--## Allow Apache to communicate with avahi service via dbus --##
++ ++##++## Allow http daemon to connect to zabbix ++##
++##+## Allow http daemon to check spam +##
+##+-## Allow Apache to communicate with avahi service via dbus +-##
+##+## Allow Apache to communicate with avahi service via dbus +##
@@ -26444,7 +26460,7 @@ index 3136c6a..6b7400b 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +248,7 @@ files_type(httpd_cache_t) +@@ -166,7 +256,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26453,7 +26469,7 @@ index 3136c6a..6b7400b 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +259,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +267,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26463,7 +26479,7 @@ index 3136c6a..6b7400b 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +301,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +309,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26486,7 +26502,7 @@ index 3136c6a..6b7400b 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +325,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +333,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26497,7 +26513,7 @@ index 3136c6a..6b7400b 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +336,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +344,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26505,7 +26521,7 @@ index 3136c6a..6b7400b 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +358,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +366,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26529,7 +26545,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache server local policy -@@ -281,11 +394,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +402,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26543,7 +26559,7 @@ index 3136c6a..6b7400b 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +444,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +452,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26554,7 +26570,7 @@ index 3136c6a..6b7400b 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +471,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +479,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -26564,7 +26580,7 @@ index 3136c6a..6b7400b 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +484,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +492,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26581,7 +26597,7 @@ index 3136c6a..6b7400b 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +501,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +509,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26597,7 +26613,7 @@ index 3136c6a..6b7400b 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +514,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +522,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26605,7 +26621,7 @@ index 3136c6a..6b7400b 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +526,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +534,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26709,7 +26725,7 @@ index 3136c6a..6b7400b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +633,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +641,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26732,6 +26748,10 @@ index 3136c6a..6b7400b 100644 + corenet_tcp_connect_ldap_port(httpd_t) +') + ++tunable_policy(`httpd_can_connect_zabbix',` ++ corenet_tcp_connect_zabbix_port(httpd_t) ++') ++ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) @@ -26763,7 +26783,7 @@ index 3136c6a..6b7400b 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +687,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +699,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26780,7 +26800,7 @@ index 3136c6a..6b7400b 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +711,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +723,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26801,7 +26821,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -513,7 +735,13 @@ optional_policy(` +@@ -513,7 +747,13 @@ optional_policy(` ') optional_policy(` @@ -26816,7 +26836,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -528,7 +756,19 @@ optional_policy(` +@@ -528,7 +768,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26837,7 +26857,7 @@ index 3136c6a..6b7400b 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +777,13 @@ optional_policy(` +@@ -537,8 +789,13 @@ optional_policy(` ') optional_policy(` @@ -26852,7 +26872,7 @@ index 3136c6a..6b7400b 100644 ') ') -@@ -556,7 +801,13 @@ optional_policy(` +@@ -556,7 +813,13 @@ optional_policy(` ') optional_policy(` 
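Review bot: The new `tunable_policy(`httpd_can_connect_zabbix',` block in this apache.te hunk grants only `corenet_tcp_connect_zabbix_port(httpd_t)`, whereas the other port blocks in this file pair the connect call with the client-packet interface (the sendmail block in the next hunk has `corenet_tcp_connect_smtp_port(httpd_t)` followed by `corenet_sendrecv_smtp_client_packets(httpd_t)`); add `corenet_sendrecv_zabbix_client_packets(httpd_t)` inside the block so labeled-packet configurations behave consistently. The `httpd_can_connect_zabbix` boolean and the zabbix port interface are both declared outside what this hunk shows, so confirm that the matching `gen_tunable` and the corenetwork port definition are part of the same series, otherwise the module will not build. The list of tunable_policy blocks continues beyond the hunk on both sides.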
@@ -26866,7 +26886,7 @@ index 3136c6a..6b7400b 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +818,7 @@ optional_policy(` +@@ -567,6 +830,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26874,7 +26894,7 @@ index 3136c6a..6b7400b 100644 ') optional_policy(` -@@ -577,6 +829,20 @@ optional_policy(` +@@ -577,6 +841,20 @@ optional_policy(` ') optional_policy(` @@ -26895,7 +26915,7 @@ index 3136c6a..6b7400b 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +857,11 @@ optional_policy(` +@@ -591,6 +869,11 @@ optional_policy(` ') optional_policy(` @@ -26907,7 +26927,7 @@ index 3136c6a..6b7400b 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +874,12 @@ optional_policy(` +@@ -603,6 +886,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26920,7 +26940,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache helper local policy -@@ -616,7 +893,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +905,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26933,7 +26953,7 @@ index 3136c6a..6b7400b 100644 ######################################## # -@@ -654,28 +935,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +947,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26977,7 +26997,7 @@ index 3136c6a..6b7400b 100644 ') ######################################## -@@ -685,6 +968,8 @@ optional_policy(` +@@ -685,6 +980,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -26986,7 +27006,7 @@ index 3136c6a..6b7400b 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +984,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +996,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27012,7 +27032,7 @@ index 3136c6a..6b7400b 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1030,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1042,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27045,7 +27065,7 @@ index 3136c6a..6b7400b 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1077,25 @@ optional_policy(` +@@ -769,6 +1089,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27071,7 +27091,7 @@ index 3136c6a..6b7400b 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1116,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1128,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27089,7 +27109,7 @@ index 3136c6a..6b7400b 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1135,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1147,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -27146,7 +27166,7 @@ index 3136c6a..6b7400b 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1186,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1198,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27177,7 +27197,7 @@ index 3136c6a..6b7400b 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1221,20 @@ optional_policy(` +@@ -842,10 +1233,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27198,7 +27218,7 @@ index 3136c6a..6b7400b 100644 ') ######################################## -@@ -891,11 +1280,135 @@ optional_policy(` +@@ -891,11 +1292,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -32494,20 +32514,29 @@ index e67a003..8bd4751 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..3f0e601 100644 +index 3a6d7eb..6c753ff 100644 --- a/policy/modules/services/corosync.fc 
+++ b/policy/modules/services/corosync.fc -@@ -1,8 +1,10 @@ +@@ -1,8 +1,14 @@ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) ++ ++/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) ++/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:corosync_exec_t,s0) /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +@@ -10,3 +16,4 @@ + + /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) + /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 5220c9d..db158cc 100644 --- a/policy/modules/services/corosync.if @@ -32554,7 +32583,7 @@ index 5220c9d..db158cc 100644 domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..0f56485 100644 +index 04969e5..a603e70 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) 
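Review bot: The added file context `++/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)` at the end of the corosync.fc hunk misspells the directory name, so nothing under /var/run/heartbeat will match it and those runtime files will keep the generic pid-file label, which is likely to surface as denials once the daemon touches them. Change it to `/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)`. Separately, `/usr/lib(64)?/heartbeat(/.*)?` labels package-installed content under /usr/lib with the variable-data type corosync_var_lib_t; if that tree is only read and executed at runtime, a library or executable type would keep writable state and installed code apart, but whether heartbeat writes there is not something this hunk shows.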
@@ -32571,7 +32600,7 @@ index 04969e5..0f56485 100644 -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; -+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; ++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock }; +allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; @@ -32601,15 +32630,20 @@ index 04969e5..0f56485 100644 corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,6 +80,7 @@ dev_read_urand(corosync_t) +@@ -73,9 +80,12 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) ++files_read_etc_files(corosync_t) +files_read_usr_files(corosync_t) auth_use_nsswitch(corosync_t) -@@ -83,19 +91,44 @@ logging_send_syslog_msg(corosync_t) ++init_domtrans_script(corosync_t) + init_read_script_state(corosync_t) + init_rw_script_tmp_files(corosync_t) + +@@ -83,21 +93,51 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -32638,13 +32672,17 @@ index 04969e5..0f56485 100644 +optional_policy(` + drbd_domtrans(corosync_t) +') - -- rhcs_rw_fenced_semaphores(corosync_t) ++ +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) + lvm_delete_clvmd_tmpfs_files(corosync_t) +') +- rhcs_rw_fenced_semaphores(corosync_t) ++optional_policy(` ++ qpidd_rw_shm(corosync_t) ++') + - rhcs_rw_gfs_controld_semaphores(corosync_t) +optional_policy(` + rhcs_getattr_fenced(corosync_t) @@ -32658,6 +32696,9 @@ index 04969e5..0f56485 100644 ') optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) + ') ++ diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc index 01d31f1..8e2754b 100644 --- a/policy/modules/services/courier.fc 
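Review bot: The rewritten line `++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock };` in the first corosync.te hunk adds setgid on top of dac_override and setuid with no comment saying which operation needs each; dac_override in particular lets the daemon bypass DAC permission checks on every file on the host, so the access that triggered it is worth recording. Add a one-line comment above the rule naming the helper or file access behind each capability, e.g. `# dac_override: <access that triggered it>; setuid/setgid: <helper>`, and if the root-owned files are only read, `dac_read_search` is the narrower grant. The capability set was introduced across this series, so the justification may sit in an earlier hunk that is not visible here.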
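Review bot: `++init_domtrans_script(corosync_t)` in the second corosync.te hunk gives the cluster daemon a domain transition into the init-script domain whenever it executes any init script, which is effectively the ability to start and stop every service on the host under that domain. If this is for resource agents that run service scripts, a comment such as `# resource agents start/stop cluster-managed services via their init scripts` above the line would tell the next reader why; if only particular scripts are involved, a labeled transition limited to those script types would keep the grant narrower. The optional_policy blocks that follow in this file continue outside the hunk.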
@@ -33385,7 +33426,7 @@ index 35241ed..7a0913c 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..958bd54 100644 +index f7583ab..d382f40 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -33590,7 +33631,7 @@ index f7583ab..958bd54 100644 # Not sure why this is needed userdom_list_user_home_dirs(crond_t) +userdom_list_admin_dir(crond_t) -+userdom_create_all_users_keys(crond_t) ++userdom_manage_all_users_keys(crond_t) mta_send_mail(crond_t) +mta_system_content(cron_spool_t) @@ -33698,7 +33739,7 @@ index f7583ab..958bd54 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +419,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -33712,8 +33753,11 @@ index f7583ab..958bd54 100644 +allow system_cronjob_t cron_spool_t:file rw_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) ++kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) + kernel_read_software_raid_state(system_cronjob_t) + +@@ -365,6 +449,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
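Review bot: In the cron.te hunk the line `++userdom_manage_all_users_keys(crond_t)` replaces `userdom_create_all_users_keys(crond_t)`, widening crond from creating keys in every user's keyring to managing them outright (the exact permission set depends on the userdom interface, which is not shown here). Since crond is a long-lived root daemon, the narrower interface is preferable unless a specific denial asked for more than create; a comment above the line quoting that permission, e.g. `# crond needs <key permission> on user keyrings when setting up job session keyrings`, would document why the wider grant was chosen. The rule list for crond_t continues outside the hunk.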
@@ -33721,7 +33765,7 @@ index f7583ab..958bd54 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +475,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +476,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -33729,7 +33773,7 @@ index f7583ab..958bd54 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +498,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +499,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -33741,7 +33785,7 @@ index f7583ab..958bd54 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +526,8 @@ optional_policy(` +@@ -439,6 +527,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -33750,7 +33794,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -446,6 +535,14 @@ optional_policy(` +@@ -446,6 +536,14 @@ optional_policy(` ') optional_policy(` @@ -33765,7 +33809,7 @@ index f7583ab..958bd54 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +553,10 @@ optional_policy(` +@@ -456,6 +554,10 @@ optional_policy(` ') optional_policy(` @@ -33776,7 +33820,7 @@ index f7583ab..958bd54 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +565,9 @@ optional_policy(` +@@ -464,7 +566,9 @@ optional_policy(` ') optional_policy(` @@ -33786,7 +33830,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -472,6 +575,10 @@ optional_policy(` +@@ -472,6 +576,10 @@ optional_policy(` ') optional_policy(` 
@@ -33797,7 +33841,7 @@ index f7583ab..958bd54 100644 postfix_read_config(system_cronjob_t) ') -@@ -480,7 +587,7 @@ optional_policy(` +@@ -480,7 +588,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -33806,7 +33850,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -495,6 +602,7 @@ optional_policy(` +@@ -495,6 +603,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -33814,7 +33858,7 @@ index f7583ab..958bd54 100644 ') optional_policy(` -@@ -502,7 +610,13 @@ optional_policy(` +@@ -502,7 +611,13 @@ optional_policy(` ') optional_policy(` @@ -33828,7 +33872,7 @@ index f7583ab..958bd54 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +709,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -35699,19 +35743,20 @@ index 8ba9425..555058a 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc -index 418a5a0..d13814e 100644 +index 418a5a0..de67309 100644 --- a/policy/modules/services/devicekit.fc 
+++ b/policy/modules/services/devicekit.fc -@@ -1,3 +1,8 @@ +@@ -1,3 +1,9 @@ +/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + +/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -@@ -6,9 +11,14 @@ +@@ -6,9 +12,14 @@ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -45201,14 +45246,14 @@ index 98d28b4..1c1d012 100644 + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc -index 4d69477..4079870 100644 +index 4d69477..d3b4f39 100644 --- a/policy/modules/services/memcached.fc +++ b/policy/modules/services/memcached.fc @@ -2,4 +2,5 @@ /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) -+/var/run/ipa_memcached -s gen_context(system_u:object_r:memcached_var_run_t,s0) ++/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..ce07b3f 100644 @@ -47050,10 +47095,20 @@ index 64268e4..a7d94de 100644 + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..bf90863 100644 +index fd71d69..26597b2 100644 --- a/policy/modules/services/munin.fc 
+++ b/policy/modules/services/munin.fc -@@ -51,6 +51,7 @@ +@@ -41,6 +41,9 @@ + /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + ++# selinux plugins ++/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) ++ + # system plugins + /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +@@ -51,6 +54,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -47061,7 +47116,7 @@ index fd71d69..bf90863 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -63,6 +64,7 @@ +@@ -63,6 +67,7 @@ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) @@ -47166,7 +47221,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..171ebec 100644 +index f17583b..923fdfb 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
@@ -47178,7 +47233,7 @@ index f17583b..171ebec 100644 type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) -@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t) +@@ -24,15 +26,16 @@ files_tmp_file(munin_tmp_t) type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) @@ -47188,7 +47243,17 @@ index f17583b..171ebec 100644 type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) -@@ -40,7 +45,7 @@ munin_plugin_template(system) + munin_plugin_template(disk) +- + munin_plugin_template(mail) +- ++munin_plugin_template(selinux) + munin_plugin_template(services) +- + munin_plugin_template(system) + + ######################################## +@@ -40,7 +43,7 @@ munin_plugin_template(system) # Local policy # @@ -47197,7 +47262,7 @@ index f17583b..171ebec 100644 dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -71,9 +74,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) files_search_var_lib(munin_t) @@ -47211,7 +47276,7 @@ index f17583b..171ebec 100644 kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t) +@@ -116,6 +122,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -47219,7 +47284,7 @@ index f17583b..171ebec 100644 sysnet_exec_ifconfig(munin_t) -@@ -145,6 +154,7 @@ optional_policy(` +@@ -145,6 +152,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) 
@@ -47227,7 +47292,7 @@ index f17583b..171ebec 100644 mta_read_queue(munin_t) ') -@@ -159,6 +169,7 @@ optional_policy(` +@@ -159,6 +167,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -47235,20 +47300,19 @@ index f17583b..171ebec 100644 ') optional_policy(` -@@ -182,6 +193,7 @@ optional_policy(` +@@ -182,6 +191,7 @@ optional_policy(` # local policy for disk plugins # -+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; ++allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t) - - corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) +@@ -192,13 +202,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) --files_read_etc_files(disk_munin_plugin_t) + files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) ++files_read_usr_files(disk_munin_plugin_t) -fs_getattr_all_fs(disk_munin_plugin_t) - @@ -47261,7 +47325,7 @@ index f17583b..171ebec 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +231,44 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -47292,7 +47356,19 @@ index f17583b..171ebec 100644 ') optional_policy(` -@@ -245,6 +259,8 @@ optional_policy(` + sendmail_read_log(mail_munin_plugin_t) + ') + ++################################## ++# ++# local policy for selinux plugins ++# ++ ++selinux_get_enforce_mode(selinux_munin_plugin_t) ++ ++ + ################################### + # # local policy for service plugins # 
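Review bot: `++allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };` in the munin.te disk-plugin hunk now names the right type (the earlier spelling `munin_disk_plugin_t` would not have matched any declared type), but it grants sys_admin, the broadest capability, alongside sys_rawio without a comment on which plugin operation needs it. Record the triggering access above the rule, e.g. `# sys_rawio: <operation>; sys_admin: <operation>`, and drop sys_admin if the denial only asked for sys_rawio. The disk-plugin policy section continues beyond the hunk.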
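Review bot: The new selinux-plugin section in the munin.te hunk ends with two consecutive added blank lines (`++` `++`) between `selinux_get_enforce_mode(selinux_munin_plugin_t)` and the service-plugin header, while the rest of the file separates sections with a single blank line; drop one of them. The `#` banner of the new section also appears one character shorter than the banner of the service-plugin section that follows it, which is worth aligning while touching the block.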
@@ -47301,7 +47377,7 @@ index f17583b..171ebec 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -47316,7 +47392,7 @@ index f17583b..171ebec 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +292,10 @@ optional_policy(` +@@ -279,6 +300,10 @@ optional_policy(` ') optional_policy(` @@ -47327,7 +47403,7 @@ index f17583b..171ebec 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +303,10 @@ optional_policy(` +@@ -286,6 +311,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -47338,7 +47414,7 @@ index f17583b..171ebec 100644 ################################## # # local policy for system plugins -@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +324,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -47355,7 +47431,7 @@ index f17583b..171ebec 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +341,35 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -47387,6 +47463,10 @@ index f17583b..171ebec 100644 +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) ++ ++optional_policy(` ++ nscd_socket_use(munin_plugin_domain) ++') 
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index e9c0982..840e562 100644 --- a/policy/modules/services/mysql.if @@ -48517,7 +48597,7 @@ index 15448d5..62284bf 100644 +/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..d3595cf 100644 +index abe3f7f..7c7f939 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -48529,7 +48609,7 @@ index abe3f7f..d3595cf 100644 allow $1 var_yp_t:file read_file_perms; corenet_all_recvfrom_unlabeled($1) -@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',` +@@ -49,14 +49,15 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -48543,9 +48623,13 @@ index abe3f7f..d3595cf 100644 - corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_all_reserved_ports($1) corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) +- corenet_dontaudit_tcp_connect_all_ports($1) ++# Attempt to see if this is actually needed ++# corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) -@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',` + corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) +@@ -243,25 +244,6 @@ interface(`nis_read_ypbind_pid',` ######################################## ##++## Allow zabbix to connect to unreserved ports ++##
++##