From 82aa2eb0d2885b832e97c01f7f6126e3518589f1 Mon Sep 17 00:00:00 2001 From: rhatdan Date: Oct 10 2012 13:05:12 +0000 Subject: Merge branch 'master_contrib' of ssh://git.fedorahosted.org/git/selinux-policy into master_contrib --- diff --git a/amavis.fc b/amavis.fc index 33c0147..2346f65 100644 --- a/amavis.fc +++ b/amavis.fc @@ -11,7 +11,6 @@ ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) ') -/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) /var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0) diff --git a/amavis.te b/amavis.te index 44121c2..c578780 100644 --- a/amavis.te +++ b/amavis.te @@ -170,6 +170,10 @@ tunable_policy(`amavis_use_jit',` ') optional_policy(` + antivirus_domain_template(amavis_t) +') + +optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) clamav_read_state_clamd(amavis_t) @@ -211,6 +215,7 @@ optional_policy(` optional_policy(` snmp_manage_var_lib_files(amavis_t) + snmp_manage_var_lib_dirs(amavis_t) ') optional_policy(` diff --git a/antivirus.fc b/antivirus.fc new file mode 100644 index 0000000..e9a09f0 --- /dev/null +++ b/antivirus.fc @@ -0,0 +1 @@ +/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) diff --git a/antivirus.if b/antivirus.if new file mode 100644 index 0000000..fe0cdf0 --- /dev/null +++ b/antivirus.if @@ -0,0 +1,20 @@ +## SELinux policy for antivirus programs. + +###################################### +## +## Creates types and rules for a basic +## antivirus domain. +## +## +## +## Prefix for the domain. +## +## +# +interface(`antivirus_domain_template',` + gen_require(` + attribute antivirus_domain; + ') + + typeattribute $1 antivirus_domain; +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 index 0000000..d37aa42 
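Review bot: Giving amavis_t the antivirus_domain attribute in the first amavis.te hunk does more than replace the manage rights on /var/opt/f-secure that the amavis.fc hunk takes away: the attribute also carries the `antivirus_can_scan_system` grants declared in antivirus.te, so flipping that boolean now lets the mail-filtering domain read every non-security file on the host. If that coupling is intended, make it visible with a comment next to the call, e.g. `# f-secure state is antivirus_db_t now; the attribute also opts amavis_t into antivirus_can_scan_system`. If it is not, give amavis_t only the database access it had before through a narrower antivirus interface rather than the attribute.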
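Review bot: The documentation of antivirus_domain_template in antivirus.if does not match its body: the parameter is described as `Prefix for the domain.` and the summary says it creates types, but the only statement is `typeattribute $1 antivirus_domain;`, and every caller in this commit passes an existing domain type (amavis_t, clamd_t, clamscan_t, freshclam_t). Document the parameter as `## Domain type that is given the antivirus_domain attribute.` and rewrite the summary to describe the attribute assignment and the rights it carries from antivirus.te instead of type creation. Refpolicy reserves the `_template` suffix for interfaces that derive new types from a prefix, so a plain domain-style interface name would signal the real contract, though renaming would have to be carried through the callers in this commit.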
--- /dev/null +++ b/antivirus.te @@ -0,0 +1,32 @@ +policy_module(antivirus, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Allow antivirus programs to read non security files on a system +##

+##
+gen_tunable(antivirus_can_scan_system, false) + +attribute antivirus_domain; + +type antivirus_db_t; +files_type(antivirus_db_t) + +######################################## +# +# antivirus domain local policy +# + +manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) +manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) + +tunable_policy(`antivirus_can_scan_system',` + files_read_non_security_files(antivirus_domain) + files_getattr_all_pipes(antivirus_domain) + files_getattr_all_sockets(antivirus_domain) +') diff --git a/clamav.te b/clamav.te index 7ebd38b..cf360c2 100644 --- a/clamav.te +++ b/clamav.te @@ -180,6 +180,18 @@ tunable_policy(`clamd_use_jit',` dontaudit clamscan_t self:process execmem; ') +optional_policy(` + antivirus_domain_template(clamd_t) +') + +optional_policy(` + antivirus_domain_template(clamscan_t) +') + +optional_policy(` + antivirus_domain_template(freshclam_t) +') + ######################################## # # Freshclam local policy @@ -307,6 +319,10 @@ tunable_policy(`clamscan_can_scan_system',` files_read_non_security_files(clamscan_t) files_getattr_all_pipes(clamscan_t) files_getattr_all_sockets(clamscan_t) + + files_read_non_security_files(clamd_t) + files_getattr_all_pipes(clamd_t) + files_getattr_all_sockets(clamd_t) ') kernel_read_kernel_sysctls(clamscan_t) diff --git a/corosync.te b/corosync.te index fb6fe25..7ba4458 100644 --- a/corosync.te +++ b/corosync.te @@ -83,6 +83,7 @@ corecmd_exec_bin(corosync_t) corecmd_exec_shell(corosync_t) corenet_udp_bind_netsupport_port(corosync_t) +corenet_tcp_connect_saphostctrl_port(corosync_t) dev_read_urand(corosync_t) diff --git a/rhcs.te b/rhcs.te index f8548d0..1f44a24 100644 --- a/rhcs.te +++ b/rhcs.te 
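Review bot: The `antivirus_can_scan_system` tunable_policy grants `files_read_non_security_files` to the whole antivirus_domain attribute, so one boolean widens every domain that is ever given the attribute at once — in this commit that already includes freshclam_t, the network-facing signature updater, and amavis_t, which handles untrusted mail. Consider keeping the attribute for the shared antivirus_db_t rules only and exposing the scan-system grant as a separate interface (for example `antivirus_scan_system(domain)` wrapping the same three calls) so each policy opts its scanner domains in explicitly. Separately, `manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)` lets any one of these domains rewrite the signature databases of all the others; if cross-product isolation matters, the database type needs to be split per product. At minimum the tunable description should say how far it reaches: `## Allow every antivirus domain (clamd, clamscan, freshclam, amavis, ...) to read non security files on the system`.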
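Review bot: The third new optional_policy block in clamav.te gives freshclam_t the antivirus_domain attribute, which under `antivirus_can_scan_system` would let the signature downloader — the one clamav domain that talks to the network — read every non-security file on the host, when all it plausibly needs is the database type. Unless freshclam requires more, drop the freshclam_t call and fold the remaining two calls into a single `optional_policy` block holding `antivirus_domain_template(clamd_t)` and `antivirus_domain_template(clamscan_t)`. If freshclam must manage antivirus_db_t, a narrower antivirus interface for the database alone expresses that better than the attribute.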
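Review bot: The four added lines in the second clamav.te hunk put clamd_t under the `clamscan_can_scan_system` tunable, whose name and description (declared outside this hunk) mention only clamscan, so an administrator reading the boolean list will not see that clamd is affected. With the first clamav.te hunk, clamd_t also obtains the same three rights from `antivirus_can_scan_system` through the attribute, so two independent booleans now control one permission and turning either one off is not enough to revoke it. Either drop these lines and rely on the antivirus tunable for clamd_t, or update the tunable's description where it is declared to `## Allow clamscan and clamd to read non security files on the system`.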
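Review bot: `corenet_tcp_connect_saphostctrl_port(corosync_t)` adds an unconditional outbound TCP connect from the cluster engine to the SAP host-control port with no comment explaining which component needs it; presumably an SAP resource agent, but agents are normally dispatched by the resource manager rather than by corosync itself, so the requirement is not obvious. Put the justification above the line (for example `# SAP HA resource agents query saphostctrl`, if that is the case), and if only SAP deployments need it, gate the call behind a tunable so other clusters do not carry the access.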
@@ -272,6 +272,8 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_pipes(qdiskd_t) +files_read_usr_files(qdiskd_t) + fs_list_hugetlbfs(qdiskd_t) storage_raw_read_removable_device(qdiskd_t) diff --git a/spamassassin.te b/spamassassin.te index 697843c..583a704 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -387,6 +387,9 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; +# needed by razor +rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) + can_exec(spamd_t, spamd_compiled_t) manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) diff --git a/tuned.te b/tuned.te index 3a15a1c..805473b 100644 --- a/tuned.te +++ b/tuned.te @@ -30,7 +30,7 @@ files_pid_file(tuned_var_run_t) # allow tuned_t self:capability { sys_admin sys_nice }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process signal; +allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; allow tuned_t self:udp_socket create_socket_perms; @@ -67,8 +67,9 @@ dev_rw_netcontrol(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) +files_list_tmp(tuned_t) -fs_getattr_xattr_fs(tuned_t) +fs_getattr_all_fs(tuned_t) auth_use_nsswitch(tuned_t) diff --git a/virt.fc b/virt.fc index 4c2a0fd..40b350a 100644 --- a/virt.fc +++ b/virt.fc 
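Review bot: `rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)` in spamassassin.te gives the daemon that parses untrusted mail write access to its own configuration type, so a bug in spamd can now alter the rules it enforces; the `# needed by razor` comment suggests razor keeps identity or server-list state under the configuration directory. Rather than opening all of spamd_etc_t, label the files razor writes with a dedicated state type (under /var/lib, or a new spamd_razor_t) and grant rw on that, or at minimum restrict the label by path in the .fc so the rest of the configuration stays read-only. If the broad grant has to stay, expand the comment to name the files razor writes so a later reviewer can narrow it.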
@@ -71,3 +71,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv /usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) /usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) /usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.te b/virt.te index b5b693c..ad97e84 100644 --- a/virt.te +++ b/virt.te @@ -161,6 +161,17 @@ type virt_bridgehelper_exec_t; domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) role system_r types virt_bridgehelper_t; +# policy for qemu_ga +type virt_qemu_ga_t; +type virt_qemu_ga_exec_t; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +type virt_qemu_ga_var_run_t; +files_pid_file(virt_qemu_ga_var_run_t) + +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) + ######################################## # # Declarations 
@@ -1153,3 +1164,29 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) userdom_use_inherited_user_ptys(virt_bridgehelper_t) + +####################################### +# +# virt_qemu_ga local policy +# + +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } ) + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file ) + +files_read_etc_files(virt_qemu_ga_t) + +term_use_virtio_console(virt_qemu_ga_t) + +logging_send_syslog_msg(virt_qemu_ga_t) + +miscfiles_read_localization(virt_qemu_ga_t) + +sysnet_dns_name_resolve(virt_qemu_ga_t) + diff --git a/vmware.te b/vmware.te index f716978..453fdb9 100644 --- a/vmware.te +++ b/vmware.te @@ -68,6 +68,7 @@ ifdef(`enable_mcs',` # VMWare host local policy # +allow vmware_host_t self:capability { net_admin sys_module }; allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms };
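Review bot: `filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t, { dir file })` uses the daemon's own pid type as the parent directory, so the transition only fires for objects created inside an already-labeled virt_qemu_ga_var_run_t directory; /var/run itself is var_run_t, and the pid file qemu-ga creates there stays var_run_t until a relabel, which the new virt.fc entry cannot fix at runtime. Replace it with `files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file })`, mirroring what the adjacent `logging_log_filetrans` already does for the log file. `sysnet_dns_name_resolve(virt_qemu_ga_t)` also deserves a comment: a guest agent driven over a virtio console does not obviously need DNS, so note which operation triggered the denial.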
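Review bot: `allow vmware_host_t self:capability { net_admin sys_module };` grants sys_module, which lets the domain load arbitrary kernel modules and therefore steps outside anything SELinux can confine afterwards; module loading is normally delegated instead, via `modutils_domtrans_insmod(vmware_host_t)` when the host tooling runs modprobe/insmod, or `kernel_request_load_module(vmware_host_t)` when it only triggers autoloading. If sys_module really is required, merge it into the existing `allow vmware_host_t self:capability { setgid setuid ... }` line directly below instead of adding a second self:capability statement, and add a comment naming the program and operation that needs it so the grant can be revisited.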