From b707bc7be7a5d2e62f742df49c61391fef149b00 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Nov 15 2010 17:38:26 +0000
Subject: - Allow mysqld-safe to send system log messages
- Add dirsrv and dirsrv-admin policy
- Allow nagios plugins to read usr files
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f17558d..4f68a1a 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -195,6 +195,20 @@ bind = module
bugzilla = module

# Layer: services
+# Module: dirsrv
+#
+# An 309 directory server
+#
+dirsrv = module
+
+# Layer: services
+# Module: dirsrv-admin
+#
+# An 309 directory admin server
+#
+dirsrv-admin = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
diff --git a/policy-F13.patch b/policy-F13.patch
index 558a15e..b777f7c 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
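Review bot: The two new module descriptions `# An 309 directory server` and `# An 309 directory admin server` look like typos for the product this commit actually targets, which the spec's new `Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12` line names as 389; suggest `# 389 Directory Server (ns-slapd)` and `# 389 Directory Server administration server and its CGIs`. These comments are the only human-readable summary of the two modules in this file, so they should name the real package and, for dirsrv-admin, say that it also confines the Apache CGI domain.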
@@ -21329,6 +21329,613 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.fc serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.fc +--- nsaserefpolicy/policy/modules/services/dirsrv-admin.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.fc 2010-11-15 14:19:02.503399070 +0100 +@@ -0,0 +1,11 @@ ++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) ++ ++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) ++ ++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) ++ ++/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.if serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.if +--- nsaserefpolicy/policy/modules/services/dirsrv-admin.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.if 2010-11-15 14:19:02.504398934 +0100 +@@ -0,0 +1,95 @@ ++## Administration Server for Directory Server, dirsrv-admin. ++ ++######################################## ++## ++## Exec dirsrv-admin programs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrvadmin_run_exec',` ++ gen_require(` ++ type dirsrvadmin_exec_t; ++ ') ++ ++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms; ++ can_exec($1, dirsrvadmin_exec_t) ++') ++ ++######################################## ++## ++## Exec cgi programs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_run_httpd_script_exec',` ++ gen_require(` ++ type httpd_dirsrvadmin_script_exec_t; ++ ') ++ ++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_dirsrvadmin_script_exec_t) ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_read_config',` ++ gen_require(` ++ type dirsrvadmin_config_t; ++ ') ++ ++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t) ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrvadmin_manage_config',` ++ gen_require(` ++ type dirsrvadmin_config_t; ++ ') ++ ++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms; ++ allow $1 dirsrvadmin_config_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Manage dirsrv-adminserver tmp files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrvadmin_manage_tmp',` ++ gen_require(` ++ type dirsrvadmin_tmp_t; ++ ') ++ ++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.te serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.te +--- nsaserefpolicy/policy/modules/services/dirsrv-admin.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.te 2010-11-15 14:19:02.523147846 +0100 +@@ -0,0 +1,92 @@ ++policy_module(dirsrv-admin,1.0.0) ++ ++######################################## ++# ++# Declarations for the daemon ++# ++ ++type dirsrvadmin_t; ++type dirsrvadmin_exec_t; ++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t) ++role system_r types dirsrvadmin_t; ++ ++type dirsrvadmin_config_t; ++files_type(dirsrvadmin_config_t) ++ ++type dirsrvadmin_tmp_t; ++files_tmp_file(dirsrvadmin_tmp_t) ++ ++######################################## ++# ++# Local policy for the daemon ++# ++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; ++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config }; ++ ++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir }) ++ ++kernel_read_system_state(dirsrvadmin_t) ++ ++corecmd_exec_bin(dirsrvadmin_t) ++corecmd_read_bin_symlinks(dirsrvadmin_t) ++corecmd_search_bin(dirsrvadmin_t) ++corecmd_shell_entry_type(dirsrvadmin_t) ++ ++files_exec_etc_files(dirsrvadmin_t) ++ ++logging_search_logs(dirsrvadmin_t) ++ ++miscfiles_read_localization(dirsrvadmin_t) ++ ++# Needed for stop and restart scripts ++dirsrv_read_var_run(dirsrvadmin_t) ++ ++apache_domtrans(dirsrvadmin_t) ++apache_signal(dirsrvadmin_t) ++ ++######################################## ++# ++# Local 
policy for the CGIs ++# ++# ++# ++# Create a domain for the CGI scripts ++apache_content_template(dirsrvadmin) ++ ++allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; ++allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; ++allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; ++allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; ++allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; ++allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; ++allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; ++ ++kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) ++ ++corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t) ++corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) ++corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) ++corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) ++ ++files_search_var_lib(httpd_dirsrvadmin_script_t) ++ ++sysnet_read_config(httpd_dirsrvadmin_script_t) ++ ++manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) ++files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) ++ ++# The CGI scripts must be able to manage dirsrv-admin ++dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) ++dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) ++dirsrv_domtrans(httpd_dirsrvadmin_script_t) ++dirsrv_signal(httpd_dirsrvadmin_script_t) ++dirsrv_signull(httpd_dirsrvadmin_script_t) ++dirsrv_manage_log(httpd_dirsrvadmin_script_t) ++dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) ++dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) ++dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) ++dirsrv_manage_config(httpd_dirsrvadmin_script_t) ++dirsrv_read_share(httpd_dirsrvadmin_script_t) +diff 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.7.19/policy/modules/services/dirsrv.fc +--- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.fc 2010-11-15 14:19:02.524147919 +0100 +@@ -0,0 +1,20 @@ ++/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0) ++ ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) ++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) ++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) ++ ++/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0) ++ ++/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) ++ ++/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++ ++/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++ ++/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++ ++/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.7.19/policy/modules/services/dirsrv.if +--- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.if 2010-11-15 14:19:02.524147919 +0100 +@@ -0,0 +1,193 @@ ++## policy for dirsrv ++ ++######################################## ++## ++## Execute a domain transition to run dirsrv. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`dirsrv_domtrans',` ++ gen_require(` ++ type dirsrv_t, dirsrv_exec_t; ++ ') ++ ++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit dirsrv_t $1:socket_class_set { read write }; ++ ') ++') ++ ++ ++######################################## ++## ++## Allow caller to signal dirsrv. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_signal',` ++ gen_require(` ++ type dirsrv_t; ++ ') ++ ++ allow $1 dirsrv_t:process signal; ++') ++ ++ ++######################################## ++## ++## Send a null signal to dirsrv. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_signull',` ++ gen_require(` ++ type dirsrv_t; ++ ') ++ ++ allow $1 dirsrv_t:process signull; ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_log',` ++ gen_require(` ++ type dirsrv_var_log_t; ++ ') ++ ++ allow $1 dirsrv_var_log_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_log_t:file manage_file_perms; ++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_var_lib',` ++ gen_require(` ++ type dirsrv_var_lib_t; ++ ') ++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_lib_t:file manage_file_perms; ++') ++ ++####################################### ++## ++## Allow a domain to manage dirsrv /var/run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrv_manage_var_run',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ allow $1 dirsrv_var_run_t:dir manage_dir_perms; ++ allow $1 dirsrv_var_run_t:file manage_file_perms; ++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms; ++') ++ ++###################################### ++## ++## Allow a domain to create dirsrv pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_pid_filetrans',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ # Allow creating a dir in /var/run with this type ++ files_pid_filetrans($1, dirsrv_var_run_t, dir) ++') ++ ++####################################### ++## ++## Allow a domain to read dirsrv /var/run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_read_var_run',` ++ gen_require(` ++ type dirsrv_var_run_t; ++ ') ++ allow $1 dirsrv_var_run_t:dir list_dir_perms; ++ allow $1 dirsrv_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage dirsrv configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dirsrv_manage_config',` ++ gen_require(` ++ type dirsrv_config_t; ++ ') ++ ++ allow $1 dirsrv_config_t:dir manage_dir_perms; ++ allow $1 dirsrv_config_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Read dirsrv share files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dirsrv_read_share',` ++ gen_require(` ++ type dirsrv_share_t; ++ ') ++ ++ allow $1 dirsrv_share_t:dir list_dir_perms; ++ allow $1 dirsrv_share_t:file read_file_perms; ++ allow $1 dirsrv_share_t:lnk_file read; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te +--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2010-11-15 14:19:02.524147919 +0100 +@@ -0,0 +1,172 @@ ++policy_module(dirsrv,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# main daemon ++type dirsrv_t; ++type dirsrv_exec_t; ++domain_type(dirsrv_t) ++init_daemon_domain(dirsrv_t, dirsrv_exec_t) ++ ++type dirsrv_snmp_t; ++type dirsrv_snmp_exec_t; ++domain_type(dirsrv_snmp_t) ++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t) ++ ++type dirsrv_var_lib_t; ++files_type(dirsrv_var_lib_t) ++ ++type dirsrv_var_log_t; ++logging_log_file(dirsrv_var_log_t) ++ ++type dirsrv_snmp_var_log_t; ++logging_log_file(dirsrv_snmp_var_log_t) ++ ++type dirsrv_var_run_t; ++files_pid_file(dirsrv_var_run_t) ++ ++type dirsrv_snmp_var_run_t; ++files_pid_file(dirsrv_snmp_var_run_t) ++ ++type dirsrv_var_lock_t; ++files_lock_file(dirsrv_var_lock_t) ++ ++type dirsrv_config_t; ++files_type(dirsrv_config_t) ++ ++type dirsrv_tmp_t; ++files_tmp_file(dirsrv_tmp_t) ++ ++type dirsrv_tmpfs_t; ++files_tmpfs_file(dirsrv_tmpfs_t) ++ ++type dirsrv_share_t; ++files_type(dirsrv_share_t); ++ ++######################################## ++# ++# dirsrv local policy ++# ++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; ++allow dirsrv_t self:fifo_file rw_fifo_file_perms; ++allow dirsrv_t self:sem create_sem_perms; ++allow dirsrv_t self:tcp_socket create_stream_socket_perms; ++ 
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) ++ ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) ++ ++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) ++allow dirsrv_t dirsrv_var_log_t:dir { setattr }; ++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) ++ ++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file }) ++ ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++ ++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) ++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file }) ++ ++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++ ++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) ++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) ++ ++kernel_read_system_state(dirsrv_t) ++ ++corecmd_search_sbin(dirsrv_t) ++ ++corenet_all_recvfrom_unlabeled(dirsrv_t) ++corenet_all_recvfrom_netlabel(dirsrv_t) ++corenet_tcp_sendrecv_generic_if(dirsrv_t) ++corenet_tcp_sendrecv_generic_node(dirsrv_t) ++corenet_tcp_sendrecv_all_ports(dirsrv_t) ++corenet_tcp_bind_all_nodes(dirsrv_t) ++corenet_tcp_bind_ldap_port(dirsrv_t) ++corenet_tcp_bind_all_rpc_ports(dirsrv_t) ++corenet_udp_bind_all_rpc_ports(dirsrv_t) ++corenet_tcp_connect_all_ports(dirsrv_t) ++corenet_sendrecv_ldap_server_packets(dirsrv_t) ++corenet_sendrecv_all_client_packets(dirsrv_t) ++ ++dev_read_urand(dirsrv_t) ++ 
++files_read_etc_files(dirsrv_t) ++files_read_usr_symlinks(dirsrv_t) ++ ++fs_getattr_all_fs(dirsrv_t) ++ ++miscfiles_read_localization(dirsrv_t) ++ ++sysnet_dns_name_resolve(dirsrv_t) ++ ++optional_policy(` ++ apache_dontaudit_leaks(dirsrv_t) ++') ++ ++optional_policy(` ++ kerberos_read_config(dirsrv_t) ++ kerberos_dontaudit_write_config(dirsrv_t) ++') ++ ++######################################## ++# ++# dirsrv-snmp local policy ++# ++allow dirsrv_snmp_t self:capability { dac_override dac_read_search }; ++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms; ++ ++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) ++ ++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++ ++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t) ++ ++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t) ++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file }) ++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t) ++ ++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t); ++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file) ++ ++corenet_tcp_connect_agentx_port(dirsrv_snmp_t) ++ ++dev_read_rand(dirsrv_snmp_t) ++dev_read_urand(dirsrv_snmp_t) ++ ++domain_use_interactive_fds(dirsrv_snmp_t) ++ ++#files_manage_var_files(dirsrv_snmp_t) ++files_read_etc_files(dirsrv_snmp_t) ++files_read_usr_files(dirsrv_snmp_t) ++ ++fs_getattr_tmpfs(dirsrv_snmp_t) ++fs_search_tmpfs(dirsrv_snmp_t) ++ ++miscfiles_read_localization(dirsrv_snmp_t) ++ ++sysnet_read_config(dirsrv_snmp_t) ++sysnet_dns_name_resolve(dirsrv_snmp_t) ++ ++optional_policy(` ++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_append_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_stream_connect(dirsrv_snmp_t) ++') ++ ++optional_policy(` ++ rpcbind_stream_connect(initrc_t) ++') diff --exclude-from=exclude -N -u 
-r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.19/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/djbdns.if 2010-05-28 09:42:00.101610733 +0200 @@ -25552,7 +26159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-06-21 15:32:41.673073820 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-11-15 10:41:35.381147405 +0100 @@ -65,6 +65,7 @@ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -25577,6 +26184,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) +@@ -184,6 +187,8 @@ + + hostname_exec(mysqld_safe_t) + ++logging_send_syslog_msg(mysqld_safe_t) ++ + miscfiles_read_localization(mysqld_safe_t) + + mysql_manage_db_files(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.19/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/nagios.fc 2010-05-28 09:42:00.131610831 +0200 
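Review bot: The dirsrv.fc entries `/etc/dirsrv(/.*)`, `/usr/share/dirsrv(/.*)`, `/var/run/dirsrv(/.*)`, `/var/lib/dirsrv(/.*)`, `/var/lock/dirsrv(/.*)` and `/var/log/dirsrv(/.*)` lack the trailing `?`, so each top-level directory keeps its parent's generic label (etc_t, var_run_t, var_lib_t, …) and only its contents get the dirsrv types; dirsrv-admin.fc in the same hunk uses `(/.*)?`, and the dirsrv lines should match it, e.g. `/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)` (creating a new instance directory under an etc_t `/etc/dirsrv` would otherwise need a write rule on etc_t that none of these domains are given), and the `.` in `/var/log/dirsrv/ldap-agent.log` should be escaped as `ldap-agent\.log` like the pid entry above it. The network-facing CGI domain `httpd_dirsrvadmin_script_t` receives `dac_override`, `dac_read_search`, `setuid`, `setgid`, `chown`, `kill`, `corenet_tcp_connect_generic_port` and full manage rights over the directory server's config, database (`dirsrv_manage_var_lib`) and pid files plus a transition into `dirsrv_t`, so a compromised admin CGI is effectively unconfined with respect to the directory server; at least the generic-port connect and the two DAC-bypass capabilities should each carry a comment naming the operation that needs them, or sit behind a boolean if they only serve optional features. `rpcbind_stream_connect(initrc_t)` at the end of dirsrv.te grants a rule to the init-script domain from inside the dirsrv module with no `gen_require` for `initrc_t`; if it is really needed it belongs in init.te behind an `init_` interface, and as written it looks likely to fail the module build unless `initrc_t` is otherwise in scope. The summary of `dirsrvadmin_read_config` says `Manage dirsrv-adminserver configuration files.` although the interface only grants `read_files_pattern`; it should read `Read dirsrv-adminserver configuration files.`. The trailing `;` on `files_type(dirsrv_share_t);` and on the `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);` line is not used on any other macro call in these files and should be dropped.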
@@ -25677,7 +26293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.19/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-09-23 15:05:10.602684332 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-11-15 15:07:11.971147348 +0100 @@ -64,8 +64,8 @@ ######################################## @@ -25706,7 +26322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') ######################################## -@@ -99,3 +100,155 @@ +@@ -99,3 +100,157 @@ domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') @@ -25808,6 +26424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + ++ files_read_usr_files(nagios_$1_plugin_t) ++ + miscfiles_read_localization(nagios_$1_plugin_t) +') + @@ -34050,7 +34668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-10-05 16:29:21.802651275 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-11-15 14:09:31.283147945 +0100 @@ -73,6 +73,7 @@ files_read_etc_runtime_files(fsdaemon_t) # for config 
@@ -34059,12 +34677,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) -@@ -83,6 +84,8 @@ +@@ -83,6 +84,9 @@ storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) +storage_read_scsi_generic(fsdaemon_t) +storage_write_scsi_generic(fsdaemon_t) ++storage_create_fixed_disk_dev(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) @@ -34097,8 +34716,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200 -@@ -62,6 +62,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-11-15 17:53:35.780147148 +0100 +@@ -62,11 +62,32 @@ type snmpd_var_lib_t; ') @@ -34106,7 +34725,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow $1 snmpd_var_lib_t:dir list_dir_perms; read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -@@ -83,7 +84,7 @@ + ') + ++####################################### ++## ++## Append snmpd libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_append_snmp_var_lib_files',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++') ++ + ######################################## + ## + ## dontaudit Read snmpd libraries. +@@ -83,7 +104,7 @@ ') dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; dontaudit $1 snmpd_var_lib_t:file read_file_perms; 
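Review bot: `storage_create_fixed_disk_dev(fsdaemon_t)` lets smartd create new fixed-disk block device nodes under /dev, which goes well beyond the raw read/write access on existing nodes that the surrounding lines already grant, and the hunk carries no comment saying which smartd operation needs it. Creating a device node also needs CAP_MKNOD; if the `self:capability` rule for fsdaemon_t (outside this hunk) does not include `mknod`, the new rule is dead and the real denial will resurface as a capability AVC. Suggest documenting the trigger, e.g. `# smartd creates its own disk device nodes when <case>: <bug reference>`, or, if the denial came from a one-off probe that does not affect monitoring, replacing the allow with a dontaudit. The fsdaemon_t policy block this rule belongs to extends outside the hunk.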
@@ -34115,7 +34759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') ######################################## -@@ -128,7 +129,7 @@ +@@ -128,7 +149,7 @@ type snmpd_initrc_exec_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9c10af7..446580a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -318,6 +318,7 @@ Conflicts: audispd-plugins <= 1.7.7-1 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit +Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 %description targeted SELinux Reference policy targeted base module. @@ -469,6 +470,11 @@ exit 0 %endif %changelog +* Mon Nov 15 2010 Miroslav Grepl 3.7.19-72 +- Allow mysqld-safe to send system log messages +- Add dirsrv and dirsrv-admin policy +- Allow nagios plugins to read usr files + * Fri Nov 12 2010 Miroslav Grepl 3.7.19-71 - Add label for libvideo_filter_wrapper_plugin.so - Fixes for corosync policy