From 0ddb744a3753773ed2715e60e82f73cdf38343ea Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 27 2014 08:30:27 +0000 Subject: - Add decl for cockip port - Allow sysadm_t to read all kernel proc - Allow logrotate to execute all executables - Allow lircd_t to use tty_device_t for use withmythtv - Make sure all zabbix files direcories in /var/log have the correct label - Allow bittlebee to create directories and files in /var/log with the correct label - Label /var/log/horizon as an apache log - Add squid directory in /var/run - Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label - Wronly labeled avahi_var_lib_t as a pid file - Fix labels on rabbitmq_var_run_t on file/dir creation - Allow neutron to create sock files - Allow postfix domains to getattr on all file systems - Label swift-proxy-server as swift_exec_t - Tighten SELinux capabilities to match docker capabilities - Add fixes for squid which is configured to run with more than one worker. - Allow cockpit to bind to its port --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6ef5bc2..eb63083 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3174,10 +3174,10 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..b516b43 100644 +index 7590165..85186a9 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) # Declarations # 
@@ -3237,17 +3237,20 @@ index 7590165..b516b43 100644 - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) -+ -+ optional_policy(` -+ gnome_dontaudit_rw_inherited_config(seunshare_domain) -+ ') optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ gnome_dontaudit_rw_inherited_config(seunshare_domain) + ') ++ ++ optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_domain) + mozilla_plugin_dontaudit_leaks(seunshare_domain) - ') - ') ++ ') ++') ++optional_policy(` ++ rsync_exec(seunshare_domain) ++') + +tunable_policy(`use_nfs_home_dirs',` + fs_mounton_nfs(seunshare_domain) @@ -3259,7 +3262,7 @@ index 7590165..b516b43 100644 + +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) -+') + ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 33e0f8d..d3434a9 100644 --- a/policy/modules/kernel/corecommands.fc @@ -5448,7 +5451,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..1463ef3 100644 +index b191055..e19170b 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5522,7 +5525,7 @@ index b191055..1463ef3 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) 
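Review bot: The new `++optional_policy(\`` block holding `rsync_exec(seunshare_domain)` is placed immediately after the closing `++')` with no separating blank line, while every other block in this hunk (the gnome and mozilla optional_policy blocks, the tunable_policy blocks below) is separated by one; insert a blank line before it. The `')` it follows closes a block whose opening lies outside the hunk, so whether rsync_exec is meant to sit at file scope rather than inside that block cannot be confirmed from here. The rsync_exec grant, which runs rsync inside the seunshare domain without a transition, is also not listed in the commit message.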
@@ -5541,6 +5544,7 @@ index b191055..1463ef3 100644 network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) ++network_port(cockpit, udp,1001,s0) +network_port(collectd, udp,25826,s0) network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) @@ -5599,7 +5603,7 @@ index b191055..1463ef3 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5666,7 +5670,7 @@ index b191055..1463ef3 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
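Review bot: `++network_port(cockpit, udp,1001,s0)` declares the cockpit port for UDP only, but the consumer added in cockpit.te on L20 is `corenet_tcp_bind_cockpit_port(cockpit_t)`. network_port() generates both the tcp and udp interfaces regardless of the portcon, so this builds, yet without a tcp portcon a TCP bind to 1001 is labeled by the reserved/unreserved fallback and the new allow rule never matches, leaving the actual listener on whatever its fallback type is. Confirm the protocol and port number against what cockpit really listens on and declare it as `tcp,<port>,s0` (or both) so the bind rule is effective. The entry is also inserted between certmaster and collectd, which keeps the list's rough alphabetical order, so no change there.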
@@ -5707,8 +5711,11 @@ index b191055..1463ef3 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,66 +268,74 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -213,68 +267,77 @@ network_port(postgrey, tcp,60000,s0) + network_port(pptp, tcp,1723,s0, udp,1723,s0) + network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) ++network_port(preupgrade, tcp, 8099, s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) -network_port(pulseaudio, tcp,4713,s0) @@ -5793,7 +5800,7 @@ index b191055..1463ef3 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +349,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +351,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5820,7 +5827,7 @@ index b191055..1463ef3 100644 ######################################## # -@@ -333,6 +398,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +400,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5829,7 +5836,7 @@ index b191055..1463ef3 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +412,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +414,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -18984,10 +18991,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. 
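Review bot: `+network_port(preupgrade, tcp, 8099, s0)` is the only entry in this list written with spaces inside the argument list; every neighbor uses the compact `tcp,NNNN,s0` form, so it should read `network_port(preupgrade, tcp,8099,s0)`. Neither this port type nor the `httpd_run_preupgrade` boolean that consumes it (apache.te hunk on L16) is mentioned in the commit message, so a reader has no record of which service is expected on 8099.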
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..5307091 100644 +index 2522ca6..0ad95e4 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,86 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -19011,6 +19018,7 @@ index 2522ca6..5307091 100644 # Local policy # +kernel_read_fs_sysctls(sysadm_t) ++kernel_read_all_proc(sysadm_t) corecmd_exec_shell(sysadm_t) @@ -19084,7 +19092,7 @@ index 2522ca6..5307091 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +102,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -19099,7 +19107,7 @@ index 2522ca6..5307091 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +111,9 @@ optional_policy(` +@@ -71,9 +112,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -19110,7 +19118,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -87,6 +127,7 @@ optional_policy(` +@@ -87,6 +128,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -19118,7 +19126,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -110,11 +151,17 @@ optional_policy(` +@@ -110,11 +152,17 @@ optional_policy(` ') optional_policy(` @@ -19136,7 +19144,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -122,11 +169,19 @@ optional_policy(` +@@ -122,11 +170,19 @@ optional_policy(` ') optional_policy(` @@ -19158,7 +19166,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -140,6 +195,10 @@ optional_policy(` +@@ -140,6 +196,10 @@ optional_policy(` ') optional_policy(` @@ -19169,7 +19177,7 @@ index 2522ca6..5307091 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +215,10 @@ optional_policy(` +@@ -156,6 +216,10 @@ optional_policy(` ') optional_policy(` 
@@ -19180,7 +19188,7 @@ index 2522ca6..5307091 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -175,6 +238,13 @@ optional_policy(` +@@ -175,6 +239,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -19194,7 +19202,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -182,15 +252,20 @@ optional_policy(` +@@ -182,15 +253,20 @@ optional_policy(` ') optional_policy(` @@ -19218,7 +19226,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -210,22 +285,20 @@ optional_policy(` +@@ -210,22 +286,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -19247,7 +19255,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -237,14 +310,27 @@ optional_policy(` +@@ -237,14 +311,27 @@ optional_policy(` ') optional_policy(` @@ -19275,7 +19283,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -252,10 +338,20 @@ optional_policy(` +@@ -252,10 +339,20 @@ optional_policy(` ') optional_policy(` @@ -19296,7 +19304,7 @@ index 2522ca6..5307091 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +362,41 @@ optional_policy(` +@@ -266,35 +363,41 @@ optional_policy(` ') optional_policy(` @@ -19345,7 +19353,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -308,6 +410,7 @@ optional_policy(` +@@ -308,6 +411,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -19353,7 +19361,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -315,12 +418,20 @@ optional_policy(` +@@ -315,12 +419,20 @@ optional_policy(` ') optional_policy(` @@ -19375,7 +19383,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -345,7 +456,18 @@ optional_policy(` +@@ -345,7 +457,18 @@ optional_policy(` ') optional_policy(` 
@@ -19395,7 +19403,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -356,19 +478,11 @@ optional_policy(` +@@ -356,19 +479,11 @@ optional_policy(` ') optional_policy(` @@ -19416,7 +19424,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -380,10 +494,6 @@ optional_policy(` +@@ -380,10 +495,6 @@ optional_policy(` ') optional_policy(` @@ -19427,7 +19435,7 @@ index 2522ca6..5307091 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +501,9 @@ optional_policy(` +@@ -391,6 +502,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -19437,7 +19445,7 @@ index 2522ca6..5307091 100644 ') optional_policy(` -@@ -398,31 +511,34 @@ optional_policy(` +@@ -398,31 +512,34 @@ optional_policy(` ') optional_policy(` @@ -19478,7 +19486,7 @@ index 2522ca6..5307091 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +551,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +552,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19489,7 +19497,7 @@ index 2522ca6..5307091 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +571,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +572,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -29796,7 +29804,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..956662b 100644 +index 17eda24..fc94c2a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -29966,7 +29974,7 @@ index 17eda24..956662b 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +202,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +202,22 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -29976,6 +29984,10 @@ index 17eda24..956662b 100644 corecmd_exec_bin(init_t) -dev_read_sysfs(init_t) ++corenet_all_recvfrom_netlabel(init_t) ++corenet_tcp_bind_all_ports(init_t) ++corenet_udp_bind_all_ports(init_t) ++ +dev_rw_sysfs(init_t) +dev_read_urand(init_t) +dev_read_raw_memory(init_t) @@ -29986,7 +29998,7 @@ index 17eda24..956662b 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +221,22 @@ domain_signal_all_domains(init_t) +@@ -139,14 +225,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -30009,7 +30021,7 @@ index 17eda24..956662b 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +250,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -30053,11 +30065,11 @@ index 17eda24..956662b 100644 seutil_read_config(init_t) +seutil_read_module_store(init_t) - --miscfiles_read_localization(init_t) ++ +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) -+ + +-miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -30066,7 +30078,7 @@ index 17eda24..956662b 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +301,236 @@ ifdef(`distro_gentoo',` +@@ -186,29 +305,236 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
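Review bot: `++corenet_tcp_bind_all_ports(init_t)` and `++corenet_udp_bind_all_ports(init_t)` let init_t bind every port type, and together with `++corenet_all_recvfrom_netlabel(init_t)` none of the three appears in the commit message. Presumably this is for socket activation, where init binds listening sockets on behalf of services, but that should be recorded, e.g. `# socket-activated units: init binds listeners on behalf of the service`, and confirmed rather than inferred. Once init_t can bind any port, port labels no longer limit which listeners init creates, so the unit configuration becomes the only control over that; worth stating next to the rule. The enclosing init_t local-policy section starts before and continues after this hunk.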
@@ -30098,15 +30110,14 @@ index 17eda24..956662b 100644 + +optional_policy(` + chronyd_read_keys(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + kdump_read_crash(init_t) + kdump_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + gnome_filetrans_home_content(init_t) + gnome_manage_data(init_t) +') @@ -30276,13 +30287,14 @@ index 17eda24..956662b 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -30298,21 +30310,21 @@ index 17eda24..956662b 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ networkmanager_stream_connect(init_t) ') optional_policy(` - nscd_use(init_t) ++ networkmanager_stream_connect(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) ') optional_policy(` -@@ -216,7 +538,31 @@ optional_policy(` +@@ -216,7 +542,31 @@ optional_policy(` ') optional_policy(` @@ -30344,7 +30356,7 @@ index 17eda24..956662b 100644 ') ######################################## -@@ -225,9 +571,9 @@ optional_policy(` +@@ -225,9 +575,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -30356,7 +30368,7 @@ index 17eda24..956662b 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +604,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +608,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30373,7 +30385,7 @@ index 17eda24..956662b 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +629,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +633,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30416,7 +30428,7 @@ index 17eda24..956662b 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +666,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +670,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30428,7 +30440,7 @@ index 17eda24..956662b 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +678,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +682,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30439,7 +30451,7 @@ index 17eda24..956662b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +689,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +693,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -30449,7 +30461,7 @@ index 17eda24..956662b 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +698,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +702,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30457,7 +30469,7 @@ index 17eda24..956662b 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +705,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +709,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30465,7 +30477,7 @@ index 17eda24..956662b 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +713,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +717,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30483,7 +30495,7 @@ index 17eda24..956662b 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +731,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +735,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30497,7 +30509,7 @@ index 17eda24..956662b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +746,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +750,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -30511,7 +30523,7 @@ index 17eda24..956662b 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +759,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +763,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30522,7 +30534,7 @@ index 17eda24..956662b 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +772,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +776,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30530,7 +30542,7 @@ index 17eda24..956662b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +791,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +795,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30554,7 +30566,7 @@ index 17eda24..956662b 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +824,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +828,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30562,7 +30574,7 @@ index 17eda24..956662b 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +858,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +862,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30573,7 +30585,7 @@ index 17eda24..956662b 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +882,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +886,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -30582,7 +30594,7 @@ index 17eda24..956662b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +897,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +901,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30590,7 +30602,7 @@ index 17eda24..956662b 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +918,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +922,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30598,7 +30610,7 @@ index 17eda24..956662b 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +928,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +932,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30643,7 +30655,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -559,14 +973,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +977,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30675,7 +30687,7 @@ index 17eda24..956662b 100644 ') ') -@@ -577,6 +1008,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1012,39 @@ ifdef(`distro_suse',` ') ') @@ -30715,7 +30727,7 @@ index 17eda24..956662b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1053,8 @@ optional_policy(` +@@ -589,6 +1057,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30724,7 +30736,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -610,6 +1076,7 @@ optional_policy(` +@@ -610,6 +1080,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30732,7 +30744,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -626,6 +1093,17 @@ optional_policy(` +@@ -626,6 +1097,17 @@ optional_policy(` ') optional_policy(` 
@@ -30750,7 +30762,7 @@ index 17eda24..956662b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1120,13 @@ optional_policy(` +@@ -642,9 +1124,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30764,7 +30776,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -657,15 +1139,11 @@ optional_policy(` +@@ -657,15 +1143,11 @@ optional_policy(` ') optional_policy(` @@ -30782,7 +30794,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -686,6 +1164,15 @@ optional_policy(` +@@ -686,6 +1168,15 @@ optional_policy(` ') optional_policy(` @@ -30798,7 +30810,7 @@ index 17eda24..956662b 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1213,7 @@ optional_policy(` +@@ -726,6 +1217,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30806,7 +30818,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -743,7 +1231,13 @@ optional_policy(` +@@ -743,7 +1235,13 @@ optional_policy(` ') optional_policy(` @@ -30821,7 +30833,7 @@ index 17eda24..956662b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1260,10 @@ optional_policy(` +@@ -766,6 +1264,10 @@ optional_policy(` ') optional_policy(` @@ -30832,7 +30844,7 @@ index 17eda24..956662b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1273,20 @@ optional_policy(` +@@ -775,10 +1277,20 @@ optional_policy(` ') optional_policy(` @@ -30853,7 +30865,7 @@ index 17eda24..956662b 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1295,10 @@ optional_policy(` +@@ -787,6 +1299,10 @@ optional_policy(` ') optional_policy(` @@ -30864,7 +30876,7 @@ index 17eda24..956662b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1320,6 @@ optional_policy(` +@@ -808,8 +1324,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -30873,7 +30885,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -818,6 +1328,10 @@ optional_policy(` +@@ -818,6 +1332,10 @@ optional_policy(` ') optional_policy(` @@ -30884,7 +30896,7 @@ index 17eda24..956662b 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1341,12 @@ optional_policy(` +@@ -827,10 +1345,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30897,7 +30909,7 @@ index 17eda24..956662b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1373,60 @@ optional_policy(` +@@ -857,21 +1377,60 @@ optional_policy(` ') optional_policy(` @@ -30959,7 +30971,7 @@ index 17eda24..956662b 100644 ') optional_policy(` -@@ -887,6 +1442,10 @@ optional_policy(` +@@ -887,6 +1446,10 @@ optional_policy(` ') optional_policy(` @@ -30970,7 +30982,7 @@ index 17eda24..956662b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1456,218 @@ optional_policy(` +@@ -897,3 +1460,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f767c7a..0034c9a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3231,10 +3231,10 @@ index 0000000..83590aa + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..0d9db0a 100644 +index 7caefc3..7e70f67 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,202 @@ +@@ -1,162 +1,203 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3482,6 +3482,7 @@ index 7caefc3..0d9db0a 100644 +/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/horizon(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -5036,7 +5037,7 @@ index f6eb485..61f36b6 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..da729da 100644 +index 6649962..2a768b5 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6438,7 +6439,7 @@ index 6649962..da729da 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1108,183 @@ optional_policy(` +@@ -883,65 +1108,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6516,15 +6517,22 @@ index 6649962..da729da 100644 + ') +') + ++optional_policy(` ++ tunable_policy(`httpd_run_preupgrade', ` ++ corenet_tcp_bind_preupgrade_port(httpd_t) ++ ') ++') ++ tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_helper_t) -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -6583,11 +6591,10 @@ index 6649962..da729da 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # 
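Review bot: The new `++	tunable_policy(\`httpd_run_preupgrade', \`` is wrapped in `++optional_policy(\``, but it only calls corenet_tcp_bind_preupgrade_port, an interface of the always-present corenet module, so the wrapper is redundant and the adjacent `tunable_policy(\`httpd_tty_comm',\`` shows the plain form this file uses; drop the optional_policy and dedent the block. The boolean itself must be declared with `gen_tunable` in the declarations section, which lies outside this hunk, and neither it nor the preupgrade port (L4) is in the commit message. A one-line comment above the block stating what httpd serves on that port when the boolean is on, adjusted to the actual use case, would document it.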
@@ -6644,7 +6651,7 @@ index 6649962..da729da 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1293,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1299,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6799,7 +6806,7 @@ index 6649962..da729da 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1377,106 @@ optional_policy(` +@@ -1083,172 +1383,106 @@ optional_policy(` ') ') @@ -6971,7 +6978,8 @@ index 6649962..da729da 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; @@ -6989,8 +6997,7 @@ index 6649962..da729da 100644 -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -tunable_policy(`httpd_can_sendmail',` - corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) - corenet_tcp_connect_smtp_port(httpd_sys_script_t) @@ -7036,7 +7043,7 @@ index 6649962..da729da 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1484,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1490,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7133,7 +7140,7 @@ index 6649962..da729da 100644 ######################################## # -@@ -1321,8 +1559,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1565,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` 
@@ -7150,7 +7157,7 @@ index 6649962..da729da 100644 ') ######################################## -@@ -1330,49 +1575,38 @@ optional_policy(` +@@ -1330,49 +1581,38 @@ optional_policy(` # User content local policy # @@ -7215,7 +7222,7 @@ index 6649962..da729da 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1616,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1622,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -8483,10 +8490,15 @@ index 9078c3d..bca0ac9 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index b8355b3..844e45b 100644 +index b8355b3..ad2aa45 100644 --- a/avahi.te +++ b/avahi.te -@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) +@@ -13,10 +13,14 @@ type avahi_initrc_exec_t; + init_script_file(avahi_initrc_exec_t) + + type avahi_var_lib_t; +-files_pid_file(avahi_var_lib_t) ++files_type(avahi_var_lib_t) type avahi_var_run_t; files_pid_file(avahi_var_run_t) @@ -9186,6 +9198,19 @@ index 1d60c27..f8bb700 100644 logging_send_syslog_msg(bird_t) +diff --git a/bitlbee.fc b/bitlbee.fc +index e9708d6..61362d0 100644 +--- a/bitlbee.fc ++++ b/bitlbee.fc +@@ -7,7 +7,7 @@ + + /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) + +-/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0) ++/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) + + /var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) + /var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/bitlbee.if b/bitlbee.if index e73fb79..2badfc0 100644 --- a/bitlbee.if @@ -9206,7 +9231,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..49eff68 100644 +index f5c1a48..7d8669f 100644 --- a/bitlbee.te +++ b/bitlbee.te 
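Review bot: `+/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0)` drops the directory anchor of the old `/var/log/bip(/.*)?` rule, and the unescaped `.` matches any character, so any entry under /var/log whose name merely begins with `bip` (constructed example: a `/var/log/bipfoo` belonging to another service) would be relabeled bitlbee_log_t by restorecon. If the goal is the bip directory plus files created beside it (the `logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })` added in bitlbee.te on L19 suggests that), keeping `/var/log/bip(/.*)?` and adding a narrower file rule such as `/var/log/bip\..* -- gen_context(system_u:object_r:bitlbee_log_t,s0)` is tighter; confirm the actual file names bitlbee writes before choosing the pattern.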
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) @@ -9224,15 +9249,17 @@ index f5c1a48..49eff68 100644 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; allow bitlbee_t bitlbee_conf_t:file read_file_perms; -@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; +@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file }) manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) -@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) + manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) @@ -9242,7 +9269,7 @@ index f5c1a48..49eff68 100644 corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -109,16 +114,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -13430,10 +13457,10 @@ index 0000000..25e3237 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..ede96a7 +index 0000000..589262d --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,95 @@ +policy_module(cockpit, 1.0.0) + +######################################## 
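Review bot: The added `logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })` in the bitlbee.te hunk carries no name filter, so every directory or file bitlbee_t creates directly in /var/log is typed bitlbee_log_t, which is wider than the `/var/log/bip.*` file context the same commit adds. The same unfiltered form is used in the rabbitmq.te hunk (`files_var_lib_filetrans`, `logging_log_filetrans` and `files_pid_filetrans` on rabbitmq_beam_t) and in the squid.te hunk (`files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file })`). Where the created name is fixed, passing it as the name argument, e.g. `logging_log_filetrans(bitlbee_t, bitlbee_log_t, dir, "bip")`, keeps the transition aligned with the file context; if the names vary, a short comment saying so would stop a later reader from narrowing the rule.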
@@ -13472,6 +13499,8 @@ index 0000000..ede96a7 +corecmd_exec_bin(cockpit_t) +corecmd_exec_shell(cockpit_t) + ++corenet_tcp_bind_cockpit_port(cockpit_t) ++ +dev_read_sysfs(cockpit_t) + +domain_use_interactive_fds(cockpit_t) @@ -39938,7 +39967,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..af0698b 100644 +index 483c87b..62ca3e4 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -39958,11 +39987,12 @@ index 483c87b..af0698b 100644 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t) +@@ -64,9 +65,9 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) ++term_use_unallocated_ttys(lircd_t) logging_send_syslog_msg(lircd_t) @@ -40261,7 +40291,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..9321951 100644 +index be0ab84..f4550f1 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -40383,7 +40413,16 @@ index be0ab84..9321951 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -103,24 +131,39 @@ init_all_labeled_script_domtrans(logrotate_t) +@@ -95,6 +123,8 @@ mls_process_write_to_clearance(logrotate_t) + selinux_get_fs_mount(logrotate_t) + selinux_get_enforce_mode(logrotate_t) + ++application_exec_all(logrotate_t) ++ + auth_manage_login_records(logrotate_t) + auth_use_nsswitch(logrotate_t) + +@@ -103,24 +133,39 @@ init_all_labeled_script_domtrans(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) 
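Review bot: `term_use_unallocated_ttys(lircd_t)` in the lircd.te hunk grants lircd_t use of every tty_device_t, which is wider than the single device lircd is meant to talk to, and the reason is recorded only in the commit message. A comment above the line, `# tty_device_t access is needed when lircd is driven through a tty by mythtv`, keeps the justification next to the grant. If the device node used in that setup is known, a file context for that node or a narrower interface would be preferable to all unallocated ttys; the rest of the lircd_t policy continues outside this hunk.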
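Review bot: `application_exec_all(logrotate_t)` in the logrotate.te hunk lets logrotate_t execute every application executable in its own domain, so any command a postrotate script names now runs with logrotate's full access (including the `logging_manage_all_logs(logrotate_t)` visible in the same hunk) instead of through the per-program domain transitions this file otherwise uses, such as the `psad_domtrans`, `rabbitmq_domtrans_beam` and `raid_domtrans_mdadm` optional blocks in the following hunk. If arbitrary postrotate commands really require this, a comment stating that, `# postrotate scripts run arbitrary commands in logrotate_t`, makes the breadth deliberate, and wrapping the rule in a `tunable_policy` boolean would let administrators who only use the packaged scripts keep the narrower default. As written there is nothing in the file to tell a reader why the broad grant exists.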
@@ -40429,7 +40468,7 @@ index be0ab84..9321951 100644 ') optional_policy(` -@@ -135,16 +178,17 @@ optional_policy(` +@@ -135,16 +180,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -40449,7 +40488,7 @@ index be0ab84..9321951 100644 ') optional_policy(` -@@ -170,6 +214,10 @@ optional_policy(` +@@ -170,6 +216,10 @@ optional_policy(` ') optional_policy(` @@ -40460,7 +40499,7 @@ index be0ab84..9321951 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +226,7 @@ optional_policy(` +@@ -178,7 +228,7 @@ optional_policy(` ') optional_policy(` @@ -40469,7 +40508,7 @@ index be0ab84..9321951 100644 ') optional_policy(` -@@ -198,21 +246,26 @@ optional_policy(` +@@ -198,21 +248,26 @@ optional_policy(` ') optional_policy(` @@ -40483,24 +40522,24 @@ index be0ab84..9321951 100644 - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) + polipo_named_filetrans_log_files(logrotate_t) -+') -+ -+optional_policy(` -+ psad_domtrans(logrotate_t) ') optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ rabbitmq_domtrans_beam(logrotate_t) ++ psad_domtrans(logrotate_t) ') optional_policy(` - psad_domtrans(logrotate_t) ++ rabbitmq_domtrans_beam(logrotate_t) ++') ++ ++optional_policy(` + raid_domtrans_mdadm(logrotate_t) ') optional_policy(` -@@ -228,10 +281,21 @@ optional_policy(` +@@ -228,10 +283,21 @@ optional_policy(` ') optional_policy(` @@ -40522,7 +40561,7 @@ index be0ab84..9321951 100644 su_exec(logrotate_t) ') -@@ -241,13 +305,11 @@ optional_policy(` +@@ -241,13 +307,11 @@ optional_policy(` ####################################### # @@ -65920,7 +65959,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..7a242df 100644 +index 5cfb83e..b028333 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) 
@@ -66016,9 +66055,8 @@ index 5cfb83e..7a242df 100644 ######################################## # -# Common postfix domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_domain self:capability { sys_nice sys_chroot }; -dontaudit postfix_domain self:capability sys_tty_config; -allow postfix_domain self:process { signal_perms setpgid setsched }; @@ -66106,8 +66144,9 @@ index 5cfb83e..7a242df 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -66712,7 +66751,7 @@ index 5cfb83e..7a242df 100644 ') optional_policy(` -@@ -730,29 +669,30 @@ optional_policy(` +@@ -730,28 +669,28 @@ optional_policy(` ######################################## # @@ -66740,18 +66779,17 @@ index 5cfb83e..7a242df 100644 - corecmd_exec_bin(postfix_smtpd_t) +-fs_getattr_all_dirs(postfix_smtpd_t) +-fs_getattr_all_fs(postfix_smtpd_t) +# for OpenSSL certificates -+ -+# postfix checks the size of all mounted file systems - fs_getattr_all_dirs(postfix_smtpd_t) - fs_getattr_all_fs(postfix_smtpd_t) -mta_read_aliases(postfix_smtpd_t) -- ++# postfix checks the size of all mounted file systems ++fs_getattr_all_dirs(postfix_smtpd_t) + optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) - dovecot_stream_connect(postfix_smtpd_t) -@@ -764,6 +704,7 @@ optional_policy(` +@@ -764,6 +703,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -66759,7 +66797,7 @@ index 5cfb83e..7a242df 100644 ') optional_policy(` -@@ -774,31 +715,100 @@ optional_policy(` +@@ -774,31 +714,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') 
@@ -66836,7 +66874,7 @@ index 5cfb83e..7a242df 100644 +dev_read_urand(postfix_domain) + +fs_search_auto_mountpoints(postfix_domain) -+fs_getattr_xattr_fs(postfix_domain) ++fs_getattr_all_fs(postfix_domain) +fs_rw_anon_inodefs_files(postfix_domain) + +term_dontaudit_use_console(postfix_domain) @@ -73689,10 +73727,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..4398f8e 100644 +index 8644d8b..f7958c0 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,137 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,138 @@ policy_module(quantum, 1.1.0) # Declarations # @@ -73766,6 +73804,7 @@ index 8644d8b..4398f8e 100644 -logging_log_filetrans(quantum_t, quantum_log_t, dir) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) ++manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) -manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) @@ -74329,7 +74368,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..1bd0827 100644 +index dc3b0ed..20f9ced 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -74342,7 +74381,7 @@ index dc3b0ed..1bd0827 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t) +@@ -30,20 +33,29 @@ files_pid_file(rabbitmq_var_run_t) # Beam local policy # 
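Review bot: Replacing `fs_getattr_xattr_fs(postfix_domain)` with `fs_getattr_all_fs(postfix_domain)` widens filesystem getattr to every filesystem type for the whole postfix_domain attribute, and the line has no comment while the smtpd-specific rule in the preceding hunk carries one. Copying that justification here, `# postfix checks the size of all mounted file systems`, keeps the reason with the rule that now applies to every postfix domain. If only some postfix processes perform that check, keeping the broad form on those domains rather than on the attribute would be the tighter choice.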
@@ -74351,14 +74390,17 @@ index dc3b0ed..1bd0827 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) + + manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) ++files_var_lib_filetrans(rabbitmq_beam_t, rabbitmq_var_lib_t, { dir file }) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++logging_log_filetrans(rabbitmq_beam_t, rabbitmq_var_log_t, { dir file }) + +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t) @@ -74366,13 +74408,13 @@ index dc3b0ed..1bd0827 100644 manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) - -+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) ++files_pid_filetrans(rabbitmq_beam_t, rabbitmq_var_run_t, { dir file }) + ++ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t) + can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) - domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -55,57 +64,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) +@@ -55,57 +67,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) 
@@ -74463,7 +74505,7 @@ index dc3b0ed..1bd0827 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -117,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -92907,10 +92949,10 @@ index b38b8b1..eb36653 100644 userdom_dontaudit_search_user_home_dirs(speedmgmt_t) diff --git a/squid.fc b/squid.fc -index 0a8b0f7..5b066d3 100644 +index 0a8b0f7..20a2ecc 100644 --- a/squid.fc +++ b/squid.fc -@@ -1,12 +1,15 @@ +@@ -1,20 +1,24 @@ -/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) @@ -92929,9 +92971,11 @@ index 0a8b0f7..5b066d3 100644 /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -@@ -15,6 +18,7 @@ + /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) + /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) - /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +-/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) ++/var/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0) -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) @@ -92976,7 +93020,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 03472ed..4ade5f1 100644 +index 03472ed..48b5633 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
@@ -92988,19 +93032,19 @@ index 03472ed..4ade5f1 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t) +@@ -37,15 +37,22 @@ init_script_file(squid_initrc_exec_t) type squid_log_t; logging_log_file(squid_log_t) --type squid_tmp_t; --files_tmp_file(squid_tmp_t) -- - type squid_tmpfs_t; - files_tmpfs_file(squid_tmpfs_t) - -+type squid_tmp_t; -+files_tmp_file(squid_tmp_t) ++type squid_tmpfs_t; ++files_tmpfs_file(squid_tmpfs_t) + + type squid_tmp_t; + files_tmp_file(squid_tmp_t) + +-type squid_tmpfs_t; +-files_tmpfs_file(squid_tmpfs_t) + type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -93013,12 +93057,13 @@ index 03472ed..4ade5f1 100644 ######################################## # # Local policy -@@ -78,13 +84,13 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) +@@ -78,15 +85,18 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) ++manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) ++fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file }) + manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) 
@@ -93027,10 +93072,15 @@ index 03472ed..4ade5f1 100644 -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - ++manage_dirs_pattern(squid_t, squid_var_run_t, squid_var_run_t) manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) - files_pid_filetrans(squid_t, squid_var_run_t, file) +-files_pid_filetrans(squid_t, squid_var_run_t, file) ++manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) ++files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file }) + + can_exec(squid_t, squid_exec_t) -@@ -94,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t) +@@ -94,7 +104,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) @@ -93038,7 +93088,7 @@ index 03472ed..4ade5f1 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -132,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) +@@ -132,6 +141,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) corenet_sendrecv_squid_server_packets(squid_t) @@ -93046,7 +93096,7 @@ index 03472ed..4ade5f1 100644 corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) corenet_tcp_sendrecv_squid_port(squid_t) -@@ -154,7 +160,6 @@ dev_read_urand(squid_t) +@@ -154,7 +164,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) @@ -93054,7 +93104,7 @@ index 03472ed..4ade5f1 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -176,7 +181,6 @@ libs_exec_lib_files(squid_t) +@@ -176,7 +185,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) 
@@ -93062,7 +93112,7 @@ index 03472ed..4ade5f1 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -197,28 +201,31 @@ tunable_policy(`squid_use_tproxy',` +@@ -197,28 +205,31 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -93108,7 +93158,7 @@ index 03472ed..4ade5f1 100644 ') optional_policy(` -@@ -236,3 +243,24 @@ optional_policy(` +@@ -236,3 +247,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -94199,10 +94249,10 @@ index 49d688d..f07cc80 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..a4ec18a +index 0000000..b07d112 --- /dev/null +++ b/swift.fc -@@ -0,0 +1,30 @@ +@@ -0,0 +1,32 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -94220,6 +94270,8 @@ index 0000000..a4ec18a +/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) + ++/usr/bin/swift-proxy-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++ +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + +/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0) @@ -101544,7 +101596,7 @@ index facdee8..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..0b4a6fa 100644 +index f03dcf5..f74be5f 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,212 @@ 
@@ -103285,7 +103337,7 @@ index f03dcf5..0b4a6fa 100644 +typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; @@ -106792,7 +106844,7 @@ index 2695db2..123c042 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index c3b5a81..52c1586 100644 +index c3b5a81..6ebb8d6 100644 --- a/zabbix.fc +++ b/zabbix.fc @@ -4,12 +4,17 @@ @@ -106810,8 +106862,9 @@ index c3b5a81..52c1586 100644 +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) +-/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) +/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) - /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) ++/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0) /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 748e0ef..5ba021b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 54%{?dist} +Release: 55%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
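Review bot: The rewritten `allow svirt_lxc_net_t self:capability { ... }` drops setfcap, sys_boot, sys_resource and setpcap but gives no hint where the remaining list comes from; the changelog says it mirrors docker's capability set, and that belongs in the policy file. A comment such as `# keep in sync with the default docker container capability set` above the rule would explain why dac_override, dac_read_search, sys_ptrace and sys_chroot are intentionally retained and what to revisit when docker's defaults change. sys_ptrace and dac_override remain strong capabilities for a container domain, so it is worth confirming they are part of that default set rather than carried over from the old rule.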
@@ -588,6 +588,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue May 27 2014 Miroslav Grepl 3.13.1-55 +- Add decl for cockip port +- Allow sysadm_t to read all kernel proc +- Allow logrotate to execute all executables +- Allow lircd_t to use tty_device_t for use withmythtv +- Make sure all zabbix files direcories in /var/log have the correct label +- Allow bittlebee to create directories and files in /var/log with the correct label +- Label /var/log/horizon as an apache log +- Add squid directory in /var/run +- Add transition rules to allow rabbitmq to create log files and var_lib files with the correct label +- Wronly labeled avahi_var_lib_t as a pid file +- Fix labels on rabbitmq_var_run_t on file/dir creation +- Allow neutron to create sock files +- Allow postfix domains to getattr on all file systems +- Label swift-proxy-server as swift_exec_t +- Tighten SELinux capabilities to match docker capabilities +- Add fixes for squid which is configured to run with more than one worker. +- Allow cockpit to bind to its port + * Tue May 20 2014 Miroslav Grepl 3.13.1-54 - geard seems to do a lot of relabeling - Allow system_mail_t to append to munin_var_lib_t