From e6657a2595fcc257a437317f6363b3a43b8d1408 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Aug 01 2011 21:22:34 +0000 Subject: - Add sblim, uuidd policies - Allow kernel_t dyntrasition to init_t --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 770508a..e3b5d24 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2437,3 +2437,10 @@ ctdbd = module # fcoemon # fcoemon = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module diff --git a/policy-F16.patch b/policy-F16.patch index bc64861..31d23df 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -6147,7 +6147,7 @@ index 4f9dc90..8dc8a5f 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te -index 66beb80..702a727 100644 +index 66beb80..b69a628 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t) @@ -6190,7 +6190,7 @@ index 66beb80..702a727 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(irc_t) -@@ -101,3 +125,73 @@ tunable_policy(`use_samba_home_dirs',` +@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` nis_use_ypbind(irc_t) ') @@ -6221,6 +6221,11 @@ index 66beb80..702a727 100644 +corenet_tcp_sendrecv_ircd_port(irssi_t) +corenet_sendrecv_ircd_client_packets(irssi_t) + ++# tcp:7000 is often used for SSL irc ++corenet_tcp_connect_gatekeeper_port(irssi_t) ++corenet_tcp_sendrecv_gatekeeper_port(irssi_t) ++corenet_sendrecv_gatekeeper_client_packets(irssi_t) ++ +# Privoxy +corenet_tcp_connect_http_cache_port(irssi_t) +corenet_tcp_sendrecv_http_cache_port(irssi_t) @@ -11876,7 +11881,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..7345e5f 100644 +index 99b71cb..68a36f8 100644 
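Review bot: The comment `# tcp:7000 is often used for SSL irc` understates what the three rules beneath it grant, because gatekeeper_port_t is not just tcp/7000: the corenetwork.te.in definition elsewhere in this patch also puts udp 1718, udp 1719 and tcp 1721 (the H.323 gatekeeper ports) under that type, so irssi_t may connect to all of them. If only tcp/7000 is wanted, a dedicated port type would be the tighter fix; otherwise the comment should say what is actually opened, e.g. `# tcp:7000 is often used for SSL irc; it is labeled gatekeeper_port_t, which also covers the H.323 ports 1718/1719/1721`. The enclosing irssi_t block continues outside the hunk.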
--- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; @@ -11921,7 +11926,19 @@ index 99b71cb..7345e5f 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -50,6 +66,11 @@ type port_t, port_type; + sid port gen_context(system_u:object_r:port_t,s0) + + # ++# port_t is the default type of INET port numbers. ++# ++type unreserved_port_t, unreserved_port_type; ++ ++# + # reserved_port_t is the type of INET port numbers below 1024. + # + type reserved_port_t, port_type, reserved_port_type; +@@ -65,22 +86,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -11949,7 +11966,7 @@ index 99b71cb..7345e5f 100644 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0) +@@ -88,7 +113,9 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -11959,7 +11976,7 @@ index 99b71cb..7345e5f 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,9 +126,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
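Review bot: The new declaration `type unreserved_port_t, unreserved_port_type;` omits the `port_type` attribute that the neighbouring `type reserved_port_t, port_type, reserved_port_type;` carries; the corenet *_all_ports interfaces key on port_type, so once the portcon defaults added later in this patch label every otherwise-unlabeled port above 1023 as unreserved_port_t, domains granted all-ports access would no longer cover those ports. The line should read `type unreserved_port_t, port_type, unreserved_port_type;`. The comment pasted above it, `# port_t is the default type of INET port numbers.`, describes port_t rather than the new type; `# unreserved_port_t is the type of INET port numbers 1024 and above with no explicit portcon.` would match the reserved_port_t comment that follows. The unreserved_port_type attribute itself is declared outside this hunk, presumably in the attribute block at the top of the file — confirm.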
@@ -11974,7 +11991,7 @@ index 99b71cb..7345e5f 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +161,25 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -12003,7 +12020,7 @@ index 99b71cb..7345e5f 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +@@ -155,13 +192,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) @@ -12017,7 +12034,7 @@ index 99b71cb..7345e5f 100644 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) -+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9946, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) 
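Review bot: The rewritten `network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9946, s0)` drops tcp 9444 and 9445 while the sibling pki_kra, pki_ocsp and pki_tks lines in the same hunk keep their x443/x444/x445 triple, so the asymmetry looks accidental unless 9946 really replaces both. If it is intended, a one-line comment such as `# pki_ca: 9444/9445 are not CA ports; 9946 is` would keep a later reader from re-adding them; if not, the two ports presumably fall back to the default portcon (changed elsewhere in this patch to unreserved_port_t) and the CA domain would need a new bind permission.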
@@ -12026,7 +12043,12 @@ index 99b71cb..7345e5f 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -179,29 +224,34 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) + network_port(radius, udp,1645,s0, udp,1812,s0) + network_port(radsec, tcp,2083,s0) + network_port(razor, tcp,2703,s0) ++network_port(repository, tcp, 6363, s0) + network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -12059,7 +12081,7 @@ index 99b71cb..7345e5f 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +265,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -12068,7 +12090,7 @@ index 99b71cb..7345e5f 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +279,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) 
@@ -12076,7 +12098,16 @@ index 99b71cb..7345e5f 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -238,6 +289,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) + portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) ++portcon udp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0) ++portcon tcp 1024-65536 gen_context(system_u:object_r:unreserved_port_t, s0) + + ######################################## + # +@@ -282,9 +335,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -13651,7 +13682,7 @@ index fae1ab1..da927bb 100644 +dontaudit can_change_object_identity can_change_object_identity:key link; + diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c19518a..ba08cfe 100644 +index c19518a..b630279c 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` 
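Review bot: The two new default rules `portcon udp 1024-65536 ...` and `portcon tcp 1024-65536 ...` use 65536 as the upper bound, but the highest valid TCP/UDP port is 65535; write `1024-65535` for both so the range is correct whether or not checkpolicy rejects the out-of-range value. These rules also change the meaning of the existing `sid port` default: every high port without an explicit portcon is now unreserved_port_t rather than port_t, so domains holding only generic-port (port_t) permissions likely lose access to them. That intent deserves a comment next to the rules, e.g. `# Ports 1024-65535 with no explicit portcon are unreserved_port_t, not port_t`.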
@@ -13662,7 +13693,12 @@ index c19518a..ba08cfe 100644 ') ifdef(`distro_suse',` -@@ -57,6 +58,13 @@ ifdef(`distro_suse',` +@@ -53,10 +54,18 @@ ifdef(`distro_suse',` + /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) ++/etc/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -13676,7 +13712,7 @@ index c19518a..ba08cfe 100644 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -68,7 +76,10 @@ ifdef(`distro_suse',` +@@ -68,7 +77,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -13688,7 +13724,7 @@ index c19518a..ba08cfe 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.* <> +@@ -102,10 +114,9 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -13700,7 +13736,7 @@ index c19518a..ba08cfe 100644 # # /lost+found -@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.* <> /opt -d gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) @@ -13709,7 +13745,7 @@ index c19518a..ba08cfe 100644 # # /proc -@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.* <> +@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> 
@@ -13722,7 +13758,7 @@ index c19518a..ba08cfe 100644 # # /run # -@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -13730,7 +13766,7 @@ index c19518a..ba08cfe 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -230,17 +245,20 @@ ifndef(`distro_redhat',` +@@ -230,17 +246,20 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -13752,14 +13788,14 @@ index c19518a..ba08cfe 100644 /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> -@@ -257,3 +275,5 @@ ifndef(`distro_redhat',` +@@ -257,3 +276,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..a049775 100644 +index ff006ea..367d234 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -14713,7 +14749,7 @@ index ff006ea..a049775 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -14740,6 +14776,24 @@ index ff006ea..a049775 100644 + +######################################## +## ++## Execute generic programs in /var/run in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_exec_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ exec_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. +## @@ -14758,7 +14812,7 @@ index ff006ea..a049775 100644 ') ######################################## -@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -14849,7 +14903,7 @@ index ff006ea..a049775 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14858,7 +14912,7 @@ index ff006ea..a049775 100644 ') ######################################## -@@ -6117,3 +6751,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6769,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15941,7 +15995,7 @@ index 6346378..edbe041 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..2860a62 100644 +index d91c62f..9740613 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15981,7 +16035,7 @@ index d91c62f..2860a62 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,19 +276,40 @@ files_list_root(kernel_t) +@@ -269,25 +276,47 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
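Review bot: The new interface `files_exec_generic_pid_files` grants `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. execution of any file carrying the generic var_run_t label, and nothing in the hunk says which caller needs executables under /var/run. Because var_run_t is the fallback label for pid and runtime files written by many daemons, this is much broader than a per-service type; the interface summary should say so, e.g. add `## Any file labeled var_run_t becomes executable for the caller; prefer a service-specific type when the executable is known.` under the existing summary line.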
@@ -16022,7 +16076,14 @@ index d91c62f..2860a62 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -297,6 +325,19 @@ optional_policy(` + + optional_policy(` + init_sigchld(kernel_t) ++ init_dyntrans(kernel_t) + ') + + optional_policy(` +@@ -297,6 +326,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -16042,7 +16103,7 @@ index d91c62f..2860a62 100644 ') optional_policy(` -@@ -334,9 +375,7 @@ optional_policy(` +@@ -334,9 +376,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16053,7 +16114,7 @@ index d91c62f..2860a62 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -345,7 +384,7 @@ optional_policy(` +@@ -345,7 +385,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16062,7 +16123,7 @@ index d91c62f..2860a62 100644 ') ') -@@ -358,6 +397,15 @@ optional_policy(` +@@ -358,6 +398,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -23155,7 +23216,7 @@ index 0197980..f8bce2c 100644 +/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) +/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te -index f4e7ad3..68aebc4 100644 +index f4e7ad3..2faf42a 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te @@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t) @@ -23172,7 +23233,7 @@ index f4e7ad3..68aebc4 100644 -allow bitlbee_t self:capability { setgid setuid }; -allow bitlbee_t self:process signal; -+allow bitlbee_t self:capability { setgid setuid sys_nice }; ++allow bitlbee_t self:capability { dac_override setgid setuid sys_nice }; +allow bitlbee_t self:process { setsched signal }; + +allow bitlbee_t self:fifo_file rw_fifo_file_perms; 
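Review bot: `init_dyntrans(kernel_t)` carries no comment explaining why the kernel domain needs a dynamic transition to init_t, and a dyntransition does not go through the entrypoint check that an exec-based domain transition enforces, so the reason belongs next to the rule. Presumably this is for init switching its own context after it loads the policy — confirm — in which case `# init loads the policy and then switches itself to init_t with setcon` would do. The enclosing optional_policy block starts outside the hunk.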
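Review bot: The rewritten capability line `allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };` adds dac_override, which lets the daemon ignore file permission bits on every object its type enforcement rules already reach; in a confined network daemon this usually points at a file or directory owned by the wrong user rather than a real requirement. Worth confirming the denial that prompted it and, if it stays, recording it: `# dac_override: <path/reason> — TODO confirm an ownership fix is not possible`. The hunk's context lines appear collapsed in this view, so the full capability block may extend beyond what is shown.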
@@ -23211,6 +23272,16 @@ index f4e7ad3..68aebc4 100644 # Allow bitlbee to connect to jabber servers corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) +@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t) + corenet_tcp_sendrecv_http_port(bitlbee_t) + corenet_tcp_connect_http_cache_port(bitlbee_t) + corenet_tcp_sendrecv_http_cache_port(bitlbee_t) ++corenet_tcp_bind_ircd_port(bitlbee_t) ++corenet_tcp_sendrecv_ircd_port(bitlbee_t) ++corenet_sendrecv_ircd_server_packets(bitlbee_t) + + dev_read_rand(bitlbee_t) + dev_read_urand(bitlbee_t) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 3e45431..4aa8fb1 100644 --- a/policy/modules/services/bluetooth.if @@ -27476,24 +27547,27 @@ index f7583ab..3c9cf5a 100644 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc new file mode 100644 -index 0000000..e490a2a +index 0000000..2db6b61 --- /dev/null +++ b/policy/modules/services/ctdbd.fc -@@ -0,0 +1,15 @@ +@@ -0,0 +1,18 @@ + +/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) + -+/var/log/log.ctdb gen_context(system_u:object_r:ctdbd_log_t,s0) ++/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++ ++/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) ++ ++/var/log/log\.ctdb -- gen_context(system_u:object_r:ctdbd_log_t,s0) + +/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) + +/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + -+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + +/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) + 
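Review bot: `/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)` labels the daemon's configuration directory with the same type as its /var/lib and /var/ctdb state, so every domain given manage rights on ctdbd_var_lib_t can also rewrite the configuration; the samba.te hunk in this same patch adds `ctdbd_manage_lib_files(smbd_t)`, which then extends to /etc/ctdb. A separate config type (e.g. a new ctdbd_conf_t, or plain etc_t with read access for ctdbd_t) would keep the configuration read-only for both the daemon and smbd_t. If the shared type is deliberate because ctdb rewrites its own configuration, a comment on the fc line saying so would make the choice visible.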
diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 @@ -27758,7 +27832,7 @@ index 0000000..9146ef1 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..5e2a4bd +index 0000000..579e420 --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,114 @@ @@ -27835,11 +27909,13 @@ index 0000000..5e2a4bd +kernel_read_system_state(ctdbd_t) + +corenet_tcp_bind_generic_node(ctdbd_t) ++corenet_tcp_bind_ctdb_port(ctdbd_t) + +corecmd_exec_bin(ctdbd_t) +corecmd_exec_shell(ctdbd_t) + +dev_read_sysfs(ctdbd_t) ++dev_read_urand(ctdbd_t) + +domain_use_interactive_fds(ctdbd_t) +domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -27852,8 +27928,6 @@ index 0000000..5e2a4bd +miscfiles_read_localization(ctdbd_t) +miscfiles_read_public_files(ctdbd_t) + -+#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) -+#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) + +optional_policy(` + consoletype_exec(ctdbd_t) @@ -27870,7 +27944,7 @@ index 0000000..5e2a4bd +optional_policy(` + samba_initrc_domtrans(ctdbd_t) + samba_domtrans_net(ctdbd_t) -+ samba_read_var_files(ctdbd_t) ++ samba_rw_var_files(ctdbd_t) +') + +optional_policy(` @@ -36210,10 +36284,10 @@ index 0000000..e2cda9b + diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te new file mode 100644 -index 0000000..1c74e98 +index 0000000..b5ba929 --- /dev/null +++ b/policy/modules/services/lldpad.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ +policy_module(lldpad, 1.0.0) + +######################################## @@ -36279,6 +36353,8 @@ index 0000000..1c74e98 + +miscfiles_read_localization(lldpad_t) + ++userdom_dgram_send(lldpad_t) ++ +optional_policy(` + fcoemon_dgram_send(lldpad_t) +') @@ -48314,7 +48390,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..a23112b 100644 +index e30bb63..2977339 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -48411,17 +48487,18 @@ index e30bb63..a23112b 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') +optional_policy(` + ctdbd_stream_connect(smbd_t) ++ ctdbd_manage_lib_files(smbd_t) +') optional_policy(` cups_read_rw_config(smbd_t) -@@ -445,26 +445,25 @@ optional_policy(` +@@ -445,26 +446,25 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -48455,7 +48532,7 @@ index e30bb63..a23112b 100644 ######################################## # # nmbd Local policy -@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -48466,7 +48543,7 @@ index e30bb63..a23112b 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; 
@@ -48484,7 +48561,7 @@ index e30bb63..a23112b 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t) +@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -48493,7 +48570,7 @@ index e30bb63..a23112b 100644 ######################################## # -@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -48518,7 +48595,7 @@ index e30bb63..a23112b 100644 ######################################## # # SWAT Local policy -@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -48527,7 +48604,7 @@ index e30bb63..a23112b 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -48542,7 +48619,7 @@ index e30bb63..a23112b 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -48550,7 +48627,7 @@ index e30bb63..a23112b 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +759,8 @@ logging_search_logs(swat_t) +@@ -754,6 +760,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) 
@@ -48559,7 +48636,7 @@ index e30bb63..a23112b 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -48581,7 +48658,7 @@ index e30bb63..a23112b 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -48589,7 +48666,7 @@ index e30bb63..a23112b 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -48598,7 +48675,7 @@ index e30bb63..a23112b 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +931,18 @@ optional_policy(` +@@ -922,6 +932,18 @@ optional_policy(` # optional_policy(` @@ -48617,7 +48694,7 @@ index e30bb63..a23112b 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +953,12 @@ optional_policy(` +@@ -932,9 +954,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -48776,10 +48853,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..f050bc5 +index 0000000..dae577a --- /dev/null 
+++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,65 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -48820,12 +48897,16 @@ index 0000000..f050bc5 +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) + ++kernel_read_system_state(sanlock_t) ++ +domain_use_interactive_fds(sanlock_t) + +files_read_etc_files(sanlock_t) + +storage_raw_rw_fixed_disk(sanlock_t) + ++dev_read_urand(sanlock_t) ++ +logging_send_syslog_msg(sanlock_t) + +init_read_utmp(sanlock_t) 
@@ -48915,6 +48996,205 @@ index cfc60dd..53a9d2d 100644 ') optional_policy(` +diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc +new file mode 100644 +index 0000000..d5c3c3f +--- /dev/null ++++ b/policy/modules/services/sblim.fc +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) ++ ++/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) ++ ++/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) +diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if +new file mode 100644 +index 0000000..8aef188 +--- /dev/null ++++ b/policy/modules/services/sblim.if +@@ -0,0 +1,78 @@ ++ ++## policy for SBLIM Gatherer ++ ++######################################## ++## ++## Transition to gatherd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sblim_gatherd_domtrans',` ++ gen_require(` ++ type sblim_gatherd_t, sblim_gatherd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) ++') ++ ++ ++######################################## ++## ++## Read gatherd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sblim_read_pid_files',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 gatherd_var_run_t:file read_file_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`sblim_admin',` ++ gen_require(` ++ type sblim_gatherd_t; ++ type sblim_reposd_t; ++ type sblim_var_run_t; ++ ') ++ ++ allow $1 sblim_gatherd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sblim_gatherd_t) ++ ++ allow $1 sblim_reposd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sblim_reposd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, sblim_var_run_t) ++ ++') ++ +diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te +new file mode 100644 +index 0000000..3ced316 +--- /dev/null ++++ b/policy/modules/services/sblim.te +@@ -0,0 +1,97 @@ ++policy_module(sblim, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute sblim_domain; ++ ++type sblim_gatherd_t, sblim_domain; ++type sblim_gatherd_exec_t; ++init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) ++ ++permissive sblim_gatherd_t; ++ ++type sblim_reposd_t, sblim_domain; ++type sblim_reposd_exec_t; ++init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) ++ ++permissive sblim_gatherd_t; ++ ++type sblim_var_run_t; ++files_pid_file(sblim_var_run_t) ++ ++######################################## ++# ++# sblim_gatherd local policy ++# ++ ++#needed by ps ++allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; ++ ++allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; ++allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_fs_sysctls(sblim_gatherd_t) ++kernel_read_kernel_sysctls(sblim_gatherd_t) ++ ++corecmd_exec_bin(sblim_gatherd_t) ++corecmd_exec_shell(sblim_gatherd_t) ++ ++corenet_tcp_connect_repository_port(sblim_gatherd_t) ++ ++domain_read_all_domains_state(sblim_gatherd_t) ++ ++fs_getattr_all_fs(sblim_gatherd_t) ++ ++term_getattr_pty_fs(sblim_gatherd_t) ++ ++init_read_utmp(sblim_gatherd_t) ++ ++userdom_signull_unpriv_users(sblim_gatherd_t) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(sblim_gatherd_t) ++') ++ 
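Review bot: `sblim_read_pid_files` requires `type sblim_var_run_t;` but its allow rule uses `gatherd_var_run_t`, a type declared nowhere in this patch, so any caller of the interface will fail to build; the rule should read `allow $1 sblim_var_run_t:file read_file_perms;`. As a point of style, the double blank lines before the second and third `########` banners and the blank line before the closing `')` of sblim_admin differ from the single-blank-line spacing used in the other .if files in this patch.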
++optional_policy(` ++ virt_stream_connect(sblim_gatherd_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(sblim_gatherd_t) ++ xen_stream_connect_xenstore(sblim_gatherd_t) ++') ++ ++####################################### ++# ++# sblim_reposd local policy ++# ++ ++domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) ++ ++corenet_tcp_bind_all_nodes(sblim_reposd_t) ++corenet_tcp_bind_repository_port(sblim_reposd_t) ++ ++###################################### ++# ++# sblim_domain local policy ++# ++ ++allow sblim_domain self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++ ++kernel_read_network_state(sblim_domain) ++kernel_read_system_state(sblim_domain) ++ ++dev_read_sysfs(sblim_domain) ++ ++logging_send_syslog_msg(sblim_domain) ++ ++files_read_etc_files(sblim_domain) ++ ++miscfiles_read_localization(sblim_domain) diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc index a86ec50..ef4199b 100644 --- a/policy/modules/services/sendmail.fc 
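Review bot: `permissive sblim_gatherd_t;` appears twice, once after each init_daemon_domain call; the second, which follows the sblim_reposd_t declaration, was presumably meant to be `permissive sblim_reposd_t;`, and as written reposd is left enforcing while gatherd is not. Separately, `allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };` combined with `domain_read_all_domains_state(sblim_gatherd_t)` is a broad grant for a metrics gatherer, and the comment `#needed by ps` does not explain which access triggered sys_ptrace or dac_override; if they only surface when reading other processes' /proc entries, a dontaudit may be enough — confirm which denial each one addresses and name it in the comment.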
@@ -51988,6 +52268,270 @@ index d4349e9..f14d337 100644 - nscd_socket_use(uux_t) + postfix_rw_master_pipes(uux_t) ') +diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc +new file mode 100644 +index 0000000..c184667 +--- /dev/null ++++ b/policy/modules/services/uuidd.fc +@@ -0,0 +1,9 @@ ++ ++/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) ++ ++ ++/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) ++ ++/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0) ++ ++/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) +diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if +new file mode 100644 +index 0000000..5a2fd4c +--- /dev/null ++++ b/policy/modules/services/uuidd.if +@@ -0,0 +1,193 @@ ++## policy for uuidd ++ ++######################################## ++## ++## Transition to uuidd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`uuidd_domtrans',` ++ gen_require(` ++ type uuidd_t, uuidd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, uuidd_exec_t, uuidd_t) ++') ++ ++######################################## ++## ++## Execute uuidd server in the uuidd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_initrc_domtrans',` ++ gen_require(` ++ type uuidd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, uuidd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search uuidd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_search_lib',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ allow $1 uuidd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read uuidd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`uuidd_read_lib_files',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage uuidd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_manage_lib_files',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage uuidd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_manage_lib_dirs',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read uuidd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_read_pid_files',` ++ gen_require(` ++ type uuidd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 uuidd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Connect to uuidd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_stream_connect_manager',` ++ gen_require(` ++ type uuidd_t, uuidd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an uuidd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`uuidd_admin',` ++ gen_require(` ++ type uuidd_t; ++ type uuidd_initrc_exec_t; ++ type uuidd_var_lib_t; ++ type uuidd_var_run_t; ++ ') ++ ++ allow $1 uuidd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, uuidd_t) ++ ++ uuidd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 uuidd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, uuidd_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, uuidd_var_run_t) ++') +diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te +new file mode 100644 +index 0000000..1adb81a +--- /dev/null ++++ b/policy/modules/services/uuidd.te +@@ -0,0 +1,44 @@ ++policy_module(uuidd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type uuidd_t; ++type uuidd_exec_t; ++init_daemon_domain(uuidd_t, uuidd_exec_t) ++ ++permissive uuidd_t; ++ ++type uuidd_initrc_exec_t; ++init_script_file(uuidd_initrc_exec_t) ++ ++type uuidd_var_lib_t; ++files_type(uuidd_var_lib_t) ++ ++type uuidd_var_run_t; ++files_pid_file(uuidd_var_run_t) ++ ++######################################## ++# ++# uuidd local policy ++# ++allow uuidd_t self:capability { kill setuid }; ++allow uuidd_t self:process { signal }; ++ ++allow uuidd_t self:fifo_file rw_fifo_file_perms; ++allow uuidd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) ++manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) ++ ++manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++ ++domain_use_interactive_fds(uuidd_t) ++ ++files_read_etc_files(uuidd_t) ++ ++miscfiles_read_localization(uuidd_t) 
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..064171e 100644 --- a/policy/modules/services/varnishd.te @@ -52802,7 +53346,7 @@ index 7c5d8d8..4feaf88 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..5a0c2ce 100644 +index 3eca020..e18ede2 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -52977,7 +53521,12 @@ index 3eca020..5a0c2ce 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +170,8 @@ dev_list_sysfs(svirt_t) +@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t) + + dev_list_sysfs(svirt_t) + ++fs_getattr_xattr_fs(svirt_t) ++ userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -52986,7 +53535,7 @@ index 3eca020..5a0c2ce 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +186,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -53002,7 +53551,7 @@ index 3eca020..5a0c2ce 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +203,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -53025,7 +53574,7 @@ index 3eca020..5a0c2ce 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +228,35 @@ optional_policy(` +@@ -174,21 +230,35 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
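Review bot: uuidd.te grants uuidd_t manage_dirs/files/sock_files patterns on uuidd_var_run_t and uuidd_var_lib_t but no file-transition rule, so if the daemon itself creates /var/run/uuidd or /var/lib/libuuid (rather than the init script pre-creating and labelling them) the new directory and socket inherit the parent's generic label and `uuidd_stream_connect_manager` has nothing to match. Adding `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })` next to the manage patterns closes that gap; the virt_var_run_t rules elsewhere in this patch already follow that shape. Whether uuidd creates those directories is not visible here, so confirm against the daemon before relying on the .fc entries alone. `permissive uuidd_t;` would also benefit from a comment marking it as a first-release setting so it is revisited once the policy is exercised.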
@@ -53066,7 +53615,7 @@ index 3eca020..5a0c2ce 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +268,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -53084,7 +53633,7 @@ index 3eca020..5a0c2ce 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +292,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -53100,7 +53649,7 @@ index 3eca020..5a0c2ce 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +320,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -53133,7 +53682,7 @@ index 3eca020..5a0c2ce 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +352,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -53152,14 +53701,14 @@ index 3eca020..5a0c2ce 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +387,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -53182,7 +53731,7 @@ index 3eca020..5a0c2ce 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +428,10 @@ optional_policy(` +@@ -313,6 +430,10 @@ optional_policy(` ') optional_policy(` @@ -53193,7 +53742,7 @@ index 3eca020..5a0c2ce 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,11 +448,17 @@ optional_policy(` +@@ -329,11 +450,17 @@ optional_policy(` ') optional_policy(` @@ -53211,7 +53760,7 @@ index 3eca020..5a0c2ce 100644 ') optional_policy(` -@@ -365,6 +490,12 @@ optional_policy(` +@@ -365,6 +492,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -53224,7 +53773,7 @@ index 3eca020..5a0c2ce 100644 ') optional_policy(` -@@ -385,23 +516,37 @@ optional_policy(` +@@ -385,29 +518,45 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -53267,7 +53816,15 @@ index 3eca020..5a0c2ce 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) + + kernel_read_system_state(virt_domain) + ++fs_getattr_xattr_fs(virt_domain) ++ + corecmd_exec_bin(virt_domain) + corecmd_exec_shell(virt_domain) + +@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
@@ -53280,7 +53837,7 @@ index 3eca020..5a0c2ce 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +575,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +579,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -53293,7 +53850,7 @@ index 3eca020..5a0c2ce 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,14 +588,20 @@ files_search_all(virt_domain) +@@ -440,14 +592,20 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -53301,12 +53858,12 @@ index 3eca020..5a0c2ce 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -53317,7 +53874,7 @@ index 3eca020..5a0c2ce 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +611,176 @@ optional_policy(` +@@ -457,8 +615,176 @@ optional_policy(` ') optional_policy(` @@ -57557,7 +58114,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..354e39c 100644 +index 94fd8dd..417ec32 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` 
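Review bot: `fs_getattr_xattr_fs(svirt_t)` is added in the svirt_t block while the same commit also adds `fs_getattr_xattr_fs(virt_domain)` in the virt_domain block later in the file; if svirt_t carries the virt_domain attribute (its declaration is outside this hunk, so I am inferring from the `@@ -5,56 +5,67 @@` context) the svirt_t line is redundant and only the attribute-level rule is needed. Keeping one copy avoids the two drifting apart in later edits. The reordering of `selinux_validate_context(virtd_t)` and the blank line is whitespace only.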
@@ -57725,7 +58282,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -401,16 +428,19 @@ interface(`init_system_domain',` +@@ -401,20 +428,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -57745,7 +58302,29 @@ index 94fd8dd..354e39c 100644 mls_rangetrans_target($1) ') ') -@@ -451,6 +481,10 @@ interface(`init_exec',` + ++###################################### ++## ++## Allow domain dyntransition to init_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`init_dyntrans',` ++ gen_require(` ++ type anon_sftpd_t; ++ ') ++ ++ dyntrans_pattern($1, init_t) ++') ++ + ######################################## + ## + ## Execute init (/sbin/init) with a domain transition. +@@ -451,6 +499,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -57756,7 +58335,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -509,6 +543,24 @@ interface(`init_sigchld',` +@@ -509,6 +561,24 @@ interface(`init_sigchld',` ######################################## ## @@ -57781,7 +58360,7 @@ index 94fd8dd..354e39c 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +571,29 @@ interface(`init_sigchld',` +@@ -519,10 +589,29 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -57813,7 +58392,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -688,19 +759,25 @@ interface(`init_telinit',` +@@ -688,19 +777,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -57840,7 +58419,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -730,7 +807,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +825,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -57849,7 +58428,7 @@ index 94fd8dd..354e39c 100644 ## ## # -@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +868,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` 
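Review bot: The gen_require block of the new `init_dyntrans` interface declares `type anon_sftpd_t;` but the body only uses init_t, so the require looks copy-pasted from another interface; it should read `type init_t;`, otherwise any caller from a module built without anon_sftpd_t fails to link for an unrelated reason. The interface hands the caller a dynamic transition into the init_t domain, which the commit description says is intended for kernel_t; a one-line comment above the interface stating that only that caller is expected (`# Only kernel_t is expected to use this; a dyntransition into init_t lands the caller in PID 1's domain`) would make the scope of the grant explicit to the next reviewer.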
@@ -57873,7 +58452,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +896,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -57896,11 +58475,11 @@ index 94fd8dd..354e39c 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -57913,13 +58492,17 @@ index 94fd8dd..354e39c 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',` ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -868,9 +986,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -57934,7 +58517,7 @@ index 94fd8dd..354e39c 100644 files_search_etc($1) ') -@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1202,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -57959,7 +58542,7 @@ index 94fd8dd..354e39c 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -57973,7 +58556,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from 
@@ -58001,7 +58584,7 @@ index 94fd8dd..354e39c 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -58027,7 +58610,7 @@ index 94fd8dd..354e39c 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1695,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -58052,7 +58635,7 @@ index 94fd8dd..354e39c 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -58061,7 +58644,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1909,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -58190,7 +58773,7 @@ index 94fd8dd..354e39c 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2065,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -58348,7 +58931,7 @@ index 94fd8dd..354e39c 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..837bc69 100644 +index 29a9565..4d20828 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
@@ -58579,9 +59162,9 @@ index 29a9565..837bc69 100644 + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) -+ files_delete_all_pid_sockets(init_t) ++ files_delete_all_pids(init_t) ++ files_exec_generic_pid_files(init_t) + files_create_all_pid_pipes(init_t) -+ files_delete_all_pid_pipes(init_t) + files_create_all_spool_sockets(init_t) + files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) @@ -60601,7 +61184,7 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..fa034d6 100644 +index b6ec597..2674701 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) @@ -60761,7 +61344,7 @@ index b6ec597..fa034d6 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -496,6 +535,10 @@ optional_policy(` +@@ -496,11 +535,20 @@ optional_policy(` ') optional_policy(` @@ -60772,17 +61355,16 @@ index b6ec597..fa034d6 100644 postgresql_stream_connect(syslogd_t) ') -@@ -504,6 +547,10 @@ optional_policy(` - ') - optional_policy(` -+ daemontools_search_svc_dir(syslogd_t) + seutil_sigchld_newrole(syslogd_t) ++ snmp_read_snmp_var_lib_files(syslogd_t) +') + +optional_policy(` - udev_read_db(syslogd_t) ++ daemontools_search_svc_dir(syslogd_t) ') + optional_policy(` diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 879bb1e..7b22111 100644 --- a/policy/modules/system/lvm.fc @@ -63506,7 +64088,7 @@ index ff80d0a..752e031 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..0cdb0be 100644 +index 34d0ec5..76e53a6 100644 --- a/policy/modules/system/sysnetwork.te 
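Review bot: `files_exec_generic_pid_files(init_t)` is added without a comment, and letting PID 1 execute content carrying the generic /var/run label is unusual enough that the service or unit that needs it should be named inline, e.g. `# TODO name the service that ships an executable under /var/run` on the line above, so the next reviewer can decide whether the rule is still needed. The replacement of `files_delete_all_pid_sockets` and `files_delete_all_pid_pipes` with `files_delete_all_pids` presumably covers both object classes, but that depends on the files.if definition not shown here, so it is worth confirming that pipes are still covered. The enclosing block these rules sit in begins outside the hunk.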
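Review bot: In logging.te, `snmp_read_snmp_var_lib_files(syslogd_t)` appears to be added inside the optional_policy block that already holds `seutil_sigchld_newrole(syslogd_t)`; an optional_policy block is dropped as a whole when any of its requirements is unmet, so on a system without the snmp module the seutil rule would silently disappear too. Give the snmp call its own block, `optional_policy(` / `snmp_read_snmp_var_lib_files(syslogd_t)` / `')`, the way the new daemontools block just below it is written. The split of daemontools_search_svc_dir into its own block is fine.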
+++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -63705,7 +64287,7 @@ index 34d0ec5..0cdb0be 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +363,14 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +363,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -63713,6 +64295,10 @@ index 34d0ec5..0cdb0be 100644 + brctl_domtrans(ifconfig_t) +') + ++optional_policy(` ++ ctdbd_read_lib_files(ifconfig_t) ++') ++ ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit ifconfig_t self:capability sys_module; @@ -63720,7 +64306,7 @@ index 34d0ec5..0cdb0be 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +381,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +385,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -63735,7 +64321,7 @@ index 34d0ec5..0cdb0be 100644 ') optional_policy(` -@@ -335,6 +397,18 @@ optional_policy(` +@@ -335,6 +401,18 @@ optional_policy(` ') optional_policy(` @@ -63754,7 +64340,7 @@ index 34d0ec5..0cdb0be 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +430,9 @@ optional_policy(` +@@ -356,3 +434,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2d6973c..b7ccc22 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Aug Mon 1 2011 Miroslav Grepl 3.10.0-12 +- Add sblim, uuidd policies +- Allow kernel_t dyntrasition to init_t + * Fri Jul 29 2011 Miroslav Grepl 3.10.0-11 - init_t need setexec - More fixes of rules which cause an explosion in rules by Dan Walsh
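Review bot: The new %changelog entry in selinux-policy.spec is dated `* Aug Mon 1 2011`, with the month and weekday swapped relative to the entry below it (`* Fri Jul 29 2011`); rpm expects weekday first, so it should be `* Mon Aug 01 2011 Miroslav Grepl 3.10.0-12`, and rpm versions that validate changelog dates reject or warn on the malformed form. The second bullet also carries the typo "dyntrasition" for "dyntransition", which the commit description repeats.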