 @@ index 6649962..44258d7 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1327,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6950,7 +6971,7 @@ index 6649962..44258d7 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1392,107 @@ optional_policy(` +@@ -1083,172 +1411,107 @@ optional_policy(` ') ') @@ -6972,11 +6993,11 @@ index 6649962..44258d7 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -7133,7 +7154,8 @@ index 6649962..44258d7 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) @@ -7141,8 +7163,7 @@ index 6649962..44258d7 100644 -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) - corenet_tcp_connect_smtp_port(httpd_sys_script_t) @@ -7188,7 +7209,7 @@ index 6649962..44258d7 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1519,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7285,7 +7306,7 @@ index 6649962..44258d7 100644 ######################################## # -@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1594,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7302,7 +7323,7 @@ index 6649962..44258d7 100644 ') ######################################## -@@ -1330,49 +1591,38 @@ optional_policy(` +@@ -1330,49 +1610,38 @@ optional_policy(` # User content local policy # @@ -7367,7 +7388,7 @@ index 6649962..44258d7 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1632,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1651,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -25135,10 +25156,10 @@ index 0000000..457d4dd +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..1e0a31f +index 0000000..6d795fe --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,74 @@ +@@ -0,0 +1,81 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -25156,6 +25177,9 @@ index 0000000..1e0a31f +type dnssec_trigger_var_run_t; +files_pid_file(dnssec_trigger_var_run_t) + ++type dnssec_trigger_tmp_t; ++files_tmp_file(dnssec_trigger_tmp_t) ++ +######################################## +# +# dnssec_trigger local policy @@ -25171,6 +25195,10 @@ index 0000000..1e0a31f +manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t) +files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file }) + ++manage_files_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) ++manage_dirs_pattern(dnssec_trigger_t,dnssec_trigger_tmp_t,dnssec_trigger_tmp_t) ++files_tmp_filetrans(dnssec_trigger_t,dnssec_trigger_tmp_t,{ file dir }) ++ +kernel_read_system_state(dnssec_trigger_t) + +corecmd_exec_bin(dnssec_trigger_t) @@ -28721,7 +28749,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..a422d04 100644 +index 36838c2..a09e8b2 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -28767,22 +28795,7 @@ index 36838c2..a422d04 100644 ## ##

-@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false) - - ## - ##

--## Determine whether ftpd can bind to all --## unreserved ports for passive mode. --##

