From cb71de50e98b11f4682b13a887d5ea1862fa31fb Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 19 2011 16:12:32 +0000 Subject: - Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface - Allow shorewall to use inherited terms - Allow userhelper to getattr all chr_file devices - sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t - Fix labeling for ABRT Retrace Server --- diff --git a/policy-F16.patch b/policy-F16.patch index 94909b5..414e56d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -925,14 +925,16 @@ index 4f7bd3c..b5c346f 100644 + #unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..2f3bab7 100644 +index 7090dae..1297962 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -116,17 +116,13 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +116,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) -userdom_use_user_terminals(logrotate_t) ++systemd_exec_systemctl(logrotate_t) ++ +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -949,7 +951,15 @@ index 7090dae..2f3bab7 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -166,6 +162,11 @@ optional_policy(` +@@ -162,10 +160,19 @@ optional_policy(` + ') + + optional_policy(` ++ callweaver_stream_connect(logrotate_t) ++') ++ ++optional_policy(` + consoletype_exec(logrotate_t) ') optional_policy(` @@ -961,7 +971,7 @@ index 7090dae..2f3bab7 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +204,6 @@ optional_policy(` +@@ -203,7 +210,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') 
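Review bot: `systemd_exec_systemctl(logrotate_t)` in the logrotate.te hunk grants only execution of the systemctl binary inside logrotate_t; for a postrotate `systemctl reload`/`kill` to succeed, systemctl must also reach systemd over D-Bus or its private socket, and no such rule appears in this hunk, so either logrotate_t already has that access or the call will still be denied in enforcing mode — worth confirming with a forced rotation under `logrotate -f`. Because there is no domain transition, every postrotate script under /etc/logrotate.d inherits the ability to run arbitrary systemctl verbs with logrotate's own permissions; that is tolerable for root-owned config but should be stated next to the call, e.g. `# postrotate scripts run systemctl (reload/kill); executes in logrotate_t, no transition`.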
@@ -969,7 +979,7 @@ index 7090dae..2f3bab7 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +228,14 @@ optional_policy(` +@@ -228,3 +234,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -2349,7 +2359,7 @@ index 0948921..f198119 100644 admin_pattern($1, shorewall_tmp_t) ') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te -index c17b6a6..d412305 100644 +index c17b6a6..8ddae98 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te @@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -2362,7 +2372,7 @@ index c17b6a6..d412305 100644 kernel_read_kernel_sysctls(shorewall_t) kernel_read_network_state(shorewall_t) -@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t) +@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -2375,6 +2385,8 @@ index c17b6a6..d412305 100644 -userdom_dontaudit_list_user_home_dirs(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) ++userdom_use_inherited_user_ttys(shorewall_t) ++userdom_use_inherited_user_ptys(shorewall_t) + +optional_policy(` + brctl_domtrans(shorewall_t) @@ -5036,7 +5048,7 @@ index f5afe78..bf930fc 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..93e68ff 100644 +index 2505654..d27f79b 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) @@ -5111,7 +5123,7 @@ index 2505654..93e68ff 100644 ############################## # # Local Policy -@@ -75,3 +110,165 @@ optional_policy(` +@@ -75,3 +110,167 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') 
@@ -5186,6 +5198,8 @@ index 2505654..93e68ff 100644 +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + ++fs_getattr_xattr_fs(gnomesystemmm_t) ++ +miscfiles_read_localization(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) @@ -6413,7 +6427,7 @@ index 9a6d67d..c499e03 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..5f272f7 100644 +index 2a91fa8..85a9491 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -6502,7 +6516,7 @@ index 2a91fa8..5f272f7 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +289,194 @@ optional_policy(` +@@ -266,3 +289,198 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -6595,7 +6609,7 @@ index 2a91fa8..5f272f7 100644 + +miscfiles_read_localization(mozilla_plugin_t) +miscfiles_read_fonts(mozilla_plugin_t) -+miscfiles_read_certs(mozilla_plugin_t) ++miscfiles_read_generic_certs(mozilla_plugin_t) +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) +miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) + @@ -6678,6 +6692,10 @@ index 2a91fa8..5f272f7 100644 +') + +optional_policy(` ++ pcscd_stream_connect(mozilla_plugin_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) @@ -7407,10 +7425,10 @@ index 0000000..37449c0 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..d3500a4 +index 0000000..24c9669 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,324 @@ +@@ -0,0 +1,328 @@ +policy_module(nsplugin, 1.0.0) + +######################################## 
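Review bot: `pcscd_stream_connect(mozilla_plugin_t)` in the mozilla.te hunk gives every browser plugin process a direct channel to the smart-card daemon — a credential path (signing/decryption with an inserted card) rather than a convenience — and the hunk provides no boolean to switch it off. The other mozilla_plugin_t rules in view are unconditional as well, so this may be deliberate, but it deserves either a tunable or at least a comment naming the use case, e.g. `# smart-card auth from plugins (Java/Flash) talks to pcscd directly`. The `miscfiles_read_certs` → `miscfiles_read_generic_certs` rename is fine provided the latter interface exists in this tree's miscfiles.if, which is not visible here.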
@@ -7602,6 +7620,10 @@ index 0000000..d3500a4 +') + +optional_policy(` ++ gpm_getattr_gpmctl(nsplugin_t) ++') ++ ++optional_policy(` + mozilla_execute_user_home_files(nsplugin_t) + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) @@ -8784,10 +8806,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..c06a38c +index 0000000..10e2b3e --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,484 @@ +@@ -0,0 +1,486 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8907,6 +8929,7 @@ index 0000000..c06a38c +# sandbox local policy +# + ++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; @@ -8964,7 +8987,7 @@ index 0000000..c06a38c + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + -+allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem }; ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; + @@ -8989,6 +9012,7 @@ index 0000000..c06a38c +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) ++kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain) + +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + @@ -9287,10 +9311,23 @@ index 1f2cde4..7227631 100644 # # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..f505865 100644 +index 320df26..bd8db22 100644 --- a/policy/modules/apps/screen.if 
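Review bot: the new `allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };` in sandbox.te grants far more than the `getattr` the commit message names — `execstack` and `execmem` for every sandbox domain, including the non-X ones, whereas the next hunk shows only sandbox_x_domain previously carrying that permission set. Unless an equivalent rule already exists elsewhere in the file, this silently weakens the plain sandbox's W^X posture; if only getattr was needed the line should read `allow sandbox_domain self:process getattr;`, and an execmem/execstack grant, if actually wanted, should be its own line with a comment explaining which sandboxed workload needs it.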
+++ b/policy/modules/apps/screen.if -@@ -64,6 +64,10 @@ template(`screen_role_template',` +@@ -50,7 +50,7 @@ template(`screen_role_template',` + allow $1_screen_t self:udp_socket create_socket_perms; + # Internal screen networking + allow $1_screen_t self:fd use; +- allow $1_screen_t self:unix_stream_socket create_socket_perms; ++ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; + allow $1_screen_t self:unix_dgram_socket create_socket_perms; + + manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +@@ -61,9 +61,14 @@ template(`screen_role_template',` + # Create fifo + manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) + manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) ++ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) files_pid_filetrans($1_screen_t, screen_var_run_t, dir) allow $1_screen_t screen_home_t:dir list_dir_perms; @@ -9301,15 +9338,18 @@ index 320df26..f505865 100644 read_files_pattern($1_screen_t, screen_home_t, screen_home_t) read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) -@@ -73,6 +77,7 @@ template(`screen_role_template',` +@@ -71,8 +76,10 @@ template(`screen_role_template',` + + domtrans_pattern($3, screen_exec_t, $1_screen_t) allow $3 $1_screen_t:process { signal sigchld }; ++ dontaudit $3 $1_screen_t:unix_stream_socket { read write }; allow $1_screen_t $3:process signal; + manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) manage_files_pattern($3, screen_home_t, screen_home_t) manage_lnk_files_pattern($3, screen_home_t, screen_home_t) -@@ -81,8 +86,6 @@ template(`screen_role_template',` +@@ -81,8 +88,6 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) 
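Review bot: `dontaudit $3 $1_screen_t:unix_stream_socket { read write };` in the screen.if hunk silences the user domain's access to a screen socket it can only hold through an inherited descriptor, which looks like a leaked fd into the spawned shell rather than a policy gap. A dontaudit is a reasonable stopgap, but the reason should be recorded so it is not later mistaken for intended access, e.g. `# screen leaks its session socket fd to the spawned shell; dontaudit until closed-on-exec upstream`. The added `connectto` on `self:unix_stream_socket` together with `manage_sock_files_pattern` on screen_var_run_t is consistent with screen attaching to its own session socket under /var/run/screen; screen_role_template continues outside the hunk.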
@@ -9318,7 +9358,7 @@ index 320df26..f505865 100644 manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) kernel_read_system_state($1_screen_t) -@@ -112,6 +115,7 @@ template(`screen_role_template',` +@@ -112,6 +117,7 @@ template(`screen_role_template',` # for SSP dev_read_urand($1_screen_t) @@ -9326,15 +9366,6 @@ index 320df26..f505865 100644 domain_use_interactive_fds($1_screen_t) files_search_tmp($1_screen_t) -@@ -137,7 +141,7 @@ template(`screen_role_template',` - - seutil_read_config($1_screen_t) - -- userdom_use_user_terminals($1_screen_t) -+ userdom_use_inherited_user_terminals($1_screen_t) - userdom_create_user_pty($1_screen_t) - userdom_user_home_domtrans($1_screen_t, $3) - userdom_setattr_user_ptys($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..787df80 100644 --- a/policy/modules/apps/seunshare.if @@ -10243,10 +10274,10 @@ index ced285a..2e50976 100644 + ') +') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te -index 13b2cea..45731eb 100644 +index 13b2cea..bf46ac1 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te -@@ -6,9 +6,61 @@ policy_module(userhelper, 1.6.0) +@@ -6,9 +6,63 @@ policy_module(userhelper, 1.6.0) # attribute userhelper_type; @@ -10283,6 +10314,8 @@ index 13b2cea..45731eb 100644 + +corecmd_exec_bin(consolehelper_domain) + ++dev_getattr_all_chr_files(consolehelper_domain) ++ +files_read_config_files(consolehelper_domain) +files_read_usr_files(consolehelper_domain) + @@ -10648,7 +10681,7 @@ index 223ad43..d400ef6 100644 # Reading dotfiles... # cjp: ? diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..0d54b2c 100644 +index 34c9d01..1240d65 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` 
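Review bot: dropping the inner `-@@ -137,7 +141,7 @@` hunk from the outer patch reverts screen to `userdom_use_user_terminals($1_screen_t)` (open access to user ttys/ptys) while the same commit moves logrotate and shorewall to the narrower `userdom_use_inherited_*` forms, and the commit message does not mention screen at all. That is presumably deliberate — screen must open terminals it did not inherit, and `userdom_create_user_pty` sits right beside the call — but reverting a least-privilege narrowing should be called out in the message or with a comment, e.g. `# screen opens ttys/ptys itself, not only inherited ones`.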
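Review bot: `dev_getattr_all_chr_files(consolehelper_domain)` in userhelper.te is attached to the attribute shared by every consolehelper-launched domain and covers all character devices, memory and raw disk nodes included; getattr alone leaks only metadata, but the all-devices interface is the usual audit2allow over-grant when the real denial was a single node. If the trigger was one device (a tty, /dev/null, the random devices), prefer the matching `dev_getattr_*` interface, or `dev_dontaudit_getattr_all_chr_files` if the stat is merely a probe, and name the triggering application in a comment, e.g. `# <app> stats every /dev node on startup`. Note that this call presumably only builds once the `gen_require` fix for `dev_getattr_all_chr_files` in devices.if is in place, so the two changes must land together.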
@@ -10857,9 +10890,12 @@ index 34c9d01..0d54b2c 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -373,7 +381,6 @@ ifdef(`distro_suse', ` +@@ -372,8 +380,9 @@ ifdef(`distro_suse', ` + /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -11274,7 +11310,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..1d51170 100644 +index e9313fb..a09c590 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` 
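Review bot: `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` is inserted in corecommands.fc after `/var/lib/asterisk/agi-bin(/.*)?` and before `/usr/lib/yp/.+`, outside the file's path ordering, and neither the entry nor the commit message says which gem needs its helper scripts labeled bin_t. As written, every file under any gem's helper-scripts tree becomes executable-labeled for every domain that may exec bin_t, so the pattern should be narrowed to the gem in question if its name is known, and a comment should name it, e.g. `# <gem> spawns its helper-scripts as separate processes`.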
@@ -11438,174 +11474,7 @@ index e9313fb..1d51170 100644 ') ######################################## -@@ -841,6 +896,166 @@ interface(`dev_manage_all_dev_nodes',` - - ######################################## - ## -+## Check generic block device nodes -+## for read permission. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_check_read_generic_blk_dev_nodes',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ allow $1 { device_t device_node }:blk_file read; -+') -+ -+######################################## -+## -+## Check generic block device nodes -+## for write permission. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_check_write_generic_blk_dev_nodes',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ allow $1 { device_t device_node }:blk_file write; -+') -+ -+######################################## -+## -+## Check all character device nodes -+## for read permission. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_check_read_all_chr_dev_nodes',` -+ gen_require(` -+ attribute device_node, memory_raw_read; -+ type device_t; -+ ') -+ -+ allow $1 { device_t device_node }:chr_file read; -+ typeattribute $1 memory_raw_read; -+') -+ -+######################################## -+## -+## Check all character device nodes -+## for write permission. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_check_write_all_chr_dev_nodes',` -+ gen_require(` -+ attribute device_node, memory_raw_write; -+ type device_t; -+ ') -+ -+ allow $1 { device_t device_node }:chr_file write; -+ typeattribute $1 memory_raw_write; -+') -+ -+######################################## -+## -+## Create all character device_nodes. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_create_all_chr_dev_nodes',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ create_chr_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## -+## Create all block device_nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_create_all_blk_dev_nodes',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ create_blk_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## -+## Set attributes of all character -+## device_nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_all_chr_dev_nodes',` -+ gen_require(` -+ type device_t; -+ attribute device_node; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, { device_t device_node }) -+') -+ -+######################################## -+## -+## Set attributes of all block -+## device_nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_all_blk_dev_nodes',` -+ gen_require(` -+ type device_t; -+ attribute device_node; -+ ') -+ -+ setattr_blk_files_pattern($1, device_t, { device_t device_node }) -+') -+ -+######################################## -+## - ## Dontaudit getattr for generic device files. - ## - ## -@@ -920,7 +1135,7 @@ interface(`dev_filetrans',` +@@ -920,7 +975,7 @@ interface(`dev_filetrans',` type device_t; ') @@ -11614,7 +11483,15 @@ index e9313fb..1d51170 100644 dev_associate($2) files_associate_tmp($2) -@@ -1178,6 +1393,42 @@ interface(`dev_create_all_chr_files',` +@@ -1006,6 +1061,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` + interface(`dev_getattr_all_chr_files',` + gen_require(` + attribute device_node; ++ type device_t; + ') + + getattr_chr_files_pattern($1, device_t, device_node) +@@ -1178,6 +1234,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## 
@@ -11657,7 +11534,7 @@ index e9313fb..1d51170 100644 ## Delete all block device files. ## ## -@@ -2663,7 +2914,7 @@ interface(`dev_write_misc',` +@@ -2663,7 +2755,7 @@ interface(`dev_write_misc',` ## ## ## @@ -11666,7 +11543,7 @@ index e9313fb..1d51170 100644 ## ## # -@@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',` +@@ -3192,24 +3284,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -11691,7 +11568,7 @@ index e9313fb..1d51170 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +4026,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3793,6 +3867,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -11716,7 +11593,7 @@ index e9313fb..1d51170 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +4135,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3884,25 +3976,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -11742,7 +11619,7 @@ index e9313fb..1d51170 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4186,42 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4027,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -11785,7 +11662,7 @@ index e9313fb..1d51170 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4782,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4623,24 @@ interface(`dev_rwx_vmware',` ######################################## ## @@ -11810,7 +11687,7 @@ index e9313fb..1d51170 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +5034,772 @@ interface(`dev_unconfined',` +@@ -4748,3 +4875,772 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -15816,7 +15693,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..8320396 100644 +index 3723150..b7b777d 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` @@ -15828,41 +15705,7 @@ index 3723150..8320396 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -152,6 +154,33 @@ interface(`storage_raw_write_fixed_disk',` - - ######################################## - ## -+## Directly check for write from a -+## fixed disk. This is extremly -+## dangerous as it can bypass the -+## SELinux protections for filesystem -+## objects, and should only be used -+## by trusted domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`storage_raw_check_write_fixed_disk',` -+ gen_require(` -+ attribute fixed_disk_raw_write; -+ type fixed_disk_device_t; -+ ') -+ -+ dev_list_all_dev_nodes($1) -+ allow $1 fixed_disk_device_t:blk_file write; -+ allow $1 fixed_disk_device_t:chr_file write; -+ typeattribute $1 fixed_disk_raw_write; -+') -+ -+######################################## -+## - ## Do not audit attempts made by the caller to write - ## fixed disk device nodes. - ## -@@ -203,7 +232,10 @@ interface(`storage_create_fixed_disk_dev',` +@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',` type fixed_disk_device_t; ') 
@@ -15873,40 +15716,7 @@ index 3723150..8320396 100644 dev_add_entry_generic_dirs($1) ') -@@ -474,6 +506,32 @@ interface(`storage_write_scsi_generic',` - - ######################################## - ## -+## Directly check for write from any -+## SCSI device. This is extremly -+## dangerous as it can bypass the -+## SELinux protections for filesystem -+## objects, and should only be used -+## by trusted domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`storage_check_write_scsi_generic',` -+ gen_require(` -+ attribute scsi_generic_write; -+ type scsi_generic_device_t; -+ ') -+ -+ dev_list_all_dev_nodes($1) -+ allow $1 scsi_generic_device_t:chr_file write; -+ typeattribute $1 scsi_generic_write; -+') -+ -+######################################## -+## - ## Set attributes of the device nodes - ## for the SCSI generic inerface. - ## -@@ -807,3 +865,304 @@ interface(`storage_unconfined',` +@@ -807,3 +812,358 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -16040,6 +15850,50 @@ index 3723150..8320396 100644 + dev_filetrans($1, fixed_disk_device_t, blk_file, sdc7) + dev_filetrans($1, fixed_disk_device_t, blk_file, sdc8) + dev_filetrans($1, fixed_disk_device_t, blk_file, sdc9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd6) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdd9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde6) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sde9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf6) ++ dev_filetrans($1, 
fixed_disk_device_t, blk_file, sdf7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdf9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg6) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdg9) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2) @@ -16185,6 +16039,16 @@ index 3723150..8320396 100644 + dev_filetrans($1, scsi_generic_device_t, chr_file, sg7) + dev_filetrans($1, scsi_generic_device_t, chr_file, sg8) + dev_filetrans($1, scsi_generic_device_t, chr_file, sg9) ++ dev_filetrans($1, removable_device_t, blk_file, sr0) ++ dev_filetrans($1, removable_device_t, blk_file, sr1) ++ dev_filetrans($1, removable_device_t, blk_file, sr2) ++ dev_filetrans($1, removable_device_t, blk_file, sr3) ++ dev_filetrans($1, removable_device_t, blk_file, sr4) ++ dev_filetrans($1, removable_device_t, blk_file, sr5) ++ dev_filetrans($1, removable_device_t, blk_file, sr6) ++ dev_filetrans($1, removable_device_t, blk_file, sr7) ++ dev_filetrans($1, removable_device_t, blk_file, sr8) ++ dev_filetrans($1, removable_device_t, blk_file, sr9) + dev_filetrans($1, removable_device_t, blk_file, sjcd) + dev_filetrans($1, removable_device_t, blk_file, sonycd) + dev_filetrans($1, tape_device_t, chr_file, tape0) 
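Review bot: the `sdd0` … `sdg0` entries in the new `dev_filetrans` list can never match, since SCSI-disk partition nodes are numbered from 1, while partitions 10 and above and disks beyond sdg are not listed at all, so this name-based labeling is inherently partial. That is acceptable as long as it is understood that udev's restorecon path remains the real mechanism; a comment saying so would stop someone extending the list indefinitely, e.g. `# named transitions for common nodes only; sdX10+ and later disks rely on udev/restorecon`. The `sr0` … `sr9` entries as removable_device_t are consistent with the existing `sjcd`/`sonycd` entries.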
@@ -19149,10 +19013,10 @@ index e88b95f..4b5f106 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..0380c60 100644 +index 1bd5812..58e01b0 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc -@@ -15,6 +15,14 @@ +@@ -15,6 +15,13 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -19162,11 +19026,10 @@ index 1bd5812..0380c60 100644 /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + +# ABRT retrace server -+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) ++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) ++/usr/bin/coredump2packages\.py -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) + -+/usr/share/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -+/usr/share/abrt-retrace/worker\.py -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -+/usr/share/abrt-retrace/coredump2packages\.py -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) ++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 0b827c5..c3b3a95 100644 --- a/policy/modules/services/abrt.if @@ -19326,7 +19189,7 @@ index 0b827c5..c3b3a95 100644 + manage_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..0944e25 100644 +index 30861ec..3cdc81e 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
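Review bot: the retrace-server entrypoints move from `/usr/share/abrt-retrace/worker\.py` and `coredump2packages\.py` to `/usr/bin/abrt-retrace-worker` and `/usr/bin/coredump2packages\.py`, and the cache from `/usr/share/abrt-retrace` to `/var/cache/abrt-retrace`; if any shipped version of the package still installs the /usr/share scripts they fall back to the default label and lose the abrt_retrace_*_exec_t entrypoint, so the entries should be checked against the package's current file list. Moving a writable cache type out of /usr/share into /var/cache is the right direction; a comment citing the package version these paths come from would help later maintainers, e.g. `# paths as shipped by abrt-retrace-server <version>`.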
@@ -19578,7 +19441,7 @@ index 30861ec..0944e25 100644 +manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t) +manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t) + -+allow abrt_retrace_worker_t abrt_etc_t:file r_file_perms; ++allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms; + +can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) + @@ -20986,7 +20849,7 @@ index 6480167..1440827 100644 + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..5bbc3c3 100644 +index 3136c6a..02f0378 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -21366,7 +21229,7 @@ index 3136c6a..5bbc3c3 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +492,12 @@ files_read_etc_files(httpd_t) +@@ -402,6 +492,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -21374,12 +21237,13 @@ index 3136c6a..5bbc3c3 100644 +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) -@@ -416,34 +512,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +513,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) 
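Review bot: the `r_file_perms` → `read_file_perms` change on `abrt_etc_t` is a correctness fix rather than labeling — if `r_file_perms` is not a defined permission set in this tree, the abrt module would not compile at all — and the commit message ("Fix labeling for ABRT Retrace Server") does not cover it. It deserves its own line in the message so the change is findable later; abrt_retrace_worker_t's policy continues outside the hunk.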
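Review bot: the added `manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` in apache.te grants fifo management on httpd_tmp_t, but the `files_tmp_filetrans` line directly below it labels fifo_files that httpd_sys_script_t creates in /tmp as httpd_sys_rw_content_t, not httpd_tmp_t, so a CGI script creating its own fifo in /tmp still lands on a type these new rules do not cover. If the intent is to let scripts create and use their own fifos in /tmp, the transition and the manage rules need to agree on one type; if httpd_tmp_t fifos are created by httpd_t itself and merely used by scripts, a comment stating that (e.g. `# fifos created by httpd_t, scripts only manage them`) would keep the next reader from seeing a mismatch. httpd_t's rules continue outside the hunk.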
@@ -21456,7 +21320,7 @@ index 3136c6a..5bbc3c3 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +592,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +593,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -21467,7 +21331,7 @@ index 3136c6a..5bbc3c3 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +606,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +607,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21497,7 +21361,7 @@ index 3136c6a..5bbc3c3 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +636,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +637,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -21514,7 +21378,7 @@ index 3136c6a..5bbc3c3 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +660,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +661,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21535,7 +21399,7 @@ index 3136c6a..5bbc3c3 100644 ') optional_policy(` -@@ -513,7 +684,13 @@ optional_policy(` +@@ -513,7 +685,13 @@ optional_policy(` ') optional_policy(` @@ -21550,7 +21414,7 @@ index 3136c6a..5bbc3c3 100644 ') optional_policy(` -@@ -528,7 +705,18 @@ optional_policy(` +@@ -528,7 +706,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') 
@@ -21570,7 +21434,7 @@ index 3136c6a..5bbc3c3 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +725,13 @@ optional_policy(` +@@ -537,8 +726,13 @@ optional_policy(` ') optional_policy(` @@ -21585,7 +21449,7 @@ index 3136c6a..5bbc3c3 100644 ') ') -@@ -556,7 +749,13 @@ optional_policy(` +@@ -556,7 +750,13 @@ optional_policy(` ') optional_policy(` @@ -21599,7 +21463,7 @@ index 3136c6a..5bbc3c3 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +766,7 @@ optional_policy(` +@@ -567,6 +767,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21607,7 +21471,7 @@ index 3136c6a..5bbc3c3 100644 ') optional_policy(` -@@ -577,6 +777,16 @@ optional_policy(` +@@ -577,6 +778,16 @@ optional_policy(` ') optional_policy(` @@ -21624,7 +21488,7 @@ index 3136c6a..5bbc3c3 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +801,11 @@ optional_policy(` +@@ -591,6 +802,11 @@ optional_policy(` ') optional_policy(` @@ -21636,7 +21500,7 @@ index 3136c6a..5bbc3c3 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +818,11 @@ optional_policy(` +@@ -603,6 +819,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21648,7 +21512,7 @@ index 3136c6a..5bbc3c3 100644 ######################################## # # Apache helper local policy -@@ -616,7 +836,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +837,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21661,7 +21525,7 @@ index 3136c6a..5bbc3c3 100644 ######################################## # -@@ -654,28 +878,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +879,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -21705,7 +21569,7 @@ index 3136c6a..5bbc3c3 100644 ') ######################################## -@@ -699,17 +925,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +926,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -21731,7 +21595,7 @@ index 3136c6a..5bbc3c3 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +971,27 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +972,27 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21760,7 +21624,7 @@ index 3136c6a..5bbc3c3 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1014,25 @@ optional_policy(` +@@ -769,6 +1015,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21786,7 +21650,7 @@ index 3136c6a..5bbc3c3 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1053,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1054,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21804,7 +21668,7 @@ index 3136c6a..5bbc3c3 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1072,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1073,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -21861,7 +21725,7 @@ index 3136c6a..5bbc3c3 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1123,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1124,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -21892,7 +21756,7 @@ index 3136c6a..5bbc3c3 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1158,20 @@ optional_policy(` +@@ -842,10 +1159,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21913,7 +21777,7 @@ index 3136c6a..5bbc3c3 100644 ') ######################################## -@@ -891,11 +1217,21 @@ optional_policy(` +@@ -891,11 +1218,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -23439,6 +23303,452 @@ index 0000000..e7d2a5b +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc +new file mode 100644 +index 0000000..3e15c63 +--- /dev/null ++++ b/policy/modules/services/callweaver.fc +@@ -0,0 +1,11 @@ ++/etc/rc\.d/init\.d/callweaver -- gen_context(system_u:object_r:callweaver_initrc_exec_t,s0) ++ ++/usr/sbin/callweaver -- gen_context(system_u:object_r:callweaver_exec_t,s0) ++ ++/var/lib/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_lib_t,s0) ++ ++/var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0) ++ ++/var/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0) ++ ++/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) +diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if +new file mode 100644 +index 0000000..c8d7b83 +--- /dev/null ++++ b/policy/modules/services/callweaver.if +@@ -0,0 +1,338 @@ ++## Open source PBX project. ++ ++######################################## ++## ++## Execute callweaver in the ++## callweaver domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`callweaver_domtrans',` ++ gen_require(` ++ type callweaver_t, callweaver_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, callweaver_exec_t, callweaver_t) ++') ++ ++######################################## ++## ++## Execute callweaver in the ++## callweaver domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`callweaver_initrc_domtrans',` ++ gen_require(` ++ type callweaver_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, callweaver_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read callweaver log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`callweaver_read_log',` ++ gen_require(` ++ type callweaver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, callweaver_log_t, callweaver_log_t) ++') ++ ++######################################## ++## ++## Append to callweaver log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_append_log',` ++ gen_require(` ++ type callweaver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, callweaver_log_t, callweaver_log_t) ++') ++ ++######################################## ++## ++## Manage callweaver log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_manage_log',` ++ gen_require(` ++ type callweaver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t) ++ manage_files_pattern($1, callweaver_log_t, callweaver_log_t) ++ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t) ++') ++ ++######################################## ++## ++## Search callweaver lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_search_lib',` ++ gen_require(` ++ type callweaver_var_lib_t; ++ ') ++ ++ allow $1 callweaver_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read callweaver lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_read_lib_files',` ++ gen_require(` ++ type callweaver_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) ++') ++ ++######################################## ++## ++## Manage callweaver lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`callweaver_manage_lib_files',` ++ gen_require(` ++ type callweaver_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) ++') ++ ++######################################## ++## ++## Manage callweaver lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_manage_lib_dirs',` ++ gen_require(` ++ type callweaver_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read callweaver PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_read_pid_files',` ++ gen_require(` ++ type callweaver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 callweaver_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Connect to callweaver over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_stream_connect',` ++ gen_require(` ++ type callweaver_t, callweaver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t) ++') ++ ++######################################## ++## ++## Search callweaver spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_search_spool',` ++ gen_require(` ++ type callweaver_spool_t; ++ ') ++ ++ allow $1 callweaver_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Read callweaver spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`callweaver_read_spool_files',` ++ gen_require(` ++ type callweaver_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, callweaver_spool_t callweaver_spool_t) ++') ++ ++######################################## ++## ++## Manage callweaver spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_manage_spool_files',` ++ gen_require(` ++ type callweaver_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t) ++') ++ ++######################################## ++## ++## Manage callweaver spool dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`callweaver_manage_spool_dirs',` ++ gen_require(` ++ type callweaver_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an callweaver environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`callweaver_admin',` ++ gen_require(` ++ type callweaver_t; ++ type callweaver_initrc_exec_t; ++ type callweaver_log_t; ++ type callweaver_var_lib_t; ++ type callweaver_var_run_t; ++ type callweaver_spool_t; ++ ') ++ ++ allow $1 callweaver_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, callweaver_t) ++ ++ callweaver_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 callweaver_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, callweaver_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, callweaver_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, callweaver_var_run_t) ++ ++ files_search_spool($1) ++ admin_pattern($1, callweaver_spool_t) ++') +diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te +new file mode 100644 +index 0000000..a67f732 +--- /dev/null ++++ b/policy/modules/services/callweaver.te +@@ -0,0 +1,79 @@ ++policy_module(callweaver,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type callweaver_t; ++type callweaver_exec_t; ++init_daemon_domain(callweaver_t, callweaver_exec_t) ++ ++permissive callweaver_t; ++ ++type callweaver_initrc_exec_t; ++init_script_file(callweaver_initrc_exec_t) ++ ++type callweaver_log_t; ++logging_log_file(callweaver_log_t) ++ ++type callweaver_var_lib_t; ++files_type(callweaver_var_lib_t) ++ ++type callweaver_var_run_t; ++files_pid_file(callweaver_var_run_t) ++ ++type callweaver_spool_t; ++files_type(callweaver_spool_t) ++ ++######################################## ++# ++# callweaver local policy ++# ++ ++allow callweaver_t self:capability { setuid sys_nice setgid }; ++allow callweaver_t self:process { setsched signal }; ++allow callweaver_t self:fifo_file rw_fifo_file_perms; ++allow callweaver_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) 
++manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t) ++logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } ) ++ ++manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) ++manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) ++files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } ) ++ ++manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) ++manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) ++manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) ++files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file }) ++ ++manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) ++manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) ++manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) ++files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file }) ++ ++allow callweaver_t self:tcp_socket create_stream_socket_perms; ++allow callweaver_t self:udp_socket create_socket_perms; ++ ++kernel_read_sysctl(callweaver_t) ++kernel_read_kernel_sysctls(callweaver_t) ++ ++corenet_udp_bind_asterisk_port(callweaver_t) ++corenet_udp_bind_generic_port(callweaver_t) ++corenet_udp_bind_sip_port(callweaver_t) ++ ++dev_manage_generic_symlinks(callweaver_t) ++ ++domain_use_interactive_fds(callweaver_t) ++ ++files_read_etc_files(callweaver_t) ++ ++term_getattr_pty_fs(callweaver_t) ++term_use_generic_ptys(callweaver_t) ++term_use_ptmx(callweaver_t) ++ ++auth_use_nsswitch(callweaver_t) ++ ++miscfiles_read_localization(callweaver_t) diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc index 5432d0e..f77df02 100644 --- a/policy/modules/services/canna.fc @@ -25008,10 +25318,10 @@ index 0000000..939d76e +') 
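Review bot: `callweaver_read_spool_files` in the new callweaver.if is missing the comma between its last two arguments, `read_files_pattern($1, callweaver_spool_t callweaver_spool_t)`, so m4 expands it as a two-argument call and the first module that uses the interface will fail policy compilation; it should read `read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)`. The module also declares `permissive callweaver_t;` in callweaver.te, so none of the allow rules below it are enforced yet; a comment such as `# TODO: drop permissive once the domain has been exercised in enforcing mode` would keep that from being forgotten. `corenet_udp_bind_generic_port(callweaver_t)` lets the daemon bind any generic UDP port on top of the asterisk and sip ports, as the interface name suggests; if only a known RTP range is needed, a narrower bind would be preferable.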
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..c0e81e5 +index 0000000..74788d2 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,107 @@ +@@ -0,0 +1,108 @@ +policy_module(colord,1.0.0) + +######################################## @@ -25072,6 +25382,7 @@ index 0000000..c0e81e5 +dev_read_urand(colord_t) +dev_list_sysfs(colord_t) +dev_rw_generic_usb_dev(colord_t) ++storage_getattr_fixed_disk_dev(colord_t) +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + @@ -27495,7 +27806,7 @@ index f706b99..f0c629f 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..bf57734 100644 +index f231f17..7cc036b 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -27521,7 +27832,15 @@ index f231f17..bf57734 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -97,6 +102,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) + dev_manage_generic_files(devicekit_disk_t) + dev_getattr_all_chr_files(devicekit_disk_t) + dev_getattr_mtrr_dev(devicekit_disk_t) ++dev_rw_generic_blk_files(devicekit_disk_t) + + domain_getattr_all_pipes(devicekit_disk_t) + domain_getattr_all_sockets(devicekit_disk_t) +@@ -105,14 +111,17 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) 
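Review bot: `dev_rw_generic_blk_files(devicekit_disk_t)` is a broadening that the commit message does not list and the hunk does not explain; as its name suggests it grants read and write on block device nodes that still carry the generic device label rather than a specific storage type. devicekit_disk_t already has raw fixed-disk and removable-device access (the `storage_raw_*` calls visible in the neighbouring hunk), so the likely root cause is a block node that is not labeled with a storage type, which would be better fixed by labeling it. At minimum add a comment naming the device or AVC that motivated the rule, e.g. `# udisks probes block nodes that carry no storage-specific type yet`, so it can be revisited. The enclosing devicekit_disk_t rule block continues outside this hunk.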
@@ -27540,7 +27859,7 @@ index f231f17..bf57734 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -127,7 +135,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -127,7 +136,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -27549,7 +27868,7 @@ index f231f17..bf57734 100644 auth_use_nsswitch(devicekit_disk_t) -@@ -178,33 +186,53 @@ optional_policy(` +@@ -178,33 +187,53 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -27606,7 +27925,7 @@ index f231f17..bf57734 100644 domain_read_all_domains_state(devicekit_power_t) dev_read_input(devicekit_power_t) -@@ -212,21 +240,28 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,21 +241,28 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -27636,7 +27955,7 @@ index f231f17..bf57734 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,6 +270,10 @@ optional_policy(` +@@ -235,6 +271,10 @@ optional_policy(` ') optional_policy(` @@ -27647,7 +27966,7 @@ index f231f17..bf57734 100644 cron_initrc_domtrans(devicekit_power_t) ') -@@ -261,14 +300,21 @@ optional_policy(` +@@ -261,14 +301,21 @@ optional_policy(` ') optional_policy(` @@ -27670,7 +27989,7 @@ index f231f17..bf57734 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +322,25 @@ optional_policy(` +@@ -276,9 +323,25 @@ optional_policy(` ') optional_policy(` @@ -28227,7 +28546,7 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..da04e46 +index 0000000..61e618a --- /dev/null +++ b/policy/modules/services/dirsrv.te @@ -0,0 +1,179 @@ 
@@ -28323,7 +28642,7 @@ index 0000000..da04e46 + +kernel_read_system_state(dirsrv_t) + -+corecmd_search_sbin(dirsrv_t) ++corecmd_search_bin(dirsrv_t) + +corenet_all_recvfrom_unlabeled(dirsrv_t) +corenet_all_recvfrom_netlabel(dirsrv_t) @@ -31662,7 +31981,7 @@ index 9878499..9167dc9 100644 domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..e141bc5 100644 +index da2127e..ae77997 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0) @@ -31746,19 +32065,19 @@ index da2127e..e141bc5 100644 -files_read_etc_files(jabberd_t) -files_read_etc_runtime_files(jabberd_t) -+miscfiles_read_certs(jabberd_router_t) ++miscfiles_read_generic_certs(jabberd_router_t) ++ ++optional_policy(` ++ kerberos_use(jabberd_router_t) ++') -fs_getattr_all_fs(jabberd_t) -fs_search_auto_mountpoints(jabberd_t) +optional_policy(` -+ kerberos_use(jabberd_router_t) ++ nis_use_ypbind(jabberd_router_t) +') -logging_send_syslog_msg(jabberd_t) -+optional_policy(` -+ nis_use_ypbind(jabberd_router_t) -+') -+ +##################################### +# +# Local policy for other jabberd components @@ -31776,17 +32095,16 @@ index da2127e..e141bc5 100644 optional_policy(` - nis_use_ypbind(jabberd_t) -+ seutil_sigchld_newrole(jabberd_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(jabberd_t) ') optional_policy(` -- seutil_sigchld_newrole(jabberd_t) -+ udev_read_db(jabberd_t) + udev_read_db(jabberd_t) ') - --optional_policy(` -- udev_read_db(jabberd_t) --') ++ +####################################### +# +# Local policy for jabberd domains @@ -35236,7 +35554,7 @@ index c358d8f..fec6a97 100644 allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..8f01394 100644 +index f17583b..6b17513 100644 
--- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -35392,7 +35710,7 @@ index f17583b..8f01394 100644 rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +# needed by munin_* plugins -+allow system_munin_plugin_t munin_log_t:file r_file_perms; ++allow system_munin_plugin_t munin_log_t:file read_file_perms; + kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -39287,7 +39605,7 @@ index 46bee12..37bd751 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..38fe95a 100644 +index 06e37d4..4276415 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -39477,7 +39795,14 @@ index 06e37d4..38fe95a 100644 ######################################## # # Postfix map local policy -@@ -390,8 +429,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m +@@ -385,13 +424,15 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; + read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + ++mcs_file_read_all(postfix_pickup_t) ++ + ######################################## + # # Postfix pipe local policy # @@ -39487,7 +39812,7 @@ index 06e37d4..38fe95a 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +440,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +442,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
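Review bot: `mcs_file_read_all(postfix_pickup_t)` exempts the pickup domain from the MCS file-read constraint, which is a policy-wide exemption rather than an ordinary allow rule, and neither the hunk nor the commit message says why it is needed. Its placement directly after the `postfix_spool_maildrop_t` read and delete rules suggests it is for reading user-submitted maildrop files that keep the submitter's categories; if so, a comment above it would keep the exemption auditable, e.g. `# maildrop files keep the submitting user's MCS categories`. If only the maildrop spool is affected, consider whether those files could be created without categories instead of exempting the whole domain.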
@@ -39496,7 +39821,7 @@ index 06e37d4..38fe95a 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +461,7 @@ optional_policy(` +@@ -420,6 +463,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -39504,7 +39829,7 @@ index 06e37d4..38fe95a 100644 ') optional_policy(` -@@ -436,6 +478,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,6 +480,9 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -39514,7 +39839,7 @@ index 06e37d4..38fe95a 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -487,8 +532,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +534,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -39525,7 +39850,7 @@ index 06e37d4..38fe95a 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +552,8 @@ optional_policy(` +@@ -507,6 +554,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -39534,7 +39859,7 @@ index 06e37d4..38fe95a 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +568,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -39543,7 +39868,7 @@ index 06e37d4..38fe95a 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +588,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -39552,7 +39877,7 @@ index 06e37d4..38fe95a 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +637,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -39569,7 +39894,7 @@ index 06e37d4..38fe95a 100644 ') optional_policy(` -@@ -611,8 +664,8 @@ optional_policy(` +@@ -611,8 +666,8 @@ optional_policy(` # Postfix virtual local policy # @@ -39579,7 +39904,7 @@ index 06e37d4..38fe95a 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +685,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -40517,7 +40842,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..ebb9b4d 100644 +index 64c5f95..0d94b62 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -40608,7 +40933,7 @@ index 64c5f95..ebb9b4d 100644 logging_send_syslog_msg(puppetmaster_t) miscfiles_read_localization(puppetmaster_t) -+miscfiles_read_certs(puppetmaster_t) ++miscfiles_read_generic_certs(puppetmaster_t) + +seutil_read_file_contexts(puppetmaster_t) 
@@ -40618,15 +40943,15 @@ index 64c5f95..ebb9b4d 100644 +mta_send_mail(puppetmaster_t) + +optional_policy(` -+ tunable_policy(`puppetmaster_use_db',` -+ mysql_stream_connect(puppetmaster_t) -+ ') ++ tunable_policy(`puppetmaster_use_db',` ++ mysql_stream_connect(puppetmaster_t) ++ ') +') + +optional_policy(` -+ tunable_policy(`puppetmaster_use_db',` -+ postgresql_stream_connect(puppetmaster_t) -+ ') ++ tunable_policy(`puppetmaster_use_db',` ++ postgresql_stream_connect(puppetmaster_t) ++ ') +') + optional_policy(` @@ -44599,10 +44924,10 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..8b74d10 100644 +index 606a098..14535da 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te -@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t) +@@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) @@ -44624,6 +44949,11 @@ index 606a098..8b74d10 100644 term_dontaudit_search_ptys(fsdaemon_t) ++init_read_utmp(fsdaemon_t) ++ + libs_exec_ld_so(fsdaemon_t) + libs_exec_lib_files(fsdaemon_t) + diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 740994a..a92ba26 100644 --- a/policy/modules/services/smokeping.te @@ -53590,7 +53920,7 @@ index cc83689..48662f1 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..22a5fdd 100644 +index ea29513..787ac51 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -53975,15 +54305,18 @@ index ea29513..22a5fdd 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +482,7 @@ dev_read_sound_mixer(initrc_t) +@@ -289,8 +480,10 @@ dev_write_framebuffer(initrc_t) + dev_read_realtime_clock(initrc_t) + dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) ++dev_setattr_generic_dirs(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) +dev_rw_generic_chr_files(initrc_t) dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +490,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +491,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -53999,7 +54332,7 @@ index ea29513..22a5fdd 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +508,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +509,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -54007,7 +54340,7 @@ index ea29513..22a5fdd 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +516,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +517,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -54019,7 +54352,7 @@ index ea29513..22a5fdd 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +535,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +536,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
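Review bot: `dev_setattr_generic_dirs(initrc_t)` is now granted unconditionally, but the same call already exists inside the distro_debian ifdef block later in init.te (visible as context in a following hunk of this patch), so that conditional copy is now redundant and should be removed to keep the two from drifting. A one-line why-comment on the new rule would also help, since setattr on generic /dev directories is not an obvious initrc need and the commit message does not mention it. The initrc_t rule block continues outside this hunk.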
@@ -54033,7 +54366,7 @@ index ea29513..22a5fdd 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +550,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +551,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -54042,7 +54375,7 @@ index ea29513..22a5fdd 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +565,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -54050,7 +54383,7 @@ index ea29513..22a5fdd 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +577,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -54058,7 +54391,7 @@ index ea29513..22a5fdd 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +597,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +598,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -54080,7 +54413,7 @@ index ea29513..22a5fdd 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +661,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -54091,7 +54424,7 @@ index ea29513..22a5fdd 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +684,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +685,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -54100,7 +54433,7 @@ index ea29513..22a5fdd 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +699,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +700,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -54108,7 +54441,7 @@ index ea29513..22a5fdd 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +729,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +730,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -54138,7 +54471,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -531,10 +759,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +760,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -54161,7 +54494,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -549,6 +789,39 @@ ifdef(`distro_suse',` +@@ -549,6 +790,39 @@ ifdef(`distro_suse',` ') ') @@ -54201,7 +54534,7 @@ index ea29513..22a5fdd 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +834,8 @@ optional_policy(` +@@ -561,6 +835,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -54210,7 +54543,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -577,6 +852,7 @@ optional_policy(` +@@ -577,6 +853,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -54218,7 +54551,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -589,6 +865,11 @@ optional_policy(` +@@ -589,6 +866,11 @@ optional_policy(` ') optional_policy(` @@ -54230,7 +54563,7 @@ index ea29513..22a5fdd 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +886,13 @@ optional_policy(` +@@ -605,9 +887,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -54244,7 +54577,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -649,6 +934,11 @@ optional_policy(` +@@ -649,6 +935,11 @@ optional_policy(` ') optional_policy(` @@ -54256,7 +54589,7 @@ index ea29513..22a5fdd 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +996,13 @@ optional_policy(` +@@ -706,7 +997,13 @@ optional_policy(` ') optional_policy(` @@ -54270,7 +54603,7 @@ index ea29513..22a5fdd 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1025,10 @@ optional_policy(` +@@ -729,6 +1026,10 @@ optional_policy(` ') optional_policy(` @@ -54281,7 +54614,7 @@ index ea29513..22a5fdd 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1038,20 @@ optional_policy(` +@@ -738,10 +1039,20 @@ optional_policy(` ') optional_policy(` @@ -54302,7 +54635,7 @@ index ea29513..22a5fdd 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1060,10 @@ optional_policy(` +@@ -750,6 +1061,10 @@ optional_policy(` ') optional_policy(` @@ -54313,7 +54646,7 @@ index ea29513..22a5fdd 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1085,6 @@ optional_policy(` +@@ -771,8 +1086,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -54322,7 +54655,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -781,14 +1093,21 @@ optional_policy(` +@@ -781,14 +1094,21 @@ optional_policy(` ') optional_policy(` @@ -54344,7 +54677,7 @@ index ea29513..22a5fdd 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1119,6 @@ optional_policy(` +@@ -800,7 +1120,6 @@ optional_policy(` ') optional_policy(` @@ -54352,7 +54685,7 @@ index ea29513..22a5fdd 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1128,24 @@ optional_policy(` +@@ -810,11 +1129,24 @@ optional_policy(` ') optional_policy(` 
@@ -54378,7 +54711,7 @@ index ea29513..22a5fdd 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1155,25 @@ optional_policy(` +@@ -824,6 +1156,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -54404,7 +54737,7 @@ index ea29513..22a5fdd 100644 ') optional_policy(` -@@ -849,3 +1199,42 @@ optional_policy(` +@@ -849,3 +1200,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -58844,7 +59177,7 @@ index ff80d0a..95e705c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..0c5f46e 100644 +index df32316..5dfe875 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) @@ -59036,7 +59369,7 @@ index df32316..0c5f46e 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +361,15 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +361,14 @@ ifdef(`distro_ubuntu',` ') ') @@ -59045,14 +59378,13 @@ index df32316..0c5f46e 100644 +') + ifdef(`hide_broken_symptoms',` -+ + # caused by some bogus kernel code + dontaudit ifconfig_t self:capability sys_module; + optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,12 +380,31 @@ ifdef(`hide_broken_symptoms',` +@@ -325,12 +379,31 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -59084,7 +59416,7 @@ index df32316..0c5f46e 100644 ') optional_policy(` -@@ -355,3 +429,9 @@ optional_policy(` +@@ -355,3 +428,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -59760,7 +60092,7 @@ index 025348a..4e2ca03 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..a90decc 100644 +index d88f7c3..5635614 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -59834,35 +60166,15 @@ index d88f7c3..a90decc 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -95,8 +101,19 @@ kernel_read_software_raid_state(udev_t) - - corecmd_exec_all_executables(udev_t) +@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t) -+dev_write_kmsg(udev_t) dev_rw_sysfs(udev_t) --dev_manage_all_dev_nodes(udev_t) -+dev_read_raw_memory(udev_t) -+dev_check_read_all_chr_dev_nodes(udev_t) -+dev_check_read_generic_blk_dev_nodes(udev_t) -+dev_check_write_all_chr_dev_nodes(udev_t) -+dev_check_write_generic_blk_dev_nodes(udev_t) -+dev_create_all_blk_dev_nodes(udev_t) -+dev_create_all_chr_dev_nodes(udev_t) -+dev_setattr_all_chr_dev_nodes(udev_t) -+dev_setattr_all_blk_dev_nodes(udev_t) + dev_manage_all_dev_nodes(udev_t) +dev_rw_generic_usb_dev(udev_t) -+ dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +122,27 @@ dev_relabel_all_dev_nodes(udev_t) - # preserved, instead of short circuiting the relabel - dev_relabel_generic_symlinks(udev_t) - dev_manage_generic_symlinks(udev_t) -+dev_manage_generic_dirs(udev_t) - - domain_read_all_domains_state(udev_t) - domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) 
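Review bot: The rewritten udev.te hunk (`+@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t)`) keeps upstream's ` dev_manage_all_dev_nodes(udev_t)` and drops the narrower `dev_check_read_*`/`dev_check_write_*`/`dev_create_*`/`dev_setattr_*` rules plus `dev_write_kmsg`/`dev_read_raw_memory` that the previous revision of this patch had substituted for it, and the next hunk (`@@ -59884,21 +60196,7 @@`, on the following line) likewise drops the six `storage_*` raw-device rules, yet neither the commit subject nor the %changelog entry mentions udev. Returning to the all-device-nodes interface presumably re-widens udev_t's device-node privilege relative to the previous patch revision (the dropped raw-memory and raw-disk rules go the other way), so the rationale — a denial the fine-grained set caused, or a deliberate revert — should be recorded, e.g. a changelog bullet `- Revert udev_t to dev_manage_all_dev_nodes(); drop fine-grained dev/storage rules`. If a specific AVC motivated it, citing it in the patch description would let the narrower rule set be retried later.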
@@ -59884,21 +60196,7 @@ index d88f7c3..a90decc 100644 mcs_ptrace_all(udev_t) -@@ -136,6 +159,13 @@ selinux_compute_create_context(udev_t) - selinux_compute_relabel_context(udev_t) - selinux_compute_user_contexts(udev_t) - -+storage_raw_read_fixed_disk(udev_t) -+storage_read_scsi_generic(udev_t) -+storage_raw_read_removable_device(udev_t) -+storage_raw_write_removable_device(udev_t) -+storage_raw_check_write_fixed_disk(udev_t) -+storage_check_write_scsi_generic(udev_t) -+ - auth_read_pam_console_data(udev_t) - auth_domtrans_pam_console(udev_t) - auth_use_nsswitch(udev_t) -@@ -143,6 +173,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -59906,7 +60204,7 @@ index d88f7c3..a90decc 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +217,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +199,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -59927,7 +60225,7 @@ index d88f7c3..a90decc 100644 ') optional_policy(` -@@ -216,11 +248,16 @@ optional_policy(` +@@ -216,11 +230,16 @@ optional_policy(` ') optional_policy(` @@ -59944,7 +60242,7 @@ index d88f7c3..a90decc 100644 ') optional_policy(` -@@ -230,6 +267,15 @@ optional_policy(` +@@ -230,6 +249,15 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -59960,7 +60258,7 @@ index d88f7c3..a90decc 100644 ') optional_policy(` -@@ -259,6 +305,10 @@ optional_policy(` +@@ -259,6 +287,10 @@ optional_policy(` ') optional_policy(` @@ -59971,7 +60269,7 @@ index d88f7c3..a90decc 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +323,11 @@ optional_policy(` +@@ -273,6 +305,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 6d583cf..629f001 100644 --- a/selinux-policy.spec 
+++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,15 @@ exit 0 %endif %changelog +* Thu May 17 2011 Miroslav Grepl 3.9.16-22 +- Allow logrotate to execute systemctl +- Allow nsplugin_t to getattr on gpmctl +- Fix dev_getattr_all_chr_files() interface +- Allow shorewall to use inherited terms +- Allow userhelper to getattr all chr_file devices +- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t +- Fix labeling for ABRT Retrace Server + * Mon May 9 2011 Miroslav Grepl 3.9.16-21 - Dontaudit sys_module for ifconfig - Make telepathy and gkeyringd daemon working with confined users