From aba88ad09b916546f1fd229e71403b25eb3ada98 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 20 2012 21:57:28 +0000 Subject: * Fri Apr 20 2012 Miroslav Grepl 3.10.0 - Add ~/.orc as a gstreamer_home_t - Allow mcelog to exec shel - Allow systemd_tmpfiles to manage printer devices - Add definitions for jboss_messaging ports - Fix labeling of log files for postgresql - Allow firewalld to execute shell - Fix /etc/wicd content files to get created with the corre - tmpreaper should be able to list all file system labeled - Allow sambagui to use ldap - Lot of fixes for cfengine - Allow pads to create socket --- diff --git a/policy-F16.patch b/policy-F16.patch index eba5b86..441c676 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1591,7 +1591,7 @@ index 56c43c0..409bbfc 100644 + +/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..034908d 100644 +index 5671977..48c8303 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) @@ -1610,7 +1610,7 @@ index 5671977..034908d 100644 ######################################## # -@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t) +@@ -17,10 +23,23 @@ cron_system_entry(mcelog_t, mcelog_exec_t) allow mcelog_t self:capability sys_admin; @@ -1625,6 +1625,7 @@ index 5671977..034908d 100644 + kernel_read_system_state(mcelog_t) ++corecmd_exec_shell(mcelog_t) +corecmd_exec_bin(mcelog_t) + dev_read_raw_memory(mcelog_t) @@ -1633,7 +1634,7 @@ index 5671977..034908d 100644 files_read_etc_files(mcelog_t) -@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t) +@@ -30,3 +49,7 @@ mls_file_read_all_levels(mcelog_t) logging_send_syslog_msg(mcelog_t) miscfiles_read_localization(mcelog_t) @@ -4134,7 +4135,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) 
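Review bot: `corecmd_exec_shell(mcelog_t)` in hunk `@@ -1625,6 +1625,7 @@` adds shell execution to a domain that already holds `sys_admin` and `dev_read_raw_memory`, without a comment saying which program needs it. A why-comment on the new line, e.g. `# mcelog runs its trigger scripts through the shell -- confirm`, would let a later maintainer judge whether the grant can be moved into a narrower trigger domain. The changelog line "Allow mcelog to exec shel" also has a typo (shell). The mcelog_t rule run continues outside the hunk.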
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..65681da 100644 +index 6a5004b..c687f14 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -4145,7 +4146,7 @@ index 6a5004b..65681da 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -18,6 +19,8 @@ role system_r types tmpreaper_t; +@@ -18,18 +19,25 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; @@ -4154,7 +4155,8 @@ index 6a5004b..65681da 100644 dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) -@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t) ++fs_list_all(tmpreaper_t) + files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -4170,7 +4172,7 @@ index 6a5004b..65681da 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -4192,7 +4194,7 @@ index 6a5004b..65681da 100644 ') optional_policy(` -@@ -52,7 +63,9 @@ optional_policy(` +@@ -52,7 +64,9 @@ optional_policy(` ') optional_policy(` @@ -4202,7 +4204,7 @@ index 6a5004b..65681da 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +79,13 @@ optional_policy(` +@@ -66,9 +80,13 @@ optional_policy(` ') optional_policy(` @@ -5655,10 +5657,10 @@ index 6e4add5..10a2ce4 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(giftd_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc -index 00a19e3..9f6139c 100644 +index 00a19e3..ade1224 100644 --- a/policy/modules/apps/gnome.fc 
+++ b/policy/modules/apps/gnome.fc -@@ -1,9 +1,45 @@ +@@ -1,9 +1,46 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -5668,6 +5670,7 @@ index 00a19e3..9f6139c 100644 HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) +HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -5707,7 +5710,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..eeeebbb 100644 +index f5afe78..5bd094e 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,879 @@ @@ -6799,7 +6802,7 @@ index f5afe78..eeeebbb 100644 ## ## ## -@@ -140,51 +1046,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1046,303 @@ interface(`gnome_domtrans_gconfd',` ## ## # 
@@ -7026,6 +7029,9 @@ index f5afe78..eeeebbb 100644 + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local") + userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") + # ~/.color/icc: legacy @@ -7066,6 +7072,7 @@ index f5afe78..eeeebbb 100644 + userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd") + userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local") + userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2") ++ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") + # /root/.color/icc: legacy @@ -10530,10 +10537,10 @@ index 4c091ca..a58f123 100644 + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index f594e12..2025c1f 100644 +index f594e12..e8f731d 100644 --- a/policy/modules/apps/sambagui.te +++ b/policy/modules/apps/sambagui.te -@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t) +@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) 
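Review bot: The user and admin home filetrans lists no longer agree: hunk `@@ -7026,6 +7029,9 @@` adds `.orc`, `.gstreamer-0.12` and `.gstreamer-0.10` to `userdom_user_home_dir_filetrans`, while hunk `@@ -7066,6 +7072,7 @@` adds only `.orc` to `userdom_admin_home_dir_filetrans`. Unless root is deliberately excluded, the admin block should also get `userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")` and `userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")`; otherwise those directories under the admin home inherit the parent's type until a relabel. The pre-existing `.gstreamer-10`/`.gstreamer-12` entries look like they never matched a real directory name, which the user-side addition now corrects, so they could be dropped in the same change. Both interfaces start and end outside these hunks.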
@@ -10547,7 +10554,14 @@ index f594e12..2025c1f 100644 logging_send_syslog_msg(sambagui_t) -@@ -56,6 +58,7 @@ optional_policy(` + miscfiles_read_localization(sambagui_t) + ++sysnet_use_ldap(sambagui_t) ++ + optional_policy(` + consoletype_exec(sambagui_t) + ') +@@ -56,6 +60,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -14652,7 +14666,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..8c780d2 100644 +index 99b71cb..688d361 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14794,7 +14808,7 @@ index 99b71cb..8c780d2 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +173,29 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -14802,7 +14816,9 @@ index 99b71cb..8c780d2 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) ++network_port(jboss_debug, tcp,8787,s0) ++network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) ++network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -14825,7 +14841,7 @@ index 99b71cb..8c780d2 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +205,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -14858,7 +14874,7 @@ index 99b71cb..8c780d2 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +240,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +242,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) 
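Review bot: The hunk declares more than the changelog entry "Add definitions for jboss_messaging ports" states: besides `jboss_messaging` (tcp 5445, 5455) it introduces `jboss_debug` (tcp 8787) and extends `jboss_management` with tcp 4447 and 7600, and the commit message should name all three so that anyone auditing which confined domains may bind which ports can trace them. Declaring a port type is harmless on its own; what needs checking is that no other `network_port` line in the file already covers 4447, 5445, 5455, 7600 or 8787, since earlier entries take precedence as the comment further down the file notes, and I cannot see the rest of the file from here. Style: the new `jboss_management` line carries the inconsistent `tcp, 9990, s0, tcp, 18001, s0` spacing; write it `tcp,9990,s0, tcp,18001,s0` like the surrounding entries.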
@@ -14905,7 +14921,7 @@ index 99b71cb..8c780d2 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +285,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14919,7 +14935,7 @@ index 99b71cb..8c780d2 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +302,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14927,7 +14943,7 @@ index 99b71cb..8c780d2 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +312,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14940,7 +14956,7 @@ index 99b71cb..8c780d2 100644 ######################################## # -@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +362,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -15069,7 +15085,7 @@ index 6cf8784..c384d6f 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..2cad8ee 100644 +index f820f3b..0060905 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -15507,32 +15523,33 @@ index f820f3b..2cad8ee 100644 ') ######################################## -@@ -3210,24 +3466,6 @@ interface(`dev_rw_printer',` +@@ -3210,7 +3466,7 @@ interface(`dev_rw_printer',` ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) --## --## --## --## Domain allowed access. --## --## --# ++## Read and write the printer device. + ## + ## + ## +@@ -3218,12 +3474,13 @@ interface(`dev_rw_printer',` + ## + ## + # -interface(`dev_read_printk',` -- gen_require(` ++interface(`dev_manage_printer',` + gen_require(` - type device_t, printk_device_t; -- ') -- ++ type device_t, printer_device_t; + ') + - read_chr_files_pattern($1, device_t, printk_device_t) --') -- --######################################## --## - ## Get the attributes of the QEMU - ## microcode and id interfaces. - ## -@@ -3811,6 +4049,42 @@ interface(`dev_getattr_sysfs_dirs',` ++ manage_chr_files_pattern($1, device_t, printer_device_t) ++ dev_filetrans_printer_named_dev($1) + ') + + ######################################## +@@ -3811,6 +4068,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -15575,7 +15592,7 @@ index f820f3b..2cad8ee 100644 ## Search the sysfs directories. ## ## -@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',` +@@ -3860,6 +4153,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -15583,7 +15600,7 @@ index f820f3b..2cad8ee 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3902,25 +4177,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,25 +4196,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## 
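Review bot: The summary of the new interface in hunks `@@ -3210,7 +3466,7 @@` and `@@ -3218,12 +3474,13 @@` reads `## Read and write the printer device.`, but the body grants `manage_chr_files_pattern` plus the named file transitions, i.e. create, delete and rename as well; write it `## Create, read, write, and delete printer device nodes (with named transitions).` so callers see the real scope. With this rewrite `dev_read_printk` is still gone from devices.if (replaced in place rather than deleted), so any .te file in this patch set that still calls `dev_read_printk` will fail to expand — I cannot see the callers from here. `dev_manage_printer` calls `dev_filetrans_printer_named_dev`, which is added further down the same file; that is fine as long as both land in the same devices.if.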
@@ -15609,7 +15626,7 @@ index f820f3b..2cad8ee 100644 ## Read hardware state information. ## ## -@@ -3972,6 +4228,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4247,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -15629,6 +15646,26 @@ index f820f3b..2cad8ee 100644 + relabel_dirs_pattern($1, sysfs_t, sysfs_t) +') + ++####################################### ++## ++## Relabel hardware state files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_all_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++') ++ +######################################## +## +## Allow caller to modify hardware state information. @@ -15652,7 +15689,7 @@ index f820f3b..2cad8ee 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4361,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4400,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -15678,7 +15715,7 @@ index f820f3b..2cad8ee 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4414,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4453,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -15703,7 +15740,7 @@ index f820f3b..2cad8ee 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4824,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4863,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -15728,7 +15765,7 @@ index f820f3b..2cad8ee 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5042,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5081,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## 
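Review bot: `dev_relabel_all_sysfs` is documented as `## Relabel hardware state files` but grants relabel on sysfs directories, files and symlinks alike; say so with `## Relabel all sysfs directories, files, and symbolic links.` The grant is sysfs_t-to-sysfs_t only, so its reach is limited, but the changelog does not mention the interface and a one-line comment naming the domain that needs it would help the next reviewer. The header rule above it uses 39 `#` where the rest of the file uses 40.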
@@ -15755,7 +15792,7 @@ index f820f3b..2cad8ee 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5151,843 @@ interface(`dev_unconfined',` +@@ -4784,3 +5190,861 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -15789,6 +15826,64 @@ index f820f3b..2cad8ee 100644 +## +## +# ++interface(`dev_filetrans_printer_named_dev',` ++ ++ gen_require(` ++ type printer_device_t; ++ ++ ') ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") ++ filetrans_pattern($1, device_t, 
printer_device_t, chr_file, "par5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") ++ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") ++') ++ ++######################################## ++## ++## Create all named devices with the correct label ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_filetrans_all_named_dev',` + +gen_require(` @@ -15810,7 +15905,6 @@ index f820f3b..2cad8ee 100644 + type random_device_t; + type dri_device_t; + type ipmi_device_t; -+ type printer_device_t; + type memory_device_t; + type kmsg_device_t; + type qemu_device_t; @@ -15837,6 +15931,7 @@ index f820f3b..2cad8ee 100644 + type mtrr_device_t; +') + ++ dev_filetrans_printer_named_dev($1) + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") 
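Review bot: `dev_filetrans_printer_named_dev` (hunk `@@ -15789,6 +15826,64 @@`, which starts on the previous line) uses `device_t` in every `filetrans_pattern` call, but its `gen_require` lists only `type printer_device_t;`; in a modular build the interface body expands in the calling module, which then has to require `device_t`, so add `type device_t;` beside it, matching what `dev_filetrans_all_named_dev` does. The refactor in hunks `@@ -15810,7 +15905,6 @@` and `@@ -15837,6 +15931,7 @@` (dropping `type printer_device_t;` from `dev_filetrans_all_named_dev` and calling the new interface instead) is consistent with the later removals of the printer lines. Style: the two stray blank lines inside the `gen_require(` ... `')` block do not match the rest of the file.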
@@ -16074,16 +16169,6 @@ index f820f3b..2cad8ee 100644 + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") 
@@ -16132,16 +16217,6 @@ index f820f3b..2cad8ee 100644 + filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9") + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") 
@@ -16205,16 +16280,6 @@ index f820f3b..2cad8ee 100644 + filetrans_pattern($1, device_t, null_device_t, chr_file, "null") + filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") + filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") 
@@ -16320,16 +16385,6 @@ index f820f3b..2cad8ee 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") -+ filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") + filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") @@ -26098,7 +26153,7 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..ad1e64f 100644 +index 3136c6a..e8e4fa6 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,232 @@ policy_module(apache, 2.2.1) 
@@ -26517,7 +26572,7 @@ index 3136c6a..ad1e64f 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +501,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +501,17 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26527,6 +26582,7 @@ index 3136c6a..ad1e64f 100644 corenet_tcp_bind_http_cache_port(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) +corenet_tcp_bind_jboss_management_port(httpd_t) ++corenet_tcp_bind_jboss_messaging_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) +corenet_tcp_bind_puppet_port(httpd_t) # Signal self for shutdown @@ -26535,7 +26591,7 @@ index 3136c6a..ad1e64f 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +519,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +520,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26551,7 +26607,7 @@ index 3136c6a..ad1e64f 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +532,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +533,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26559,7 +26615,7 @@ index 3136c6a..ad1e64f 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +544,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +545,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26663,7 +26719,7 @@ index 3136c6a..ad1e64f 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +649,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +650,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
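Review bot: `corenet_tcp_bind_jboss_messaging_port(httpd_t)` lets the network-facing httpd_t listen on tcp 5445/5455 unconditionally, next to the existing unconditional `jboss_management` bind. If JBoss is what needs these listeners (presumably it runs under httpd_t here — confirm), a comment on the pair such as `# JBoss AS runs in httpd_t: management and messaging listeners` would record that, and both grants become candidates for a boolean once a separate jboss domain exists. The interface name depends on the `network_port(jboss_messaging, ...)` definition in corenetwork.te.in from the same commit. The httpd_t corenet rule run continues outside the hunk.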
@@ -26727,7 +26783,7 @@ index 3136c6a..ad1e64f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +713,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +714,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26750,7 +26806,7 @@ index 3136c6a..ad1e64f 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +743,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +744,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26771,7 +26827,7 @@ index 3136c6a..ad1e64f 100644 ') optional_policy(` -@@ -513,7 +767,13 @@ optional_policy(` +@@ -513,7 +768,13 @@ optional_policy(` ') optional_policy(` @@ -26786,7 +26842,7 @@ index 3136c6a..ad1e64f 100644 ') optional_policy(` -@@ -528,7 +788,19 @@ optional_policy(` +@@ -528,7 +789,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26807,7 +26863,7 @@ index 3136c6a..ad1e64f 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +809,13 @@ optional_policy(` +@@ -537,8 +810,13 @@ optional_policy(` ') optional_policy(` @@ -26822,7 +26878,7 @@ index 3136c6a..ad1e64f 100644 ') ') -@@ -556,7 +833,21 @@ optional_policy(` +@@ -556,7 +834,21 @@ optional_policy(` ') optional_policy(` @@ -26844,7 +26900,7 @@ index 3136c6a..ad1e64f 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +858,7 @@ optional_policy(` +@@ -567,6 +859,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26852,7 +26908,7 @@ index 3136c6a..ad1e64f 100644 ') optional_policy(` -@@ -577,6 +869,20 @@ optional_policy(` +@@ -577,6 +870,20 @@ optional_policy(` ') optional_policy(` 
@@ -26873,7 +26929,7 @@ index 3136c6a..ad1e64f 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +897,11 @@ optional_policy(` +@@ -591,6 +898,11 @@ optional_policy(` ') optional_policy(` @@ -26885,7 +26941,7 @@ index 3136c6a..ad1e64f 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +914,12 @@ optional_policy(` +@@ -603,6 +915,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26898,7 +26954,7 @@ index 3136c6a..ad1e64f 100644 ######################################## # # Apache helper local policy -@@ -616,7 +933,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +934,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26911,7 +26967,7 @@ index 3136c6a..ad1e64f 100644 ######################################## # -@@ -654,28 +975,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +976,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26955,7 +27011,7 @@ index 3136c6a..ad1e64f 100644 ') ######################################## -@@ -685,6 +1008,8 @@ optional_policy(` +@@ -685,6 +1009,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -26964,7 +27020,7 @@ index 3136c6a..ad1e64f 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1024,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1025,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -26990,7 +27046,7 @@ index 3136c6a..ad1e64f 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1070,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1071,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27023,7 +27079,7 @@ index 3136c6a..ad1e64f 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1117,25 @@ optional_policy(` +@@ -769,6 +1118,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27049,7 +27105,7 @@ index 3136c6a..ad1e64f 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1156,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1157,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27067,7 +27123,7 @@ index 3136c6a..ad1e64f 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1175,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1176,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27124,7 +27180,7 @@ index 3136c6a..ad1e64f 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1226,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1227,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -27165,7 +27221,7 @@ index 3136c6a..ad1e64f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1271,20 @@ optional_policy(` +@@ -842,10 +1272,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27186,7 +27242,7 @@ index 3136c6a..ad1e64f 100644 ') ######################################## -@@ -891,11 +1330,49 @@ optional_policy(` +@@ -891,11 +1331,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -29622,10 +29678,10 @@ index c3e3f79..3e78d4e 100644 + diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc new file mode 100644 -index 0000000..4ec83df +index 0000000..4c52fa3 --- /dev/null +++ b/policy/modules/services/cfengine.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,12 @@ + +/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0) +/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0) @@ -29636,15 +29692,45 @@ index 0000000..4ec83df +/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) + +/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) ++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0) ++ diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if new file mode 100644 -index 0000000..883b697 +index 0000000..f076cff --- /dev/null 
+++ b/policy/modules/services/cfengine.if -@@ -0,0 +1,42 @@ +@@ -0,0 +1,145 @@ + +## policy for cfengine + ++###################################### ++## ++## Creates types and rules for a basic ++## cfengine init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`cfengine_domain_template',` ++ gen_require(` ++ attribute cfengine_domain; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type cfengine_$1_t, cfengine_domain; ++ type cfengine_$1_exec_t; ++ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) ++ ++ auth_use_nsswitch(cfengine_$1_t) ++ ++') + +######################################## +## @@ -29665,6 +29751,24 @@ index 0000000..883b697 + domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t) +') + ++####################################### ++## ++## Search cfengine lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_search_lib_files',` ++ gen_require(` ++ type cfengine_var_lib_t; ++ ') ++ ++ allow $1 cfengine_var_lib_t:dir search_dir_perms; ++') ++ +######################################## +## +## Read cfengine lib files. 
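Review bot: The description of `cfengine_domain_template` says it creates "a basic cfengine init daemon domain" but does not mention that the generated domain is placed on the `cfengine_domain` attribute, and that attribute is what carries the shared rules in cfengine.te (lib and log management, corecmd_exec_shell, sysnet_domtrans_ifconfig), so a reader of the interface file alone cannot tell what `cfengine_domain_template(monitord)` actually grants. I would add a line to the description, `## The domain is also added to the cfengine_domain attribute and so receives every rule cfengine.te attaches to that attribute.` The gen_require of `attribute cfengine_domain` in the template is correct and needs no change.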
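Review bot: The context line `domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)` in `cfengine_domtrans_server` names types that the reworked declarations do not create — `cfengine_domain_template(serverd)` declares `cfengine_serverd_t` and `cfengine_serverd_exec_t` — and this commit touches the declarations without touching this interface. Unless `cfengine_server_t` is declared somewhere outside this patch, the first module that calls the interface fails to build on the unresolved gen_require (the gen_require block itself is outside the hunk); the fix is `domtrans_pattern($1, cfengine_serverd_exec_t, cfengine_serverd_t)` with the two matching type names in the gen_require. The new `cfengine_search_lib_files` interface in this hunk is fine as written.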
@@ -29684,12 +29788,69 @@ index 0000000..883b697 + read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) +') + ++###################################### ++## ++## Allow the specified domain to read cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_read_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ files_search_var_lib($1) ++ cfengine_search_lib_files($1) ++ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to append cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_append_inherited_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ cfengine_search_lib_files($1) ++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; ++') ++ ++#################################### ++## ++## Dontaudit the specified domain to write cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_dontaudit_write_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ dontaudit $1 cfengine_var_log_t:file write; ++') diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 -index 0000000..1ba0484 +index 0000000..65aa04c --- /dev/null +++ b/policy/modules/services/cfengine.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,94 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -29697,9 +29858,11 @@ index 0000000..1ba0484 +# Declarations +# + -+type cfengine_serverd_t; -+type cfengine_serverd_exec_t; -+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t) ++attribute cfengine_domain; ++ ++cfengine_domain_template(serverd) ++cfengine_domain_template(execd) ++cfengine_domain_template(monitord) + +type cfengine_initrc_exec_t; +init_script_file(cfengine_initrc_exec_t) 
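Review bot: `cfengine_append_inherited_log` grants `cfengine_search_lib_files($1)` next to `{ getattr append ioctl lock }` on `cfengine_var_log_t:file`, but a domain appending to a descriptor it inherited never looks the path up, so the directory search permission is dead weight — and because later hunks in this patch call the interface on `application_domain_type` (application.te), `daemon` and `systemprocess` (init.te), that search right on cfengine_var_lib_t ends up on almost every domain in the policy. I would drop the `cfengine_search_lib_files($1)` line from `cfengine_append_inherited_log`; the absence of `open` in the permission set is what correctly limits the interface to inherited descriptors and deserves a comment, `# no open: inherited descriptors only`. `cfengine_read_log` has the mirror-image issue: it calls `logging_search_logs($1)`, yet the only path cfengine.fc labels cfengine_var_log_t is /var/cfengine/outputs under var_lib, so that call appears unnecessary and could be removed.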
@@ -29707,116 +29870,81 @@ index 0000000..1ba0484 +type cfengine_var_lib_t; +files_type(cfengine_var_lib_t) + -+type cfengine_execd_t; -+type cfengine_execd_exec_t; -+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t) -+ -+type cfengine_monitord_t; -+type cfengine_monitord_exec_t; -+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t) ++type cfengine_var_log_t; ++logging_log_file(cfengine_var_log_t) + -+######################################## ++####################################### +# -+# cfengine-server local policy ++# cfengine domain local policy +# -+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_serverd_t self:process { fork setfscreate signal }; + -+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms; ++allow cfengine_domain self:fifo_file rw_fifo_file_perms; ++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms; + -+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file }) ++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file }) + -+kernel_read_system_state(cfengine_serverd_t) ++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) ++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) ++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file }) + -+corecmd_exec_bin(cfengine_serverd_t) 
-+corecmd_exec_shell(cfengine_serverd_t) ++kernel_read_system_state(cfengine_domain) + -+dev_read_urand(cfengine_serverd_t) -+dev_read_sysfs(cfengine_serverd_t) ++corecmd_exec_bin(cfengine_domain) ++corecmd_exec_shell(cfengine_domain) + -+domain_use_interactive_fds(cfengine_serverd_t) ++dev_read_urand(cfengine_domain) ++dev_read_sysfs(cfengine_domain) + -+files_read_etc_files(cfengine_serverd_t) ++#auth_use_nsswitch(cfengine_domain) + -+auth_use_nsswitch(cfengine_serverd_t) ++logging_send_syslog_msg(cfengine_domain) + -+logging_send_syslog_msg(cfengine_serverd_t) ++miscfiles_read_localization(cfengine_domain) + -+miscfiles_read_localization(cfengine_serverd_t) ++sysnet_dns_name_resolve(cfengine_domain) ++sysnet_domtrans_ifconfig(cfengine_domain) + -+sysnet_dns_name_resolve(cfengine_serverd_t) -+sysnet_domtrans_ifconfig(cfengine_serverd_t) ++files_read_etc_files(cfengine_domain) + +######################################## +# -+# cfengine_exec local policy ++# cfengine-server local policy +# -+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_execd_t self:process { fork setfscreate signal }; -+ -+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+ -+domain_use_interactive_fds(cfengine_execd_t) + -+files_read_etc_files(cfengine_execd_t) -+ -+kernel_read_system_state(cfengine_execd_t) -+ -+corecmd_exec_bin(cfengine_execd_t) -+corecmd_exec_shell(cfengine_execd_t) -+ -+dev_read_urand(cfengine_execd_t) -+dev_read_sysfs(cfengine_execd_t) ++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot }; ++allow cfengine_serverd_t self:process { fork setfscreate signal }; + 
-+auth_use_nsswitch(cfengine_execd_t) ++domain_use_interactive_fds(cfengine_serverd_t) + -+logging_send_syslog_msg(cfengine_execd_t) ++######################################## ++# ++# cfengine_exec local policy ++# + -+miscfiles_read_localization(cfengine_execd_t) ++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; ++allow cfengine_execd_t self:process { fork setfscreate signal }; + -+sysnet_dns_name_resolve(cfengine_execd_t) -+sysnet_domtrans_ifconfig(cfengine_execd_t) ++domain_read_all_domains_state(cfengine_execd_t) ++domain_use_interactive_fds(cfengine_execd_t) + +######################################## +# +# cfengine_monitord local policy +# ++ +allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot }; +allow cfengine_monitord_t self:process { fork setfscreate signal }; + -+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+ -+corecmd_exec_bin(cfengine_monitord_t) -+ -+dev_read_sysfs(cfengine_monitord_t) -+dev_read_urand(cfengine_monitord_t) ++kernel_read_hotplug_sysctls(cfengine_monitord_t) ++kernel_read_network_state(cfengine_monitord_t) + ++domain_read_all_domains_state(cfengine_monitord_t) +domain_use_interactive_fds(cfengine_monitord_t) + -+files_read_etc_files(cfengine_monitord_t) -+ -+auth_use_nsswitch(cfengine_monitord_t) -+ -+logging_send_syslog_msg(cfengine_monitord_t) -+ -+miscfiles_read_localization(cfengine_monitord_t) -+ -+sysnet_dns_name_resolve(cfengine_monitord_t) -+sysnet_domtrans_ifconfig(cfengine_monitord_t) ++fs_getattr_xattr_fs(cfengine_monitord_t) 
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if index 33facaf..e5cbcef 100644 --- a/policy/modules/services/cgroup.if @@ -38582,10 +38710,10 @@ index 0000000..84d1768 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..8dcd6e4 +index 0000000..fa63e2d --- /dev/null +++ b/policy/modules/services/firewalld.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,69 @@ + +policy_module(firewalld,1.0.0) + @@ -38629,6 +38757,7 @@ index 0000000..8dcd6e4 +kernel_read_system_state(firewalld_t) + +corecmd_exec_bin(firewalld_t) ++corecmd_exec_shell(firewalld_t) + +domain_use_interactive_fds(firewalld_t) + @@ -47425,10 +47554,10 @@ index 74da57f..b94bb3b 100644 /usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc -index 386543b..8e8f911 100644 +index 386543b..9cb5afa 100644 --- a/policy/modules/services/networkmanager.fc +++ b/policy/modules/services/networkmanager.fc -@@ -1,6 +1,15 @@ +@@ -1,6 +1,19 @@ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) 
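Review bot: The shared rules transition new files under `cfengine_var_lib_t` and in /var/log (`files_var_lib_filetrans` and `logging_log_filetrans`), but nothing transitions the `outputs` directory that cfengine.fc labels `cfengine_var_log_t` — a daemon that creates /var/cfengine/outputs at runtime gets `cfengine_var_lib_t` by inheritance until a restorecon runs, while the `logging_log_filetrans` rule targets a /var/log location no fc entry maps. A named transition, as `files_etc_filetrans($1, net_conf_t, file, "yp.conf")` does elsewhere in this patch, closes the gap: `filetrans_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_log_t, dir, "outputs")`. Two leftovers in the same hunk: `#auth_use_nsswitch(cfengine_domain)` should be deleted rather than commented out now that the template makes the call per domain, and the `cfengine_var_log_t,cfengine_var_log_t` and `cfengine_domain,cfengine_var_log_t,{ dir file }` argument lists are missing the spaces the rest of the file uses. Note also that moving the rules onto the attribute gives `cfengine_monitord_t` `corecmd_exec_shell` and the fifo/unix-socket self rules, which the per-domain monitord policy being removed did not grant; please confirm that widening is intended.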
@@ -47437,6 +47566,10 @@ index 386543b..8e8f911 100644 +/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) +/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + ++/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++ +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) @@ -47445,7 +47578,7 @@ index 386543b..8e8f911 100644 /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -@@ -16,11 +25,13 @@ +@@ -16,11 +29,13 @@ /var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) /var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) @@ -49138,7 +49271,7 @@ index bd76ec2..ca6517b 100644 ## ## Execute a domain transition to run oddjob_mkhomedir. diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te -index cadfc63..c8f4d64 100644 +index cadfc63..e056e78 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -7,7 +7,6 @@ policy_module(oddjob, 1.7.0) 
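Review bot: The three new `/etc/dhcp/*-settings.conf` entries mirror the `/etc/wicd/*-settings.conf` lines immediately below them name for name, and nothing on the page indicates that wicd stores its settings under /etc/dhcp, so this looks like the wicd block pasted under the wrong directory; please confirm the path against the daemon before it lands. Separately, the changelog entry says the aim is for the /etc/wicd files "to get created with the correct label", but fc entries only affect relabeling — creation labeling needs a named transition in the .te (the pattern `files_etc_filetrans($1, net_conf_t, file, "yp.conf")` used later in this patch), which this hunk does not add and I cannot see in the visible sysnetwork or networkmanager hunks.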
@@ -49157,7 +49290,16 @@ index cadfc63..c8f4d64 100644 domain_obj_id_change_exemption(oddjob_mkhomedir_t) init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -@@ -99,8 +97,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) +@@ -53,6 +51,8 @@ selinux_compute_create_context(oddjob_t) + + files_read_etc_files(oddjob_t) + ++auth_use_nsswitch(oddjob_t) ++ + miscfiles_read_localization(oddjob_t) + + locallogin_dontaudit_use_fds(oddjob_t) +@@ -99,8 +99,6 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) @@ -49489,7 +49631,7 @@ index 8ac407e..8235fb6 100644 admin_pattern($1, pads_config_t) ') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te -index b246bdd..07baada 100644 +index b246bdd..84afa7a 100644 --- a/policy/modules/services/pads.te +++ b/policy/modules/services/pads.te @@ -1,4 +1,4 @@ @@ -49506,7 +49648,7 @@ index b246bdd..07baada 100644 type pads_initrc_exec_t; init_script_file(pads_initrc_exec_t) -@@ -25,10 +24,10 @@ files_pid_file(pads_var_run_t) +@@ -25,10 +24,11 @@ files_pid_file(pads_var_run_t) # allow pads_t self:capability { dac_override net_raw }; @@ -49516,12 +49658,13 @@ index b246bdd..07baada 100644 -allow pads_t self:unix_dgram_socket { write create connect }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; +allow pads_t self:packet_socket create_socket_perms; ++allow pads_t self:socket create_socket_perms; +allow pads_t self:udp_socket create_socket_perms; +allow pads_t self:unix_dgram_socket create_socket_perms; allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) -@@ -48,6 +47,7 @@ corenet_tcp_connect_prelude_port(pads_t) +@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t) dev_read_rand(pads_t) dev_read_urand(pads_t) 
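Review bot: `allow pads_t self:socket create_socket_perms;` is a grant on the generic `socket` class, which stands in for every address family that has no dedicated class, so it is wider than the packet, udp and netlink_route rules beside it and a reader cannot tell from the hunk what pads actually opens. Since the commit adds it with no explanation, a why-comment naming the family observed in the denial would help the next reviewer, e.g. `# generic socket class: <address family from the AVC> — TODO confirm`, or, if a dedicated class exists for that family, that class instead of the generic one.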
@@ -52406,7 +52549,7 @@ index 7257526..7d73656 100644 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index f03fad4..1865d8f 100644 +index f03fad4..d693956 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -11,9 +11,9 @@ @@ -52422,6 +52565,15 @@ index f03fad4..1865d8f 100644 ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) +@@ -30,7 +30,7 @@ ifdef(`distro_redhat', ` + + /var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +-/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) + + /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 09aeffa..f8a0d88 100644 --- a/policy/modules/services/postgresql.if @@ -59362,7 +59514,7 @@ index 7e94c7c..5700fb8 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 22dac1f..75081a5 100644 +index 22dac1f..e2f2d7d 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) 
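Review bot: `/var/lib/pgsql/.*\.log` carries no file-type qualifier and its `.*` crosses directory separators, so it matches any path ending in `.log` at any depth under /var/lib/pgsql, directories included; the `pgstartup\.log` line it replaces was equally unqualified but matched a single name. The `data(/.*)?` and `logfile(/.*)?` entries have longer literal stems and should still win inside their subtrees, but anything else under /var/lib/pgsql (backup or dump directories, for example) would be relabeled postgresql_log_t. If the intent is the top-level *.log files, `/var/lib/pgsql/[^/]*\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)` expresses it and excludes directories.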
@@ -59401,7 +59553,18 @@ index 22dac1f..75081a5 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -128,7 +129,14 @@ optional_policy(` +@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t) + mta_sendmail_exec(sendmail_t) + + optional_policy(` ++ cfengine_dontaudit_write_log(sendmail_t) ++') ++ ++optional_policy(` + cron_read_pipes(sendmail_t) + ') + +@@ -128,7 +133,14 @@ optional_policy(` ') optional_policy(` @@ -59416,7 +59579,7 @@ index 22dac1f..75081a5 100644 ') optional_policy(` -@@ -149,7 +157,9 @@ optional_policy(` +@@ -149,7 +161,9 @@ optional_policy(` ') optional_policy(` @@ -59426,7 +59589,7 @@ index 22dac1f..75081a5 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +178,13 @@ optional_policy(` +@@ -168,20 +182,13 @@ optional_policy(` ') optional_policy(` @@ -68300,10 +68463,10 @@ index 1b6619e..3aed6ad 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..41198a4 100644 +index c6fdab7..32f45fa 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,6 +6,24 @@ attribute application_domain_type; +@@ -6,6 +6,28 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -68321,6 +68484,10 @@ index c6fdab7..41198a4 100644 +') + +optional_policy(` ++ cfengine_append_inherited_log(application_domain_type) ++') ++ ++optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) + cron_sigchld(application_domain_type) +') @@ -70310,7 +70477,7 @@ index 94fd8dd..82d8769 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..f87bb28 100644 +index 29a9565..44fa94d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -70513,8 +70680,8 @@ index 29a9565..f87bb28 100644 optional_policy(` - auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) -+') -+ + ') + +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate setrlimit }; @@ -70617,30 +70784,30 @@ index 29a9565..f87bb28 100644 +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) + -+optional_policy(` + optional_policy(` + lvm_rw_pipes(init_t) +') + +optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) - ') - - optional_policy(` -- nscd_socket_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') @@ -71147,7 +71314,7 @@ index 29a9565..f87bb28 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1172,26 @@ optional_policy(` +@@ -815,11 +1172,30 @@ optional_policy(` ') optional_policy(` @@ -71160,6 +71327,10 @@ index 29a9565..f87bb28 100644 +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) ++') ++ ++optional_policy(` ++ cfengine_append_inherited_log(daemon) ') optional_policy(` @@ -71175,7 +71346,7 @@ index 29a9565..f87bb28 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1201,25 @@ optional_policy(` +@@ -829,6 +1205,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
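Review bot: The new `optional_policy(` block for `cfengine_append_inherited_log(daemon)` is placed after the `cron_rw_pipes(daemon)` block, whereas refpolicy keeps optional_policy blocks in alphabetical module order, and the `systemprocess` and `application_domain_type` instances of the same call elsewhere in this patch are placed before their cron blocks. Moving the block above the cron one keeps the three call sites consistent and makes the grant easier to find when it is later reviewed.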
@@ -71201,7 +71372,7 @@ index 29a9565..f87bb28 100644 ') optional_policy(` -@@ -844,6 +1235,10 @@ optional_policy(` +@@ -844,6 +1239,10 @@ optional_policy(` ') optional_policy(` @@ -71212,7 +71383,7 @@ index 29a9565..f87bb28 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1249,157 @@ optional_policy(` +@@ -854,3 +1253,161 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -71344,6 +71515,10 @@ index 29a9565..f87bb28 100644 +') + +optional_policy(` ++ cfengine_append_inherited_log(systemprocess) ++') ++ ++optional_policy(` + cron_rw_pipes(systemprocess) +') + @@ -72689,7 +72864,7 @@ index a0b379d..bf90918 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..fe034f7 100644 +index 02f4c97..5ad8b48 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,13 @@ @@ -72706,7 +72881,12 @@ index 02f4c97..fe034f7 100644 /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -38,7 +45,7 @@ ifdef(`distro_suse', ` +@@ -34,11 +41,11 @@ ifdef(`distro_suse', ` + + /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +-/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -76036,7 +76216,7 @@ index ff80d0a..be800df 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..a9ce01d 100644 +index 34d0ec5..249c952 100644 
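Review bot: `#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)` is commented-out code left in logging.fc; since cfengine.fc in this patch now owns that path as cfengine_var_log_t, the line should be deleted rather than disabled, otherwise the next reader has to work out which of the two specifications is live. Deleting it also removes the temptation to re-enable it beside the cfengine.fc entry, which would hand setfiles two specifications for the same path.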
--- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -76262,7 +76442,7 @@ index 34d0ec5..a9ce01d 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +370,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +370,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -76271,6 +76451,10 @@ index 34d0ec5..a9ce01d 100644 +') + +optional_policy(` ++ cfengine_dontaudit_write_log(ifconfig_t) ++') ++ ++optional_policy(` + ctdbd_read_lib_files(ifconfig_t) +') + @@ -76281,7 +76465,7 @@ index 34d0ec5..a9ce01d 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +392,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -76296,7 +76480,7 @@ index 34d0ec5..a9ce01d 100644 ') optional_policy(` -@@ -335,6 +408,22 @@ optional_policy(` +@@ -335,6 +412,22 @@ optional_policy(` ') optional_policy(` @@ -76319,7 +76503,7 @@ index 34d0ec5..a9ce01d 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +445,9 @@ optional_policy(` +@@ -356,3 +449,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -76866,10 +77050,10 @@ index 0000000..1688a39 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c52e7dc +index 0000000..75fc546 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,389 @@ +@@ -0,0 +1,391 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -77072,7 +77256,7 @@ index 0000000..c52e7dc +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; 
@@ -77080,6 +77264,8 @@ index 0000000..c52e7dc +kernel_read_network_state(systemd_tmpfiles_t) + +dev_write_kmsg(systemd_tmpfiles_t) ++dev_relabel_all_sysfs(systemd_tmpfiles_t) ++dev_manage_printer(systemd_tmpfiles_t) + +domain_obj_id_change_exemption(systemd_tmpfiles_t) + @@ -77187,7 +77373,7 @@ index 0000000..c52e7dc +# +# systemd_notify local policy +# -+allow systemd_notify_t self:capability { chown }; ++allow systemd_notify_t self:capability chown; +allow systemd_notify_t self:process { fork setfscreate setsockcreate }; + +allow systemd_notify_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 17a027c..d8628b2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 84%{?dist} +Release: 85%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Apr 20 2012 Miroslav Grepl 3.10.0-85 +- Add ~/.orc as a gstreamer_home_t +- Allow mcelog to exec shel +- Allow systemd_tmpfiles to manage printer devices +- Add definitions for jboss_messaging ports +- Fix labeling of log files for postgresql +- Allow firewalld to execute shell +- Fix /etc/wicd content files to get created with the correct label +- tmpreaper should be able to list all file system labeled directories +- Allow sambagui to use ldap +- Lot of fixes for cfengine +- Allow pads to create socket + * Wed Apr 18 2012 Miroslav Grepl 3.10.0-84 - Make sure /var/spool/postfix/lib64 is labeled as /var/spool/postfix/lib - Nagios fixes
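Review bot: `dev_relabel_all_sysfs(systemd_tmpfiles_t)` lets the tmpfiles domain relabel every object in sysfs, a far wider grant than the `dev_manage_printer` line next to it that the changelog entry ("Allow systemd_tmpfiles to manage printer devices") accounts for, and the preceding hunk also adds `mknod` to the domain's capability set. Nothing on the page ties the sysfs relabel to a particular tmpfiles.d entry, so please confirm the denial it answers and record it above the line, e.g. `# relabel rules in tmpfiles.d touch <sysfs path> — TODO confirm`. If only one sysfs subtree is relabeled in practice, a narrower interface than the all-sysfs one would be preferable.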