From 737a3cdcb3d7623fc926fde5c26c2f75a9b56c8a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 30 2013 21:57:53 +0000 Subject: - Add more aliases in pegasus.te - Add more fixes for *_admin interfaces - Add interface fixes - Allow nscd to stream connect to nmbd - Allow gnupg apps to write to pcscd socket - Add more fixes for openlmi provides. Fix naming and support for addit - Allow fetchmail to resolve host names - Allow firewalld to interact also with lnk files labeled as firewalld_ - Add labeling for cmpiLMI_Fan-cimprovagt - Allow net_admin for glusterd - Allow telepathy domain to create dconf with correct labeling in /home - Add pegasus_openlmi_system_t - Fix puppet_domtrans_master() to make all puppet calling working in pa - Fix corecmd_exec_chroot() - Fix logging_relabel_syslog_pid_socket interface - Fix typo in unconfineduser.te - Allow system_r to access unconfined_dbusd_t to run hp_chec --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 930ffa4..831a640 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -3381,7 +3381,7 @@ index 644d4d7..51181b8 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..979f47f 100644 +index 9e9263a..43cdcb9 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -3508,7 +3508,15 @@ index 9e9263a..979f47f 100644 mmap_files_pattern($1, bin_t, bin_t) ') -@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',` +@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',` + interface(`corecmd_exec_chroot',` + gen_require(` + type chroot_exec_t; ++ type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) +@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',` ######################################## ## 
@@ -3533,7 +3541,7 @@ index 9e9263a..979f47f 100644 ## Get the attributes of all executable files. ## ## -@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',` +@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',` can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) @@ -3544,7 +3552,7 @@ index 9e9263a..979f47f 100644 ') ######################################## -@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -3552,7 +3560,7 @@ index 9e9263a..979f47f 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -18330,10 +18338,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..c8f13da +index 0000000..a52f369 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,329 @@ +@@ -0,0 +1,330 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18521,6 +18529,7 @@ index 0000000..c8f13da + +optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) ++ role system_r types unconfined_dbusd_t; + + optional_policy(` + unconfined_domain(unconfined_dbusd_t) @@ -30192,7 +30201,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..55d2481 100644 +index 4e94884..9b82ed0 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
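Review bot: The added `role system_r types unconfined_dbusd_t;` in the unconfineduser.te hunk lets the system role run an unconfined domain and carries no comment saying why; the only rationale is the truncated commit subject ("to run hp_chec"). A one-line comment above the rule, e.g. `# system_r must be able to run unconfined_dbusd_t; see the commit message for the motivating tool`, keeps that justification next to a line that widens what system_r can execute. The enclosing optional_policy block is within the hunk, but the rest of unconfineduser.te is not.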
@@ -30354,7 +30363,7 @@ index 4e94884..55d2481 100644 +# +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` -+ type devlog_t; ++ type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; @@ -34806,7 +34815,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..431d2f1 100644 +index b7686d5..a5086e8 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -35022,7 +35031,18 @@ index b7686d5..431d2f1 100644 ') optional_policy(` -@@ -259,12 +302,21 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -228,6 +271,10 @@ optional_policy(` + ') + + optional_policy(` ++ virt_manage_pid_files(dhcpc_t) ++') ++ ++optional_policy(` + vmware_append_log(dhcpc_t) + ') + +@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35044,7 +35064,7 @@ index b7686d5..431d2f1 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +326,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35074,7 +35094,7 @@ index b7686d5..431d2f1 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +361,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
@@ -35102,7 +35122,7 @@ index b7686d5..431d2f1 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +385,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35125,7 +35145,7 @@ index b7686d5..431d2f1 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +411,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35139,7 +35159,7 @@ index b7686d5..431d2f1 100644 ') optional_policy(` -@@ -339,7 +424,15 @@ optional_policy(` +@@ -339,7 +428,15 @@ optional_policy(` ') optional_policy(` @@ -35156,7 +35176,7 @@ index b7686d5..431d2f1 100644 ') optional_policy(` -@@ -360,3 +453,13 @@ optional_policy(` +@@ -360,3 +457,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 40fdab0..236a048 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -8266,7 +8266,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..e3dbd11 100644 +index 076ffee..9977c4d 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8307,7 +8307,15 @@ index 076ffee..e3dbd11 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -170,6 +173,11 @@ tunable_policy(`named_write_master_zones',` +@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t) + dev_read_sysfs(named_t) + dev_read_rand(named_t) + dev_read_urand(named_t) ++dev_dontaudit_write_urand(named_t) + + domain_use_interactive_fds(named_t) + +@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` 
@@ -8319,7 +8327,7 @@ index 076ffee..e3dbd11 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +191,7 @@ optional_policy(` +@@ -183,6 +192,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8327,7 +8335,7 @@ index 076ffee..e3dbd11 100644 ') optional_policy(` -@@ -209,7 +218,8 @@ optional_policy(` +@@ -209,7 +219,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -8337,7 +8345,7 @@ index 076ffee..e3dbd11 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +233,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -8349,7 +8357,7 @@ index 076ffee..e3dbd11 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +260,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -9763,10 +9771,15 @@ index 4ec0626..88e7e89 100644 userdom_dontaudit_use_unpriv_user_fds(canna_t) diff --git a/ccs.if b/ccs.if -index 5ded72d..c1b4d35 100644 +index 5ded72d..cb94e5e 100644 --- a/ccs.if +++ b/ccs.if -@@ -102,16 +102,20 @@ interface(`ccs_admin',` +@@ -98,20 +98,24 @@ interface(`ccs_manage_config',` + interface(`ccs_admin',` + gen_require(` + type ccs_t, ccs_initrc_exec_t, cluster_conf_t; +- type ccs_var_lib_t_t, ccs_var_log_t; ++ type ccs_var_lib_t, ccs_var_log_t; type ccs_var_run_t, ccs_tmp_t; ') @@ -12622,7 +12635,7 @@ index 23dc348..7cc536b 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) diff --git a/condor.if b/condor.if -index 3fe3cb8..b8e08c6 100644 +index 3fe3cb8..5fe84a6 100644 --- a/condor.if +++ b/condor.if 
@@ -1,81 +1,397 @@ @@ -13035,7 +13048,7 @@ index 3fe3cb8..b8e08c6 100644 +interface(`condor_admin',` + gen_require(` + attribute condor_domain; -+ type condor_initrc_exec_config_t, condor_log_t; ++ type condor_initrc_exec_t, condor_log_t; + type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; + type condor_var_run_t, condor_startd_tmp_t; + type condor_unit_file_t; @@ -20887,7 +20900,7 @@ index 23ab808..4a801b5 100644 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..531cf03 100644 +index 19aa0b8..1e8b244 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -21096,11 +21109,12 @@ index 19aa0b8..531cf03 100644 ') ######################################## -@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ++ type dnsmasq_var_log_t; + type dnsmasq_initrc_exec_t; + type dnsmasq_unit_file_t; ') @@ -21116,7 +21130,7 @@ index 19aa0b8..531cf03 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) @@ -23351,7 +23365,7 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index f0388cb..fd440f8 100644 +index f0388cb..7d63acb 100644 --- a/fetchmail.te +++ b/fetchmail.te @@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen }; 
@@ -23383,7 +23397,7 @@ index f0388cb..fd440f8 100644 corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_node(fetchmail_t) -@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t) +@@ -84,15 +86,19 @@ fs_search_auto_mountpoints(fetchmail_t) domain_use_interactive_fds(fetchmail_t) @@ -23395,6 +23409,8 @@ index f0388cb..fd440f8 100644 -miscfiles_read_localization(fetchmail_t) miscfiles_read_generic_certs(fetchmail_t) ++sysnet_dns_name_resolve(fetchmail_t) ++ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) -userdom_search_user_home_dirs(fetchmail_t) + @@ -23581,7 +23597,7 @@ index 5cf6ac6..0fc685b 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..64e18e1 100644 +index c8014f8..2888d51 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -23606,7 +23622,15 @@ index c8014f8..64e18e1 100644 dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; +@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) ++manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) + + allow firewalld_t firewalld_var_log_t:file append_file_perms; + allow firewalld_t firewalld_var_log_t:file create_file_perms; +@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms; logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) 
@@ -23628,7 +23652,7 @@ index c8014f8..64e18e1 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t) +@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -23654,7 +23678,7 @@ index c8014f8..64e18e1 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +101,10 @@ optional_policy(` +@@ -85,6 +102,10 @@ optional_policy(` ') optional_policy(` @@ -25026,10 +25050,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..cbe51a9 +index 0000000..3156ad4 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,164 @@ +@@ -0,0 +1,166 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25087,7 +25111,7 @@ index 0000000..cbe51a9 +# Local policy +# + -+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid }; ++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid net_admin }; +allow glusterd_t self:capability2 block_suspend; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; +allow glusterd_t self:fifo_file rw_fifo_file_perms; @@ -25162,6 +25186,8 @@ index 0000000..cbe51a9 + +fs_getattr_all_fs(glusterd_t) + ++files_mounton_mnt(glusterd_t) ++ +storage_rw_fuse(glusterd_t) + +auth_use_nsswitch(glusterd_t) @@ -25474,7 +25500,7 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..567f963 100644 +index d03fd43..e334392 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,155 @@ 
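Review bot: The glusterd.te hunk at 25087 appends `net_admin` to glusterd_t's self capability set without a comment; CAP_NET_ADMIN grants broad network-configuration rights, far more than whatever single operation triggered the denial. A comment above the allow line such as `# net_admin: <fill in the operation that needed it>` would record the reason for a later audit of the domain's capabilities. The `files_mounton_mnt(glusterd_t)` added in the 25162 hunk on the same line deserves the same one-line note.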
@@ -26556,15 +26582,13 @@ index d03fd43..567f963 100644 ## ## ## -@@ -704,12 +795,811 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # -interface(`gnome_stream_connect_all_gkeyringd',` +interface(`gnome_exec_gconf',` - gen_require(` -- attribute gkeyringd_domain; -- type gnome_keyring_tmp_t; ++ gen_require(` + type gconfd_exec_t; + ') + @@ -26647,10 +26671,9 @@ index d03fd43..567f963 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; - ') - - files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ ') ++ ++ files_search_tmp($1) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + @@ -27116,11 +27139,14 @@ index d03fd43..567f963 100644 +## +# +interface(`gnome_dbus_chat_gkeyringd',` -+ gen_require(` -+ attribute gkeyringd_domain; + gen_require(` + attribute gkeyringd_domain; +- type gnome_keyring_tmp_t; + class dbus send_msg; -+ ') -+ + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; +') @@ -27293,6 +27319,25 @@ index d03fd43..567f963 100644 + +######################################## +## ++## Create gnome dconf dir in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_filetrans_config_home_content',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ gnome_cache_filetrans($1, config_home_t, dir, "dconf") ++') ++ ++######################################## ++## +## Create gnome directory in the /root directory +## with an correct label. +## @@ -28214,7 +28259,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..b04d02c 100644 +index 44cf341..8aa9dd9 100644 --- a/gpg.te 
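Review bot: The new `gnome_filetrans_config_home_content` interface (gnome.if hunk at 27293) is documented as creating the dconf dir "in the user home directory", but its body calls `gnome_cache_filetrans($1, config_home_t, dir, "dconf")`; that interface is defined outside this hunk, and if it sets up the name transition under the cache directory rather than the home directory, the description and the behaviour disagree. Confirm which location is intended and either correct the summary or call the home-directory filetrans interface instead. The summary text `with an correct label` should also read `with a correct label`.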
+++ b/gpg.te @@ -1,47 +1,47 @@ @@ -28557,7 +28602,7 @@ index 44cf341..b04d02c 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -28600,7 +28645,17 @@ index 44cf341..b04d02c 100644 ') optional_policy(` -@@ -277,8 +300,17 @@ optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) + ') + ++optional_policy(` ++ pcscd_stream_connect(gpg_agent_t) ++') ++ + ############################## + # + # Pinentry local policy +@@ -277,8 +304,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -28619,7 +28674,7 @@ index 44cf341..b04d02c 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -28807,10 +28862,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..28263c7 +index 0000000..4bd5abf --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,204 @@ +@@ -0,0 +1,203 @@ + +## policy for gssproxy + @@ -28945,7 +29000,6 @@ index 0000000..28263c7 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) + allow $1 gssproxy_unit_file_t:file read_file_perms; + allow $1 gssproxy_unit_file_t:service manage_service_perms; + 
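Review bot: The gssproxy.if hunk at 28945 removes `systemd_read_fifo_file_password_run($1)` from gssproxy_admin outright, while the modemmanager.if and pesign.if hunks of this same commit fix the same misnamed call by renaming it to `systemd_read_fifo_file_passwd_run($1)`. If the deletion was only because the old interface name does not exist, gssproxy_admin now silently lacks a permission the other *_admin interfaces keep; the consistent fix is `systemd_read_fifo_file_passwd_run($1)` unless gssproxy has a reason not to need it. The rest of gssproxy_admin lies outside the hunk.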
@@ -29883,6 +29937,21 @@ index ecad9c7..86d790f 100644 optional_policy(` seutil_use_newrole_fds(irc_t) ') +diff --git a/ircd.if b/ircd.if +index ade9803..3620c9a 100644 +--- a/ircd.if ++++ b/ircd.if +@@ -33,8 +33,8 @@ interface(`ircd_admin',` + + files_search_etc($1) + admin_pattern($1, ircd_etc_t) +- +- logging_search_log($1) ++ ++ logging_search_logs($1) + admin_pattern($1, ircd_log_t) + + files_search_var_lib($1) diff --git a/ircd.te b/ircd.te index e9f746e..40e440c 100644 --- a/ircd.te @@ -36791,9 +36860,18 @@ index 1d4eb19..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 4926208..293e577 100644 +index 4926208..018a640 100644 --- a/memcached.te +++ b/memcached.te +@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) + # Local policy + # + +-allow memcached_t self:capability { setuid setgid }; ++allow memcached_t self:capability { setuid setgid sys_resource }; + dontaudit memcached_t self:capability sys_tty_config; + allow memcached_t self:process { setrlimit signal_perms }; + allow memcached_t self:tcp_socket { accept listen }; @@ -57,4 +57,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -37785,7 +37863,7 @@ index a83894c..481dca3 100644 + +/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) diff --git a/modemmanager.if b/modemmanager.if -index b1ac8b5..90ca430 100644 +index b1ac8b5..d65017f 100644 --- a/modemmanager.if +++ b/modemmanager.if @@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` @@ -37807,7 +37885,7 @@ index b1ac8b5..90ca430 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 modemmanager_unit_file_t:file read_file_perms; + allow $1 modemmanager_unit_file_t:service manage_service_perms; + 
@@ -37985,6 +38063,19 @@ index d287fe9..3dc493c 100644 init_dbus_chat_script(mono_t) +diff --git a/monop.if b/monop.if +index 8fdaece..5440757 100644 +--- a/monop.if ++++ b/monop.if +@@ -31,7 +31,7 @@ interface(`monop_admin',` + role_transition $2 monopd_initrc_exec_t system_r; + allow $2 system_r; + +- logging_search_etc($1) ++ logging_search_logs($1) + admin_pattern($1, monopd_etc_t) + + files_search_pids($1) diff --git a/monop.te b/monop.te index 4462c0e..84944d1 100644 --- a/monop.te @@ -45991,10 +46082,10 @@ index 0000000..cf8f660 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..061a689 +index 0000000..fc9f771 --- /dev/null +++ b/nova.te -@@ -0,0 +1,329 @@ +@@ -0,0 +1,328 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -46056,6 +46147,7 @@ index 0000000..061a689 +corecmd_exec_shell(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) + ++dev_read_sysfs(nova_domain) +dev_read_urand(nova_domain) + +fs_getattr_xattr_fs(nova_domain) @@ -46157,8 +46249,6 @@ index 0000000..061a689 + +dev_read_rand(nova_compute_t) + -+dev_read_sysfs(nova_compute_t) -+ +optional_policy(` + virt_getattr_exec(nova_compute_t) + virt_stream_connect(nova_compute_t) @@ -46649,7 +46739,7 @@ index 8f2ab09..7b8f5ad 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index df4c10f..2814186 100644 +index df4c10f..8c09c68 100644 --- a/nscd.te +++ b/nscd.te @@ -1,36 +1,37 @@ @@ -46799,7 +46889,7 @@ index df4c10f..2814186 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +130,30 @@ optional_policy(` +@@ -121,20 +130,31 @@ optional_policy(` ') optional_policy(` @@ -46829,6 +46919,7 @@ index df4c10f..2814186 100644 - udev_read_db(nscd_t) + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) ++ samba_stream_connect_nmbd(nscd_t) ') optional_policy(` 
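Review bot: In the monop.if hunk, replacing `logging_search_etc($1)` with `logging_search_logs($1)` does not match the line it precedes, `admin_pattern($1, monopd_etc_t)`: searching the log directory is not what is needed to reach an etc-type. The ircd_admin fix in this same commit pairs `files_search_etc($1)` with `admin_pattern($1, ircd_etc_t)`, so the matching fix here is `files_search_etc($1)` (assuming monopd_etc_t is labeled under /etc, which the hunk does not show). The remainder of monop_admin is outside the hunk.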
@@ -52549,10 +52640,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..6667b8a 100644 +index dfd46e4..2e04b85 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,20 @@ +@@ -1,15 +1,24 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
@@ -52561,26 +52652,30 @@ index dfd46e4..6667b8a 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++ ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - --/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) --/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) +-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) --/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +-/var/lib/Pegasus(/.*)? 
gen_context(system_u:object_r:pegasus_data_t,s0) +#openlmi agents +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0) -+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52682,7 +52777,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..71ab12b 100644 +index 7bcf327..366eeaf 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ 
@@ -52706,20 +52801,27 @@ index 7bcf327..71ab12b 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,196 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,216 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers ++pegasus_openlmi_domain_template(admin) ++typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; ++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t; ++ ++ +pegasus_openlmi_domain_template(account) +pegasus_openlmi_domain_template(logicalfile) -+pegasus_openlmi_domain_template(networking) -+pegasus_openlmi_domain_template(service) ++pegasus_openlmi_domain_template(services) + +pegasus_openlmi_domain_template(storage) +type pegasus_openlmi_storage_tmp_t; +files_tmp_file(pegasus_openlmi_storage_tmp_t) + ++pegasus_openlmi_domain_template(system) ++typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; ++typealias pegasus_openlmi_system_exec_t alias pegasus_openlmi_networking_exec_t; +pegasus_openlmi_domain_template(unconfined) + +####################################### @@ -52737,6 +52839,8 @@ index 7bcf327..71ab12b 100644 +corecmd_exec_bin(pegasus_openlmi_domain) +corecmd_exec_shell(pegasus_openlmi_domain) + ++dev_read_sysfs(pegasus_openlmi_domain) ++ +auth_read_passwd(pegasus_openlmi_domain) + +sysnet_read_config(pegasus_openlmi_domain) 
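Review bot: The pegasus.te hunk makes `pegasus_openlmi_service_t` an alias of `pegasus_openlmi_admin_t` while also declaring a separate `pegasus_openlmi_domain_template(services)`, so `..._service_t` and `..._services_t` now differ by one letter yet name different domains; pegasus.fc in this commit likewise maps cmpiLMI_Service to the admin exec type and cmpiLMI_Realmd to the services one. A comment next to the typealias, e.g. `# service_t is the old name of admin_t (cmpiLMI_Service); services_t is a distinct domain (cmpiLMI_Realmd)`, would head off the obvious mix-up, and the `system_t`/`networking_t` alias pair further down deserves the same note.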
@@ -52806,26 +52910,38 @@ index 7bcf327..71ab12b 100644 + # so we want to have unconfined_domain attribute for filename rules + unconfined_domain(pegasus_openlmi_logicalfile_t) +') ++###################################### ++# ++# pegasus openlmi networking local policy ++# ++ ++optional_policy(` ++ dbus_system_bus_client(pegasus_openlmi_services_t) ++') ++ ++optional_policy(` ++ realmd_dbus_chat(pegasus_openlmi_services_t) ++') + +###################################### +# +# pegasus openlmi networking local policy +# + -+allow pegasus_openlmi_networking_t self:capability { net_admin }; ++allow pegasus_openlmi_system_t self:capability { net_admin }; + -+allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;; -+allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms; ++allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;; ++allow pegasus_openlmi_system_t self:udp_socket create_socket_perms; + -+dev_rw_sysfs(pegasus_openlmi_networking_t) -+dev_read_urand(pegasus_openlmi_networking_t) ++dev_rw_sysfs(pegasus_openlmi_system_t) ++dev_read_urand(pegasus_openlmi_system_t) + +optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_networking_t) ++ dbus_system_bus_client(pegasus_openlmi_system_t) ++') + -+ optional_policy(` -+ networkmanager_dbus_chat(pegasus_openlmi_networking_t) -+ ') ++optional_policy(` ++ networkmanager_dbus_chat(pegasus_openlmi_system_t) +') + +###################################### 
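Review bot: The new block granting `dbus_system_bus_client` and `realmd_dbus_chat` to pegasus_openlmi_services_t is headed `# pegasus openlmi networking local policy`, the same heading as the system_t block immediately below it; it should read `# pegasus openlmi services local policy`. In the same hunk the renamed line `allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;` carries over a doubled semicolon from the old networking line; drop the stray `;`.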
@@ -52833,20 +52949,19 @@ index 7bcf327..71ab12b 100644 +# pegasus openlmi service local policy +# + ++init_disable_services(pegasus_openlmi_admin_t) ++init_enable_services(pegasus_openlmi_admin_t) ++init_reload_services(pegasus_openlmi_admin_t) ++init_exec(pegasus_openlmi_admin_t) + -+init_disable_services(pegasus_openlmi_service_t) -+init_enable_services(pegasus_openlmi_service_t) -+init_reload_services(pegasus_openlmi_service_t) -+init_exec(pegasus_openlmi_service_t) -+ -+systemd_config_all_services(pegasus_openlmi_service_t) -+systemd_manage_all_unit_files(pegasus_openlmi_service_t) -+systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t) ++systemd_config_all_services(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_files(pegasus_openlmi_admin_t) ++systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t) + +allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; + +optional_policy(` -+ dbus_system_bus_client(pegasus_openlmi_service_t) ++ dbus_system_bus_client(pegasus_openlmi_admin_t) +') + +###################################### @@ -52908,7 +53023,7 @@ index 7bcf327..71ab12b 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +229,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +249,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -52939,7 +53054,7 @@ index 7bcf327..71ab12b 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +255,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +275,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) 
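Review bot: `allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;` is the one line in the admin block still written against the alias after the surrounding init_*/systemd_* lines were renamed to `pegasus_openlmi_admin_t`; the typealias makes it equivalent, but it reads as a leftover and is easy to confuse with the separate `pegasus_openlmi_services_t`. Change it to `allow pegasus_openlmi_admin_t self:udp_socket create_socket_perms;` for consistency, and consider retitling the block header `# pegasus openlmi service local policy` to say admin as well.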
@@ -52972,7 +53087,7 @@ index 7bcf327..71ab12b 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +283,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +303,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -52980,7 +53095,7 @@ index 7bcf327..71ab12b 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +298,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +318,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -53012,7 +53127,7 @@ index 7bcf327..71ab12b 100644 ') optional_policy(` -@@ -151,16 +328,24 @@ optional_policy(` +@@ -151,16 +348,24 @@ optional_policy(` ') optional_policy(` @@ -53041,7 +53156,7 @@ index 7bcf327..71ab12b 100644 ') optional_policy(` -@@ -168,7 +353,7 @@ optional_policy(` +@@ -168,7 +373,7 @@ optional_policy(` ') optional_policy(` @@ -53064,7 +53179,7 @@ index 0000000..7b54c39 +/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) diff --git a/pesign.if b/pesign.if new file mode 100644 -index 0000000..c20674c +index 0000000..26b1f0c --- /dev/null +++ b/pesign.if @@ -0,0 +1,103 @@ @@ -53125,7 +53240,7 @@ index 0000000..c20674c + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 pesign_unit_file_t:file read_file_perms; + allow $1 pesign_unit_file_t:service manage_service_perms; + @@ -56650,7 +56765,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index 2e23946..589bbf2 100644 +index 2e23946..e9ac366 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ 
@@ -57089,7 +57204,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -57142,6 +57257,7 @@ index 2e23946..589bbf2 100644 +interface(`postfix_domtrans_postgqueue',` + gen_require(` + type postfix_postgqueue_t; ++ type postfix_postgqueue_exec_t; + ') + domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t) +') @@ -57184,7 +57300,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') @@ -57199,7 +57315,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -57215,7 +57331,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -57232,7 +57348,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -57248,7 +57364,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` ## ## # @@ -57257,7 +57373,7 @@ index 2e23946..589bbf2 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` 
@@ -57271,7 +57387,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -626,11 +679,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -57285,7 +57401,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -645,17 +698,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -57306,7 +57422,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -57340,7 +57456,7 @@ index 2e23946..589bbf2 100644 ') ######################################## -@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -57351,7 +57467,7 @@ index 2e23946..589bbf2 100644 ## ## ## -@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -61783,7 +61899,7 @@ index 4ecda09..8c0b242 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..7c5c5fb 100644 +index 7cb8b1f..46650f0 100644 --- a/puppet.if +++ b/puppet.if @@ -1,4 +1,32 @@ 
@@ -61811,11 +61927,11 @@ index 7cb8b1f..7c5c5fb 100644 +# +interface(`puppet_domtrans_master',` + gen_require(` -+ type puppet_master_t, puppet_master_exec_t; ++ type puppetmaster_t, puppetmaster_t_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, puppet_master_exec_t, puppet_master_t) ++ domtrans_pattern($1, puppetmaster_t_exec_t, puppetmaster_t) +') ######################################## @@ -64768,10 +64884,10 @@ index 70ab68b..e97da31 100644 /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..5fb7731 100644 +index afc0068..7b3cfad 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,292 @@ +@@ -2,41 +2,293 @@ ######################################## ## @@ -65000,6 +65116,7 @@ index afc0068..5fb7731 100644 +# +interface(`quantum_stream_connect',` + gen_require(` ++ type quantum_t; + type quantum_var_lib_t; + ') + @@ -80104,7 +80221,7 @@ index 0000000..92c3638 + +sysnet_dns_name_resolve(smsd_t) diff --git a/smstools.if b/smstools.if -index cbfe369..085ac13 100644 +index cbfe369..6594af3 100644 --- a/smstools.if +++ b/smstools.if @@ -1,5 +1,81 @@ @@ -80189,6 +80306,15 @@ index cbfe369..085ac13 100644 ######################################## ## ## All of the rules required to +@@ -32,7 +108,7 @@ interface(`smstools_admin',` + role_transition $2 smsd_initrc_exec_t system_r; + allow $2 system_r; + +- files_search_config($1) ++ files_search_etc($1) + admin_pattern($1, smsd_conf_t) + + files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 index 0000000..3f412d5 @@ -84299,7 +84425,7 @@ index 42946bc..3d30062 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..20a31da 100644 +index e9c0964..91c1898 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ 
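Review bot: `puppetmaster_t_exec_t` in the new `gen_require` of `puppet_domtrans_master` does not follow the `<domain>_exec_t` naming every other interface in this patch uses (`postfix_postgqueue_exec_t`, and the `puppet_master_exec_t` this line replaces), so it reads like a typo for `puppetmaster_exec_t`. A `gen_require` on a type that puppet.te does not declare fails the module build, which would take the passenger.te caller this commit is meant to fix down with it. Please check the type declaration in puppet.te; if it is `puppetmaster_exec_t`, the two lines become `type puppetmaster_t, puppetmaster_exec_t;` and `domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)`.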
@@ -84800,7 +84926,7 @@ index e9c0964..20a31da 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +382,39 @@ optional_policy(` +@@ -452,31 +382,40 @@ optional_policy(` ####################################### # @@ -84839,6 +84965,7 @@ index e9c0964..20a31da 100644 optional_policy(` + gnome_read_generic_cache_files(telepathy_domain) + gnome_write_generic_cache_files(telepathy_domain) ++ gnome_filetrans_config_home_content(telepathy_domain) +') + +optional_policy(` @@ -94701,7 +94828,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..4dec288 100644 +index 46e4cd3..dea93eb 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) @@ -94713,7 +94840,23 @@ index 46e4cd3..4dec288 100644 ## Determine whether zabbix can ## connect to all TCP ports ##

-@@ -95,12 +95,8 @@ corecmd_exec_shell(zabbix_t) +@@ -52,11 +52,10 @@ allow zabbix_t self:sem create_sem_perms; + allow zabbix_t self:shm create_shm_perms; + allow zabbix_t self:tcp_socket create_stream_socket_perms; + +-allow zabbix_t zabbix_log_t:dir setattr_dir_perms; +-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +-logging_log_filetrans(zabbix_t, zabbix_log_t, file) ++manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) ++manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) ++manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) ++logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file }) + + manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) + manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) +@@ -95,12 +94,8 @@ corecmd_exec_shell(zabbix_t) dev_read_urand(zabbix_t) @@ -94726,7 +94869,7 @@ index 46e4cd3..4dec288 100644 zabbix_agent_tcp_connect(zabbix_t) tunable_policy(`zabbix_can_network',` -@@ -110,12 +106,11 @@ tunable_policy(`zabbix_can_network',` +@@ -110,12 +105,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -94741,7 +94884,7 @@ index 46e4cd3..4dec288 100644 ') optional_policy(` -@@ -125,6 +120,7 @@ optional_policy(` +@@ -125,6 +119,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -94749,7 +94892,7 @@ index 46e4cd3..4dec288 100644 ') ######################################## -@@ -133,7 +129,7 @@ optional_policy(` +@@ -133,17 +128,14 @@ optional_policy(` # allow zabbix_agent_t self:capability { setuid setgid }; 
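Review bot: Replacing the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` rules on `zabbix_log_t` with `manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)` also grants `write`, `unlink` and `rename`, so a compromised `zabbix_t` can now truncate or delete its own log trail instead of only appending to it, and the hunk gives no reason for the widening. If the motivation is the daemon's own log rotation (presumably a rename of the active file), the narrower change is to keep the three original rules, add the new `manage_dirs_pattern` line, and grant only `rename_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)` with a comment like `# zabbix rotates its own log in place, hence rename`. If full manage really is needed, a one-line comment above the rule saying why would stop it from being narrowed back later. This hunk spans the first lines of the zabbix.te section, and the same widening is repeated for `zabbix_agent_t` in the following hunk.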
@@ -94758,7 +94901,27 @@ index 46e4cd3..4dec288 100644 allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; allow zabbix_agent_t self:sem create_sem_perms; allow zabbix_agent_t self:shm create_shm_perms; -@@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t) + allow zabbix_agent_t self:tcp_socket { accept listen }; + allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; + +-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) +-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) +-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) +-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) ++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) + + rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) + fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -154,6 +146,8 @@ files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) + kernel_read_all_sysctls(zabbix_agent_t) + kernel_read_system_state(zabbix_agent_t) + ++corecmd_exec_shell(zabbix_agent_t) ++corecmd_exec_bin(zabbix_agent_t) + corecmd_read_all_executables(zabbix_agent_t) + + corenet_all_recvfrom_unlabeled(zabbix_agent_t) +@@ -182,7 +176,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) @@ -94766,14 +94929,20 @@ index 46e4cd3..4dec288 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,7 +185,6 @@ init_read_utmp(zabbix_agent_t) +@@ -190,8 +183,11 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) -miscfiles_read_localization(zabbix_agent_t) - +- sysnet_dns_name_resolve(zabbix_agent_t) + zabbix_tcp_connect(zabbix_agent_t) ++ ++optional_policy(` ++ hostname_exec(zabbix_agent_t) ++') ++ diff --git a/zarafa.fc b/zarafa.fc index faf99ed..a451e97 100644 --- a/zarafa.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 0ef0be5..c586d41 100644 
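Review bot: `corecmd_exec_shell(zabbix_agent_t)` and `corecmd_exec_bin(zabbix_agent_t)` let the network-facing agent execute any shell and any system binary in its own domain, and the hunk does not record what needs that; if it is the agent's user-parameter / remote-command feature, the commands come from configuration and from the server, which makes this a deliberate "run what you are told" grant rather than an incidental one. I would document it above the two lines, e.g. `# agent-side command execution (UserParameter / remote commands) - runs arbitrary binaries as zabbix_agent_t`, and consider gating it behind a boolean so hosts that do not use remote commands are not exposed. The new `manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)` also drops the append-only posture the replaced `append_files_pattern` rule gave the agent's log.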
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 67%{?dist} +Release: 68%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,25 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 30 2013 Miroslav Grepl 3.12.1-68 +- Add more aliases in pegasus.te +- Add more fixes for *_admin interfaces +- Add interface fixes +- Allow nscd to stream connect to nmbd +- Allow gnupg apps to write to pcscd socket +- Add more fixes for openlmi provides. Fix naming and support for additionals +- Allow fetchmail to resolve host names +- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t +- Add labeling for cmpiLMI_Fan-cimprovagt +- Allow net_admin for glusterd +- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/ +- Add pegasus_openlmi_system_t +- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te +- Fix corecmd_exec_chroot() +- Fix logging_relabel_syslog_pid_socket interface +- Fix typo in unconfineduser.te +- Allow system_r to access unconfined_dbusd_t to run hp_chec + * Fri Jul 26 2013 Miroslav Grepl 3.12.1-67 - Add support for cmpiLMI_Service-cimprovagt - Allow pegasus domtrans to rpm_t to make pycmpiLMI_Software-cimprovagt running as rpm_t