--## --gen_tunable(ftpd_use_passive_mode, false) -- --## --##

- ## Determine whether ftpd can connect to - ## all unreserved ports. - ##

-@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) +@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -28792,7 +28805,7 @@ index 36838c2..a422d04 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -28802,7 +28815,7 @@ index 36838c2..a422d04 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -28829,7 +28842,7 @@ index 36838c2..a422d04 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -28843,7 +28856,7 @@ index 36838c2..a422d04 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -28851,7 +28864,7 @@ index 36838c2..a422d04 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -28898,18 +28911,18 @@ index 36838c2..a422d04 100644 - files_manage_non_auth_files(ftpd_t) + files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_files(ftpd_t) - ') - --tunable_policy(`ftpd_use_passive_mode',` -- corenet_sendrecv_all_server_packets(ftpd_t) -- corenet_tcp_bind_all_unreserved_ports(ftpd_t) ++') ++ ++tunable_policy(`ftpd_use_passive_mode',` ++ corenet_tcp_bind_all_unreserved_ports(ftpd_t) ++') + +tunable_policy(`ftpd_connect_all_unreserved',` + corenet_tcp_connect_all_unreserved_ports(ftpd_t) ') - tunable_policy(`ftpd_connect_all_unreserved',` -@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',` + tunable_policy(`ftpd_use_passive_mode',` +@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -28937,7 +28950,7 @@ index 36838c2..a422d04 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -363,9 +374,8 @@ optional_policy(` +@@ -363,9 +390,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -28948,7 +28961,7 @@ index 36838c2..a422d04 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +426,20 @@ optional_policy(` +@@ -416,21 +442,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -28972,7 +28985,7 @@ index 36838c2..a422d04 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -29013,7 +29026,7 @@ index 36838c2..a422d04 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -36212,24 +36225,26 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..877a747 +index 0000000..db194ec --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,10 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0) ++ +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..789b3e8 +index 0000000..de83173 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,112 @@ +@@ -0,0 +1,150 @@ +## Policy for IPA services. + +######################################## @@ -36270,6 +36285,44 @@ index 0000000..789b3e8 + +######################################## +## ++## Execute ipa-helper in the ipa_helper domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipa_domtrans_helper',` ++ gen_require(` ++ type ipa_helper_t, ipa_helper_exec_t; ++ ') ++ ++ domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t) ++') ++ ++######################################## ++## ++## Execute ipa-helper in the ipa_helper domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipa_run_helper',` ++ gen_require(` ++ type ipa_helper_t; ++ attribute_role ipa_helper_roles; ++ ') ++ ++ ipa_domtrans_helper($1) ++ roleattribute $2 ipa_helper_roles; ++') ++ ++######################################## ++## +## Allow domain to manage ipa lib files/dirs. +## +## @@ -36344,10 +36397,10 @@ index 0000000..789b3e8 + diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..a7f09d25 +index 0000000..7d70dcb --- /dev/null +++ b/ipa.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,113 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -36357,6 +36410,9 @@ index 0000000..a7f09d25 + +attribute ipa_domain; + ++attribute_role ipa_helper_roles; ++roleattribute system_r ipa_helper_roles; ++ +type ipa_otpd_t, ipa_domain; +type ipa_otpd_exec_t; +init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) @@ -36370,6 +36426,13 @@ index 0000000..a7f09d25 +type ipa_var_run_t; +files_pid_file(ipa_var_run_t) + ++type ipa_helper_t; ++type ipa_helper_exec_t; ++domain_type(ipa_helper_t) ++domain_obj_id_change_exemption(ipa_helper_t) ++init_system_domain(ipa_helper_t, ipa_helper_exec_t) ++role ipa_helper_roles types ipa_helper_t; ++ +######################################## +# +# ipa_otpd local policy @@ -36398,6 +36461,59 @@ index 0000000..a7f09d25 +optional_policy(` + kerberos_use(ipa_otpd_t) +') ++ ++######################################## ++# ++# ipa-helper local policy ++# ++ ++ ++allow ipa_helper_t self:capability { dac_override chown }; ++ ++allow ipa_helper_t self:process setfscreate; ++allow ipa_helper_t self:fifo_file rw_fifo_file_perms; ++allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms; ++ ++kernel_read_system_state(ipa_helper_t) ++ ++corenet_tcp_connect_ldap_port(ipa_helper_t) ++corenet_tcp_connect_smbd_port(ipa_helper_t) ++ ++corecmd_exec_bin(ipa_helper_t) ++corecmd_exec_shell(ipa_helper_t) ++ ++dev_read_urand(ipa_helper_t) ++ ++auth_use_nsswitch(ipa_helper_t) ++ ++ipa_manage_pid_files(ipa_helper_t) ++ipa_read_lib(ipa_helper_t) ++ ++logging_send_syslog_msg(ipa_helper_t) ++ ++optional_policy(` ++ ldap_stream_connect(ipa_helper_t) ++') ++ ++optional_policy(` ++ libs_exec_ldconfig(ipa_helper_t) ++') ++ ++optional_policy(` ++ memcached_stream_connect(ipa_helper_t) ++') ++ ++optional_policy(` ++ oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t) ++') ++ ++optional_policy(` ++ samba_read_config(ipa_helper_t) ++') ++ ++optional_policy(` ++ sssd_manage_lib_files(ipa_helper_t) ++') diff --git a/irc.fc b/irc.fc index 48e7739..1bf0326 100644 --- a/irc.fc @@ -50280,7 +50396,7 @@ index f42896c..bd1eb52 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..80e6086 