From 7e4bbf3dc3bb42ac6e685a9d36c660f83038b432 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 04 2013 18:03:07 +0000 Subject: - Add interface for postgesql_filetrans_name_content to make sure lo - Allow logwatch to getattr on all dirs - gems seems to be placed in lots of places - Add labeling for HOME_DIR/irclogs - Add labeling for /usr/bin/pg_ctl - Dontaudit attempts by openshift to read apache logs - Fix passenger labeling - Looks like apache is sending sinal to openshift_initrc_t now - Add openshift_initrc_signal() interface - Allow logrotate to transition to openvswitch domain - Change oddjob to transition to a ranged openshift_initr_exec_t whe - Backport passenger policy from F17 - Allow passenger to create and append puppet log files --- diff --git a/policy-F16.patch b/policy-F16.patch index d14ef34..71ad09e 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1496,7 +1496,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..63310a1 100644 +index 75ce30f..bddf2ec 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t) @@ -1530,7 +1530,11 @@ index 75ce30f..63310a1 100644 files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -70,6 +80,8 @@ fs_getattr_all_fs(logwatch_t) +@@ -67,9 +77,12 @@ files_dontaudit_search_boot(logwatch_t) + files_dontaudit_search_all_dirs(logwatch_t) + + fs_getattr_all_fs(logwatch_t) ++fs_getattr_all_dirs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) 
@@ -1539,7 +1543,7 @@ index 75ce30f..63310a1 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +104,14 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +105,14 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -1555,7 +1559,7 @@ index 75ce30f..63310a1 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +160,24 @@ optional_policy(` +@@ -145,3 +161,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -1934,6 +1938,19 @@ index e0791b9..faaa201 100644 + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') +diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc +index 545518d..6ceac8b 100644 +--- a/policy/modules/admin/passenger.fc ++++ b/policy/modules/admin/passenger.fc +@@ -5,7 +5,6 @@ + + /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + +-/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) +-/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) ++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) + + /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if index f68b573..8fb9cd3 100644 --- a/policy/modules/admin/passenger.if @@ -2049,30 +2066,42 @@ index f68b573..8fb9cd3 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) +') diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te -index 3470036..41f736e 100644 +index 3470036..aad13e8 100644 --- a/policy/modules/admin/passenger.te 
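Review bot: The merged passenger.fc entry `/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)` is anchored but has no separator before `.*`, so it also matches unrelated siblings such as `/var/log/passenger-foo` or `/var/log/passengerd` (constructed examples), and it now applies to every file class since the `--` was dropped. If the intent is only the directory plus files like `/var/log/passenger.log`, the tighter form is `/var/log/passenger(/.*)?` for the directory tree plus `/var/log/passenger\..* -- gen_context(system_u:object_r:passenger_log_t,s0)` for the log files; otherwise a one-line comment above the entry stating why the loose pattern is wanted would stop the next reader from "fixing" it.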
+++ b/policy/modules/admin/passenger.te -@@ -1,4 +1,4 @@ --policy_module(passanger, 1.0.0) -+policy_module(passenger, 1.0.0) - - ######################################## +@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t) + # passanger local policy # -@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) + +-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice }; ++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; + allow passenger_t self:process { setpgid setsched sigkill signal }; + allow passenger_t self:fifo_file rw_fifo_file_perms; + allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) +#needed by puppet +manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) -+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir }) ++manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) ++files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file }) + kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -64,9 +69,12 @@ corecmd_exec_shell(passenger_t) + corenet_all_recvfrom_netlabel(passenger_t) +-corenet_all_recvfrom_unlabeled(passenger_t) + corenet_tcp_sendrecv_generic_if(passenger_t) + corenet_tcp_sendrecv_generic_node(passenger_t) + corenet_tcp_connect_http_port(passenger_t) +@@ -63,10 +68,15 @@ corecmd_exec_shell(passenger_t) + dev_read_urand(passenger_t) ++domain_read_all_domains_state(passenger_t) ++ files_read_etc_files(passenger_t) +files_read_usr_files(passenger_t) 
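Review bot: The new `sys_ptrace sys_resource` capabilities on `passenger_t` (the `allow passenger_t self:capability` line) together with the added `domain_read_all_domains_state(passenger_t)` let a domain that serves web traffic read the /proc state of every domain on the system, and nothing in the hunk records what drove that. Capability rules in this module carry no why-comments, so please add one above the allow line, e.g. `# sys_ptrace/sys_resource + all-domains state: needed for <reason — TODO confirm against the AVC that motivated this>`. If the accesses turned out to be probing only (e.g. a process scan that tolerates EPERM), a `dontaudit` of the same capability would be the lower-privilege fix; that is an inference from the change, not something the hunk shows. The surrounding `passenger_t` local policy continues outside this hunk.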
@@ -2083,16 +2112,32 @@ index 3470036..41f736e 100644 miscfiles_read_localization(passenger_t) userdom_dontaudit_use_user_terminals(passenger_t) -@@ -75,3 +83,9 @@ optional_policy(` +@@ -75,3 +85,25 @@ optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) ') + +optional_policy(` ++ hostname_exec(passenger_t) ++') ++ ++optional_policy(` ++ mta_send_mail(passenger_t) ++') ++ ++optional_policy(` + puppet_manage_lib(passenger_t) -+ puppet_search_log(passenger_t) ++ puppet_append_log(passenger_t) ++ puppet_create_log(passenger_t) ++ puppet_read_config(passenger_t) ++ puppet_read_log(passenger_t) + puppet_search_pid(passenger_t) +') ++ ++optional_policy(` ++ rpm_exec(passenger_t) ++ rpm_read_db(passenger_t) ++') diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc new file mode 100644 index 0000000..6e6a8fc @@ -7827,14 +7872,15 @@ index 9050e8c..52672b6 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc -index 65ece18..6bfdfd3 100644 +index 65ece18..5ff4455 100644 --- a/policy/modules/apps/irc.fc +++ b/policy/modules/apps/irc.fc -@@ -2,10 +2,14 @@ +@@ -2,10 +2,15 @@ # /home # HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) ++HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) + +/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) @@ -13217,7 +13263,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..1334cc8 100644 +index 3fae11a..15093ea 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -46,6 +46,7 @@ ifdef(`distro_redhat',` 
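Review bot: The new `rpm_exec(passenger_t)` runs the rpm binaries inside `passenger_t` with no domain transition, so rpm inherits exactly passenger's permissions and, with `rpm_read_db(passenger_t)`, can only query the database — that is the least-privilege choice compared with an rpm domtrans, but it is not obvious to a reader and the `optional_policy` block has no comment. Suggest a why-comment above `rpm_exec(passenger_t)`, along the lines of `# rpm runs in passenger_t (no transition): read-only package queries, presumably from puppet under passenger — confirm`. The same applies to the `mta_send_mail` and `hostname_exec` blocks added in this hunk, which also say nothing about what the passenger-hosted application needs them for.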
@@ -13463,7 +13509,7 @@ index 3fae11a..1334cc8 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +397,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +397,10 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13471,11 +13517,12 @@ index 3fae11a..1334cc8 100644 -/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +408,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +409,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -16941,7 +16988,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..b062dce 100644 +index fae1ab1..f9ab769 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -17040,7 +17087,7 @@ index fae1ab1..b062dce 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -158,5 +200,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +200,226 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -17116,6 +17163,10 @@ index fae1ab1..b062dce 100644 +') + +optional_policy(` ++ postgresql_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + postfix_filetrans_named_content(unconfined_domain_type) +') + @@ -22435,7 +22486,7 @@ index 2be17d2..2825cdf 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..eee5d0c 100644 +index e14b961..91bd8b1 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,52 @@ ifndef(`enable_mls',` @@ -22580,14 +22631,14 @@ index e14b961..eee5d0c 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -22671,7 +22722,7 @@ index e14b961..eee5d0c 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +336,32 @@ optional_policy(` +@@ -253,31 +336,36 @@ optional_policy(` ') optional_policy(` 
@@ -22681,37 +22732,41 @@ index e14b961..eee5d0c 100644 optional_policy(` - quota_run(sysadm_t, sysadm_r) -+ prelink_run(sysadm_t, sysadm_r) ++ postgresql_admin(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) -+ quota_run(sysadm_t, sysadm_r) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -+ raid_domtrans_mdadm(sysadm_t) ++ quota_run(sysadm_t, sysadm_r) ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) -+ rpc_domtrans_nfsd(sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) ') optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ rpc_domtrans_nfsd(sysadm_t) ++') ++ ++optional_policy(` + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') optional_policy(` -@@ -302,12 +386,18 @@ optional_policy(` +@@ -302,12 +390,18 @@ optional_policy(` ') optional_policy(` @@ -22731,7 +22786,7 @@ index e14b961..eee5d0c 100644 ') optional_policy(` -@@ -332,7 +422,10 @@ optional_policy(` +@@ -332,7 +426,10 @@ optional_policy(` ') optional_policy(` @@ -22743,7 +22798,7 @@ index e14b961..eee5d0c 100644 ') optional_policy(` -@@ -343,19 +436,15 @@ optional_policy(` +@@ -343,19 +440,15 @@ optional_policy(` ') optional_policy(` @@ -22765,7 +22820,7 @@ index e14b961..eee5d0c 100644 ') optional_policy(` -@@ -367,45 +456,45 @@ optional_policy(` +@@ -367,45 +460,45 @@ optional_policy(` ') optional_policy(` @@ -22822,7 +22877,7 @@ index e14b961..eee5d0c 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +507,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +511,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22833,7 +22888,7 @@ index e14b961..eee5d0c 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +524,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +528,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) 
@@ -22841,7 +22896,7 @@ index e14b961..eee5d0c 100644 ') optional_policy(` -@@ -446,11 +532,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +536,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22864,9 +22919,8 @@ index e14b961..eee5d0c 100644 + + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') @@ -22893,8 +22947,9 @@ index e14b961..eee5d0c 100644 + + optional_policy(` + uml_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') @@ -25809,7 +25864,7 @@ index 9e39aa5..12333a8 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..eeb2953 100644 +index 6480167..d8a6173 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -26116,7 +26171,35 @@ index 6480167..eeb2953 100644 ## Allow the specified domain to read ## apache configuration files. ## -@@ -699,7 +775,7 @@ interface(`apache_dontaudit_append_log',` +@@ -639,6 +715,27 @@ interface(`apache_run_helper',` + role $2 types httpd_helper_t; + ') + ++####################################### ++## ++## dontaudit attempts to read ++## apache log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_dontaudit_read_log',` ++ gen_require(` ++ type httpd_log_t; ++ ') ++ ++ dontaudit $1 httpd_log_t:file read_file_perms; ++ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; ++') ++ + ######################################## + ## + ## Allow the specified domain to read +@@ -699,7 +796,7 @@ interface(`apache_dontaudit_append_log',` type httpd_log_t; ') 
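Review bot: `apache_dontaudit_read_log` silences only the `file` and `lnk_file` read permissions on `httpd_log_t`, but opening a log under `/var/log/httpd` first requires `search` on the `httpd_log_t` directory, which the interface does not cover; a caller that lacks that (the hunk does not show whether `openshift_domain` has it) will still produce an AVC for the directory and the interface will not achieve its stated purpose. Adding `dontaudit $1 httpd_log_t:dir search_dir_perms;` next to the two existing dontaudit lines keeps the interface self-contained. The interface summary could also say that it does not grant access, only suppresses the audit messages, so nobody reaches for it expecting the read to succeed.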
@@ -26125,7 +26208,7 @@ index 6480167..eeb2953 100644 ') ######################################## -@@ -745,6 +821,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -745,6 +842,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -26151,7 +26234,7 @@ index 6480167..eeb2953 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -761,6 +856,7 @@ interface(`apache_list_modules',` +@@ -761,6 +877,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -26159,7 +26242,7 @@ index 6480167..eeb2953 100644 ') ######################################## -@@ -802,6 +898,43 @@ interface(`apache_domtrans_rotatelogs',` +@@ -802,6 +919,43 @@ interface(`apache_domtrans_rotatelogs',` domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') @@ -26203,7 +26286,7 @@ index 6480167..eeb2953 100644 ######################################## ## ## Allow the specified domain to list -@@ -819,6 +952,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +973,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -26211,7 +26294,7 @@ index 6480167..eeb2953 100644 files_search_var($1) ') -@@ -846,6 +980,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +1001,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -26286,7 +26369,7 @@ index 6480167..eeb2953 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1064,12 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1085,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; 
@@ -26300,7 +26383,7 @@ index 6480167..eeb2953 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1128,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1149,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -26312,7 +26395,7 @@ index 6480167..eeb2953 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1158,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1179,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -26321,7 +26404,7 @@ index 6480167..eeb2953 100644 ') ######################################## -@@ -1091,6 +1299,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1320,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -26347,7 +26430,7 @@ index 6480167..eeb2953 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1334,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1355,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -26356,7 +26439,7 @@ index 6480167..eeb2953 100644 ') ######################################## -@@ -1150,12 +1377,6 @@ interface(`apache_cgi_domain',` +@@ -1150,12 +1398,6 @@ interface(`apache_cgi_domain',` ## ## All of the rules required to administrate an apache environment ## @@ -26369,7 +26452,7 @@ index 6480167..eeb2953 100644 ## ## ## Domain allowed access. -@@ -1170,17 +1391,15 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1412,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -26392,7 +26475,7 @@ index 6480167..eeb2953 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1410,10 @@ interface(`apache_admin',` +@@ -1191,10 +1431,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) 
@@ -26405,7 +26488,7 @@ index 6480167..eeb2953 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1424,91 @@ interface(`apache_admin',` +@@ -1205,14 +1445,91 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -26503,7 +26586,7 @@ index 6480167..eeb2953 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..2042513 100644 +index 3136c6a..28c388f 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,253 @@ policy_module(apache, 2.2.1) @@ -27280,7 +27363,7 @@ index 3136c6a..2042513 100644 ') optional_policy(` -@@ -576,6 +892,55 @@ optional_policy(` +@@ -576,6 +892,56 @@ optional_policy(` openca_kill(httpd_t) ') @@ -27317,6 +27400,7 @@ index 3136c6a..2042513 100644 + +optional_policy(` + openshift_initrc_signull(httpd_t) ++ openshift_initrc_signal(httpd_t) +') + +optional_policy(` @@ -27336,7 +27420,7 @@ index 3136c6a..2042513 100644 optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -591,6 +956,11 @@ optional_policy(` +@@ -591,6 +957,11 @@ optional_policy(` ') optional_policy(` @@ -27348,7 +27432,7 @@ index 3136c6a..2042513 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +973,12 @@ optional_policy(` +@@ -603,6 +974,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -27361,7 +27445,7 @@ index 3136c6a..2042513 100644 ######################################## # # Apache helper local policy -@@ -616,7 +992,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +993,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
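Review bot: The added `openshift_initrc_signal(httpd_t)` gives Apache the `signal` permission on `openshift_initrc_t`, which covers every ordinary signal (SIGTERM, SIGHUP, etc. — everything except the kill/stop/chld/null classes that have their own permissions), and the only rationale is the commit message's "looks like apache is sending signal". A short why-comment above the call, e.g. `# httpd signals the openshift init-script domain it spawns; which signal is not yet pinned down — confirm from the AVC`, would record that this is an observed need rather than a design decision and make it easier to narrow later. The enclosing `optional_policy` block for openshift starts earlier in this hunk and the httpd_t policy continues past it.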
@@ -27374,7 +27458,7 @@ index 3136c6a..2042513 100644 ######################################## # -@@ -654,28 +1034,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1035,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -27418,7 +27502,7 @@ index 3136c6a..2042513 100644 ') ######################################## -@@ -685,6 +1067,8 @@ optional_policy(` +@@ -685,6 +1068,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -27427,7 +27511,7 @@ index 3136c6a..2042513 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1083,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1084,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27453,7 +27537,7 @@ index 3136c6a..2042513 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1129,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1130,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27486,7 +27570,7 @@ index 3136c6a..2042513 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1176,25 @@ optional_policy(` +@@ -769,6 +1177,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -27512,7 +27596,7 @@ index 3136c6a..2042513 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1215,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1216,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27530,7 +27614,7 @@ index 3136c6a..2042513 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1234,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1235,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27587,7 +27671,7 @@ index 3136c6a..2042513 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1285,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1286,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27628,7 +27712,7 @@ index 3136c6a..2042513 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1330,20 @@ optional_policy(` +@@ -842,10 +1331,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27649,7 +27733,7 @@ index 3136c6a..2042513 100644 ') ######################################## -@@ -891,11 +1389,49 @@ optional_policy(` +@@ -891,11 +1390,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -49760,7 +49844,7 @@ index bdf8c89..0132b08 100644 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) 
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if -index bd76ec2..ca6517b 100644 +index bd76ec2..329a0c7 100644 --- a/policy/modules/services/oddjob.if +++ b/policy/modules/services/oddjob.if @@ -9,9 +9,9 @@ @@ -49834,6 +49918,49 @@ index bd76ec2..ca6517b 100644 ######################################## ## ## Execute a domain transition to run oddjob_mkhomedir. +@@ -109,3 +147,42 @@ interface(`oddjob_run_mkhomedir',` + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; + ') ++ ++######################################## ++## ++## Create a domain which can be started by init, ++## with a range transition. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## ++## ++## ++## ++## Range for the domain. ++## ++## ++# ++interface(`oddjob_ranged_domain',` ++ gen_require(` ++ type oddjob_t; ++ ') ++ ++ oddjob_system_entry($1, $2) ++ ++ ifdef(`enable_mcs',` ++ range_transition oddjob_t $2:process $3; ++ ') ++ ++ ifdef(`enable_mls',` ++ range_transition oddjob_t $2:process $3; ++ mls_rangetrans_target($1) ++ ') ++') ++ diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index cadfc63..e056e78 100644 --- a/policy/modules/services/oddjob.te @@ -50085,10 +50212,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/policy/modules/services/openshift.if b/policy/modules/services/openshift.if new file mode 100644 -index 0000000..71d6f47 +index 0000000..e66e073 --- /dev/null +++ b/policy/modules/services/openshift.if -@@ -0,0 +1,574 @@ +@@ -0,0 +1,592 @@ + +## policy for openshift + 
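Review bot: The summary of the new `oddjob_ranged_domain` interface reads "Create a domain which can be started by init, with a range transition", which was evidently carried over from `init_ranged_daemon_domain`; the body calls `oddjob_system_entry($1, $2)` and adds `range_transition oddjob_t $2:process $3`, so the domain is entered from `oddjob_t`, not init. Change the summary to `## Create a domain which can be started by oddjob, with a range transition.` so callers such as openshift.te do not assume an init entry point is also being declared. It would also help to note in the `<param name="range">` description that the range is applied only under `enable_mcs`/`enable_mls`, as the two `ifdef` blocks show.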
@@ -50129,6 +50256,24 @@ index 0000000..71d6f47 + allow $1 openshift_initrc_t:process signull; +') + ++####################################### ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signal',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ +######################################## +## +## Search openshift cache directories. @@ -50665,10 +50810,10 @@ index 0000000..71d6f47 +') diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te new file mode 100644 -index 0000000..10019d7 +index 0000000..f74ac64 --- /dev/null +++ b/policy/modules/services/openshift.te -@@ -0,0 +1,370 @@ +@@ -0,0 +1,371 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -50695,7 +50840,7 @@ index 0000000..10019d7 +type openshift_initrc_exec_t; +init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t) +init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) -+oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t) ++oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh) +domain_obj_id_change_exemption(openshift_initrc_t) + +type openshift_initrc_tmp_t; @@ -50917,6 +51062,7 @@ index 0000000..10019d7 + apache_read_sys_content(openshift_domain) + apache_exec_sys_script(openshift_domain) + apache_entrypoint(openshift_domain) ++ apache_dontaudit_read_log(openshift_domain) +') + +optional_policy(` @@ -54207,12 +54353,14 @@ index 7257526..7d73656 100644 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index f03fad4..d693956 100644 +index f03fad4..5d8306f 100644 --- a/policy/modules/services/postgresql.fc 
+++ b/policy/modules/services/postgresql.fc -@@ -11,9 +11,9 @@ +@@ -10,10 +10,11 @@ + # /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) -/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) -/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) @@ -54223,17 +54371,18 @@ index f03fad4..d693956 100644 ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) -@@ -30,7 +30,7 @@ ifdef(`distro_redhat', ` +@@ -30,7 +31,8 @@ ifdef(`distro_redhat', ` /var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 09aeffa..f8a0d88 100644 +index 09aeffa..3b42575 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ 
@@ -54344,7 +54493,37 @@ index 09aeffa..f8a0d88 100644 ') ######################################## -@@ -531,13 +533,10 @@ interface(`postgresql_unconfined',` +@@ -515,6 +517,29 @@ interface(`postgresql_unconfined',` + + ######################################## + ## ++## Transition to postgresql named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_filetrans_named_content',` ++ gen_require(` ++ type postgresql_db_t; ++ type postgresql_log_t; ++ ') ++ ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres") ++ files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile") ++ filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log") ++') ++ ++######################################## ++## + ## All of the rules required to administrate an postgresql environment + ## + ## +@@ -531,13 +556,10 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -54362,7 +54541,7 @@ index 09aeffa..f8a0d88 100644 ') typeattribute $1 sepgsql_admin_type; -@@ -550,14 +549,19 @@ interface(`postgresql_admin',` +@@ -550,16 +572,22 @@ interface(`postgresql_admin',` role_transition $2 postgresql_initrc_exec_t system_r; allow $2 system_r; @@ -54382,8 +54561,11 @@ index 09aeffa..f8a0d88 100644 admin_pattern($1, postgresql_tmp_t) postgresql_tcp_connect($1) + postgresql_stream_connect($1) ++ postgresql_filetrans_named_content($1) + ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 4a5387a..b75ab1c 100644 +index 4a5387a..ed32dfb 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` 
@@ -54418,7 +54600,14 @@ index 4a5387a..b75ab1c 100644 allow postgresql_t self:netlink_selinux_socket create_socket_perms; allow postgresql_t sepgsql_database_type:db_database *; -@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms; +@@ -235,13 +235,13 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +-files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) ++postgresql_filetrans_named_content(postgresql_t) + + allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) @@ -55320,7 +55509,7 @@ index 2f1e529..8c0b242 100644 /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if -index 2855a44..58bb459 100644 +index 2855a44..ae8754a 100644 --- a/policy/modules/services/puppet.if +++ b/policy/modules/services/puppet.if @@ -8,6 +8,53 @@ @@ -55377,7 +55566,7 @@ index 2855a44..58bb459 100644 ################################################ ## ## Read / Write to Puppet temp files. Puppet uses -@@ -21,11 +68,87 @@ +@@ -21,11 +68,164 @@ ## ## # 
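Review bot: Replacing `files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })` with `postgresql_filetrans_named_content(postgresql_t)` narrows the transition: the new interface (in the postgresql.if hunk above) only names the directories `postgresql`, `postgres` and `pgsql` under /var/lib and the `logfile`/`pg_log` subdirectories, so any other object `postgresql_t` creates directly in `/var/lib` — including the `file`, `lnk_file`, `sock_file` and `fifo_file` classes the old rule covered — will now be labelled `var_lib_t`. If that narrowing is intended, a comment above the call saying so would help; if not, keep the old unnamed rule alongside the new one, since named transitions take precedence and the two do not conflict. Whether postgresql actually creates non-directory objects at that level is not visible in the hunk.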
@@ -55451,6 +55640,83 @@ index 2855a44..58bb459 100644 + +##################################### +## ++## Allow the specified domain to read puppet's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_read_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, puppet_log_t, puppet_log_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to create puppet's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_create_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ create_files_pattern($1, puppet_log_t, puppet_log_t) ++') ++ ++#################################### ++## ++## Allow the specified domain to append puppet's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_append_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, puppet_log_t, puppet_log_t) ++') ++ ++#################################### ++## ++## Allow the specified domain to read puppet's config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_read_config',` ++ gen_require(` ++ type puppet_etc_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) ++ read_files_pattern($1, puppet_etc_t, puppet_etc_t) ++') ++ ++##################################### ++## +## Allow the specified domain to search puppet's pid files. +## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 0b44950..446e43c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 97%{?dist} +Release: 98%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
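Review bot: `puppet_read_config` calls `logging_search_logs($1)` but then grants `list_dirs_pattern`/`read_files_pattern` on `puppet_etc_t`, which is configuration under /etc, not /var/log; the search helper was evidently copied from the three log interfaces above it, so a caller without its own `etc_t` search access still cannot reach the files. Replace that line with `files_search_etc($1)`. The `puppet_read_log`, `puppet_create_log` and `puppet_append_log` interfaces in the same hunk are consistent with their `logging_search_logs($1)` calls and need no change.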
@@ -466,6 +466,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jan 4 2013 Miroslav Grepl 3.10.0-98 +- Fix puppet interfaces +- Fix logrotate +- Add interface for postgesql_filetrans_name_content to make sure log directories get created with the correct label. +- Allow logwatch to getattr on all dirs +- gems seems to be placed in lots of places +- Add labeling for HOME_DIR/irclogs +- Add labeling for /usr/bin/pg_ctl +- Dontaudit attempts by openshift to read apache logs +- Fix passenger labeling +- Looks like apache is sending sinal to openshift_initrc_t now +- Add openshift_initrc_signal() interface +- Allow logrotate to transition to openvswitch domain +- Change oddjob to transition to a ranged openshift_initr_exec_t when run from oddjob +- Backport passenger policy from F17 +- Allow passenger to create and append puppet log files + * Thu Nov 15 2012 Miroslav Grepl 3.10.0-97 - Backport openshift fixes from F18