From ebe7e04d89e0d9628e083b5f7024a710f3aa5165 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 31 2014 15:52:29 +0000 Subject: - Turn on bacula, rhnsd policy - Add support for rhnsd unit file - Add dbus_chat_session_bus() interface - Add dbus_stream_connect_session_bus() interface - Fix logrotate_use_nfs boolean - Add lot of pcp fixes found in RHEL7 - fix labeling for pmie for pcp pkg - Change thumb_t to be allowed to chat/connect with session bus type - Allow call renice in mlocate - Add logrotate_use_nfs boolean - Allow setroubleshootd to read rpc sysctl - Fixes for *_admin interfaces - Add pegasus_openlmi_storage_var_run_t type def - Add support for /var/run/openlmi-storage - Allow tuned to create syslog.conf with correct labeling - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - ALlow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs - Add support for dey_sapi port - Add logging_filetrans_named_conf() - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring --- diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 1c08396..a1e742b 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2450,3 +2450,11 @@ pcp = module # bacula policy # bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# + +rhnsd = module diff --git a/permissivedomains.te b/permissivedomains.te index 1a6ccc2..5d43fa3 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -157,3 +157,10 @@ optional_policy(` permissive pcp_pmie_t; permissive pcp_pmlogger_t; ') + +optional_policy(` + gen_require(` + type rhnsd_t; + ') + permissive rhnsd_t; +') diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 504052b..683c834 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -2729,7 +2729,7 @@ index 99e3903..7270808 100644 ######################################## 
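Review bot: The new `permissive rhnsd_t;` block in permissivedomains.te means that, although this commit enables the rhnsd module in modules-targeted-contrib.conf, denials for rhnsd_t will only be logged and not enforced, so the domain is not yet confining anything. The block follows the file's existing pattern but records neither why the domain is permissive nor when it should be dropped; a comment such as `# rhnsd_t is new policy: permissive until it has been exercised, then remove this block` would keep the follow-up visible. The description's "Turn on ... rhnsd policy" reads as though enforcement starts here, which is worth qualifying.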
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..010af99 100644 +index d555767..049a211 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2937,6 +2937,15 @@ index d555767..010af99 100644 ') optional_policy(` +@@ -270,7 +297,7 @@ optional_policy(` + # Passwd local policy + # + +-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; ++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource }; + dontaudit passwd_t self:capability sys_tty_config; + allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow passwd_t self:process { setrlimit setfscreate }; @@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; @@ -5587,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..1279fd8 100644 +index 4edc40d..f7e6f88 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5674,7 +5683,7 @@ index 4edc40d..1279fd8 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0) +@@ -96,42 +119,52 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) 
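Review bot: The `ipc_lock` added to `allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };` is justified only in the commit message (changing the password held in gnome-keyring), not in the policy itself, and a capability addition on passwd_t is the kind of line the next reader will want a reason for. A one-line comment above the rule, `# ipc_lock: required to change the password stored in gnome-keyring`, would preserve the rationale next to the grant. The "Passwd local policy" section this rule belongs to continues outside the hunk.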
@@ -5698,7 +5707,11 @@ index 4edc40d..1279fd8 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,19 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, + network_port(dbskkd, tcp,1178,s0) + network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dccm, tcp,5679,s0, udp,5679,s0) ++network_port(dey_sapi, tcp,4330,s0) + network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5728,7 +5741,7 @@ index 4edc40d..1279fd8 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5795,7 +5808,7 @@ index 4edc40d..1279fd8 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +224,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -5835,7 +5848,7 @@ index 4edc40d..1279fd8 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5888,7 +5901,7 @@ index 4edc40d..1279fd8 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5899,7 +5912,7 @@ index 4edc40d..1279fd8 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5912,7 +5925,7 @@ index 4edc40d..1279fd8 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) 
@@ -5939,7 +5952,7 @@ index 4edc40d..1279fd8 100644 ######################################## # -@@ -330,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5948,7 +5961,7 @@ index 4edc40d..1279fd8 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -31466,7 +31479,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..6118015 100644 +index 4e94884..b144ffe 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -31618,12 +31631,19 @@ index 4e94884..6118015 100644 +interface(`logging_read_syslog_pid',` + gen_require(` + type syslogd_var_run_t; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Relabel the syslog pid sock_file. 
@@ -31637,18 +31657,15 @@ index 4e94884..6118015 100644 +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; - ') ++ ') -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. @@ -31663,11 +31680,7 @@ index 4e94884..6118015 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') @@ -31910,13 +31923,32 @@ index 4e94884..6118015 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1380,35 @@ interface(`logging_admin',` +@@ -1085,3 +1380,54 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') + +######################################## +## ++## Transition to syslog.conf ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_filetrans_named_conf',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") ++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ++') ++ ++######################################## ++## +## Transition to logging named content +## +## 
@@ -38252,7 +38284,7 @@ index 0000000..1d9bdfd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ca12f04 +index 0000000..04b5e3e --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,657 @@ @@ -38473,7 +38505,7 @@ index 0000000..ca12f04 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 6fa48c8..4498c5b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -4818,10 +4818,10 @@ index 83e899c..64beed7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..94764d1 100644 +index 1a82e29..0b9c048 100644 --- a/apache.te +++ b/apache.te -@@ -1,297 +1,367 @@ +@@ -1,297 +1,375 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + @@ -4860,39 +4860,40 @@ index 1a82e29..94764d1 100644 ## -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) ++ ## -##
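Review bot: The `net_admin` added in `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin };` is not mentioned anywhere in the commit description, and net_admin is a broad capability (it covers network configuration, not only socket options) for a password agent. If a specific denial motivated it, a comment naming the operation that needs it would let later reviewers judge whether a narrower permission would do; if it was added only to quiet an AVC whose cause is not understood, a `dontaudit` is the safer first step. The rest of the systemd_passwd_agent_t policy is outside the hunk.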

-## Determine whether httpd can use mod_auth_pam. -##

+##

-+## Allow Apache to use mod_auth_pam ++## Dontaudit Apache to search dirs. +##

##
-gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_mod_auth_pam, false) ++gen_tunable(httpd_dontaudit_search_dirs, false) ## -##

-## Determine whether httpd can use built in scripting. -##

+##

-+## Allow Apache to use mod_auth_ntlm_winbind ++## Allow Apache to use mod_auth_pam +##

##
-gen_tunable(httpd_builtin_scripting, false) -+gen_tunable(httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_mod_auth_pam, false) ## -##

-## Determine whether httpd can check spam. -##

+##

-+## Allow httpd scripts and modules execmem/execstack ++## Allow Apache to use mod_auth_ntlm_winbind +##

##
-gen_tunable(httpd_can_check_spam, false) -+gen_tunable(httpd_execmem, false) ++gen_tunable(httpd_mod_auth_ntlm_winbind, false) ## -##

@@ -4900,6 +4901,13 @@ index 1a82e29..94764d1 100644 -## can connect to the network using TCP. -##

+##

++## Allow httpd scripts and modules execmem/execstack ++##

++##
++gen_tunable(httpd_execmem, false) ++ ++## ++##

+## Allow httpd processes to manage IPA content +##

+##
@@ -5338,7 +5346,7 @@ index 1a82e29..94764d1 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +377,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5351,7 +5359,7 @@ index 1a82e29..94764d1 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +387,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5373,7 +5381,7 @@ index 1a82e29..94764d1 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +409,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5393,7 +5401,7 @@ index 1a82e29..94764d1 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +436,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; 
@@ -5444,7 +5452,7 @@ index 1a82e29..94764d1 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +478,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5486,7 +5494,7 @@ index 1a82e29..94764d1 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,14 +515,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5508,7 +5516,7 @@ index 1a82e29..94764d1 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +552,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +560,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -5650,16 +5658,20 @@ index 1a82e29..94764d1 100644 -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) ++tunable_policy(`httpd_dontaudit_search_dirs',` ++ files_dontaudit_search_non_security_dirs(httpd_t) + ') + +-tunable_policy(`allow_httpd_anon_write',` +- miscfiles_manage_public_files(httpd_t) +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) - ') - --tunable_policy(`allow_httpd_anon_write',` -- miscfiles_manage_public_files(httpd_t) ++') ++ +optional_policy(` + tunable_policy(`httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) @@ -5742,7 +5754,7 @@ index 1a82e29..94764d1 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +724,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +736,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5802,7 +5814,7 @@ index 1a82e29..94764d1 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +776,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +788,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5893,7 +5905,7 @@ index 1a82e29..94764d1 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,66 +823,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,66 +835,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5991,7 +6003,7 @@ index 1a82e29..94764d1 100644 ') optional_policy(` -@@ -765,6 +888,23 @@ optional_policy(` +@@ -765,6 +900,23 @@ optional_policy(` ') optional_policy(` 
@@ -6015,7 +6027,7 @@ index 1a82e29..94764d1 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +921,53 @@ optional_policy(` +@@ -781,34 +933,53 @@ optional_policy(` ') optional_policy(` @@ -6080,7 +6092,7 @@ index 1a82e29..94764d1 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +975,18 @@ optional_policy(` +@@ -816,8 +987,18 @@ optional_policy(` ') optional_policy(` @@ -6099,7 +6111,7 @@ index 1a82e29..94764d1 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +995,7 @@ optional_policy(` +@@ -826,6 +1007,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6107,7 +6119,7 @@ index 1a82e29..94764d1 100644 ') optional_policy(` -@@ -836,20 +1006,39 @@ optional_policy(` +@@ -836,20 +1018,39 @@ optional_policy(` ') optional_policy(` @@ -6141,19 +6153,19 @@ index 1a82e29..94764d1 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) ++') ++ ++optional_policy(` ++ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -857,19 +1046,35 @@ optional_policy(` +@@ -857,19 +1058,35 @@ optional_policy(` ') optional_policy(` @@ -6189,7 +6201,7 @@ index 1a82e29..94764d1 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1082,173 @@ optional_policy(` +@@ -877,65 +1094,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6262,11 +6274,10 @@ index 1a82e29..94764d1 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + 
@@ -6325,10 +6336,11 @@ index 1a82e29..94764d1 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # @@ -6385,7 +6397,7 @@ index 1a82e29..94764d1 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1257,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1269,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6540,7 +6552,7 @@ index 1a82e29..94764d1 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1341,106 @@ optional_policy(` +@@ -1077,172 +1353,106 @@ optional_policy(` ') ') @@ -6562,11 +6574,11 @@ index 1a82e29..94764d1 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6712,7 +6724,8 @@ index 1a82e29..94764d1 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; 
@@ -6738,8 +6751,7 @@ index 1a82e29..94764d1 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6777,7 +6789,7 @@ index 1a82e29..94764d1 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1448,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1460,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6874,7 +6886,7 @@ index 1a82e29..94764d1 100644 ######################################## # -@@ -1315,8 +1523,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1535,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6891,7 +6903,7 @@ index 1a82e29..94764d1 100644 ') ######################################## -@@ -1324,49 +1539,38 @@ optional_policy(` +@@ -1324,49 +1551,38 @@ optional_policy(` # User content local policy # @@ -6956,7 +6968,7 @@ index 1a82e29..94764d1 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1580,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1592,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -8297,6 +8309,18 @@ index d6ceef4..c10d39c 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) +diff --git a/bacula.if b/bacula.if +index dcd774e..c240ffa 100644 +--- a/bacula.if ++++ b/bacula.if +@@ -69,6 +69,7 @@ interface(`bacula_admin',` + type bacula_t, bacula_etc_t, bacula_log_t; + type bacula_spool_t, bacula_var_lib_t; + type bacula_var_run_t, bacula_initrc_exec_t; ++ attribute_role bacula_admin_roles; + ') + + allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te index 3beba2f..7ca4480 100644 
--- a/bacula.te @@ -10337,6 +10361,19 @@ index 581c8ef..2c71b1d 100644 +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/calamaris.if b/calamaris.if +index cd9c528..9de38c4 100644 +--- a/calamaris.if ++++ b/calamaris.if +@@ -42,7 +42,7 @@ interface(`calamaris_run',` + attribute_role calamaris_roles; + ') + +- lightsquid_domtrans($1) ++ clamd_domtrans($1) + roleattribute $2 calamaris_roles; + ') + diff --git a/calamaris.te b/calamaris.te index f4f21d3..de28437 100644 --- a/calamaris.te @@ -13358,10 +13395,10 @@ index 23dc348..c4450f7 100644 /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if -index 3fe3cb8..5fe84a6 100644 +index 3fe3cb8..e979b3d 100644 --- a/condor.if +++ b/condor.if -@@ -1,81 +1,397 @@ +@@ -1,81 +1,396 @@ -## High-Throughput Computing System. + +## policy for condor @@ -13416,13 +13453,13 @@ index 3fe3cb8..5fe84a6 100644 +##
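Review bot: `calamaris_run` now calls `clamd_domtrans($1)`, which transitions the caller into the clamd domain rather than into calamaris; the replaced `lightsquid_domtrans($1)` had the same shape of mistake, so this hunk swaps one wrong domain for another. By refpolicy convention a `*_run` interface calls its own module's domtrans, so the line presumably should be `calamaris_domtrans($1)`, assuming calamaris.if defines it (that definition is outside the hunk). As written, a role granted calamaris_run receives a transition the interface does not document.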
+## +# -+interface(`condor_domtrans',` ++interface(`condor_domtrans_master',` + gen_require(` -+ type condor_t, condor_exec_t; ++ type condor_master_t, condor_master_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, condor_exec_t, condor_t) ++ domtrans_pattern($1, condor_master_exec_t, condor_master_t) +') + +####################################### @@ -13703,7 +13740,7 @@ index 3fe3cb8..5fe84a6 100644 +# +interface(`condor_systemctl',` + gen_require(` -+ type condor_t; ++ type condor_domain; + type condor_unit_file_t; + ') + @@ -13712,10 +13749,9 @@ index 3fe3cb8..5fe84a6 100644 + allow $1 condor_unit_file_t:file read_file_perms; + allow $1 condor_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, condor_t) + ps_process_pattern($1, condor_domain) +') + -+ +####################################### +## +## Read and write condor_startd server TCP sockets. @@ -13730,7 +13766,11 @@ index 3fe3cb8..5fe84a6 100644 + gen_require(` + type condor_startd_t; + ') -+ + +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; + allow $1 condor_startd_t:tcp_socket rw_socket_perms; +') + @@ -13778,12 +13818,8 @@ index 3fe3cb8..5fe84a6 100644 + ') + + allow $1 condor_domain:process { signal_perms }; - ps_process_pattern($1, condor_domain) - -- init_labeled_script_domtrans($1, condor_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 condor_initrc_exec_t system_r; -- allow $2 system_r; ++ ps_process_pattern($1, condor_domain) ++ + init_labeled_script_domtrans($1, condor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 condor_initrc_exec_t system_r; 
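Review bot: In `condor_systemctl` the require block now reads `type condor_domain;`, but condor_domain is used below as `ps_process_pattern($1, condor_domain)` over all condor domains, which indicates it is an attribute rather than a type; if so, the require must be `attribute condor_domain;`, since a type-vs-attribute mismatch is rejected when the module is linked. The same check applies to the condor_admin hunk further down, which also uses condor_domain but whose require block is not shown. condor_domain's declaration lives in condor.te, outside this hunk, so the attribute assumption should be confirmed there.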
@@ -13799,7 +13835,7 @@ index 3fe3cb8..5fe84a6 100644 files_search_var_lib($1) admin_pattern($1, condor_var_lib_t) -@@ -85,4 +401,13 @@ interface(`condor_admin',` +@@ -85,4 +400,13 @@ interface(`condor_admin',` files_search_tmp($1) admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) @@ -19128,7 +19164,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..49bb04b 100644 +index afcf3a2..7574fa1 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19253,7 +19289,7 @@ index afcf3a2..49bb04b 100644 ## ## ## -@@ -103,65 +129,29 @@ template(`dbus_role_template',` +@@ -103,91 +129,82 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -19287,12 +19323,17 @@ index afcf3a2..49bb04b 100644 ## -## Acquire service on DBUS -## session bus. --## ++## Creating connections to specified ++## DBUS sessions. + ## -## --## ++## + ## -## Domain allowed access. --## --## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). + ## + ## -# -interface(`dbus_connect_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') @@ -19304,207 +19345,335 @@ index afcf3a2..49bb04b 100644 -## Acquire service on all DBUS -## session busses. -##
--## --## --## Domain allowed access. --## --## --# + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dbus_connect_all_session_bus',` -- gen_require(` ++interface(`dbus_session_client',` + gen_require(` - attribute session_bus_type; - class dbus acquire_svc; -- ') -- ++ class dbus send_msg; ++ type $1_dbusd_t; + ') + - allow $1 session_bus_type:dbus acquire_svc; --') -- --####################################### --## ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; + ') + + ####################################### + ## -## Acquire service on specified -## DBUS session bus. -+## Creating connections to specified -+## DBUS sessions. ++## Template for creating connections to ++## a user DBUS. ## - ## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## + ## ## -@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',` + ## Domain allowed access. ## ## # -interface(`dbus_connect_spec_session_bus',` -+interface(`dbus_session_client',` ++interface(`dbus_session_bus_client',` gen_require(` -+ class dbus send_msg; - type $1_dbusd_t; +- type $1_dbusd_t; - class dbus acquire_svc; ++ attribute session_bus_type; ++ class dbus send_msg; ') - allow $2 $1_dbusd_t:dbus acquire_svc; -+ allow $2 $1_dbusd_t:fd use; -+ allow $2 { $1_dbusd_t self }:dbus send_msg; -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; ++ # SE-DBus specific permissions ++ allow $1 { session_bus_type self }:dbus send_msg; ++ ++ # For connecting to the bus ++ allow $1 session_bus_type:unix_stream_socket connectto; ++ ++ allow session_bus_type $1:process sigkill; ') - ####################################### +-####################################### ++######################################## ## -## Creating connections to DBUS -## session bus. -+## Template for creating connections to -+## a user DBUS. ++## Send a message the session DBUS. 
## ## ## -@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',` + ## ## # - interface(`dbus_session_bus_client',` +-interface(`dbus_session_bus_client',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') - dbus_all_session_bus_client($1) --') -- ++interface(`dbus_send_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ ++ allow $1 session_bus_type:dbus send_msg; + ') + -####################################### --## ++######################################## + ## -## Creating connections to all -## DBUS session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Read dbus configuration. + ## + ## + ## +@@ -211,57 +231,38 @@ interface(`dbus_session_bus_client',` + ## + ## + # -interface(`dbus_all_session_bus_client',` ++interface(`dbus_read_config',` gen_require(` - attribute session_bus_type, dbusd_session_bus_client; -+ attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ type dbusd_etc_t; ') - typeattribute $1 dbusd_session_bus_client; - -+ # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; +- allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; - - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; --') ++ allow $1 dbusd_etc_t:dir list_dir_perms; ++ allow $1 dbusd_etc_t:file read_file_perms; + ') -####################################### --## ++######################################## + ## -## Creating connections to specified -## DBUS session bus. --## ++## Read system dbus lib files. + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## --## Domain allowed access. --## --## --# + ## + ## + ## Domain allowed access. 
+ ## + ## + # -interface(`dbus_spec_session_bus_client',` -- gen_require(` ++interface(`dbus_read_lib_files',` + gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; -- ') -- ++ type system_dbusd_var_lib_t; + ') + - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; -+ # For connecting to the bus -+ allow $1 session_bus_type:unix_stream_socket connectto; - +- - allow $2 $1_dbusd_t:unix_stream_socket connectto; - allow $2 $1_dbusd_t:fd use; -+ allow session_bus_type $1:process sigkill; ++ files_search_var_lib($1) ++ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') -####################################### +######################################## ## -## Send messages to DBUS session bus. -+## Send a message the session DBUS. ++## Create, read, write, and delete ++## system dbus lib files. ## ## ## -@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +270,19 @@ interface(`dbus_spec_session_bus_client',` + ## ## # - interface(`dbus_send_session_bus',` +-interface(`dbus_send_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') - dbus_send_all_session_bus($1) --') -- ++interface(`dbus_manage_lib_files',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ') + -####################################### --## ++######################################## + ## -## Send messages to all DBUS -## session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to the system DBUS ++## for service (acquire_svc). 
+ ## + ## + ## +@@ -285,44 +290,52 @@ interface(`dbus_send_session_bus',` + ## + ## + # -interface(`dbus_send_all_session_bus',` ++interface(`dbus_connect_session_bus',` gen_require(` attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ class dbus acquire_svc; ') - allow $1 dbus_session_bus_type:dbus send_msg; --') -- ++ allow $1 session_bus_type:dbus acquire_svc; + ') + -####################################### --## ++######################################## + ## -## Send messages to specified -## DBUS session busses. --## ++## Allow a application domain to be started ++## by the session dbus. + ## -## --## ++## + ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). --## --## --## --## ++## User domain prefix to be used. + ## + ## + ## + ## -## Domain allowed access. --## --## --# ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an ++## entry point to this domain. + ## + ## + # -interface(`dbus_send_spec_session_bus',` -- gen_require(` -- type $1_dbusd_t; ++interface(`dbus_session_domain',` + gen_require(` + type $1_dbusd_t; - class dbus send_msg; -- ') -- + ') + - allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1 session_bus_type:dbus send_msg; ++ domtrans_pattern($1_dbusd_t, $2, $3) ++ ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) ') ######################################## ## -## Read dbus configuration content. -+## Read dbus configuration. ++## Connect to the system DBUS ++## for service (acquire_svc). 
## ## ## -@@ -380,69 +281,32 @@ interface(`dbus_manage_lib_files',` +@@ -330,18 +343,18 @@ interface(`dbus_send_spec_session_bus',` + ## + ## + # +-interface(`dbus_read_config',` ++interface(`dbus_connect_system_bus',` + gen_require(` +- type dbusd_etc_t; ++ type system_dbusd_t; ++ class dbus acquire_svc; + ') + +- allow $1 dbusd_etc_t:dir list_dir_perms; +- allow $1 dbusd_etc_t:file read_file_perms; ++ allow $1 system_dbusd_t:dbus acquire_svc; + ') + + ######################################## + ## +-## Read system dbus lib files. ++## Send a message on the system DBUS. + ## + ## + ## +@@ -349,19 +362,18 @@ interface(`dbus_read_config',` + ## + ## + # +-interface(`dbus_read_lib_files',` ++interface(`dbus_send_system_bus',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus send_msg; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus send_msg; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## system dbus lib files. ++## Allow unconfined access to the system DBUS. + ## + ## + ## +@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',` + ## + ## + # +-interface(`dbus_manage_lib_files',` ++interface(`dbus_system_bus_unconfined',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus all_dbus_perms; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus *; + ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). ++## Create a domain for processes ++## which can be started by the system dbus ## -## -## 
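Review bot: The rewritten `dbus_session_bus_client` adds `allow session_bus_type $1:process sigkill;`, which lets every session bus daemon kill any domain that merely becomes a bus client; that reverses the usual trust direction of a client interface and has no comment, so a one-line why-comment at that rule (the reason cannot be inferred from the hunk) would help the next reviewer. The new `dbus_session_domain` takes a user prefix but then calls `dbus_session_bus_client($3)` and `dbus_connect_session_bus($3)`, which grant send_msg and acquire_svc on all session_bus_type domains rather than only `$1_dbusd_t`, so the prefix scopes nothing but the domtrans — if that is intended the interface summary should say so. The summary of `dbus_send_session_bus` reads `Send a message the session DBUS.`; `Send a message to the session DBUS.` is meant.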
@@ -19514,28 +19683,45 @@ index afcf3a2..49bb04b 100644 -## ## ## --## Type to be used as a domain. --## --## --## --## + ## Type to be used as a domain. +@@ -396,81 +402,66 @@ interface(`dbus_manage_lib_files',` + ## + ## + ## -## Type of the program to be used as an -## entry point to this domain. --## --## --# ++## Type of the program to be used as an entry point to this domain. + ## + ## + # -interface(`dbus_session_domain',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') - dbus_all_session_domain($1, $2) --') -- --######################################## --## ++interface(`dbus_system_domain',` ++ gen_require(` ++ attribute system_bus_type; ++ type system_dbusd_t; ++ role system_r; ++ ') ++ typeattribute $1 system_bus_type; ++ ++ domain_type($1) ++ domain_entry_file($1, $2) ++ ++ domtrans_pattern(system_dbusd_t, $2, $1) ++ ++ ps_process_pattern($1, system_dbusd_t) ++ + ') + + ######################################## + ## -## Allow a application domain to be -## started by the specified session bus. --## --## --## ++## Use and inherit system DBUS file descriptors. + ## + ## + ## -## Type to be used as a domain. -## -## 
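Review bot: The new body of `dbus_system_domain` requires `role system_r;` but emits no role statement (the `role system_r types $1;` of the version it replaces is gone), so the requirement is dead unless the role association now comes from `system_bus_type` elsewhere — either drop the require or add `# system_r is associated with system_bus_type in dbus.te` if that is the case. The process-state rule also flipped direction: `ps_process_pattern($1, system_dbusd_t)` lets the activated domain read the bus daemon's process state, whereas the replaced version let the bus daemon read the activated domain's; if the flip is intentional it deserves a comment, and if the old direction is still needed it should be restored. The client and connect rules the old body applied (`dbus_system_bus_client`, `dbus_connect_system_bus`) are likewise no longer applied here, presumably via the attribute, which a comment would make explicit.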
@@ -19548,254 +19734,254 @@ index afcf3a2..49bb04b 100644 ## # -interface(`dbus_all_session_domain',` -+interface(`dbus_connect_session_bus',` ++interface(`dbus_use_system_bus_fds',` gen_require(` - type session_bus_type; -+ attribute session_bus_type; -+ class dbus acquire_svc; ++ type system_dbusd_t; ') - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -+ allow $1 session_bus_type:dbus acquire_svc; ++ allow $1 system_dbusd_t:fd use; ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Allow a application domain to be started -+## by the session dbus. ++## Allow unconfined access to the system DBUS. ## -## -+## - ## +-## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -+## User domain prefix to be used. - ## - ## +-## +-## ## -@@ -457,20 +321,21 @@ interface(`dbus_all_session_domain',` + ## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. ++## Domain allowed access. ## ## # -interface(`dbus_spec_session_domain',` -+interface(`dbus_session_domain',` ++interface(`dbus_unconfined',` gen_require(` - type $1_dbusd_t; +- type $1_dbusd_t; ++ attribute dbusd_unconfined; ') - domtrans_pattern($1_dbusd_t, $2, $3) - +- domtrans_pattern($1_dbusd_t, $2, $3) +- - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -+ dbus_session_bus_client($3) -+ dbus_connect_session_bus($3) ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Acquire service on the DBUS system bus. -+## Connect to the system DBUS -+## for service (acquire_svc). 
++## Delete all dbus pid files ## ## ## -@@ -489,7 +354,7 @@ interface(`dbus_connect_system_bus',` +@@ -478,18 +469,18 @@ interface(`dbus_spec_session_domain',` + ## + ## + # +-interface(`dbus_connect_system_bus',` ++interface(`dbus_delete_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus acquire_svc; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus acquire_svc; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Send messages to the DBUS system bus. -+## Send a message on the system DBUS. ++## Read all dbus pid files ## ## ## -@@ -508,7 +373,7 @@ interface(`dbus_send_system_bus',` +@@ -497,98 +488,80 @@ interface(`dbus_connect_system_bus',` + ## + ## + # +-interface(`dbus_send_system_bus',` ++interface(`dbus_read_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus send_msg; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus send_msg; ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Unconfined access to DBUS system bus. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -527,8 +392,8 @@ interface(`dbus_system_bus_unconfined',` +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dbus_system_bus_unconfined',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` + gen_require(` +- type system_dbusd_t; +- class dbus all_dbus_perms; ++ attribute session_bus_type; + ') + +- allow $1 system_dbusd_t:dbus *; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; + ') ######################################## ## -## Create a domain for processes which -## can be started by the DBUS system bus. 
-+## Create a domain for processes -+## which can be started by the system dbus ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -543,33 +408,24 @@ interface(`dbus_system_bus_unconfined',` +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an entry point to this domain. ++## Domain to not audit. + ## + ## # - interface(`dbus_system_domain',` +-interface(`dbus_system_domain',` ++interface(`dbus_stream_connect_session_bus',` gen_require(` -+ attribute system_bus_type; - type system_dbusd_t; - role system_r; +- type system_dbusd_t; +- role system_r; ++ attribute session_bus_type; ') -+ typeattribute $1 system_bus_type; - - domain_type($1) - domain_entry_file($1, $2) +- domain_type($1) +- domain_entry_file($1, $2) +- - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - +- domtrans_pattern(system_dbusd_t, $2, $1) +- - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -+ ps_process_pattern($1, system_dbusd_t) - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') ++ allow $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Use and inherit system DBUS file descriptors. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## -@@ -587,26 +443,25 @@ interface(`dbus_use_system_bus_fds',` +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dbus_use_system_bus_fds',` ++interface(`dbus_chat_session_bus',` + gen_require(` +- type system_dbusd_t; ++ attribute session_bus_type; ++ class dbus send_msg; + ') + +- allow $1 system_dbusd_t:fd use; ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; + ') ######################################## ## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -596,28 +569,32 @@ interface(`dbus_use_system_bus_fds',` ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; -+ attribute dbusd_unconfined; ++ attribute session_bus_type; ++ class dbus send_msg; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## ## -## Unconfined access to DBUS. -+## Delete all dbus pid files ++## Do not audit attempts to send dbus ++## messages to system bus types. ## ## ## -@@ -614,10 +469,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`dbus_unconfined',` -+interface(`dbus_delete_pid_files',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - attribute dbusd_unconfined; -+ type system_dbusd_var_run_t; ++ attribute system_bus_type; ++ class dbus send_msg; ') - typeattribute $1 dbusd_unconfined; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Read all dbus pid files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dbus_read_pid_files',` -+ gen_require(` -+ type system_dbusd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to system bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_system_bus',` -+ gen_require(` -+ attribute system_bus_type; -+ class dbus send_msg; -+ ') -+ + dontaudit $1 system_bus_type:dbus send_msg; + dontaudit system_bus_type $1:dbus send_msg; ') @@ -25409,7 +25595,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index 5cf6ac6..0fc685b 100644 +index 5cf6ac6..1893f7f 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,6 +2,66 @@ 
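Review bot: Two of the new interfaces document the opposite of what they grant: `dbus_stream_connect_session_bus` is an allow rule yet its parameter is described as `Domain to not audit.`, and `dbus_chat_session_bus` (two allow send_msg rules, one in each direction) carries the summary `Do not audit attempts to send dbus messages to session bus types.` with the same parameter text. The summaries should read along the lines of `Connect to session bus types with a unix stream socket.` and `Send and receive dbus messages to and from session bus types.`, with `Domain allowed access.` as the parameter description, so that a policy writer choosing between the allow and dontaudit variants is not misled into granting access while believing it only silences denials.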
@@ -25509,7 +25695,12 @@ index 5cf6ac6..0fc685b 100644 ## ## ## -@@ -45,10 +124,14 @@ interface(`firewalld_admin',` +@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',` + interface(`firewalld_admin',` + gen_require(` + type firewalld_t, firewalld_initrc_exec_t; +- type firewall_etc_rw_t, firewalld_var_run_t; ++ type firewalld_etc_rw_t, firewalld_var_run_t; type firewalld_var_log_t; ') @@ -25531,7 +25722,8 @@ index 5cf6ac6..0fc685b 100644 admin_pattern($1, firewalld_var_log_t) - files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) +- admin_pattern($1, firewall_etc_rw_t) ++ admin_pattern($1, firewalld_etc_rw_t) + + admin_pattern($1, firewalld_unit_file_t) + firewalld_systemctl($1) @@ -36711,7 +36903,7 @@ index d5d1572..82267a7 100644 /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if -index 73e2803..2fc7570 100644 +index 73e2803..34ca3aa 100644 --- a/l2tp.if +++ b/l2tp.if @@ -1,9 +1,45 @@ @@ -36915,7 +37107,7 @@ index 73e2803..2fc7570 100644 ## ## ## -@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` +@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',` ## ## # @@ -36923,8 +37115,7 @@ index 73e2803..2fc7570 100644 +interface(`l2tpd_admin',` gen_require(` type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; -- type l2tp_conf_t, l2tpd_tmp_t; -+ type l2tp_etc_t, l2tpd_tmp_t; + type l2tp_conf_t, l2tpd_tmp_t; ') - allow $1 l2tpd_t:process { ptrace signal_perms }; @@ -36940,13 +37131,6 @@ index 73e2803..2fc7570 100644 domain_system_change_exemption($1) role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; - - files_search_etc($1) -- admin_pattern($1, l2tp_conf_t) -+ admin_pattern($1, l2tp_etc_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te index 19f2b97..bbbda10 100644 --- a/l2tp.te @@ -37921,10 +38105,10 @@ index dd8e01a..9cd6b0b 100644 ## ## 
diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..5773c24 100644 +index 7bab8e5..f8c5464 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -1,20 +1,18 @@ +@@ -1,20 +1,26 @@ -policy_module(logrotate, 1.14.5) +policy_module(logrotate, 1.14.0) @@ -37935,7 +38119,14 @@ index 7bab8e5..5773c24 100644 -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; -- ++## ++##

++## Allow logrotate to manage nfs files ++##

++##
++gen_tunable(logrotate_use_nfs, false) ++ + type logrotate_t; -type logrotate_exec_t; domain_type(logrotate_t) @@ -37949,7 +38140,7 @@ index 7bab8e5..5773c24 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -37983,7 +38174,7 @@ index 7bab8e5..5773c24 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive }; +@@ -48,79 +60,99 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -38089,7 +38280,11 @@ index 7bab8e5..5773c24 100644 +userdom_dontaudit_getattr_user_home_content(logrotate_t) -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -- ++tunable_policy(`logrotate_use_nfs',` ++ fs_read_nfs_files(logrotate_t) ++ fs_read_nfs_symlinks(logrotate_t) ++') + -ifdef(`distro_debian',` +ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file relabel_file_perms; @@ -38105,7 +38300,7 @@ index 7bab8e5..5773c24 100644 ') optional_policy(` -@@ -135,16 +154,17 @@ optional_policy(` +@@ -135,16 +167,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -38125,7 +38320,7 @@ index 7bab8e5..5773c24 100644 ') optional_policy(` -@@ -170,6 +190,10 @@ optional_policy(` +@@ -170,6 +203,10 @@ optional_policy(` ') optional_policy(` @@ -38136,7 +38331,7 @@ index 7bab8e5..5773c24 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +202,7 @@ optional_policy(` +@@ -178,7 +215,7 @@ optional_policy(` ') optional_policy(` @@ -38145,7 +38340,7 @@ index 7bab8e5..5773c24 100644 ') optional_policy(` -@@ -198,21 +222,26 @@ optional_policy(` +@@ -198,21 +235,26 @@ optional_policy(` ') optional_policy(` 
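Review bot: The `logrotate_use_nfs` tunable is documented as `Allow logrotate to manage nfs files`, but the `tunable_policy` block added in the `@@ -38089` hunk only grants `fs_read_nfs_files(logrotate_t)` and `fs_read_nfs_symlinks(logrotate_t)`; rotating a log renames, creates and deletes files, so with read-only access a log directory on NFS still fails and the denials will be filed under a boolean that claims to permit it. Either the description should say "read" or the block should call the manage interfaces (`fs_manage_nfs_dirs`, `fs_manage_nfs_files`) — the summary and the rules should agree. The description lives in this hunk and the rules in `@@ -38089`, so both need to be looked at together.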
@@ -38176,7 +38371,7 @@ index 7bab8e5..5773c24 100644 ') optional_policy(` -@@ -228,10 +257,21 @@ optional_policy(` +@@ -228,10 +270,21 @@ optional_policy(` ') optional_policy(` @@ -38198,7 +38393,7 @@ index 7bab8e5..5773c24 100644 su_exec(logrotate_t) ') -@@ -241,13 +281,11 @@ optional_policy(` +@@ -241,13 +294,11 @@ optional_policy(` ####################################### # @@ -57947,17 +58142,19 @@ index 3ad10b5..49baca5 100644 diff --git a/pcp.fc b/pcp.fc new file mode 100644 -index 0000000..59d23a4 +index 0000000..ceecf91 --- /dev/null +++ b/pcp.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/pmwie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) + ++/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++ +/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) +/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) +/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) @@ -57970,7 +58167,7 @@ index 0000000..59d23a4 +/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) + +/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0) -+ ++/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 index 0000000..9ca6d26 @@ -58059,10 +58256,10 @@ index 0000000..9ca6d26 +') 
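Review bot: The new file context `/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)` uses the regular-file specifier `--`; pmcd.socket is a unix socket, so relabeling will not apply this entry and the object keeps whatever the directory default gives it. Sockets elsewhere in this series use `-s` (see the `/var/run/prol2tpd\.ctl -s` entry in l2tp.fc), so the line should read `/var/run/pmcd\.socket -s gen_context(system_u:object_r:pcp_var_run_t,s0)`. The `files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file })` added in pcp.te covers creation at runtime, but the fc entry is what a relabel relies on.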
diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..51d765d +index 0000000..6493b00 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,135 @@ +@@ -0,0 +1,150 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -58100,6 +58297,9 @@ index 0000000..51d765d +# + +allow pcp_domain self:capability { setuid setgid dac_override }; ++allow pcp_domain self:process signal_perms; ++allow pcp_domain self:tcp_socket create_stream_socket_perms; ++allow pcp_domain self:udp_socket create_socket_perms; + +manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) +manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) @@ -58113,7 +58313,7 @@ index 0000000..51d765d +manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) +manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) -+files_pid_filetrans(pcp_domain, pcp_var_run_t, { file }) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file sock_file }) + +manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) +manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) @@ -58125,6 +58325,8 @@ index 0000000..51d765d + +dev_read_urand(pcp_domain) + ++fs_getattr_all_fs(pcp_domain) ++ +auth_read_passwd(pcp_domain) + +miscfiles_read_generic_certs(pcp_domain) 
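Review bot: Moving `self:tcp_socket create_stream_socket_perms` and `self:udp_socket create_socket_perms` onto the shared pcp_domain attribute grants socket creation, and through `create_stream_socket_perms` also listen, to every domain carrying the attribute; judging by the per-domain rules removed in the later hunks only pmcd, pmproxy and pmwebd listened before, so if pmie and pmlogger carry the attribute they gain the ability to accept connections here. If only those three are network services, keeping the listen-capable rule per domain — or a comment such as `# every pcp daemon exposes a TCP service`, if that is the case — would keep the attribute's grants minimal. `fs_getattr_all_fs(pcp_domain)` added at the end of this section is repeated for pcp_pmcd_t in a later hunk, which is redundant if pcp_pmcd_t carries the attribute.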
@@ -58136,16 +58338,15 @@ index 0000000..51d765d +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:process { setsched signal }; ++allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; -+allow pcp_pmcd_t self:tcp_socket create_socket_perms; -+allow pcp_pmcd_t self:tcp_socket listen; -+allow pcp_pmcd_t self:udp_socket create_socket_perms; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;; + -+kernel_read_system_state(pcp_pmcd_t) +kernel_read_network_state(pcp_pmcd_t) ++kernel_read_system_state(pcp_pmcd_t) +kernel_read_state(pcp_pmcd_t) ++kernel_read_fs_sysctls(pcp_pmcd_t) ++kernel_read_rpc_sysctls(pcp_pmcd_t) + +corecmd_exec_bin(pcp_pmcd_t) + @@ -58153,6 +58354,17 @@ index 0000000..51d765d + +domain_read_all_domains_state(pcp_pmcd_t) + ++dev_getattr_all_blk_files(pcp_pmcd_t) ++dev_getattr_all_chr_files(pcp_pmcd_t) ++dev_read_sysfs(pcp_pmcd_t) ++dev_read_urand(pcp_pmcd_t) ++ ++fs_getattr_all_fs(pcp_pmcd_t) ++fs_getattr_all_dirs(pcp_pmcd_t) ++fs_list_cgroup_dirs(pcp_pmcd_t) ++ ++storage_getattr_fixed_disk_dev(pcp_pmcd_t) ++ +auth_use_nsswitch(pcp_pmcd_t) + +optional_policy(` @@ -58169,10 +58381,7 @@ index 0000000..51d765d +# + +allow pcp_pmproxy_t self:process setsched; -+allow pcp_pmproxy_t self:tcp_socket listen; +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; -+allow pcp_pmproxy_t self:tcp_socket create_socket_perms; -+allow pcp_pmproxy_t self:udp_socket create_socket_perms; + +auth_use_nsswitch(pcp_pmproxy_t) + @@ -58181,9 +58390,6 @@ index 0000000..51d765d +# pcp_pmwebd local policy +# + -+allow pcp_pmwebd_t self:tcp_socket listen; -+allow pcp_pmwebd_t self:tcp_socket create_socket_perms; -+ +corenet_tcp_bind_generic_node(pcp_pmwebd_t) + +######################################## 
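Review bot: `dev_read_urand(pcp_pmcd_t)` in the `@@ -58153` hunk duplicates the `dev_read_urand(pcp_domain)` already present in the pcp_domain section, and `fs_getattr_all_fs(pcp_pmcd_t)` duplicates the attribute-level rule added in `@@ -58125` — if pcp_pmcd_t carries the pcp_domain attribute both lines are redundant and the per-daemon section should hold only what pmcd alone needs. The block of `dev_getattr_all_blk_files`, `dev_getattr_all_chr_files`, `fs_getattr_all_dirs`, `fs_list_cgroup_dirs` and `storage_getattr_fixed_disk_dev` grants host-wide metadata access and has no comment; a line such as `# metric collection needs getattr on all disks, filesystems and cgroups`, if that is the reason, would tell the next reader why. The context line `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;` still carries a doubled semicolon this hunk could have tidied.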
@@ -58191,10 +58397,16 @@ index 0000000..51d765d +# pcp_pmmgr local policy +# + -+allow pcp_pmmgr_t self:process { setpgid signal signull }; ++allow pcp_pmmgr_t self:process { setpgid }; ++ ++allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto; + +kernel_read_system_state(pcp_pmmgr_t) + ++corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t) ++ ++corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t) ++ +corecmd_exec_bin(pcp_pmmgr_t) + +auth_use_nsswitch(pcp_pmmgr_t) @@ -58264,10 +58476,10 @@ index 96db654..6d3feb9 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..fabf59e 100644 +index dfd46e4..d40433a 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,30 @@ +@@ -1,15 +1,32 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
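Review bot: `corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)` lets pmmgr open a TCP connection to any ephemeral port, which in practice reaches most dynamically bound services on the host; if pmmgr only needs to reach pcp daemons (it is also given `connectto` on pcp_pmcd_t's unix stream socket here), a port-specific interface would be tighter, and if the broad rule is required a comment naming the peers pmmgr connects to would justify it. `corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)` relies on the dey_sapi port this commit adds to corenetwork, so the pcp module now depends on that base update landing first, which is worth a note next to the rule.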
@@ -58276,23 +58488,25 @@ index dfd46e4..fabf59e 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+ -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/run/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0) ++ ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) + +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) @@ -58407,7 +58621,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..fb427b9 100644 +index 7bcf327..a8401a8 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -58431,7 +58645,7 @@ index 7bcf327..fb427b9 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,297 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,304 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -58454,6 +58668,9 @@ index 7bcf327..fb427b9 100644 +type pegasus_openlmi_storage_lib_t; +files_type(pegasus_openlmi_storage_lib_t) + ++type pegasus_openlmi_storage_var_run_t; ++files_pid_file(pegasus_openlmi_storage_var_run_t) ++ +pegasus_openlmi_domain_template(system) +typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; +pegasus_openlmi_domain_template(unconfined) 
@@ -58647,6 +58864,10 @@ index 7bcf327..fb427b9 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) + ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") ++ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_request_load_module(pegasus_openlmi_storage_t) @@ -58734,7 +58955,7 @@ index 7bcf327..fb427b9 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -58765,7 +58986,7 @@ index 7bcf327..fb427b9 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -58798,7 +59019,7 @@ index 7bcf327..fb427b9 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -58810,7 +59031,7 @@ index 7bcf327..fb427b9 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58828,14 +59049,14 @@ index 7bcf327..fb427b9 100644 - dbus_connect_system_bus(pegasus_t) + dmidecode_domtrans(pegasus_t) +') -+ -+optional_policy(` -+ dbus_system_bus_client(pegasus_t) -+ dbus_connect_system_bus(pegasus_t) - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++optional_policy(` ++ dbus_system_bus_client(pegasus_t) ++ dbus_connect_system_bus(pegasus_t) ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') @@ -58846,7 +59067,7 @@ index 7bcf327..fb427b9 100644 ') optional_policy(` -@@ -151,16 +434,24 @@ optional_policy(` +@@ -151,16 +441,24 @@ optional_policy(` ') optional_policy(` @@ -58875,7 +59096,7 @@ index 7bcf327..fb427b9 100644 ') optional_policy(` -@@ -168,7 +459,7 @@ optional_policy(` +@@ -168,7 +466,7 @@ optional_policy(` ') optional_policy(` @@ -76497,21 +76718,23 @@ index 3f32e4b..f97ea42 100644 diff --git a/rhnsd.fc b/rhnsd.fc new file mode 100644 -index 0000000..1936028 +index 0000000..88fe240 --- /dev/null +++ b/rhnsd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/rhnsd.* -- gen_context(system_u:object_r:rhnsd_unit_file_t,s0) ++ +/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0) + +/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0) diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..88087b7 +index 0000000..335573a --- /dev/null +++ b/rhnsd.if -@@ -0,0 +1,74 @@ +@@ -0,0 +1,98 @@ +## policy for rhnsd + +######################################## 
@@ -76553,6 +76776,30 @@ index 0000000..88087b7 + +######################################## +## ++## Execute rhnsd server in the rhnsd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhnsd_systemctl',` ++ gen_require(` ++ type rhnsd_t; ++ type rhnsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rhnsd_unit_file_t:file read_file_perms; ++ allow $1 rhnsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rhnsd_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an rhnsd environment +## @@ -76588,10 +76835,10 @@ index 0000000..88087b7 +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..0e965c3 +index 0000000..be2e57e --- /dev/null +++ b/rhnsd.te -@@ -0,0 +1,40 @@ +@@ -0,0 +1,43 @@ +policy_module(rhnsd, 1.0.0) + +######################################## @@ -76609,6 +76856,9 @@ index 0000000..0e965c3 +type rhnsd_initrc_exec_t; +init_script_file(rhnsd_initrc_exec_t) + ++type rhnsd_unit_file_t; ++systemd_unit_file(rhnsd_unit_file_t) ++ +######################################## +# +# rhnsd local policy @@ -86274,7 +86524,7 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..b8b6cf4 100644 +index 49b12ae..0f1e101 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ 
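Review bot: The summary of the new `rhnsd_systemctl` interface reads `## Execute rhnsd server in the rhnsd domain.`, which is the wording of a domain-transition interface and does not describe what this one grants: the caller runs systemctl in its own domain and receives `manage_service_perms` on rhnsd_unit_file_t, i.e. start/stop/reload of the unit. Suggest `## Execute systemctl in the caller domain to manage the rhnsd unit (start, stop, status).` and a parameter description of `Domain allowed access.` instead of `Domain allowed to transition.`. Whether `rhnsd_admin`, whose body begins after this hunk, calls `rhnsd_systemctl` is not visible here; if it does not, administrators gain no unit management from this change.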
@@ -86347,7 +86597,14 @@ index 49b12ae..b8b6cf4 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t) +@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) + kernel_dontaudit_list_all_proc(setroubleshootd_t) + kernel_read_irq_sysctls(setroubleshootd_t) ++kernel_read_rpc_sysctls(setroubleshootd_t) + kernel_read_unlabeled_state(setroubleshootd_t) + + corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) @@ -86365,7 +86622,7 @@ index 49b12ae..b8b6cf4 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -86377,7 +86634,7 @@ index 49b12ae..b8b6cf4 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -101,33 +108,32 @@ selinux_read_policy(setroubleshootd_t) +@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t) term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) @@ -86418,7 +86675,7 @@ index 49b12ae..b8b6cf4 100644 ') optional_policy(` -@@ -135,10 +141,18 @@ optional_policy(` +@@ -135,10 +142,18 @@ optional_policy(` ') optional_policy(` @@ -86437,7 +86694,7 @@ index 49b12ae..b8b6cf4 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,26 +162,36 @@ optional_policy(` +@@ -148,26 +163,36 @@ optional_policy(` ######################################## # 
@@ -86476,7 +86733,7 @@ index 49b12ae..b8b6cf4 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -87199,9 +87456,18 @@ index 7880d1f..8804935 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te -index ba26427..83d21aa 100644 +index ba26427..8417705 100644 --- a/slocate.te +++ b/slocate.te +@@ -18,7 +18,7 @@ files_type(locate_var_lib_t) + # + + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack signal }; ++allow locate_t self:process { execmem execheap execstack signal setsched }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; + @@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) @@ -94047,10 +94313,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..81e8be9 +index 0000000..bb3e477 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,155 @@ +@@ -0,0 +1,156 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -94171,8 +94437,9 @@ index 0000000..81e8be9 + +optional_policy(` + dbus_exec_dbusd(thumb_t) -+ dbus_dontaudit_stream_connect_session_bus(thumb_t) -+ dbus_dontaudit_chat_session_bus(thumb_t) ++ dbus_connect_session_bus(thumb_t) ++ dbus_stream_connect_session_bus(thumb_t) ++ dbus_chat_session_bus(thumb_t) +') + +optional_policy(` @@ -95108,7 +95375,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..177ecd6 100644 +index 7116181..d25d643 100644 --- a/tuned.te +++ b/tuned.te 
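Review bot: The added `setsched` in `allow locate_t self:process { execmem execheap execstack signal setsched };` covers the renice call named in the changelog only when updatedb lowers its own priority; raising priority would additionally need `sys_nice` in the capability set on the preceding line, so the intent is worth pinning with a comment such as `# updatedb cron job renices itself (setsched)`. The pre-existing `execmem execheap execstack` triple on a file-indexing domain is unusually permissive and nothing in the hunk explains it; it is context rather than part of this change, but a why-comment would help whoever next audits this domain.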
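Review bot: Replacing `dbus_dontaudit_stream_connect_session_bus`/`dbus_dontaudit_chat_session_bus` with `dbus_connect_session_bus`, `dbus_stream_connect_session_bus` and `dbus_chat_session_bus` turns a silenced denial into a grant: thumb_t exists to confine parsers of untrusted files, and after this change a compromised thumbnailer can exchange messages with any session-bus domain, which widens its reachable surface considerably. The hunk does not say which thumbnailer needs the bus or for what; a comment above the block recording that (`# TODO(review): name the thumbnailer and the bus service it needs`) and, if it is a single service, its per-service `*_dbus_chat(thumb_t)` interface instead of the blanket chat would keep the confinement meaningful. The `dbus_chat_session_bus` interface itself is added elsewhere in this commit, so its exact scope cannot be checked from this hunk.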
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -95171,7 +95438,7 @@ index 7116181..177ecd6 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -95195,6 +95462,7 @@ index 7116181..177ecd6 100644 logging_send_syslog_msg(tuned_t) +#bug in tuned +logging_manage_syslog_config(tuned_t) ++logging_filetrans_named_conf(tuned_t) + +mount_read_pid_files(tuned_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 13d6c68..843f956 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 122%{?dist} +Release: 123%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
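Review bot: `logging_filetrans_named_conf(tuned_t)` extends the `#bug in tuned` workaround (the `logging_manage_syslog_config(tuned_t)` context line) so tuned can now create a correctly labelled syslog config file, yet neither line records which bug is being worked around or when the access should go; write access to the syslog configuration from a tuning daemon is a log-integrity concern that should not outlive the bug. Suggest replacing the comment with `# workaround: tuned creates syslog.conf (bug <TRACKER-ID>); drop both lines once fixed`. The tuned_t block continues outside the hunk, and the spec-file hunks that follow on this line are a release bump and need no review.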
@@ -579,6 +579,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jan 31 2014 Miroslav Grepl 3.12.1-123 +- Turn on bacula, rhnsd policy +- Add support for rhnsd unit file +- Add dbus_chat_session_bus() interface +- Add dbus_stream_connect_session_bus() interface +- Fix logrotate_use_nfs boolean +- Add lot of pcp fixes found in RHEL7 +- fix labeling for pmie for pcp pkg +- Change thumb_t to be allowed to chat/connect with session bus type +- Allow call renice in mlocate +- Add logrotate_use_nfs boolean +- Allow setroubleshootd to read rpc sysctl +- Fixes for *_admin interfaces +- Add pegasus_openlmi_storage_var_run_t type def +- Add support for /var/run/openlmi-storage +- Allow tuned to create syslog.conf with correct labeling +- Add httpd_dontaudit_search_dirs boolean +- Add support for winbind.service +- ALlow also fail2ban-client to read apache logs +- Allow vmtools to getattr on all fs +- Add support for dey_sapi port +- Add logging_filetrans_named_conf() +- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring + * Tue Jan 28 2014 Miroslav Grepl 3.12.1-122 - Update snapper policy - Allow domains to append rkhunter lib files