100644 +index ed81cac..ad452db 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -51236,7 +51352,7 @@ index ed81cac..80e6086 100644 ## ## ## -@@ -1081,3 +1067,201 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1067,204 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -51435,6 +51551,9 @@ index ed81cac..80e6086 100644 + mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp") + mta_etc_filetrans_aliases($1, "__db.aliases.db") ++ mta_etc_filetrans_aliases($1, "virtusertable.db") ++ mta_etc_filetrans_aliases($1, "access.db") ++ mta_etc_filetrans_aliases($1, "domaintable.db") + mta_filetrans_home_content($1) + mta_filetrans_admin_home_content($1) +') @@ -54225,7 +54344,7 @@ index d78dfc3..40e1c77 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..ed3394e 100644 +index 0641e97..438eeb3 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -54247,7 +54366,7 @@ index 0641e97..ed3394e 100644 ## ## # -@@ -16,38 +17,31 @@ template(`nagios_plugin_template',` +@@ -16,38 +17,51 @@ template(`nagios_plugin_template',` type nagios_t, nrpe_t; ') @@ -54280,6 +54399,26 @@ index 0641e97..ed3394e 100644 ## -## Do not audit attempts to read or -## write nagios unnamed pipes. ++## Execute the nagios unconfined plugins with ++## a domain transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_domtrans_unconfined_plugins',` ++ gen_require(` ++ type nagios_unconfined_plugin_t; ++ type nagios_unconfined_plugin_exec_t; ++ ') ++ ++ domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) ++') ++ ++######################################## ++## +## Do not audit attempts to read or write nagios +## unnamed pipes. ## @@ -54292,7 +54431,7 @@ index 0641e97..ed3394e 100644 # interface(`nagios_dontaudit_rw_pipes',` gen_require(` -@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',` +@@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',` ######################################## ## @@ -54302,7 +54441,7 @@ index 0641e97..ed3394e 100644 ## ## ## -@@ -73,15 +68,33 @@ interface(`nagios_read_config',` +@@ -73,15 +88,33 @@ interface(`nagios_read_config',` type nagios_etc_t; ') @@ -54339,7 +54478,7 @@ index 0641e97..ed3394e 100644 ## ## ## -@@ -100,8 +113,7 @@ interface(`nagios_read_log',` +@@ -100,8 +133,7 @@ interface(`nagios_read_log',` ######################################## ## @@ -54349,18 +54488,17 @@ index 0641e97..ed3394e 100644 ## ## ## -@@ -132,13 +144,33 @@ interface(`nagios_search_spool',` +@@ -132,13 +164,33 @@ interface(`nagios_search_spool',` type nagios_spool_t; ') - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. ++') ++ ++######################################## ++## +## Append nagios spool files. +## +## @@ -54376,16 +54514,17 @@ index 0641e97..ed3394e 100644 + + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nagios temporary files. +## Allow the specified domain to read +## nagios temporary files. ## ## ## -@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',` +@@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',` type nagios_tmp_t; ') @@ -54422,7 +54561,7 @@ index 0641e97..ed3394e 100644 ## ## ## -@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') @@ -54439,7 +54578,7 @@ index 0641e97..ed3394e 100644 ## ## ## -@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## @@ -64947,10 +65086,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..7a3dc05 +index 0000000..15702ce --- /dev/null +++ b/pcp.te -@@ -0,0 +1,240 @@ +@@ -0,0 +1,241 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -65000,6 +65139,7 @@ index 0000000..7a3dc05 +allow pcp_domain self:tcp_socket create_stream_socket_perms; +allow pcp_domain self:udp_socket create_socket_perms; +allow pcp_domain self:netlink_route_socket create_socket_perms; ++allow pcp_domain self:unix_stream_socket connectto; + +corenet_tcp_connect_all_ephemeral_ports(pcp_domain) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 22fb027..1b2c317 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 134%{?dist} +Release: 135%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jul 09 2015 Lukas Vrabec 3.13.1-135 +- Update mta_filetrans_named_content() interface to cover more db files. +- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling." +- Allow pcp domains to connect to own process using unix_stream_socket. +- Typo in abrt.te +- Allow abrt-upload-watch service to dbus chat with ABRT daemon and fsetid capability to allow run reporter-upload correctly. +- Add nagios_domtrans_unconfined_plugins() interface. +- Add nagios_domtrans_unconfined_plugins() interface. +- Add new boolean - httpd_run_ipa to allow httpd process to run IPA helper and dbus chat with oddjob. +- Add support for oddjob based helper in FreeIPA. BZ(1238165) +- Allow dnssec_trigger_t create dnssec_trigger_tmp_t files in /var/tmp/ BZ(1240840) +- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879) +- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission. +- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types. +- nrpe needs kill capability to make gluster moniterd nodes working. +- Revert "Dontaudit ctbd_t sending signull to smbd_t." +- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t) +- Allow prosody connect to postgresql port. +- Fix logging_syslogd_run_nagios_plugins calling in logging.te +- Add logging_syslogd_run_nagios_plugins boolean for rsyslog to allow transition to nagios unconfined plugins. +- Add support for oddjob based helper in FreeIPA. BZ(1238165) +- Add new interfaces +- Add fs_fusefs_entry_type() interface. + * Thu Jul 02 2015 Lukas Vrabec 3.13.1-134 - Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879) - Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.