diff --git a/modules-targeted.conf b/modules-targeted.conf index a26ebe1..d9d1f2c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2522,3 +2522,10 @@ jockey = module # numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology # numad = module + +# Layer: services +# Module: condor +# +# policy for condor +# +condor = module diff --git a/permissivedomains.pp b/permissivedomains.pp index d30be32..0b07d35 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/permissivedomains.te b/permissivedomains.te index 3f7b35a..7e7f75c 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -119,3 +119,20 @@ optional_policy(` permissive numad_t; ') + +optional_policy(` + gen_require(` + type condor_collector_t; + type condor_negotiator_t; + type condor_startd_t; + type condor_schedd_t; + type condor_procd_t; + type condor_master_t; + ') + permissive condor_collector_t; + permissive condor_negotiator_t; + permissive condor_schedd_t; + permissive condor_startd_t; + permissive condor_procd_t; + permissive condor_master_t; +') diff --git a/policy-F16.patch b/policy-F16.patch index 2bcd13f..8e93f9c 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -58629,11 +58629,15 @@ index 057abb0..c75e9e9 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te -index e81bdbd..dd1522d 100644 +index e81bdbd..c3328eb 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te -@@ -26,10 +26,8 @@ libs_domtrans_ldconfig(anaconda_t) +@@ -22,14 +22,10 @@ kernel_domtrans_to(anaconda_t, anaconda_exec_t) + init_domtrans_script(anaconda_t) + +-libs_domtrans_ldconfig(anaconda_t) +- logging_send_syslog_msg(anaconda_t) -modutils_domtrans_insmod(anaconda_t) 
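Review bot: The new condor optional_policy block in permissivedomains.te marks six condor_* domains permissive without recording why, or what has to happen before the entry is removed, so denials in those domains are logged but never enforced for as long as the block survives. A one-line comment above the block, e.g. `# condor: permissive while the module added to modules-targeted.conf in this commit is being stabilised; remove once its denials are triaged`, keeps that decision auditable. Minor style point: the permissive lines list condor_schedd_t before condor_startd_t while the gen_require lists them the other way round; matching the order makes later diffs easier to read.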
@@ -58644,7 +58648,7 @@ index e81bdbd..dd1522d 100644 userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -@@ -38,6 +36,10 @@ optional_policy(` +@@ -38,6 +34,10 @@ optional_policy(` ') optional_policy(` @@ -58655,7 +58659,7 @@ index e81bdbd..dd1522d 100644 rpm_domtrans(anaconda_t) rpm_domtrans_script(anaconda_t) ') -@@ -51,7 +53,7 @@ optional_policy(` +@@ -51,7 +51,7 @@ optional_policy(` ') optional_policy(` @@ -61152,7 +61156,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..b9c7b11 100644 +index 47a8f7d..a609a22 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -61235,7 +61239,7 @@ index 47a8f7d..b9c7b11 100644 domain_use_interactive_fds(rpm_t) domain_dontaudit_getattr_all_pipes(rpm_t) domain_dontaudit_getattr_all_tcp_sockets(rpm_t) -@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -173,23 +192,26 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -61249,7 +61253,7 @@ index 47a8f7d..b9c7b11 100644 libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -185,11 +206,13 @@ libs_domtrans_ldconfig(rpm_t) +-libs_domtrans_ldconfig(rpm_t) logging_send_syslog_msg(rpm_t) @@ -61264,7 +61268,7 @@ index 47a8f7d..b9c7b11 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -207,6 +230,7 @@ optional_policy(` +@@ -207,6 +229,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -61272,7 +61276,7 @@ index 47a8f7d..b9c7b11 100644 ') optional_policy(` -@@ -214,7 +238,7 @@ optional_policy(` +@@ -214,7 +237,7 @@ optional_policy(` ') optional_policy(` 
@@ -61281,7 +61285,7 @@ index 47a8f7d..b9c7b11 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -225,7 +249,8 @@ optional_policy(` +@@ -225,7 +248,8 @@ optional_policy(` # rpm-script Local policy # @@ -61291,7 +61295,7 @@ index 47a8f7d..b9c7b11 100644 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; -@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -257,12 +281,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -61310,7 +61314,7 @@ index 47a8f7d..b9c7b11 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -282,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t) +@@ -282,7 +312,6 @@ fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) mcs_killall(rpm_script_t) @@ -61318,7 +61322,7 @@ index 47a8f7d..b9c7b11 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -299,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -299,19 +328,20 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -61343,7 +61347,12 @@ index 47a8f7d..b9c7b11 100644 domain_use_interactive_fds(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) -@@ -331,23 +362,24 @@ libs_domtrans_ldconfig(rpm_script_t) +@@ -326,28 +356,28 @@ init_telinit(rpm_script_t) + + libs_exec_ld_so(rpm_script_t) + libs_exec_lib_files(rpm_script_t) +-libs_domtrans_ldconfig(rpm_script_t) + logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) 
@@ -61372,7 +61381,7 @@ index 47a8f7d..b9c7b11 100644 allow rpm_script_t self:process execmem; ') -@@ -356,6 +388,10 @@ optional_policy(` +@@ -356,6 +386,10 @@ optional_policy(` ') optional_policy(` @@ -61383,7 +61392,7 @@ index 47a8f7d..b9c7b11 100644 dbus_system_bus_client(rpm_script_t) ') -@@ -368,6 +404,11 @@ optional_policy(` +@@ -368,6 +402,11 @@ optional_policy(` ') optional_policy(` @@ -61395,7 +61404,7 @@ index 47a8f7d..b9c7b11 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,7 +418,7 @@ optional_policy(` +@@ -377,7 +416,7 @@ optional_policy(` ') optional_policy(` @@ -63184,7 +63193,7 @@ index 0000000..efebae7 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..6f05817 +index 0000000..27363a4 --- /dev/null +++ b/policy/modules/apps/chrome.te @@ -0,0 +1,183 @@ @@ -63365,7 +63374,7 @@ index 0000000..6f05817 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) ++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) + +optional_policy(` + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) @@ -71509,7 +71518,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..d0282f6 100644 +index 3fae11a..73fd79f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
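Review bot: In the chrome.te section (hunk `@@ -63365,7 +63374,7 @@`) the line for chrome_sandbox_nacl_t changes from userdom_read_inherited_user_tmp_files to `userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)`, widening the NaCl sandbox domain from read to read/write on inherited user tmp files, and nothing records which denial motivated it. The "inherited" qualifier presumably limits this to descriptors handed in from the user session, which bounds the exposure, but a comment naming the use case, e.g. `# nacl helper writes back through tmp file descriptors inherited from the browser process`, would let the next reviewer judge whether the widening is still needed.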
@@ -71524,7 +71533,15 @@ index 3fae11a..d0282f6 100644 /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -71,6 +72,13 @@ ifdef(`distro_redhat',` +@@ -46,6 +47,7 @@ ifdef(`distro_redhat',` + /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) + + /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -71,6 +73,13 @@ ifdef(`distro_redhat',` /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -71538,7 +71555,7 @@ index 3fae11a..d0282f6 100644 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -97,8 +105,6 @@ ifdef(`distro_redhat',` +@@ -97,8 +106,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -71547,7 +71564,7 @@ index 3fae11a..d0282f6 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,18 +136,14 @@ ifdef(`distro_debian',` +@@ -130,18 +137,14 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
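Review bot: The new `/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0)` entry in the corecommands.fc hunk labels every /etc/auto.* file as bin_t, which also catches plain autofs map files such as auto.master or auto.misc where they exist, not only the executable program maps (auto.net and auto.smb, as far as I know). If labelling the map files as executables is the intent, a short comment above the entry saying so would stop someone narrowing it later; otherwise list the executable maps explicitly instead of the wildcard.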
@@ -71568,7 +71585,7 @@ index 3fae11a..d0282f6 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -152,7 +154,7 @@ ifdef(`distro_gentoo',` +@@ -152,7 +155,7 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -71577,7 +71594,7 @@ index 3fae11a..d0282f6 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +170,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +171,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -71585,7 +71602,7 @@ index 3fae11a..d0282f6 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,67 +182,93 @@ ifdef(`distro_gentoo',` +@@ -179,67 +183,93 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -71724,7 +71741,7 @@ index 3fae11a..d0282f6 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,11 +276,18 @@ ifdef(`distro_gentoo',` +@@ -247,11 +277,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -71744,7 +71761,7 @@ index 3fae11a..d0282f6 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +303,10 @@ ifdef(`distro_gentoo',` +@@ -267,6 +304,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -71755,7 +71772,7 @@ index 3fae11a..d0282f6 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,15 +326,19 @@ ifdef(`distro_gentoo',` +@@ -286,15 +327,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -71776,7 +71793,7 @@ index 3fae11a..d0282f6 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +350,12 @@ ifdef(`distro_redhat', ` +@@ -306,10 +351,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -71787,11 +71804,11 @@ index 3fae11a..d0282f6 100644 -/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/tuned/powersave/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/tuned/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +365,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +366,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -71803,7 +71820,7 @@ index 3fae11a..d0282f6 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,20 +411,21 @@ ifdef(`distro_redhat', ` +@@ -363,20 +412,21 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -71829,7 +71846,7 @@ index 3fae11a..d0282f6 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +434,13 @@ ifdef(`distro_suse', ` +@@ -385,3 +435,13 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -73372,7 +73389,7 @@ index 4f3b542..63f4e1c 100644 + dev_filetrans($1, ppp_device_t, chr_file, "ppp") +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..949b72f 100644 +index 99b71cb..a8962b5 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -73436,7 +73453,7 @@ index 99b71cb..949b72f 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -65,30 +93,38 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -65,30 +93,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) 
@@ -73471,12 +73488,13 @@ index 99b71cb..949b72f 100644 network_port(cobbler, tcp,25151,s0) +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) network_port(comsat, udp,512,s0) ++network_port(condor, tcp, 9618,s0, udp, 9618,s0) +network_port(couchdb, tcp,5984,s0, udp,5984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,14 +135,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,14 +136,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -73500,7 +73518,7 @@ index 99b71cb..949b72f 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -115,11 +160,13 @@ network_port(hddtemp, tcp,7634,s0) +@@ -115,11 +161,13 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
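Review bot: The added `network_port(condor, tcp, 9618,s0, udp, 9618,s0)` line in the corenetwork.te.in hunk puts a space after `tcp,` and `udp,`, unlike every neighbouring entry; `network_port(condor, tcp,9618,s0, udp,9618,s0)` keeps the layout consistent. As far as I can tell the macro tolerates the extra whitespace, so this is a style point only.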
@@ -73516,7 +73534,7 @@ index 99b71cb..949b72f 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +176,28 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +177,28 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -73548,7 +73566,7 @@ index 99b71cb..949b72f 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +207,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +208,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -73581,7 +73599,7 @@ index 99b71cb..949b72f 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -175,38 +240,46 @@ network_port(pulseaudio, tcp,4713,s0) +@@ -175,38 +241,46 @@ network_port(pulseaudio, tcp,4713,s0) network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) @@ -73590,7 +73608,7 @@ index 99b71cb..949b72f 100644 network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) -+network_port(rdate, tcp,37,s0, udp,37,s0) ++network_port(time, tcp,37,s0, udp,37,s0) +network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) 
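Review bot: Renaming the port declaration from rdate to time (`network_port(time, tcp,37,s0, udp,37,s0)`) changes the generated type from rdate_port_t to time_port_t and the corenet_*_rdate_port interfaces with it, so anything elsewhere in this patch set or in local policy that still references the rdate names will stop building. If rdate_port_t has already shipped in a released policy, a `typealias time_port_t alias rdate_port_t;` next to the existing netif typealiases later in this file keeps older modules loadable; if it never shipped, a grep for rdate_port across the patch is enough. I cannot see from this hunk whether any caller exists.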
@@ -73634,7 +73652,7 @@ index 99b71cb..949b72f 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +288,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +289,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -73648,7 +73666,7 @@ index 99b71cb..949b72f 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +305,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +306,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -73656,7 +73674,7 @@ index 99b71cb..949b72f 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +315,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +316,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -73669,7 +73687,7 @@ index 99b71cb..949b72f 100644 ######################################## # -@@ -282,9 +365,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +366,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -78010,7 +78028,7 @@ index cda5588..e89e4bf 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..e8f904f 100644 +index 97fcdac..cddd329 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -78281,7 +78299,7 @@ index 97fcdac..e8f904f 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -2025,6 +2185,24 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2025,6 +2185,68 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -78303,10 +78321,54 @@ index 97fcdac..e8f904f 100644 + +######################################## +## ++## Execute a file on a FUSE filesystem ++## in the specified domain. ++## ++## ++##

++## Execute a file on a FUSE filesystem ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. This is not suggested. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## home directories on FUSE filesystems, ++## in particular used by the ssh-agent policy. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`fs_fusefs_domtrans',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, fusefs_t, $2) ++') ++ ++######################################## ++## ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2258,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2302,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -78331,7 +78393,7 @@ index 97fcdac..e8f904f 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,6 +2344,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2388,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -78339,7 +78401,7 @@ index 97fcdac..e8f904f 100644 ') ######################################## -@@ -2480,6 +2677,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2721,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -78347,7 +78409,7 @@ index 97fcdac..e8f904f 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2716,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2760,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -78355,7 +78417,7 @@ index 97fcdac..e8f904f 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2743,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2787,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -78381,7 +78443,7 @@ index 97fcdac..e8f904f 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2802,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2846,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
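Review bot: The description of the new fs_fusefs_domtrans interface says it was added to handle home directories on FUSE filesystems and is used by the ssh-agent policy, which reads as text carried over from the matching NFS/CIFS interfaces rather than a description of this one; the only caller visible in this commit is apache.te, behind a tunable. Replace that paragraph with what is actually true, e.g. `This interface was added so that callers such as the apache policy can, under a tunable, run executables on FUSE filesystems in a separate domain.` The interface body itself (search on fusefs_t plus domain_auto_transition_pattern) follows the existing pattern and looks right.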
@@ -78424,7 +78486,7 @@ index 97fcdac..e8f904f 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2852,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2896,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -78433,7 +78495,7 @@ index 97fcdac..e8f904f 100644 ') ######################################## -@@ -2736,7 +2990,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +3034,7 @@ interface(`fs_search_removable',` ##
## ## @@ -78442,7 +78504,7 @@ index 97fcdac..e8f904f 100644 ## ## # -@@ -2772,7 +3026,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +3070,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -78451,7 +78513,7 @@ index 97fcdac..e8f904f 100644 ## ## # -@@ -2965,6 +3219,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3263,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -78459,7 +78521,7 @@ index 97fcdac..e8f904f 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3260,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3304,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -78467,7 +78529,7 @@ index 97fcdac..e8f904f 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3301,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3345,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -78475,7 +78537,7 @@ index 97fcdac..e8f904f 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3258,6 +3515,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3258,6 +3559,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -78500,7 +78562,7 @@ index 97fcdac..e8f904f 100644 ######################################## ## ## Read and write NFS server files. -@@ -3810,6 +4085,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3810,6 +4129,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -78525,7 +78587,7 @@ index 97fcdac..e8f904f 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3958,6 +4251,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4295,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -78568,7 +78630,7 @@ index 97fcdac..e8f904f 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4059,7 +4388,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4059,7 +4432,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') 
@@ -78577,7 +78639,7 @@ index 97fcdac..e8f904f 100644 ') ######################################## -@@ -4119,6 +4448,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4119,6 +4492,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -78602,7 +78664,7 @@ index 97fcdac..e8f904f 100644 ## Read tmpfs link files. ## ## -@@ -4175,6 +4522,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4566,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -78627,7 +78689,7 @@ index 97fcdac..e8f904f 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4616,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4660,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -78653,7 +78715,7 @@ index 97fcdac..e8f904f 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4841,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4885,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -78662,7 +78724,7 @@ index 97fcdac..e8f904f 100644 ') ######################################## -@@ -4503,7 +4889,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4933,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -78671,7 +78733,7 @@ index 97fcdac..e8f904f 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5252,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5296,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -84098,7 +84160,7 @@ index c0f858d..10a0cd6 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..1204d7f 100644 +index 1632f10..15b7925 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -1,5 +1,9 @@ @@ -84156,7 +84218,13 @@ index 1632f10..1204d7f 100644 miscfiles_read_localization(accountsd_t) -@@ -55,3 +70,9 @@ optional_policy(` +@@ -50,8 +65,15 @@ usermanage_domtrans_passwd(accountsd_t) + + optional_policy(` + consolekit_read_log(accountsd_t) ++ consolekit_dbus_chat(accountsd_t) + ') + optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -85518,10 +85586,10 @@ index 6480167..4fc1968 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..639f834 100644 +index 3136c6a..80880c0 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,136 +18,247 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,254 @@ policy_module(apache, 2.2.1) # Declarations # @@ -85644,10 +85712,7 @@ index 3136c6a..639f834 100644 gen_tunable(httpd_can_sendmail, false) + - ## --##

    --## Allow Apache to communicate with avahi service via dbus --##

    ++## +##

    +## Allow http daemon to connect to zabbix +##

    @@ -85661,7 +85726,10 @@ index 3136c6a..639f834 100644 +##
    +gen_tunable(httpd_can_check_spam, false) + -+## + ## +-##

    +-## Allow Apache to communicate with avahi service via dbus +-##

    +##

    +## Allow Apache to communicate with avahi service via dbus +##

    @@ -85785,6 +85853,13 @@ index 3136c6a..639f834 100644 -## Allow httpd to run gpg -##

    +##

    ++## Allow httpd to access cifs file systems ++##

    ++##
    ++gen_tunable(httpd_use_fusefs, false) ++ ++## ++##

    +## Allow httpd to run gpg in gpg-web domain +##

    ##
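Review bot: The summary for the new `httpd_use_fusefs` tunable reads `Allow httpd to access cifs file systems`, which is the httpd_use_cifs text; it should say `## Allow httpd to access FUSE file systems`, since this string is what administrators see when listing booleans and deciding whether to turn it on. Because the same boolean also enables a domain transition for CGI content in a later apache.te hunk of this commit, the summary could say so directly, e.g. `## Allow httpd to read, write and run content on FUSE file systems`.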
    @@ -85825,7 +85900,7 @@ index 3136c6a..639f834 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +277,7 @@ files_type(httpd_cache_t) +@@ -166,7 +284,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -85834,7 +85909,7 @@ index 3136c6a..639f834 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +288,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +295,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -85844,7 +85919,7 @@ index 3136c6a..639f834 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +330,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +337,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -85867,7 +85942,7 @@ index 3136c6a..639f834 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +354,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +361,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -85878,7 +85953,7 @@ index 3136c6a..639f834 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +365,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +372,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -85886,7 +85961,7 @@ index 3136c6a..639f834 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +387,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +394,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -85910,7 +85985,7 @@ index 3136c6a..639f834 100644 ######################################## # # Apache server local policy -@@ -281,11 +423,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +430,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -85924,7 +85999,7 @@ index 3136c6a..639f834 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +473,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +480,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -85935,7 +86010,7 @@ index 3136c6a..639f834 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +484,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +491,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -85946,7 +86021,7 @@ index 3136c6a..639f834 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +501,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +508,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -85956,7 +86031,7 @@ index 3136c6a..639f834 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +514,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +521,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -85974,7 +86049,7 @@ index 3136c6a..639f834 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +532,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +539,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -85990,7 +86065,7 @@ index 3136c6a..639f834 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +545,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +552,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -85998,7 +86073,7 @@ index 3136c6a..639f834 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +557,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +564,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -86102,8 +86177,14 @@ index 3136c6a..639f834 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +664,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +669,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) + ') ++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` ++ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) ++') ++ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) @@ -86160,7 +86241,7 @@ index 3136c6a..639f834 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +722,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +733,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -86174,10 +86255,16 @@ index 3136c6a..639f834 100644 + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ++') ++ ++tunable_policy(`httpd_use_fusefs',` ++ fs_manage_fusefs_dirs(httpd_t) ++ fs_manage_fusefs_files(httpd_t) ++ fs_manage_fusefs_symlinks(httpd_t) ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +746,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +763,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -86198,7 +86285,7 @@ index 3136c6a..639f834 100644 ') optional_policy(` -@@ -513,7 +770,13 @@ optional_policy(` +@@ -513,7 +787,13 @@ optional_policy(` ') optional_policy(` 
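Review bot: The new `tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` … `')` and `tunable_policy(`httpd_use_fusefs',` … `')` blocks reference a boolean that no `gen_tunable(httpd_use_fusefs, false)` declaration in this chunk introduces; unless it is declared in a hunk outside this view, the module will not build, and the declaration should carry a `<desc>` block worded like the existing `httpd_use_nfs` / `httpd_use_cifs` ones so the new bit is documented for administrators. The same boolean is used again in the later hunk that adds the `fs_manage_fusefs_*` and `fs_exec_fusefs_files` rules for `httpd_sys_script_t` and `httpd_suexec_t`, so one declaration covers both. It would also help to state in that description that enabling it grants the web server and its CGI domains write access to every FUSE mount, not just the one intended, since that is what `fs_manage_fusefs_*` on the generic type does.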
@@ -86213,7 +86300,7 @@ index 3136c6a..639f834 100644 ') optional_policy(` -@@ -528,7 +791,19 @@ optional_policy(` +@@ -528,7 +808,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -86234,7 +86321,7 @@ index 3136c6a..639f834 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +812,13 @@ optional_policy(` +@@ -537,8 +829,13 @@ optional_policy(` ') optional_policy(` @@ -86249,7 +86336,7 @@ index 3136c6a..639f834 100644 ') ') -@@ -556,7 +836,21 @@ optional_policy(` +@@ -556,7 +853,21 @@ optional_policy(` ') optional_policy(` @@ -86271,7 +86358,7 @@ index 3136c6a..639f834 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +861,7 @@ optional_policy(` +@@ -567,6 +878,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -86279,7 +86366,7 @@ index 3136c6a..639f834 100644 ') optional_policy(` -@@ -577,6 +872,29 @@ optional_policy(` +@@ -577,6 +889,29 @@ optional_policy(` ') optional_policy(` @@ -86309,7 +86396,7 @@ index 3136c6a..639f834 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +909,11 @@ optional_policy(` +@@ -591,6 +926,11 @@ optional_policy(` ') optional_policy(` @@ -86321,7 +86408,7 @@ index 3136c6a..639f834 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +926,12 @@ optional_policy(` +@@ -603,6 +943,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -86334,7 +86421,7 @@ index 3136c6a..639f834 100644 ######################################## # # Apache helper local policy -@@ -616,7 +945,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +962,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
@@ -86347,7 +86434,7 @@ index 3136c6a..639f834 100644 ######################################## # -@@ -654,28 +987,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1004,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -86391,7 +86478,7 @@ index 3136c6a..639f834 100644 ') ######################################## -@@ -685,6 +1020,8 @@ optional_policy(` +@@ -685,6 +1037,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -86400,7 +86487,7 @@ index 3136c6a..639f834 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1036,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1053,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -86426,7 +86513,7 @@ index 3136c6a..639f834 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1082,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1099,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -86459,7 +86546,7 @@ index 3136c6a..639f834 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1129,25 @@ optional_policy(` +@@ -769,6 +1146,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -86485,7 +86572,7 @@ index 3136c6a..639f834 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1168,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1185,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -86503,7 +86590,7 @@ index 3136c6a..639f834 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1187,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1204,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -86560,7 +86647,7 @@ index 3136c6a..639f834 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1238,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1255,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -86588,10 +86675,20 @@ index 3136c6a..639f834 100644 + fs_exec_cifs_files(httpd_suexec_t) +') + ++tunable_policy(`httpd_use_fusefs',` ++ fs_manage_fusefs_dirs(httpd_sys_script_t) ++ fs_manage_fusefs_files(httpd_sys_script_t) ++ fs_manage_fusefs_symlinks(httpd_sys_script_t) ++ fs_manage_fusefs_dirs(httpd_suexec_t) ++ fs_manage_fusefs_files(httpd_suexec_t) ++ fs_manage_fusefs_symlinks(httpd_suexec_t) ++ fs_exec_fusefs_files(httpd_suexec_t) ++') ++ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1273,20 @@ optional_policy(` +@@ -842,10 +1300,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -86612,7 +86709,7 @@ index 3136c6a..639f834 100644 ') ######################################## -@@ -891,11 +1332,135 @@ optional_policy(` +@@ -891,11 +1359,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -90144,7 +90241,7 @@ index 7a6e5ba..e238dfd 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index c3e3f79..7d6e85e 100644 +index c3e3f79..4189861 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t) @@ -90200,7 +90297,7 @@ index c3e3f79..7d6e85e 100644 logging_send_syslog_msg(certmonger_t) miscfiles_read_localization(certmonger_t) -@@ -58,15 +72,57 @@ miscfiles_manage_generic_cert_files(certmonger_t) +@@ -58,15 +72,59 @@ miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) @@ -90256,14 +90353,16 @@ index c3e3f79..7d6e85e 100644 + allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms; + allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms; + ++ init_domtrans_script(certmonger_unconfined_t) ++ + unconfined_domain(certmonger_unconfined_t) +') diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc new file mode 100644 -index 0000000..4ec83df +index 0000000..4c52fa3 --- /dev/null +++ b/policy/modules/services/cfengine.fc -@@ -0,0 +1,10 @@ +@@ -0,0 +1,12 @@ + +/usr/sbin/cf-serverd -- gen_context(system_u:object_r:cfengine_serverd_exec_t,s0) +/usr/sbin/cf-execd -- gen_context(system_u:object_r:cfengine_execd_exec_t,s0) 
@@ -90274,15 +90373,43 @@ index 0000000..4ec83df +/etc/rc\.d/init\.d/cf-execd -- gen_context(system_u:object_r:cfengine_initrc_exec_t,s0) + +/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0) ++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:cfengine_var_log_t,s0) ++ diff --git a/policy/modules/services/cfengine.if b/policy/modules/services/cfengine.if new file mode 100644 -index 0000000..883b697 +index 0000000..2972c77 --- /dev/null +++ b/policy/modules/services/cfengine.if -@@ -0,0 +1,42 @@ +@@ -0,0 +1,143 @@ + +## policy for cfengine + ++###################################### ++## ++## Creates types and rules for a basic ++## cfengine init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`cfengine_domain_template',` ++ gen_require(` ++ attribute cfengine_domain; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type cfengine_$1_t, cfengine_domain; ++ type cfengine_$1_exec_t; ++ init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) ++ ++') + +######################################## +## @@ -90303,6 +90430,24 @@ index 0000000..883b697 + domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t) +') + ++####################################### ++## ++## Search cfengine lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_search_lib_files',` ++ gen_require(` ++ type cfengine_var_lib_t; ++ ') ++ ++ allow $1 cfengine_var_lib_t:dir search_dir_perms; ++') ++ +######################################## +## +## Read cfengine lib files. 
@@ -90322,12 +90467,69 @@ index 0000000..883b697 + read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) +') + ++###################################### ++## ++## Allow the specified domain to read cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_read_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ files_search_var_lib($1) ++ cfengine_search_lib_files($1) ++ read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t) ++') ++ ++##################################### ++## ++## Allow the specified domain to append cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_append_inherited_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ cfengine_search_lib_files($1) ++ allow $1 cfengine_var_log_t:file { getattr append ioctl lock }; ++') ++ ++#################################### ++## ++## Dontaudit the specified domain to write cfengine's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cfengine_dontaudit_write_log',` ++ gen_require(` ++ type cfengine_var_log_t; ++ ') ++ ++ dontaudit $1 cfengine_var_log_t:file write; ++') diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 -index 0000000..1ba0484 +index 0000000..02d8a13 --- /dev/null +++ b/policy/modules/services/cfengine.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,99 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -90335,9 +90537,11 @@ index 0000000..1ba0484 +# Declarations +# + -+type cfengine_serverd_t; -+type cfengine_serverd_exec_t; -+init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t) ++attribute cfengine_domain; ++ ++cfengine_domain_template(serverd) ++cfengine_domain_template(execd) ++cfengine_domain_template(monitord) + +type cfengine_initrc_exec_t; +init_script_file(cfengine_initrc_exec_t) 
@@ -90345,116 +90549,86 @@ index 0000000..1ba0484 +type cfengine_var_lib_t; +files_type(cfengine_var_lib_t) + -+type cfengine_execd_t; -+type cfengine_execd_exec_t; -+init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t) ++type cfengine_var_log_t; ++logging_log_file(cfengine_var_log_t) + -+type cfengine_monitord_t; -+type cfengine_monitord_exec_t; -+init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t) -+ -+######################################## ++####################################### +# -+# cfengine-server local policy ++# cfengine domain local policy +# -+allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_serverd_t self:process { fork setfscreate signal }; + -+allow cfengine_serverd_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_serverd_t self:unix_stream_socket create_stream_socket_perms; ++allow cfengine_domain self:fifo_file rw_fifo_file_perms; ++allow cfengine_domain self:unix_stream_socket create_stream_socket_perms; + -+manage_dirs_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_serverd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+files_var_lib_filetrans(cfengine_serverd_t, cfengine_var_lib_t, { dir file }) ++manage_dirs_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++manage_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++manage_lnk_files_pattern(cfengine_domain, cfengine_var_lib_t, cfengine_var_lib_t) ++files_var_lib_filetrans(cfengine_domain, cfengine_var_lib_t, { dir file }) + -+kernel_read_system_state(cfengine_serverd_t) ++manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) ++manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t) ++logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file }) + -+corecmd_exec_bin(cfengine_serverd_t) 
-+corecmd_exec_shell(cfengine_serverd_t) ++kernel_read_system_state(cfengine_domain) + -+dev_read_urand(cfengine_serverd_t) -+dev_read_sysfs(cfengine_serverd_t) ++corecmd_exec_bin(cfengine_domain) ++corecmd_exec_shell(cfengine_domain) + -+domain_use_interactive_fds(cfengine_serverd_t) ++dev_read_urand(cfengine_domain) ++dev_read_sysfs(cfengine_domain) + -+files_read_etc_files(cfengine_serverd_t) + -+auth_use_nsswitch(cfengine_serverd_t) ++logging_send_syslog_msg(cfengine_domain) + -+logging_send_syslog_msg(cfengine_serverd_t) ++miscfiles_read_localization(cfengine_domain) + -+miscfiles_read_localization(cfengine_serverd_t) ++sysnet_dns_name_resolve(cfengine_domain) ++sysnet_domtrans_ifconfig(cfengine_domain) + -+sysnet_dns_name_resolve(cfengine_serverd_t) -+sysnet_domtrans_ifconfig(cfengine_serverd_t) ++files_read_etc_files(cfengine_domain) + +######################################## +# -+# cfengine_exec local policy ++# cfengine-server local policy +# -+allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; -+allow cfengine_execd_t self:process { fork setfscreate signal }; -+ -+allow cfengine_execd_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_execd_t self:unix_stream_socket create_stream_socket_perms; + -+manage_dirs_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_execd_t, cfengine_var_lib_t, cfengine_var_lib_t) ++allow cfengine_serverd_t self:capability { chown kill setgid setuid sys_chroot }; ++allow cfengine_serverd_t self:process { fork setfscreate signal }; + -+domain_use_interactive_fds(cfengine_execd_t) ++domain_use_interactive_fds(cfengine_serverd_t) + -+files_read_etc_files(cfengine_execd_t) ++auth_use_nsswitch(cfengine_serverd_t) + -+kernel_read_system_state(cfengine_execd_t) ++######################################## ++# ++# cfengine_exec local policy ++# + 
-+corecmd_exec_bin(cfengine_execd_t) -+corecmd_exec_shell(cfengine_execd_t) ++allow cfengine_execd_t self:capability { chown kill setgid setuid sys_chroot }; ++allow cfengine_execd_t self:process { fork setfscreate signal }; + -+dev_read_urand(cfengine_execd_t) -+dev_read_sysfs(cfengine_execd_t) ++domain_read_all_domains_state(cfengine_execd_t) ++domain_use_interactive_fds(cfengine_execd_t) + +auth_use_nsswitch(cfengine_execd_t) + -+logging_send_syslog_msg(cfengine_execd_t) -+ -+miscfiles_read_localization(cfengine_execd_t) -+ -+sysnet_dns_name_resolve(cfengine_execd_t) -+sysnet_domtrans_ifconfig(cfengine_execd_t) -+ +######################################## +# +# cfengine_monitord local policy +# ++ +allow cfengine_monitord_t self:capability { chown kill setgid setuid sys_chroot }; +allow cfengine_monitord_t self:process { fork setfscreate signal }; + -+allow cfengine_monitord_t self:fifo_file rw_fifo_file_perms; -+allow cfengine_monitord_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+manage_lnk_files_pattern(cfengine_monitord_t, cfengine_var_lib_t, cfengine_var_lib_t) -+ -+corecmd_exec_bin(cfengine_monitord_t) -+ -+dev_read_sysfs(cfengine_monitord_t) -+dev_read_urand(cfengine_monitord_t) ++kernel_read_hotplug_sysctls(cfengine_monitord_t) ++kernel_read_network_state(cfengine_monitord_t) + ++domain_read_all_domains_state(cfengine_monitord_t) +domain_use_interactive_fds(cfengine_monitord_t) + -+files_read_etc_files(cfengine_monitord_t) ++fs_getattr_xattr_fs(cfengine_monitord_t) + +auth_use_nsswitch(cfengine_monitord_t) -+ -+logging_send_syslog_msg(cfengine_monitord_t) -+ -+miscfiles_read_localization(cfengine_monitord_t) -+ -+sysnet_dns_name_resolve(cfengine_monitord_t) -+sysnet_domtrans_ifconfig(cfengine_monitord_t) 
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc index b6bb46c..645d203 100644 --- a/policy/modules/services/cgroup.fc 
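Review bot: The log rules in the new shared "cfengine domain local policy" section of cfengine.te are spaced inconsistently with every other pattern call in the file: `manage_files_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)`, `manage_dirs_pattern(cfengine_domain, cfengine_var_log_t,cfengine_var_log_t)` and `logging_log_filetrans(cfengine_domain,cfengine_var_log_t,{ dir file })` drop the space after the comma; write them as `manage_files_pattern(cfengine_domain, cfengine_var_log_t, cfengine_var_log_t)` and likewise for the other two. In the same section `files_read_etc_files(cfengine_domain)` is placed after the `sysnet_*` calls, whereas the removed per-domain blocks kept it next to `domain_use_interactive_fds`, so moving it up keeps the layer ordering the old code used. The `cfengine_domain_template` added in the earlier cfengine.if hunk also ends with a blank line before its closing `')`, which can be dropped.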
@@ -92563,6 +92737,526 @@ index 74505cc..6d575af 100644 +optional_policy(` + zoneminder_rw_tmpfs_files(colord_t) +') +diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc +new file mode 100644 +index 0000000..a9ad037 +--- /dev/null ++++ b/policy/modules/services/condor.fc +@@ -0,0 +1,20 @@ ++/usr/lib/systemd/system/condor.service -- gen_context(system_u:object_r:condor_unit_file_t,s0) ++ ++/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) ++/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) ++/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0) ++/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0) ++/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) ++/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0) ++ ++/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) ++ ++/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) ++ ++/var/lib/condor/spool(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) ++ ++/var/lock/condor(/.*)? gen_context(system_u:object_r:condor_var_lock_t,s0) ++ ++/var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0) ++ ++/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) +diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if +new file mode 100644 +index 0000000..7b54001 +--- /dev/null ++++ b/policy/modules/services/condor.if +@@ -0,0 +1,278 @@ ++ ++## policy for condor ++ ++##################################### ++## ++## Creates types and rules for a basic ++## condor init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`condor_domain_template',` ++ gen_require(` ++ type condor_master_t; ++ attribute condor_domain; ++ ') ++ ++ ############################# ++ # ++ # Declarations ++ # ++ ++ type condor_$1_t, condor_domain; ++ type condor_$1_exec_t; ++ init_daemon_domain(condor_$1_t, condor_$1_exec_t) ++ role system_r types condor_$1_t; ++ ++ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) ++ allow condor_master_t condor_$1_exec_t:file ioctl; ++') ++ ++######################################## ++## ++## Transition to condor. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`condor_domtrans',` ++ gen_require(` ++ type condor_t, condor_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, condor_exec_t, condor_t) ++') ++######################################## ++## ++## Read condor's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`condor_read_log',` ++ gen_require(` ++ type condor_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, condor_log_t, condor_log_t) ++') ++ ++######################################## ++## ++## Append to condor log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_append_log',` ++ gen_require(` ++ type condor_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, condor_log_t, condor_log_t) ++') ++ ++######################################## ++## ++## Manage condor log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_log',` ++ gen_require(` ++ type condor_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, condor_log_t, condor_log_t) ++ manage_files_pattern($1, condor_log_t, condor_log_t) ++ manage_lnk_files_pattern($1, condor_log_t, condor_log_t) ++') ++ ++######################################## ++## ++## Search condor lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`condor_search_lib',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ allow $1 condor_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read condor lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_read_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Manage condor lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_lib_files',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Manage condor lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_manage_lib_dirs',` ++ gen_require(` ++ type condor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t) ++') ++ ++######################################## ++## ++## Read condor PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_read_pid_files',` ++ gen_require(` ++ type condor_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 condor_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute condor server in the condor domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`condor_systemctl',` ++ gen_require(` ++ type condor_t; ++ type condor_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 condor_unit_file_t:file read_file_perms; ++ allow $1 condor_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, condor_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an condor environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`condor_admin',` ++ gen_require(` ++ type condor_t; ++ type condor_log_t; ++ type condor_var_lib_t; ++ type condor_var_run_t; ++ type condor_unit_file_t; ++ ') ++ ++ allow $1 condor_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, condor_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, condor_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, condor_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, condor_var_run_t) ++ ++ condor_systemctl($1) ++ admin_pattern($1, condor_unit_file_t) ++ allow $1 condor_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te +new file mode 100644 +index 0000000..0878667 +--- /dev/null ++++ b/policy/modules/services/condor.te +@@ -0,0 +1,204 @@ ++policy_module(condor, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Allow codnor domain to connect to the network using TCP. ++##

    ++##
    ++gen_tunable(condor_domain_can_network_connect, false) ++ ++attribute condor_domain; ++ ++type condor_master_t, condor_domain; ++type condor_master_exec_t; ++init_daemon_domain(condor_master_t, condor_master_exec_t) ++ ++condor_domain_template(collector) ++condor_domain_template(negotiator) ++condor_domain_template(schedd) ++condor_domain_template(startd) ++condor_domain_template(procd) ++ ++type condor_startd_tmp_t; ++files_tmp_file(condor_startd_tmp_t) ++ ++type condor_startd_tmpfs_t; ++files_tmpfs_file(condor_startd_tmpfs_t) ++ ++type condor_log_t; ++logging_log_file(condor_log_t) ++ ++type condor_var_lib_t; ++files_type(condor_var_lib_t) ++ ++type condor_var_lock_t; ++files_lock_file(condor_var_lock_t) ++ ++type condor_var_run_t; ++files_pid_file(condor_var_run_t) ++ ++type condor_unit_file_t; ++systemd_unit_file(condor_unit_file_t) ++ ++######################################## ++# ++# condor domain local policy ++# ++ ++allow condor_domain self:process signal_perms; ++allow condor_domain self:fifo_file rw_fifo_file_perms; ++ ++allow condor_domain self:tcp_socket create_stream_socket_perms; ++allow condor_domain self:udp_socket create_socket_perms; ++allow condor_domain self:unix_stream_socket create_stream_socket_perms; ++ ++allow condor_domain condor_master_t:process signull; ++allow condor_domain condor_master_t:tcp_socket getattr; ++ ++manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) ++logging_log_filetrans(condor_domain, condor_log_t, { dir file }) ++ ++manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) ++manage_files_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) ++files_var_lib_filetrans(condor_domain, condor_var_lib_t, { dir file }) ++ ++manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) ++files_lock_filetrans(condor_domain, condor_var_lock_t, file) ++ ++manage_dirs_pattern(condor_domain, condor_var_run_t, 
condor_var_run_t) ++manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) ++manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) ++files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) ++ ++kernel_read_system_state(condor_domain) ++kernel_read_network_state(condor_domain) ++ ++corecmd_exec_bin(condor_domain) ++corecmd_exec_shell(condor_domain) ++ ++#corenet_tcp_connect_condor_port(condor_domain) ++corenet_tcp_connect_all_ephemeral_ports(condor_domain) ++ ++domain_use_interactive_fds(condor_domain) ++ ++dev_read_rand(condor_domain) ++dev_read_urand(condor_domain) ++dev_read_sysfs(condor_domain) ++ ++files_read_etc_files(condor_domain) ++ ++logging_send_syslog_msg(condor_domain) ++ ++miscfiles_read_localization(condor_domain) ++ ++tunable_policy(`condor_domain_can_network_connect',` ++ corenet_tcp_connect_all_ports(condor_domain) ++') ++ ++optional_policy(` ++ rhcs_stream_connect_cluster(condor_domain) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(condor_domain) ++') ++ ++##################################### ++# ++# condor master local policy ++# ++ ++allow condor_master_t self:capability { setuid setgid dac_override }; ++ ++allow condor_master_t condor_domain:process signal; ++ ++domain_read_all_domains_state(condor_master_t) ++ ++auth_use_nsswitch(condor_master_t) ++ ++###################################### ++# ++# condor collector local policy ++# ++ ++allow condor_collector_t self:capability { setuid setgid }; ++ ++allow condor_collector_t condor_master_t:tcp_socket { getopt getattr setopt accept }; ++allow condor_collector_t condor_master_t:udp_socket { getopt getattr setopt }; ++ ++kernel_read_network_state(condor_collector_t) ++ ++auth_use_nsswitch(condor_collector_t) ++ ++##################################### ++# ++# condor negotiator local policy ++# ++allow condor_negotiator_t self:capability { setuid setgid }; ++ ++auth_use_nsswitch(condor_negotiator_t) ++ 
++###################################### ++# ++# condor procd local policy ++# ++ ++allow condor_procd_t self:capability { fowner chown dac_override }; ++ ++domain_read_all_domains_state(condor_procd_t) ++ ++####################################### ++# ++# condor schedd local policy ++# ++ ++domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) ++ ++# dac_override because of /var/log/condor ++allow condor_schedd_t self:capability { setuid chown setgid dac_override }; ++ ++auth_use_nsswitch(condor_schedd_t) ++ ++##################################### ++# ++# condor startd local policy ++# ++ ++# also needed by java ++allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; ++allow condor_startd_t self:process execmem; ++ ++manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) ++manage_files_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) ++files_tmp_filetrans(condor_startd_t, condor_startd_tmp_t, { file dir }) ++allow condor_startd_t condor_startd_tmp_t:file { relabelfrom relabelto }; ++ ++manage_dirs_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) ++manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) ++fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file }) ++ ++kernel_read_kernel_sysctls(condor_startd_t) ++ ++auth_use_nsswitch(condor_startd_t) ++ ++init_domtrans_script(condor_startd_t) ++ ++libs_exec_lib_files(condor_startd_t) ++ ++files_read_usr_files(condor_startd_t) ++ ++optional_policy(` ++ ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ++ ssh_domtrans(condor_startd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(condor_startd_t) ++') ++ diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc index 32233ab..8a073d1 100644 --- a/policy/modules/services/consolekit.fc 
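Review bot: `condor_domtrans`, `condor_systemctl` and `condor_admin` in condor.if all `gen_require` `type condor_t` (and `condor_exec_t` in `condor_domtrans`), but condor.te declares `condor_master_t` / `condor_master_exec_t` and no `condor_t`, so any module that calls these interfaces will fail at link time; the requires, `domtrans_pattern($1, condor_exec_t, condor_t)` and the `ps_process_pattern($1, condor_t)` lines should name `condor_master_t` / `condor_master_exec_t`. The two systemctl interfaces also spell the password helper differently (`systemd_read_fifo_file_password_run` in `condor_systemctl`, `systemd_read_fifo_file_passwd_run` in `condor_admin`); only one is likely to exist in systemd.if, so confirm and use it in both. Separately, the trailing `optional_policy(` unconfined_domain(condor_startd_t) ')` in condor.te makes the startd domain (which the ssh and java rules above suggest executes user-supplied work) unconfined whenever the unconfined module is loaded, which on a targeted policy is the normal case and negates the `net_admin`/`execmem`/tmp rules defined above it; if this is a stop-gap, gate it behind a documented boolean or add a comment explaining why it is needed. Finally, the tunable description misspells the domain: `## Allow codnor domain to connect to the network using TCP.` should read `condor`.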
@@ -92805,7 +93499,7 @@ index e67a003..cc813f3 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..4837d4d 100644 +index 3a6d7eb..945b4fa 100644 --- a/policy/modules/services/corosync.fc +++ b/policy/modules/services/corosync.fc @@ -1,8 +1,16 @@ @@ -92825,11 +93519,12 @@ index 3a6d7eb..4837d4d 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) -@@ -10,3 +18,4 @@ +@@ -10,3 +18,5 @@ /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 5220c9d..11e5dc4 100644 --- a/policy/modules/services/corosync.if @@ -92918,7 +93613,7 @@ index 5220c9d..11e5dc4 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..5ca259d 100644 +index 04969e5..a5d4e70 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) @@ -92929,7 +93624,7 @@ index 04969e5..5ca259d 100644 type corosync_initrc_exec_t; init_script_file(corosync_initrc_exec_t) -@@ -27,13 +28,16 @@ logging_log_file(corosync_var_log_t) +@@ -27,23 +28,32 @@ logging_log_file(corosync_var_log_t) type corosync_var_run_t; files_pid_file(corosync_var_run_t) 
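Review bot: The new `/var/run/rsctmp(/.*)?` entry sits directly under `/var/run/hearbeat(/.*)?`, and that neighbour is misspelled; heartbeat's runtime directory is `/var/run/heartbeat`, so the existing context never matches, and if rsctmp is created beneath it (as I believe upstream cluster-glue does) the new top-level `/var/run/rsctmp` pattern will not match either. Since this commit is the "fixes for heartbeat" change, correct the neighbour in the same hunk, `/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)`, and confirm the real rsctmp path on a Fedora heartbeat install before keeping a top-level pattern. The misspelled line is pre-existing rather than introduced here, so this is a follow-up in the same area rather than a defect of the added line itself.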
@@ -92944,11 +93639,14 @@ index 04969e5..5ca259d 100644 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; +allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock }; ++# for hearbeat ++allow corosync_t self:capability { net_raw chown }; +allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; -@@ -41,9 +45,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto ++allow corosync_t self:shm create_shm_perms; + allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms; 
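Review bot: The added `allow corosync_t self:capability { net_raw chown };` grants raw-socket access to the whole corosync domain unconditionally, although the comment says it is only there for heartbeat; `net_raw` lets the daemon craft arbitrary packets and sniff interfaces, which is a real widening for a cluster daemon that previously needed only `sys_nice sys_resource ipc_lock`. If heartbeat is the only consumer, gate it behind a tunable or an `optional_policy` tied to the heartbeat/rhcs module rather than granting it to every corosync deployment, and fix the comment typo: `# for heartbeat`. Folding the two `self:capability` rules in this hunk into one statement would also make the full capability set visible at a glance.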
@@ -92961,19 +93659,35 @@ index 04969e5..5ca259d 100644 manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -@@ -63,8 +70,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) - files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) +@@ -52,7 +62,8 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) + manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) + manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) + manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) +-files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) ++manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t) ++files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir fifo_file sock_file }) + + manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) + manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) +@@ -60,11 +71,16 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) + + manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) + manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) +-files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) ++manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) ++files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir }) kernel_read_system_state(corosync_t) +kernel_read_network_state(corosync_t) +kernel_read_net_sysctls(corosync_t) ++kernel_read_kernel_sysctls(corosync_t) corecmd_exec_bin(corosync_t) +corecmd_exec_shell(corosync_t) corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,9 +83,12 @@ dev_read_urand(corosync_t) +@@ -73,9 +89,12 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) 
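Review bot: Three of the added rules drop the space after the comma (`corosync_var_lib_t,corosync_var_lib_t`, `corosync_t,corosync_var_lib_t`, `corosync_var_run_t,corosync_var_run_t`), unlike every other pattern call in this file; reformat them as `manage_fifo_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)` and so on so the rules stay consistent with the rest of corosync.te. Beyond style, `corecmd_exec_shell(corosync_t)` and `kernel_read_kernel_sysctls(corosync_t)` quietly widen the cluster daemon, and the changelog only says "fixes for heartbeat"; a one-line comment naming the heartbeat script or resource agent that needs a shell, e.g. `# heartbeat resource agents are shell scripts`, would keep the grant reviewable later.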
@@ -92986,7 +93700,7 @@ index 04969e5..5ca259d 100644 init_read_script_state(corosync_t) init_rw_script_tmp_files(corosync_t) -@@ -83,21 +96,51 @@ logging_send_syslog_msg(corosync_t) +@@ -83,21 +102,51 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -94168,7 +94882,7 @@ index 35241ed..2f6f038 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..86c5a58 100644 +index f7583ab..4545fb1 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -94608,11 +95322,12 @@ index f7583ab..86c5a58 100644 ') optional_policy(` -@@ -502,7 +611,17 @@ optional_policy(` +@@ -502,7 +611,18 @@ optional_policy(` ') optional_policy(` + systemd_dbus_chat_logind(system_cronjob_t) ++ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) +') + +optional_policy(` @@ -94626,7 +95341,7 @@ index f7583ab..86c5a58 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +714,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -98757,7 +99472,7 @@ index e1d7dc5..13e4800 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..47969fe 100644 +index acf6d4f..f31286c 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -98849,7 +99564,7 @@ index acf6d4f..47969fe 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -160,6 +170,15 @@ optional_policy(` +@@ -160,10 +170,24 @@ optional_policy(` ') optional_policy(` @@ -98865,7 +99580,16 @@ index acf6d4f..47969fe 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,8 +199,8 @@ optional_policy(` + optional_policy(` ++ # Handle sieve scripts ++ sendmail_domtrans(dovecot_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(dovecot_t) + ') + +@@ -180,8 +204,8 @@ optional_policy(` # dovecot auth local policy # @@ -98876,7 +99600,7 @@ index acf6d4f..47969fe 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -98886,7 +99610,7 @@ index acf6d4f..47969fe 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +228,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) 
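Review bot: `sendmail_domtrans(dovecot_t)` moves a child of the IMAP/POP daemon into the full `sendmail_t` daemon domain, whereas the usual refpolicy route for a service that only needs to hand off a message is `mta_send_mail(dovecot_t)`, which transitions into the mail-client domain; if sieve's redirect/vacation actions work with the client transition, prefer it. If the daemon domain really is required, the comment should say why rather than `# Handle sieve scripts`, e.g. `# sieve redirect/vacation actions exec sendmail; needs the sendmail_t domain because ...`. Also check whether sieve is executed by the LDA/LMTP path under `dovecot_deliver_t`; the hunk only covers `dovecot_t`, so that path would still be denied.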
@@ -98899,7 +99623,7 @@ index acf6d4f..47969fe 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t) +@@ -216,7 +246,8 @@ files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) @@ -98909,7 +99633,7 @@ index acf6d4f..47969fe 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +262,8 @@ optional_policy(` +@@ -236,6 +267,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -98918,7 +99642,7 @@ index acf6d4f..47969fe 100644 ') optional_policy(` -@@ -243,6 +271,8 @@ optional_policy(` +@@ -243,6 +276,8 @@ optional_policy(` ') optional_policy(` @@ -98927,7 +99651,7 @@ index acf6d4f..47969fe 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +280,42 @@ optional_policy(` +@@ -250,23 +285,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -98972,7 +99696,7 @@ index acf6d4f..47969fe 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +337,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -102355,10 +103079,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..a6022e7 100644 +index 4fde46b..e9fde69 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -14,19 +14,30 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # gnomeclock local policy # 
@@ -102376,6 +103100,8 @@ index 4fde46b..a6022e7 100644 +corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) + ++corenet_tcp_connect_time_port(gnomeclock_t) ++ +dev_read_sysfs(gnomeclock_t) -files_read_etc_files(gnomeclock_t) @@ -102391,7 +103117,7 @@ index 4fde46b..a6022e7 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +44,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -103303,7 +104029,7 @@ index df48e5e..878d9df 100644 type inetd_t; ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te -index c51a7b2..5b0226e 100644 +index c51a7b2..b07694c 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t) @@ -103312,8 +104038,8 @@ index c51a7b2..5b0226e 100644 corenet_udp_bind_inetd_child_port(inetd_t) +corenet_tcp_bind_echo_port(inetd_t) +corenet_udp_bind_echo_port(inetd_t) -+corenet_tcp_bind_rdate_port(inetd_t) -+corenet_udp_bind_rdate_port(inetd_t) ++corenet_tcp_bind_time_port(inetd_t) ++corenet_udp_bind_time_port(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) @@ -124350,7 +125076,7 @@ index 7e94c7c..ca74cd9 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 22dac1f..75081a5 100644 +index 22dac1f..e2f2d7d 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) 
@@ -124389,7 +125115,18 @@ index 22dac1f..75081a5 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -128,7 +129,14 @@ optional_policy(` +@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t) + mta_sendmail_exec(sendmail_t) + + optional_policy(` ++ cfengine_dontaudit_write_log(sendmail_t) ++') ++ ++optional_policy(` + cron_read_pipes(sendmail_t) + ') + +@@ -128,7 +133,14 @@ optional_policy(` ') optional_policy(` @@ -124404,7 +125141,7 @@ index 22dac1f..75081a5 100644 ') optional_policy(` -@@ -149,7 +157,9 @@ optional_policy(` +@@ -149,7 +161,9 @@ optional_policy(` ') optional_policy(` @@ -124414,7 +125151,7 @@ index 22dac1f..75081a5 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +178,13 @@ optional_policy(` +@@ -168,20 +182,13 @@ optional_policy(` ') optional_policy(` @@ -126195,7 +126932,7 @@ index 078bcd7..21ff471 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..31b38b7 100644 +index 22adaca..60103b5 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -126689,7 +127426,7 @@ index 22adaca..31b38b7 100644 ') ###################################### -@@ -735,3 +894,63 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +894,64 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -126711,6 +127448,7 @@ index 22adaca..31b38b7 100644 + + allow sshd_t $1:process dyntransition; + allow $1 sshd_t:process sigchld; ++ allow sshd_t $1:process { getattr sigkill sigstop signull signal }; +') + +######################################## @@ -126754,7 +127492,7 @@ index 22adaca..31b38b7 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') 
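Review bot: `cfengine_dontaudit_write_log(sendmail_t)` hides the denial instead of settling whether sendmail should write cfengine's log; elsewhere in this same patch the `daemon`, `systemprocess` and `application_domain_type` attributes are given `cfengine_append_inherited_log`, and `sendmail_t` is an init daemon, so it presumably already receives `append` through that route and what is being silenced here is a non-append `write`. If that is the intent, document it on the rule, e.g. `# sendmail spawned by cf-agent inherits its output log; only append is needed, silence the write`, so the dontaudit is not later mistaken for a missing allow. The interface body is not in this chunk, so I cannot confirm it is limited to the log type.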
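Review bot: The new `allow sshd_t $1:process { getattr sigkill sigstop signull signal };` gives sshd kill and stop rights over whatever domain is passed to this interface, and the interface's name and `## <summary>` block are outside the hunk, so its documentation should now state that the caller's domain can be signalled and killed by `sshd_t`; callers of a `dyntransition` interface do not otherwise expect the parent to retain `sigkill`. If the intended set is simply the standard one, `signal_perms` is the refpolicy macro for it (it additionally includes `sigchld`), so note in a comment whether the explicit list was chosen to leave that out or whether the macro would do.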
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..007838e 100644 +index 2dad3c8..322c050 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0) @@ -127162,7 +127900,7 @@ index 2dad3c8..007838e 100644 ') optional_policy(` -@@ -363,3 +411,77 @@ optional_policy(` +@@ -363,3 +411,76 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -127197,7 +127935,6 @@ index 2dad3c8..007838e 100644 +# chroot_user_t local policy +# + -+ +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) +userdom_read_user_home_content_symlinks(chroot_user_t) @@ -128044,7 +128781,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te -index db9d2a5..6f172ac 100644 +index db9d2a5..d44ef1a 100644 --- a/policy/modules/services/tuned.te +++ b/policy/modules/services/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -128098,16 +128835,18 @@ index db9d2a5..6f172ac 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -47,6 +64,8 @@ files_read_etc_files(tuned_t) +@@ -47,6 +64,10 @@ files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) ++fs_getattr_xattr_fs(tuned_t) ++ +auth_use_nsswitch(tuned_t) + logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +77,10 @@ optional_policy(` +@@ -58,6 +79,10 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -129687,7 +130426,7 @@ index 7c5d8d8..c542fe7 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..38fb812 100644 +index 3eca020..794917a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) 
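Review bot: `create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)` lets the per-guest qemu domain create socket files under any directory labelled `virt_home_t`, which is the user's whole `~/.libvirt` tree rather than a monitor-specific type, so a compromised guest can drop arbitrary sockets there; whether MCS category constraints limit `sock_file create` is not visible in this chunk, so I would not rely on it. If only the QEMU monitor socket is needed, a named-file transition to a dedicated socket type (the existing `append` and `stream_connect` rules next to it would then target that type) keeps `create` off the general home-content type. The comment also reads awkwardly; `# qemu creates its monitor socket under ~/.libvirt` says what the rule is for.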
@@ -129895,7 +130634,7 @@ index 3eca020..38fb812 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -130,9 +199,13 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -130,9 +199,15 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) @@ -129905,11 +130644,13 @@ index 3eca020..38fb812 100644 userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) +append_files_pattern(svirt_t, virt_home_t, virt_home_t) ++# needed for creating of monitors ++create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t) +stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t) tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +220,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +222,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -129925,7 +130666,7 @@ index 3eca020..38fb812 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +237,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +239,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -129954,7 +130695,7 @@ index 3eca020..38fb812 100644 xen_rw_image_files(svirt_t) ') -@@ -173,22 +267,41 @@ optional_policy(` +@@ -173,22 +269,41 @@ optional_policy(` # virtd local policy # @@ -130003,7 +130744,7 @@ index 3eca020..38fb812 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -199,9 +312,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -199,9 +314,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
@@ -130024,7 +130765,7 @@ index 3eca020..38fb812 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +339,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +341,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -130040,7 +130781,7 @@ index 3eca020..38fb812 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +367,33 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +369,33 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -130075,7 +130816,7 @@ index 3eca020..38fb812 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +401,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +403,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -130094,7 +130835,7 @@ index 3eca020..38fb812 100644 mcs_process_set_categories(virtd_t) -@@ -276,6 +427,8 @@ term_use_ptmx(virtd_t) +@@ -276,6 +429,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -130103,7 +130844,7 @@ index 3eca020..38fb812 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -285,16 +438,31 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +440,31 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -130135,7 +130876,7 @@ index 3eca020..38fb812 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +481,10 @@ optional_policy(` +@@ -313,6 +483,10 @@ optional_policy(` ') optional_policy(` 
@@ -130146,7 +130887,7 @@ index 3eca020..38fb812 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -326,6 +498,14 @@ optional_policy(` +@@ -326,6 +500,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -130161,7 +130902,7 @@ index 3eca020..38fb812 100644 ') optional_policy(` -@@ -334,11 +514,14 @@ optional_policy(` +@@ -334,11 +516,14 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) @@ -130176,7 +130917,7 @@ index 3eca020..38fb812 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +543,11 @@ optional_policy(` +@@ -360,11 +545,11 @@ optional_policy(` ') optional_policy(` @@ -130193,7 +130934,7 @@ index 3eca020..38fb812 100644 ') optional_policy(` -@@ -394,20 +577,36 @@ optional_policy(` +@@ -394,20 +579,36 @@ optional_policy(` # virtual domains common policy # @@ -130233,7 +130974,7 @@ index 3eca020..38fb812 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +617,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +619,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -130247,7 +130988,7 @@ index 3eca020..38fb812 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +630,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +632,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -130260,7 +131001,7 @@ index 3eca020..38fb812 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +643,393 @@ files_search_all(virt_domain) +@@ -440,25 +645,393 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -134506,10 +135247,10 @@ index 1b6619e..c480ddd 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..41198a4 100644 +index c6fdab7..32f45fa 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,6 +6,24 @@ attribute application_domain_type; +@@ -6,6 +6,28 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -134527,6 +135268,10 @@ index c6fdab7..41198a4 100644 +') + +optional_policy(` ++ cfengine_append_inherited_log(application_domain_type) ++') ++ ++optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) + cron_sigchld(application_domain_type) +') @@ -137036,7 +137781,7 @@ index 94fd8dd..6acffdb 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..59ba914 100644 +index 29a9565..15a4099 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -137245,11 +137990,12 @@ index 29a9565..59ba914 100644 +storage_raw_rw_fixed_disk(init_t) + -+optional_policy(` + optional_policy(` +- auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -137358,12 +138104,11 @@ index 29a9565..59ba914 100644 + systemd_filetrans_named_content(init_t) +') + - optional_policy(` -- auth_rw_login_records(init_t) ++optional_policy(` + lvm_rw_pipes(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + 
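Review bot: `cfengine_append_inherited_log(application_domain_type)` extends every user application domain with append on cfengine's log type, and nothing in the hunk explains why a configuration-management log should be writable by all applications; the interface name suggests the permission is meant for a descriptor inherited from cf-agent, but its body is outside this chunk, and `append` on the type is not limited to inherited files once some other rule grants `open`. Add a why-comment on the call, e.g. `# cf-agent runs arbitrary commands with its output log on stdout/stderr`. The same interface is applied to `daemon` and `systemprocess` in init.te further down this patch, so consider whether one attribute-level call, or a dontaudit if the writes are not actually needed, would be clearer than three separate grants.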
@@ -137914,7 +138659,7 @@ index 29a9565..59ba914 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1192,25 @@ optional_policy(` +@@ -815,11 +1192,29 @@ optional_policy(` ') optional_policy(` @@ -137927,6 +138672,10 @@ index 29a9565..59ba914 100644 +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) ++') ++ ++optional_policy(` ++ cfengine_append_inherited_log(daemon) ') optional_policy(` @@ -137941,7 +138690,7 @@ index 29a9565..59ba914 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1220,18 @@ optional_policy(` +@@ -829,6 +1224,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -137960,7 +138709,7 @@ index 29a9565..59ba914 100644 ') optional_policy(` -@@ -844,6 +1247,10 @@ optional_policy(` +@@ -844,6 +1251,10 @@ optional_policy(` ') optional_policy(` @@ -137971,7 +138720,7 @@ index 29a9565..59ba914 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1261,161 @@ optional_policy(` +@@ -854,3 +1265,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -138107,6 +138856,10 @@ index 29a9565..59ba914 100644 +') + +optional_policy(` ++ cfengine_append_inherited_log(systemprocess) ++') ++ ++optional_policy(` + cron_rw_pipes(systemprocess) +') + @@ -139563,7 +140316,7 @@ index a0b379d..95bf920 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..f9f3c56 100644 +index 02f4c97..8520fb2 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -6,6 +6,8 @@ 
@@ -139605,7 +140358,12 @@ index 02f4c97..f9f3c56 100644 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,7 +56,7 @@ ifdef(`distro_suse', ` +@@ -34,11 +52,11 @@ ifdef(`distro_suse', ` + + /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +-/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++#/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -143301,7 +144059,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..cd52cdd 100644 +index 34d0ec5..92fa1e9 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -143550,7 +144308,7 @@ index 34d0ec5..cd52cdd 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +374,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -143559,6 +144317,10 @@ index 34d0ec5..cd52cdd 100644 +') + +optional_policy(` ++ cfengine_dontaudit_write_log(ifconfig_t) ++') ++ ++optional_policy(` + ctdbd_read_lib_files(ifconfig_t) +') + @@ -143569,7 +144331,7 @@ index 34d0ec5..cd52cdd 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -143584,7 +144346,7 @@ index 34d0ec5..cd52cdd 100644 ') optional_policy(` -@@ -335,7 +412,15 @@ optional_policy(` +@@ -335,7 +416,15 @@ optional_policy(` ') optional_policy(` 
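Review bot: `#/var/cfengine/outputs(/.*)?` leaves a commented-out entry in logging.fc; delete the line instead, because `.fc` files are not a changelog and a `#` entry is easily read as still active. More importantly, after this change the path is labelled only if the cfengine module's file contexts now claim it, which this chunk does not show; if they do not, a relabel falls back to the generic `/var` context (or whatever `/var/cfengine(/.*)?` carries), and the rest of this patch, which grants `append` on the cfengine log type to daemons and applications, would then not apply at runtime. Confirm the replacement entry exists before dropping this one.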
@@ -143601,7 +144363,7 @@ index 34d0ec5..cd52cdd 100644 ') optional_policy(` -@@ -356,3 +441,9 @@ optional_policy(` +@@ -356,3 +445,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -144328,10 +145090,10 @@ index 0000000..a7e3666 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..de488ad +index 0000000..f4dd2ab --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,400 @@ +@@ -0,0 +1,402 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -144572,6 +145334,8 @@ index 0000000..de488ad +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_delete_boot_flag(systemd_tmpfiles_t) +files_delete_all_non_security_files(systemd_tmpfiles_t) ++files_delete_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_pipes(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a230686..f194a4f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 110%{?dist} +Release: 111%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -489,6 +489,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 6 2012 Miroslav Grepl 3.10.0-111
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
+- /etc/auto.* should be labeled bin_t
+- Add httpd_use_fusefs boolean
+- Add fixes for heartbeat
+- Allow sshd_t to signal processes that it transitions to
+- Add condor policy
+- Allow svirt to create monitors in ~/.libvirt
+- Allow dovecot to domtrans sendmail to handle sieve scripts
+- Lot of fixes for cfengine
+
 * Tue Apr 3 2012 Miroslav Grepl 3.10.0-110
 - /var/run/postmaster.* labeling is no longer needed
 - Alllow drbdadmin to read /dev/urandom