From 3a4dba88c0609e448b77b3017b4eea838ead6bd7 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 11 2011 15:20:32 +0000 Subject: +- Allow sa-update to update rules +- Allow sa-update to read spamd tmp file +- Allow screen to read all domain state +- Allow sa-update to execute shell +- More fixes for sa-update running out of cron job +- Allow initrc to manage cron system spool +- Fixes for collectd policy +- Fixes added during clean up bugzillas +- Dontaudit fail2ban_client_t sys_tty_config capability +- Fix for puppet which does execute check on passwd +- ricci_modservice send syslog msgs +- Fix dev_dontaudit_write_mtrr() interface --- diff --git a/policy-F15.patch b/policy-F15.patch index 3bad313..1ccd846 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -480,6 +480,22 @@ index 2c2cdb6..73b3814 100644 + brctl_domtrans($1) + role $2 types brctl_t; +') +diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te +index 9a62a1d..eb017ef 100644 +--- a/policy/modules/admin/brctl.te ++++ b/policy/modules/admin/brctl.te +@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms; + allow brctl_t self:unix_dgram_socket create_socket_perms; + allow brctl_t self:tcp_socket create_socket_perms; + ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit brctl_t self:capability sys_module; ++') ++ + kernel_request_load_module(brctl_t) + kernel_read_network_state(brctl_t) + kernel_read_sysctl(brctl_t) diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 9de382b..682e78e 100644 --- a/policy/modules/admin/certwatch.te @@ -2671,7 +2687,7 @@ index 74354da..0852738 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 81fb26f..fa853d7 100644 +index 81fb26f..a0a1ab6 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if 
@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',` @@ -2718,7 +2734,7 @@ index 81fb26f..fa853d7 100644 + ') + + corecmd_search_bin($1) -+ allow $1 passwd_exec_t:file { getattr_file_perms audit_access }; ++ allow $1 passwd_exec_t:file { getattr_file_perms execute audit_access }; +') + +######################################## @@ -3076,10 +3092,10 @@ index 0000000..e921f24 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..df2b2a9 +index 0000000..701cd5d --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,125 @@ +@@ -0,0 +1,126 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3148,6 +3164,7 @@ index 0000000..df2b2a9 + +files_read_etc_files(chrome_sandbox_t) +files_read_usr_files(chrome_sandbox_t) ++files_exec_usr_files(chrome_sandbox_t) + +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + @@ -9020,7 +9037,7 @@ index 1f2cde4..b73334e 100644 /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..9889ff2 100644 +index 320df26..90537ed 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -50,7 +50,7 @@ template(`screen_role_template',` @@ -9070,14 +9087,16 @@ index 320df26..9889ff2 100644 manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) kernel_read_system_state($1_screen_t) -@@ -112,6 +118,7 @@ template(`screen_role_template',` +@@ -112,7 +118,9 @@ template(`screen_role_template',` # for SSP dev_read_urand($1_screen_t) + domain_sigchld_interactive_fds($1_screen_t) domain_use_interactive_fds($1_screen_t) ++ domain_read_all_domains_state($1_screen_t) files_search_tmp($1_screen_t) + files_search_home($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..787df80 100644 
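Review bot: The `execute` permission added to `allow $1 passwd_exec_t:file { getattr_file_perms execute audit_access };` needs a comment explaining its scope, because on its own it looks like the caller may run passwd in its own domain. Without `execute_no_trans` or a domain transition, `execute` only lets an execve() get past the first check and, more to the point here, lets an access(2) X_OK probe on the binary succeed, which matches the commit's "execute check on passwd" item. Suggest `# execute (without execute_no_trans) only satisfies access(2) X_OK checks, e.g. puppet; it does not let $1 run passwd itself` above the allow. The interface's header and name lie outside this hunk.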
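Review bot: `files_exec_usr_files(chrome_sandbox_t)` lets the sandbox domain execute every `usr_t` file in its own domain (refpolicy defines the interface via `exec_files_pattern` on `usr_t`, so it carries `execute_no_trans`), which is a wide grant for a domain whose purpose is confinement, and the hunk gives no hint which file under /usr triggered it. If it is one known helper, labelling that path with a dedicated exec type, or at minimum a comment naming it (`# chrome sandbox execs <helper> under /usr — TODO confirm path`), would keep the grant auditable. The chrome_sandbox_t rule block continues outside this hunk.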
--- a/policy/modules/apps/seunshare.if @@ -11748,7 +11767,7 @@ index 6cf8784..e244a9d 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..97fbf5b 100644 +index e9313fb..78ef672 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -11979,6 +11998,17 @@ index e9313fb..97fbf5b 100644 ## Delete all block device files. ## ## +@@ -2913,8 +3023,8 @@ interface(`dev_dontaudit_write_mtrr',` + type mtrr_device_t; + ') + +- dontaudit $1 mtrr_device_t:file write; +- dontaudit $1 mtrr_device_t:chr_file write; ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## @@ -3192,24 +3302,6 @@ interface(`dev_rw_printer',` ######################################## @@ -18149,7 +18179,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..5d66681 100644 +index 30861ec..a86043f 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
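Review bot: `domain_read_all_domains_state($1_screen_t)` grants every screen/tmux user domain read access to the /proc state of all confined domains, far more than the neighbouring `domain_use_interactive_fds`/`domain_sigchld_interactive_fds` lines, and nothing in the hunk records which /proc file screen actually needs. If it is only checking whether a session process still exists, `domain_getattr_all_domains` (or a dontaudit of the read) covers that without exposing other domains' state; otherwise add a comment with the denial, e.g. `# screen reads /proc/<pid>/... of sessions started from other domains — TODO confirm which file`. The `screen_role_template` body continues outside this hunk.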
@@ -18236,16 +18266,18 @@ index 30861ec..5d66681 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,8 +121,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) ++kernel_read_network_state(abrt_t) kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) + kernel_rw_kernel_sysctl(abrt_t) +@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -18253,7 +18285,7 @@ index 30861ec..5d66681 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -18263,7 +18295,7 @@ index 30861ec..5d66681 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -18272,7 +18304,7 @@ index 30861ec..5d66681 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +175,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) 
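Review bot: The new `kernel_read_network_state(abrt_t)` is placed directly after `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })` with no blank line, which separates it from the other `kernel_*` calls (`kernel_read_ring_buffer`, `kernel_read_system_state`, `kernel_rw_kernel_sysctl`) that follow the blank line; the file otherwise groups rules by module. Move the line below the blank line next to the other `kernel_*` rules. The abrt_t rule block continues outside this hunk.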
@@ -18281,7 +18313,7 @@ index 30861ec..5d66681 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +184,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -18298,7 +18330,7 @@ index 30861ec..5d66681 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +203,11 @@ optional_policy(` +@@ -150,6 +204,11 @@ optional_policy(` ') optional_policy(` @@ -18310,7 +18342,7 @@ index 30861ec..5d66681 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +225,7 @@ optional_policy(` +@@ -167,6 +226,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -18318,7 +18350,7 @@ index 30861ec..5d66681 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +237,18 @@ optional_policy(` +@@ -178,12 +238,18 @@ optional_policy(` ') optional_policy(` @@ -18338,7 +18370,7 @@ index 30861ec..5d66681 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,9 +266,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -18351,7 +18383,7 @@ index 30861ec..5d66681 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +285,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) 
@@ -18361,7 +18393,7 @@ index 30861ec..5d66681 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +294,131 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -24006,10 +24038,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..979ed78 +index 0000000..3eb4655 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,80 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -24017,6 +24049,14 @@ index 0000000..979ed78 +# Declarations +# + ++## ++##

++## Allow collectd to connect to the ++## network using TCP. ++##

++##
++gen_tunable(collectd_can_network_connect, false) ++ +type collectd_t; +type collectd_exec_t; +init_daemon_domain(collectd_t, collectd_exec_t) @@ -24052,10 +24092,12 @@ index 0000000..979ed78 +domain_use_interactive_fds(collectd_t) + +kernel_read_network_state(collectd_t) ++kernel_read_net_sysctls(collectd_t) +kernel_read_system_state(collectd_t) + +dev_read_sysfs(collectd_t) + ++files_getattr_all_dirs(collectd_t) +files_read_etc_files(collectd_t) +files_read_usr_files(collectd_t) + @@ -24067,6 +24109,12 @@ index 0000000..979ed78 + +sysnet_dns_name_resolve(collectd_t) + ++tunable_policy(`collectd_can_network_connect',` ++ corenet_tcp_connect_all_ports(collectd_t) ++ corenet_tcp_sendrecv_all_ports(collectd_t) ++ corenet_sendrecv_all_client_packets(collectd_t) ++') ++ +optional_policy(` + apache_content_template(collectd) + permissive httpd_collectd_script_t; @@ -24153,7 +24201,7 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..3d9234d +index 0000000..76bf893 --- /dev/null +++ b/policy/modules/services/colord.te @@ -0,0 +1,132 @@ @@ -24210,7 +24258,7 @@ index 0000000..3d9234d +kernel_request_load_module(colord_t) + +# reads *.ini files -+corecmd_read_bin_files(colord_t) ++corecmd_exec_bin(colord_t) + +corenet_udp_bind_generic_node(colord_t) +corenet_udp_bind_ipp_port(colord_t) @@ -24649,10 +24697,10 @@ index 13d2f63..a048c53 100644 type cpuspeed_t; type cpuspeed_exec_t; diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..34ab5ce 100644 +index 2eefc08..aa1c934 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc -@@ -14,9 +14,10 @@ +@@ -14,14 +14,15 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
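Review bot: The comment `# reads *.ini files` now sits above `corecmd_exec_bin(colord_t)`, which grants execution of `bin_t` programs in the colord domain rather than read access, so the comment no longer describes the rule beneath it. Either restore `corecmd_read_bin_files(colord_t)` if execution was not intended, or update the comment to say what colord runs, e.g. `# reads *.ini files and runs helpers labelled bin_t in its own domain — TODO name the helper`. The colord_t rule block continues outside this hunk.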
@@ -24664,6 +24712,12 @@ index 2eefc08..34ab5ce 100644 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) + +-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + /var/spool/cron/[^/]* -- <> + @@ -45,3 +46,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -24671,7 +24725,7 @@ index 2eefc08..34ab5ce 100644 + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..a75e22c 100644 +index 35241ed..372d2c1 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ @@ -24958,7 +25012,7 @@ index 35241ed..a75e22c 100644 ') ######################################## -@@ -627,7 +678,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +678,66 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -25005,9 +25059,28 @@ index 35241ed..a75e22c 100644 + + files_search_var_lib($1) + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') ++ ++####################################### ++## ++## Search the directory containing user cron tables. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_manage_system_spool',` ++ gen_require(` ++ type cron_system_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) ') 
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..20a0261 100644 +index f7583ab..319de67 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -25348,7 +25421,7 @@ index f7583ab..20a0261 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +536,24 @@ optional_policy(` +@@ -456,15 +536,25 @@ optional_policy(` ') optional_policy(` @@ -25368,12 +25441,13 @@ index f7583ab..20a0261 100644 ') optional_policy(` ++ mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` -@@ -480,7 +569,7 @@ optional_policy(` +@@ -480,7 +570,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -25382,7 +25456,7 @@ index f7583ab..20a0261 100644 ') optional_policy(` -@@ -495,6 +584,7 @@ optional_policy(` +@@ -495,6 +585,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -25390,7 +25464,7 @@ index f7583ab..20a0261 100644 ') optional_policy(` -@@ -502,7 +592,13 @@ optional_policy(` +@@ -502,7 +593,13 @@ optional_policy(` ') optional_policy(` @@ -25404,7 +25478,7 @@ index f7583ab..20a0261 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +692,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -28436,7 +28510,7 @@ index 6bef7f8..885cd43 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..4e8fb56 100644 +index f28f64b..0523d8a 100644 --- a/policy/modules/services/exim.te 
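Review bot: The new `cron_manage_system_spool` interface requires `cron_system_spool_t`, but no declaration of that type is visible anywhere in this patch, while cron.fc and cron.te in the same commit use `system_cron_spool_t` (e.g. `mta_system_content(system_cron_spool_t)`); unless `cron_system_spool_t` exists outside this patch, the `gen_require` fails at build time for any caller. Its summary `## Search the directory containing user cron tables.` also describes a different interface, since the body manages files in the system cron spool. Suggest `type system_cron_spool_t;`, `manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)` and a summary such as `## Create, read, write, and delete system cron spool files.`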
+++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -28501,7 +28575,18 @@ index f28f64b..4e8fb56 100644 files_getattr_all_mountpoints(exim_t) fs_getattr_xattr_fs(exim_t) -@@ -171,6 +175,10 @@ optional_policy(` +@@ -162,6 +166,10 @@ optional_policy(` + ') + + optional_policy(` ++ dovecot_stream_connect(exim_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(exim, exim_t) + ') + +@@ -171,6 +179,10 @@ optional_policy(` ') optional_policy(` @@ -28512,7 +28597,7 @@ index f28f64b..4e8fb56 100644 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +192,7 @@ optional_policy(` +@@ -184,6 +196,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -28645,7 +28730,7 @@ index f590a1f..26a6299 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..7b33bda 100644 +index 2a69e5e..aae90fa 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) @@ -28702,7 +28787,7 @@ index 2a69e5e..7b33bda 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +110,34 @@ optional_policy(` +@@ -94,5 +110,36 @@ optional_policy(` ') optional_policy(` @@ -28722,6 +28807,8 @@ index 2a69e5e..7b33bda 100644 +# fail2ban client local policy +# + ++dontaudit fail2ban_client_t self:capability sys_tty_config; ++ +domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) + +stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) @@ -29045,7 +29132,7 @@ index bc27421..a65582e 100644 ## ## Allow domain dyntransition to sftpd_anon domain. diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..f947224 100644 +index 8a74a83..9348f18 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te 
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -29129,7 +29216,15 @@ index 8a74a83..f947224 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t) +@@ -212,13 +231,11 @@ fs_search_auto_mountpoints(ftpd_t) + fs_getattr_all_fs(ftpd_t) + fs_search_fusefs(ftpd_t) + +-auth_use_nsswitch(ftpd_t) +-auth_domtrans_chk_passwd(ftpd_t) +-# Append to /var/log/wtmp. +-auth_append_login_records(ftpd_t) ++auth_use_pam(ftpd_t) #kerberized ftp requires the following auth_write_login_records(ftpd_t) auth_rw_faillog(ftpd_t) @@ -29137,7 +29232,7 @@ index 8a74a83..f947224 100644 init_rw_utmp(ftpd_t) -@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',` +@@ -270,10 +287,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -29155,7 +29250,7 @@ index 8a74a83..f947224 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -316,6 +339,25 @@ optional_policy(` +@@ -316,6 +336,25 @@ optional_policy(` ') optional_policy(` @@ -29181,7 +29276,7 @@ index 8a74a83..f947224 100644 inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -347,10 +389,11 @@ optional_policy(` +@@ -347,10 +386,11 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29194,7 +29289,7 @@ index 8a74a83..f947224 100644 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files -@@ -368,15 +411,30 @@ files_read_etc_files(sftpd_t) +@@ -368,15 +408,30 @@ files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) @@ -38641,7 +38736,7 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') 
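Review bot: `auth_use_pam(ftpd_t)` is a superset of the three calls it replaces: in refpolicy's definition of the time it also pulls in `auth_domtrans_upd_passwd`, lastlog/faillog writes, `init_rw_utmp`, audit messages and input/USB device access for fingerprint readers (verify against this tree's auth.if), so a network-facing daemon gains noticeably more than the commit message records. If PAM authentication is the intent, a comment saying so would help, and the explicit `auth_rw_faillog(ftpd_t)` that remains in the hunk's context becomes redundant. The ftpd_t rule block continues outside this hunk.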
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..fb683ea 100644 +index 06e37d4..4781d16 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,10 +1,18 @@ @@ -38768,7 +38863,7 @@ index 06e37d4..fb683ea 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +241,15 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -38780,12 +38875,14 @@ index 06e37d4..fb683ea 100644 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) -+allow postfix_bounce_t postfix_spool_maildrop_t:dir search_dir_perms; ++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -249,6 +272,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) +@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) 
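Review bot: `manage_files_pattern`/`manage_dirs_pattern` on `postfix_spool_maildrop_t` for `postfix_bounce_t` replaces what was only `search_dir_perms` on the maildrop directory, giving the bounce daemon create/write/unlink over the maildrop queue (in Postfix's layout the directory postdrop writes into for pickup); the commit message has no postfix item and no comment records the denial behind it. If bounce only needs to read queue files it is handed, `read_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` with the existing search is the narrower rule; otherwise a comment naming the access pattern (bug id or the operation seen in the audit log) would help. The postfix_bounce_t block continues outside this hunk.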
@@ -38796,7 +38893,7 @@ index 06e37d4..fb683ea 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,8 +291,8 @@ optional_policy(` +@@ -264,8 +293,8 @@ optional_policy(` # Postfix local local policy # @@ -38806,7 +38903,7 @@ index 06e37d4..fb683ea 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +300,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -38815,7 +38912,7 @@ index 06e37d4..fb683ea 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +315,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -38834,7 +38931,7 @@ index 06e37d4..fb683ea 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -304,9 +338,22 @@ optional_policy(` +@@ -304,9 +340,22 @@ optional_policy(` ') optional_policy(` @@ -38857,7 +38954,7 @@ index 06e37d4..fb683ea 100644 ######################################## # # Postfix map local policy -@@ -372,6 +419,7 @@ optional_policy(` +@@ -372,6 +421,7 @@ optional_policy(` # Postfix pickup local policy # 
@@ -38865,7 +38962,7 @@ index 06e37d4..fb683ea 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -379,19 +427,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -38893,7 +38990,7 @@ index 06e37d4..fb683ea 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +456,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -38902,7 +38999,7 @@ index 06e37d4..fb683ea 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +477,7 @@ optional_policy(` +@@ -420,6 +479,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -38910,7 +39007,7 @@ index 06e37d4..fb683ea 100644 ') optional_policy(` -@@ -436,11 +494,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -38928,7 +39025,7 @@ index 06e37d4..fb683ea 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -507,6 +571,8 @@ optional_policy(` +@@ -507,6 +573,8 @@ optional_policy(` # Postfix qmgr local policy # 
@@ -38937,7 +39034,7 @@ index 06e37d4..fb683ea 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +585,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -38950,7 +39047,7 @@ index 06e37d4..fb683ea 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +609,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -38961,7 +39058,7 @@ index 06e37d4..fb683ea 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +637,10 @@ optional_policy(` +@@ -565,6 +639,10 @@ optional_policy(` ') optional_policy(` @@ -38972,7 +39069,7 @@ index 06e37d4..fb683ea 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +664,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -38989,7 +39086,7 @@ index 06e37d4..fb683ea 100644 ') optional_policy(` -@@ -611,8 +693,8 @@ optional_policy(` +@@ -611,8 +695,8 @@ optional_policy(` # Postfix virtual local policy # @@ -38999,7 +39096,7 @@ index 06e37d4..fb683ea 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +712,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -41651,10 +41748,10 @@ index 00fa514..0f49245 100644 mysql_stream_connect(rgmanager_t) ') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc -index c2ba53b..853eeb5 100644 +index c2ba53b..1f935bf 100644 --- a/policy/modules/services/rhcs.fc +++ b/policy/modules/services/rhcs.fc -@@ -1,14 +1,18 @@ +@@ -1,20 +1,25 @@ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) @@ -41673,6 +41770,13 @@ index c2ba53b..853eeb5 100644 /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) + /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) + + /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) + /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) + /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) + /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if index de37806..229a3c7 100644 --- a/policy/modules/services/rhcs.if @@ -42319,7 +42423,7 @@ index f7826f9..3128dd8 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..b71d193 100644 +index 33e72e8..bf98758 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) 
@@ -42450,7 +42554,7 @@ index 33e72e8..b71d193 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t) +@@ -394,10 +415,10 @@ files_search_usr(ricci_modservice_t) # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) @@ -42458,8 +42562,12 @@ index 33e72e8..b71d193 100644 - init_domtrans_script(ricci_modservice_t) ++logging_send_syslog_msg(ricci_modservice_t) ++ miscfiles_read_localization(ricci_modservice_t) -@@ -405,6 +424,10 @@ optional_policy(` + + optional_policy(` +@@ -405,6 +426,10 @@ optional_policy(` ') optional_policy(` @@ -42470,7 +42578,7 @@ index 33e72e8..b71d193 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +469,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -42499,7 +42607,7 @@ index 33e72e8..b71d193 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,11 +492,27 @@ optional_policy(` +@@ -471,11 +494,27 @@ optional_policy(` ') optional_policy(` @@ -44698,7 +44806,7 @@ index c954f31..7f57f22 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..37677b9 100644 +index ec1eb1e..b4c21bd 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0) @@ -45102,7 +45210,7 @@ index ec1eb1e..37677b9 100644 ') optional_policy(` -@@ -451,3 +559,43 @@ optional_policy(` +@@ -451,3 +559,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') 
@@ -45124,7 +45232,15 @@ index ec1eb1e..37677b9 100644 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) + ++allow spamd_update_t spamd_tmp_t:file read_file_perms; ++ ++kernel_read_system_state(spamd_update_t) ++ ++# for updating rules ++corenet_tcp_connect_http_port(spamd_update_t) ++ +corecmd_exec_bin(spamd_update_t) ++corecmd_exec_shell(spamd_update_t) + +dev_read_urand(spamd_update_t) + @@ -47014,10 +47130,10 @@ index 0000000..7647279 + diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te new file mode 100644 -index 0000000..9fb3ea7 +index 0000000..4fd2377 --- /dev/null +++ b/policy/modules/services/vdagent.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,54 @@ +policy_module(vdagent,1.0.0) + +######################################## @@ -47040,6 +47156,8 @@ index 0000000..9fb3ea7 +# vdagent local policy +# + ++dontaudit vdagent_t self:capability sys_admin; ++ +allow vdagent_t self:fifo_file rw_fifo_file_perms; +allow vdagent_t self:unix_stream_socket create_stream_socket_perms; + @@ -47053,6 +47171,10 @@ index 0000000..9fb3ea7 +logging_log_filetrans(vdagent_t, vdagent_log_t, { file }) + +dev_rw_input_dev(vdagent_t) ++dev_read_sysfs(vdagent_t) ++dev_dontaudit_write_mtrr(vdagent_t) ++ ++files_read_etc_files(vdagent_t) + +term_use_virtio_console(vdagent_t) + @@ -47628,7 +47750,7 @@ index 7c5d8d8..03cc7aee 100644 + allow $1 virt_tmpfs_type:file manage_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..931dbce 100644 +index 3eca020..e78e1e4 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) 
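Review bot: `corecmd_exec_shell(spamd_update_t)` has no comment, and since the same domain now fetches rule updates over the HTTP port (`corenet_tcp_connect_http_port`) it is worth recording which script sa-update runs through the shell so the grant stays reviewable later, e.g. `# sa-update runs its post-update hook scripts via /bin/sh — TODO name the script`. In refpolicy the `corenet_tcp_connect_http_port` line normally also needs the matching `corenet_tcp_sendrecv_*` interfaces unless the base policy grants them to all domains; worth confirming in a test run. The spamd_update_t rule block continues outside this hunk.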
@@ -47792,16 +47914,21 @@ index 3eca020..931dbce 100644 corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) -@@ -133,6 +157,8 @@ dev_list_sysfs(svirt_t) +@@ -133,6 +157,13 @@ dev_list_sysfs(svirt_t) userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) +append_files_pattern(svirt_t, virt_home_t, virt_home_t) +stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t) ++ ++#676372 ++allow svirt_t virt_home_t:dir { add_name write }; ++allow svirt_t virt_home_t:sock_file manage_sock_file_perms; ++allow svirt_t virt_home_t:file rw_inherited_file_perms; tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +173,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +178,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -47817,7 +47944,7 @@ index 3eca020..931dbce 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +190,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +195,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -47840,7 +47967,7 @@ index 3eca020..931dbce 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +215,33 @@ optional_policy(` +@@ -174,21 +220,33 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
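Review bot: The new `allow svirt_t virt_home_t:dir { add_name write };` is paired with `manage_sock_file_perms` on `virt_home_t:sock_file`, a set that includes unlink and rename, yet the directory rule grants no `remove_name`, so removing or renaming such a socket will still be denied unless that permission comes from somewhere outside this hunk. Either narrow the sock_file permissions to what is actually exercised, or make the dir rule `allow svirt_t virt_home_t:dir { add_name remove_name write };`. The bare `#676372` comment should also say what is created in the home directory, since svirt_t (presumably the confined guest domain) writing into user home content deserves a sentence of justification. The svirt_t rules continue outside the hunk.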
@@ -47878,7 +48005,7 @@ index 3eca020..931dbce 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +253,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +258,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -47896,7 +48023,7 @@ index 3eca020..931dbce 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +280,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +285,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -47904,7 +48031,7 @@ index 3eca020..931dbce 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +300,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +305,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -47937,7 +48064,7 @@ index 3eca020..931dbce 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +332,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +337,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -47956,14 +48083,14 @@ index 3eca020..931dbce 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +367,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +372,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) 
@@ -47987,7 +48114,7 @@ index 3eca020..931dbce 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +409,10 @@ optional_policy(` +@@ -313,6 +414,10 @@ optional_policy(` ') optional_policy(` @@ -47998,7 +48125,7 @@ index 3eca020..931dbce 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,6 +429,10 @@ optional_policy(` +@@ -329,6 +434,10 @@ optional_policy(` ') optional_policy(` @@ -48009,7 +48136,7 @@ index 3eca020..931dbce 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +469,8 @@ optional_policy(` +@@ -365,6 +474,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -48018,7 +48145,7 @@ index 3eca020..931dbce 100644 ') optional_policy(` -@@ -394,14 +500,26 @@ optional_policy(` +@@ -394,14 +505,26 @@ optional_policy(` # virtual domains common policy # @@ -48047,7 +48174,7 @@ index 3eca020..931dbce 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +540,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +545,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -48055,7 +48182,7 @@ index 3eca020..931dbce 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +548,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +553,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -48068,7 +48195,7 @@ index 3eca020..931dbce 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +561,14 @@ files_search_all(virt_domain) +@@ -440,6 +566,14 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -48083,7 +48210,7 @@ index 3eca020..931dbce 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +586,117 @@ optional_policy(` +@@ -457,8 +591,118 @@ optional_policy(` ') optional_policy(` @@ -48162,6 +48289,7 @@ index 3eca020..931dbce 100644 +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) ++ xen_domtrans(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') @@ -51537,7 +51665,7 @@ index 2952cef..4892b2a 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..1bc48bc 100644 +index 42b4f0f..7282768 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -51560,7 +51688,20 @@ index 42b4f0f..1bc48bc 100644 ') optional_policy(` -@@ -91,9 +97,12 @@ interface(`auth_use_pam',` +@@ -76,6 +82,12 @@ interface(`auth_use_pam',` + optional_policy(` + nis_authenticate($1) + ') ++ ++ optional_policy(` ++ systemd_dbus_chat_logind($1) ++ systemd_use_fds_logind($1) ++ systemd_write_inherited_logind_sessions_pipes($1) ++ ') + ') + + ######################################## +@@ -91,9 +103,12 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -51573,7 +51714,7 @@ index 42b4f0f..1bc48bc 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -101,14 +110,17 @@ interface(`auth_login_pgm_domain',` +@@ -101,14 +116,17 @@ interface(`auth_login_pgm_domain',` # Needed for pam_selinux_permit to cleanup properly domain_read_all_domains_state($1) 
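Review bot: The three `systemd_*` calls added inside `auth_use_pam` apply to every domain that calls this interface, and `systemd_dbus_chat_logind` grants `dbus send_msg` in both directions with systemd_logind_t, so every PAM client also becomes reachable from logind over the bus. If only session registration by pam_systemd needs this (I am inferring the motivation; the hunk does not state it), a comment above the block such as `# pam_systemd: session registration with logind` would let a later reviewer judge whether the reverse direction is required. The enclosing `interface(`auth_use_pam'` starts outside the hunk.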
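Review bot: The new interface's summary `## Read authlogin state files.` does not match its body in the next hunk (`kernel_search_proc($1)` plus `ps_process_pattern($1, polydomain)`), which grants access to the /proc process state of every domain carrying the polydomain attribute, not to files. Suggest `## Read the process state (/proc/pid) of domains with the polydomain attribute.` so callers see how wide the grant is. The name `authlogin_read_state` also departs from the `auth_` prefix used by the other interfaces visible in this file (`auth_use_pam`, `auth_login_pgm_domain`, `auth_domtrans_chk_passwd`); if the `authlogin_` form is intended, a comment stating that would help.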
@@ -51591,7 +51732,7 @@ index 42b4f0f..1bc48bc 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -119,13 +131,19 @@ interface(`auth_login_pgm_domain',` +@@ -119,13 +137,19 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -51612,7 +51753,7 @@ index 42b4f0f..1bc48bc 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +159,8 @@ interface(`auth_login_pgm_domain',` +@@ -141,6 +165,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -51621,7 +51762,7 @@ index 42b4f0f..1bc48bc 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,13 +171,68 @@ interface(`auth_login_pgm_domain',` +@@ -151,9 +177,86 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -51666,12 +51807,14 @@ index 42b4f0f..1bc48bc 100644 + ssh_agent_exec($1) + ssh_read_user_home_files($1) + userdom_read_user_home_content_files($1) - ') - ') - - ######################################## - ## -+## Read and write a authlogin unnamed pipe. ++ ') ++ ++ ++') ++ ++######################################## ++## ++## Read authlogin state files. +## +## +## 
@@ -51679,20 +51822,36 @@ index 42b4f0f..1bc48bc 100644 +## +## +# -+interface(`authlogin_rw_pipes',` ++interface(`authlogin_read_state',` + gen_require(` + attribute polydomain; + ') + -+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; ++ kernel_search_proc($1) ++ ps_process_pattern($1, polydomain) ++ +') + +######################################## +## - ## Use the login program as an entry point program. - ## - ## -@@ -361,17 +436,18 @@ interface(`auth_domtrans_chk_passwd',` ++## Read and write a authlogin unnamed pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`authlogin_rw_pipes',` ++ gen_require(` ++ attribute polydomain; + ') ++ ++ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -361,17 +464,18 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` kerberos_read_keytab($1) @@ -51713,7 +51872,7 @@ index 42b4f0f..1bc48bc 100644 ') ######################################## -@@ -418,6 +494,25 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +522,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -51739,7 +51898,7 @@ index 42b4f0f..1bc48bc 100644 ') ######################################## -@@ -694,7 +789,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +817,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) @@ -51748,7 +51907,7 @@ index 42b4f0f..1bc48bc 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -733,7 +828,47 @@ interface(`auth_rw_faillog',` +@@ -733,7 +856,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -51797,7 +51956,7 @@ index 42b4f0f..1bc48bc 100644 ') ####################################### -@@ -874,6 +1009,46 @@ interface(`auth_exec_pam',` +@@ -874,6 +1037,46 @@ interface(`auth_exec_pam',` ######################################## ## 
@@ -51844,7 +52003,7 @@ index 42b4f0f..1bc48bc 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -889,9 +1064,30 @@ interface(`auth_manage_var_auth',` +@@ -889,9 +1092,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -51878,7 +52037,7 @@ index 42b4f0f..1bc48bc 100644 ') ######################################## -@@ -1093,6 +1289,24 @@ interface(`auth_delete_pam_console_data',` +@@ -1093,6 +1317,24 @@ interface(`auth_delete_pam_console_data',` ######################################## ## @@ -51903,7 +52062,7 @@ index 42b4f0f..1bc48bc 100644 ## Read all directories on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1326,6 +1540,25 @@ interface(`auth_setattr_login_records',` +@@ -1326,6 +1568,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -51929,7 +52088,7 @@ index 42b4f0f..1bc48bc 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1733,36 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1761,36 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -51973,7 +52132,7 @@ index 42b4f0f..1bc48bc 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1772,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1800,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -53286,7 +53445,7 @@ index cc83689..fc87c2c 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..5219266 100644 +index ea29513..a8e892b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -53894,7 +54053,7 @@ index ea29513..5219266 100644 ') optional_policy(` -@@ -589,6 +856,15 @@ optional_policy(` +@@ -589,6 +856,17 @@ optional_policy(` ') optional_policy(` 
@@ -53904,13 +54063,15 @@ index ea29513..5219266 100644 + +optional_policy(` + cron_read_pipes(initrc_t) ++ # managing /etc/cron.d/mailman content ++ cron_manage_system_spool(initrc_t) +') + +optional_policy(` dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +881,13 @@ optional_policy(` +@@ -605,9 +883,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -53924,7 +54085,7 @@ index ea29513..5219266 100644 ') optional_policy(` -@@ -649,6 +929,11 @@ optional_policy(` +@@ -649,6 +931,11 @@ optional_policy(` ') optional_policy(` @@ -53936,7 +54097,7 @@ index ea29513..5219266 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +991,13 @@ optional_policy(` +@@ -706,7 +993,13 @@ optional_policy(` ') optional_policy(` @@ -53950,7 +54111,7 @@ index ea29513..5219266 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1020,10 @@ optional_policy(` +@@ -729,6 +1022,10 @@ optional_policy(` ') optional_policy(` @@ -53961,7 +54122,7 @@ index ea29513..5219266 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1033,20 @@ optional_policy(` +@@ -738,10 +1035,20 @@ optional_policy(` ') optional_policy(` @@ -53982,7 +54143,7 @@ index ea29513..5219266 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1055,10 @@ optional_policy(` +@@ -750,6 +1057,10 @@ optional_policy(` ') optional_policy(` @@ -53993,7 +54154,7 @@ index ea29513..5219266 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1080,6 @@ optional_policy(` +@@ -771,8 +1082,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -54002,7 +54163,7 @@ index ea29513..5219266 100644 ') optional_policy(` -@@ -781,14 +1088,21 @@ optional_policy(` +@@ -781,14 +1090,21 @@ optional_policy(` ') optional_policy(` 
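Review bot: `cron_manage_system_spool(initrc_t)` gives every init script running as initrc_t create, write and delete rights over the system cron spool, while the comment scopes the need to `/etc/cron.d/mailman`. Because initrc_t is shared by all init scripts, this lets any of them install or alter system cron entries; if only mailman's script needs it, a dedicated domain for that script, or at least a comment recording the trigger, e.g. `# managing /etc/cron.d/mailman content (needed by the mailman init script; bug <placeholder>)`, would make the grant easier to revisit. The optional_policy block is complete within the hunk.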
@@ -54024,7 +54185,7 @@ index ea29513..5219266 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1114,6 @@ optional_policy(` +@@ -800,7 +1116,6 @@ optional_policy(` ') optional_policy(` @@ -54032,7 +54193,7 @@ index ea29513..5219266 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1123,24 @@ optional_policy(` +@@ -810,11 +1125,24 @@ optional_policy(` ') optional_policy(` @@ -54058,7 +54219,7 @@ index ea29513..5219266 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1150,25 @@ optional_policy(` +@@ -824,6 +1152,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -54084,7 +54245,7 @@ index ea29513..5219266 100644 ') optional_policy(` -@@ -849,3 +1194,42 @@ optional_policy(` +@@ -849,3 +1196,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -58484,10 +58645,10 @@ index 0000000..c7476cb + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..da83870 +index 0000000..fe2a3fd --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,264 @@ +@@ -0,0 +1,322 @@ +## SELinux policy for systemd components + +####################################### 
@@ -58541,6 +58702,64 @@ index 0000000..da83870 + can_exec($1, systemd_systemctl_exec_t) +') + ++##################################### ++## ++## Write inherited logind sessions pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_write_inherited_logind_sessions_pipes',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ allow $1 systemd_logind_sessions_t:fifo_file write; ++') ++ ++####################################### ++## ++## Send and receive messages from ++## systemd logind over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_dbus_chat_logind',` ++ gen_require(` ++ type systemd_logind_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 systemd_logind_t:dbus send_msg; ++ allow systemd_logind_t $1:dbus send_msg; ++') ++ ++##################################### ++## ++## Use and and inherited systemd ++## logind file descriptors. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_use_fds_logind',` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ allow $1 systemd_logind_t:fd use; ++') ++ +####################################### +## +## Create a file type used for systemd unit files. diff --git a/selinux-policy.spec b/selinux-policy.spec index bf2e153..41b7857 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 42%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
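Review bot: The summary of `systemd_use_fds_logind` reads `Use and and inherited systemd logind file descriptors.`; it should be `Use inherited systemd logind file descriptors.`. In `systemd_write_inherited_logind_sessions_pipes` the permission set is `write` only, with no `open`, which is exactly what limits the rule to already-open (inherited) pipes; a short comment above the allow, `# no open: inherited descriptors only`, would keep that from being widened into a full fifo permission set later. `systemd_dbus_chat_logind` grants send_msg in both directions, which matches the chat naming.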
@@ -471,6 +471,20 @@ exit 0 %endif %changelog +* Tue Oct 11 2011 Miroslav Grepl 3.9.16-43 +- Allow sa-update to update rules +- Allow sa-update to read spamd tmp file +- Allow screen to read all domain state +- Allow sa-update to execute shell +- More fixes for sa-update running out of cron job +- Allow initrc to manage cron system spool +- Fixes for collectd policy +- Fixes added during clean up bugzillas +- Dontaudit fail2ban_client_t sys_tty_config capability +- Fix for puppet which does execute check on passwd +- ricci_modservice send syslog msgs +- Fix dev_dontaudit_write_mtrr() interface + * Thu Sep 27 2011 Miroslav Grepl 3.9.16-42 - Make mta_role() active - Add additional gitweb file context labeling