From 14eae24181eddb7dc53a30315278f80127ed5e5d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 18 2010 19:06:29 +0000 Subject: - Allow policykit to send itself signals --- diff --git a/policy-F13.patch b/policy-F13.patch index 979061f..2773287 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -18535,8 +18535,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.9/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/mta.if 2010-02-17 10:00:50.000000000 -0500 -@@ -335,6 +335,7 @@ ++++ serefpolicy-3.7.9/policy/modules/services/mta.if 2010-02-18 08:18:31.000000000 -0500 +@@ -220,6 +220,25 @@ + application_executable_file($1) + ') + ++###################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mta_dontaudit_leaks_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ dontaudit $1 system_mail_t:fifo_file write; ++ dontaudit $1 system_mail_t:tcp_socket { read write }; ++') ++ + ######################################## + ## + ## Make the specified type by a system MTA. +@@ -335,6 +354,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -18544,7 +18570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -365,6 +366,25 @@ +@@ -365,6 +385,25 @@ ######################################## ## @@ -18570,7 +18596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Execute send mail in a specified domain. ## ## -@@ -454,7 +474,8 @@ +@@ -454,7 +493,8 @@ type etc_mail_t; ') 
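Review bot: The new `mta_dontaudit_leaks_system_mail` interface silences denials for descriptors that system_mail_t leaks across exec, but nothing in its header says that it hides the leak rather than closing it, and the summary reads "Dontaudit read and write an leaked file descriptors". I would change the summary to `## Dontaudit read and write of leaked system_mail_t file descriptors` and add `# system_mail_t should set close-on-exec on these descriptors; this only silences the AVC noise`, matching the `# apache should set close-on-exec` remark already in this file. The interface covers only `fifo_file write` and `tcp_socket { read write }`, so any other leaked object class is still audited; if that is intentional it belongs in the header too.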
@@ -18580,7 +18606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +699,7 @@ +@@ -678,7 +718,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -18589,7 +18615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +786,25 @@ +@@ -765,6 +805,25 @@ ####################################### ## @@ -18868,8 +18894,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_write_log(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.9/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.fc 2010-02-17 10:00:50.000000000 -0500 -@@ -1,16 +1,87 @@ ++++ serefpolicy-3.7.9/policy/modules/services/nagios.fc 2010-02-18 08:18:31.000000000 -0500 +@@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) @@ -18901,7 +18927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +# admin plugins -+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) 
@@ -18909,10 +18935,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + ++# mail plugins ++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++ +# system plugins +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) @@ -18964,7 +18992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.9/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.if 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/services/nagios.if 2010-02-18 08:18:31.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## @@ -18997,7 +19025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ## ## ## -@@ -92,10 +91,121 @@ +@@ -92,10 +91,123 @@ ## ## # 
@@ -19047,6 +19075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + gen_require(` + type nagios_t, nrpe_t; ++ type nagios_log_t; + ') + + type nagios_$1_plugin_t; @@ -19067,6 +19096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; ++ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + miscfiles_read_localization(nagios_$1_plugin_t) +') @@ -19124,7 +19154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.9/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.te 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/services/nagios.te 2010-02-18 08:18:31.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -19163,7 +19193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +42,38 @@ +@@ -33,6 +42,44 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) @@ -19178,6 +19208,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# and nagios_checkdisk_plugin_t for domain +nagios_plugin_template(checkdisk) + ++# creates nagios_mail_plugin_exec_t for executable ++# and nagios_mail_plugin_t for domain ++nagios_plugin_template(mail) ++ +# creates nagios_services_plugin_exec_t for executable +# and nagios_services_plugin_t for domain +nagios_plugin_template(services) 
@@ -19190,29 +19224,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +files_tmp_file(nagios_system_plugin_tmp_t) + +nagios_plugin_template(unconfined) ++ +optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) +') + -+permissive nagios_admin_plugin_t; ++permissive nagios_admin_plugin_t; +permissive nagios_checkdisk_plugin_t; ++permissive nagios_mail_plugin_t; +permissive nagios_services_plugin_t; +permissive nagios_system_plugin_t; + ######################################## # # Nagios local policy -@@ -45,6 +86,9 @@ - allow nagios_t self:tcp_socket create_stream_socket_perms; - allow nagios_t self:udp_socket create_socket_perms; - -+# needed by command.cfg -+can_exec(nagios_t, nagios_checkdisk_plugin_exec_t) -+ - read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) - read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) - allow nagios_t nagios_etc_t:dir list_dir_perms; -@@ -60,6 +104,8 @@ +@@ -60,6 +107,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -19221,17 +19247,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -76,6 +122,9 @@ +@@ -76,6 +125,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) -+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -86,6 +135,7 @@ +@@ -86,6 +138,7 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) 
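Review bot: All five confined plugin domains, including the new `nagios_mail_plugin_t`, are declared `permissive`, so the capability, socket and file rules written for them elsewhere in this patch are logged but never enforced, and there is no comment saying this is a bring-up measure or when it ends. I would add `# TODO: drop permissive once the plugin domains have been exercised in enforcing mode` above the `permissive` lines so the exemption does not quietly ship forever. `nagios_unconfined_plugin_t` is separately made an unconfined domain, so this list is what decides whether the confined plugin policy actually restricts anything.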
@@ -19239,7 +19265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -118,61 +168,63 @@ +@@ -118,61 +171,63 @@ udev_read_db(nagios_t) ') @@ -19335,7 +19361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +235,21 @@ +@@ -183,11 +238,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -19351,13 +19377,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) +@@ -199,6 +258,11 @@ + ') -+mta_send_mail(nrpe_t) + optional_policy(` ++ mta_send_mail(nrpe_t) ++ mta_dontaudit_leaks_system_mail(nrpe_t) ++') + - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) ++optional_policy(` + seutil_sigchld_newrole(nrpe_t) + ') - optional_policy(` -@@ -209,3 +267,120 @@ +@@ -209,3 +273,149 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -19367,14 +19399,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# local policy for admin check plugins +# + -+allow nagios_admin_plugin_t self:capability { setuid setgid dac_override }; -+ -+allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms; -+allow nagios_admin_plugin_t self:udp_socket create_socket_perms; -+ -+kernel_read_system_state(nagios_admin_plugin_t) -+kernel_read_kernel_sysctls(nagios_admin_plugin_t) -+ +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + 
@@ -19382,20 +19406,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +files_read_etc_files(nagios_admin_plugin_t) + -+libs_use_lib_files(nagios_admin_plugin_t) -+libs_use_ld_so(nagios_admin_plugin_t) ++# for check_file_age plugin ++files_getattr_all_dirs(nagios_admin_plugin_t) ++files_getattr_all_files(nagios_admin_plugin_t) ++files_getattr_all_symlinks(nagios_admin_plugin_t) ++files_getattr_all_pipes(nagios_admin_plugin_t) ++files_getattr_all_sockets(nagios_admin_plugin_t) ++files_getattr_all_file_type_fs(nagios_admin_plugin_t) ++dev_getattr_all_chr_files(nagios_admin_plugin_t) ++dev_getattr_all_blk_files(nagios_admin_plugin_t) ++ ++###################################### ++# ++# local policy for mail check plugins ++# ++ ++allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; ++ ++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_mail_plugin_t self:udp_socket create_socket_perms; ++ ++kernel_read_system_state(nagios_mail_plugin_t) ++kernel_read_kernel_sysctls(nagios_mail_plugin_t) + -+logging_send_syslog_msg(nagios_admin_plugin_t) ++corecmd_read_bin_files(nagios_mail_plugin_t) ++corecmd_read_bin_symlinks(nagios_mail_plugin_t) + -+sysnet_read_config(nagios_admin_plugin_t) ++dev_read_urand(nagios_mail_plugin_t) + -+nscd_dontaudit_search_pid(nagios_admin_plugin_t) ++files_read_etc_files(nagios_mail_plugin_t) ++ ++libs_use_lib_files(nagios_mail_plugin_t) ++libs_use_ld_so(nagios_mail_plugin_t) ++ ++logging_send_syslog_msg(nagios_mail_plugin_t) ++ ++sysnet_read_config(nagios_mail_plugin_t) ++ ++nscd_dontaudit_search_pid(nagios_mail_plugin_t) + +optional_policy(` -+ mta_read_config(nagios_admin_plugin_t) -+ mta_list_queue(nagios_admin_plugin_t) -+ mta_read_queue(nagios_admin_plugin_t) -+ mta_sendmail_exec(nagios_admin_plugin_t) ++ mta_send_mail(nagios_mail_plugin_t) ++') ++ ++optional_policy(` ++ 
postfix_stream_connect_master(nagios_mail_plugin_t) ++ posftix_exec_postqueue(nagios_mail_plugin_t) +') + +###################################### @@ -19448,6 +19505,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + mysql_stream_connect(nagios_services_plugin_t) +') + ++optional_policy(` ++ snmp_read_snmp_var_lib_files(nagios_services_plugin_t) ++') ++ +###################################### +# +# local policy for system check plugins @@ -21209,7 +21270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.9/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/policykit.te 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/services/policykit.te 2010-02-18 13:39:13.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -21218,7 +21279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; +allow policykit_t self:capability { setgid setuid sys_ptrace }; -+allow policykit_t self:process { getsched getattr }; ++allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; + allow policykit_t self:unix_dgram_socket create_socket_perms; 
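Review bot: `nagios_mail_plugin_t` gets `self:capability { setuid setgid dac_override }` with no comment tying them to check_mailq, and `dac_override` in particular lets the plugin bypass DAC on every file its type rules already reach. Presumably the set was carried over from the old admin-plugin block that this hunk removes rather than derived from denials for check_mailq; if `dac_override` does not appear in an AVC for this plugin I would drop it, and otherwise record the reason next to the line, e.g. `# check_mailq runs postqueue -- from AVC, see bug/ticket`. The `posftix_exec_postqueue` call spells the interface with a transposed "ft", matching the misspelled definition this patch adds to postfix.if, so it builds but should be renamed together with the definition.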
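Review bot: The `signal` permission added to `policykit_t self:process` is the stated purpose of this commit, yet the line carries no comment about which operation needs it, so the next reader cannot tell whether it could be narrowed to `sigchld` or `sigkill`. I would annotate it, e.g. `# polkitd signals itself (generic signal, not sigkill/sigstop)`, ideally with the observed denial, so the grant stays traceable. `self:process signal` covers only the generic-signal set, so this is a modest addition provided a plain signal is what was denied.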
@@ -21408,7 +21469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.9/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/postfix.if 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/services/postfix.if 2010-02-18 14:01:59.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21477,7 +21538,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Allow domain to read postfix local process state ## ## -@@ -378,7 +405,7 @@ +@@ -368,6 +395,25 @@ + can_exec($1, postfix_master_exec_t) + ') + ++####################################### ++## ++## Connect to postfix master process using a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`postfix_stream_connect_master',` ++ gen_require(` ++ type postfix_master_t, postfix_public_t; ++ ') ++ ++ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) ++') ++ + ######################################## + ## + ## Create a named socket in a postfix private directory. +@@ -378,7 +424,7 @@ ## ## # @@ -21486,7 +21573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -389,6 +416,25 @@ +@@ -389,6 +435,25 @@ ######################################## ## @@ -21512,7 +21599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -418,10 +464,10 @@ +@@ -418,10 +483,10 @@ # interface(`postfix_search_spool',` gen_require(` 
@@ -21525,20 +21612,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -437,11 +483,30 @@ +@@ -437,15 +502,34 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## + files_search_spool($1) + ') + + ######################################## + ## +## Getattr postfix mail spool files. +## +## @@ -21550,15 +21638,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - -- allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) ++ ') ++ ++ files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') - - ######################################## -@@ -456,16 +521,16 @@ ++') ++ ++######################################## ++## + ## Read postfix mail spool files. + ## + ## +@@ -456,16 +540,16 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -21578,7 +21669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## ## ## -@@ -475,11 +540,11 @@ +@@ -475,11 +559,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -21592,7 +21683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -500,3 +565,62 @@ +@@ -500,3 +584,80 @@ typeattribute $1 postfix_user_domtrans; ') 
@@ -21635,6 +21726,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) +') + ++####################################### ++## ++## Execute the master postqueue in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`posftix_exec_postqueue',` ++ gen_require(` ++ type postfix_postqueue_exec_t; ++ ') ++ ++ can_exec($1, postfix_postqueue_exec_t) ++') ++ +######################################## +## +## Execute the master postdrop in the @@ -22698,8 +22807,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.9/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.te 2010-02-17 11:41:10.000000000 -0500 -@@ -0,0 +1,204 @@ ++++ serefpolicy-3.7.9/policy/modules/services/rgmanager.te 2010-02-18 13:58:07.000000000 -0500 +@@ -0,0 +1,217 @@ + +policy_module(rgmanager,1.0.0) + @@ -22774,7 +22883,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +consoletype_exec(rgmanager_t) + +kernel_read_kernel_sysctls(rgmanager_t) ++kernel_read_rpc_sysctls(rgmanager_t) ++kernel_read_system_state(rgmanager_t) ++kernel_rw_rpc_sysctls(rgmanager_t) +kernel_search_debugfs(rgmanager_t) ++kernel_search_network_state(rgmanager_t) + +fs_getattr_xattr_fs(rgmanager_t) + @@ -22787,6 +22900,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +domain_getattr_all_domains(rgmanager_t) +domain_dontaudit_ptrace_all_domains(rgmanager_t) + ++storage_getattr_fixed_disk_dev(rgmanager_t) ++ +# needed by resources scripts +auth_read_all_files_except_shadow(rgmanager_t) +auth_dontaudit_getattr_shadow(rgmanager_t) 
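Review bot: The new interface is named `posftix_exec_postqueue`, a transposition of "postfix", and its summary says "Execute the master postqueue in the caller domain", which looks copied from the neighbouring postdrop/master interfaces; postqueue is not the master. Because nagios.te calls the misspelled name verbatim for `nagios_mail_plugin_t`, the policy builds, but the typo becomes a public interface name every later caller has to reproduce. I would rename it to `postfix_exec_postqueue` in both files and change the summary to `## Execute postqueue in the caller domain.` before this lands; renaming after other modules adopt it is much harder.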
@@ -22796,7 +22911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + +files_create_var_run_dirs(rgmanager_t) + -+fs_getattr_xattr_fs(rgmanager_t) ++fs_getattr_all_fs(rgmanager_t) + +term_getattr_pty_fs(rgmanager_t) +#term_use_ptmx(rgmanager_t) @@ -22810,6 +22925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + +miscfiles_read_localization(rgmanager_t) + ++mount_domtrans(rgmanager_t) ++ +tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) +') @@ -22875,13 +22992,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) +') + -+ +optional_policy(` + rpc_initrc_domtrans_nfsd(rgmanager_t) + rpc_initrc_domtrans_rpcd(rgmanager_t) + + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) ++ rpc_manage_nfs_state_data(rgmanager_t) +') + +optional_policy(` @@ -22902,8 +23019,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + udev_read_db(rgmanager_t) +') + ++optional_policy(` ++ virt_stream_connect(rgmanager_t) ++') + -+ ++optional_policy(` ++ xen_domtrans_xm(rgmanager_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.9/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.9/policy/modules/services/rhcs.fc 2010-02-17 11:41:10.000000000 -0500 
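Review bot: `mount_domtrans(rgmanager_t)`, `xen_domtrans_xm(rgmanager_t)`, `virt_stream_connect(rgmanager_t)` and `rpc_manage_nfs_state_data(rgmanager_t)` each hand rgmanager another privileged domain or data set, and none says which resource agent it serves, unlike the existing `# needed by resources scripts` comment earlier in this file. Presumably these come from the filesystem, vm and nfs agents, but that is inferred; I would put a comment on each grant naming the agent and the denial, e.g. `# fs.sh / clusterfs.sh resource agents mount cluster volumes` above `mount_domtrans`, so the rules can be reviewed agent by agent. This hunk also widens `fs_getattr_xattr_fs` to `fs_getattr_all_fs`, which is consistent with mounting arbitrary cluster filesystems but deserves the same one-line justification.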
@@ -22933,10 +23055,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.9/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rhcs.if 2010-02-17 10:00:50.000000000 -0500 -@@ -0,0 +1,367 @@ ++++ serefpolicy-3.7.9/policy/modules/services/rhcs.if 2010-02-18 08:40:35.000000000 -0500 +@@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + ++####################################### ++## ++## Creates types and rules for a basic ++## rhcs init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`rhcs_domain_template',` ++ ++ gen_require(` ++ attribute cluster_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type $1_t, cluster_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) ++ ++ # log files ++ type $1_var_log_t; ++ logging_log_file($1_var_log_t) ++ ++ # pid files ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ ++ ############################## ++ # ++ # $1_t local policy ++ # ++ ++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file }) ++ ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) ++ ++ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file }) ++ ++') ++ +###################################### +## +## Execute a domain transition to run 
groupd. @@ -23304,10 +23483,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.9/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rhcs.te 2010-02-17 11:41:10.000000000 -0500 -@@ -0,0 +1,427 @@ ++++ serefpolicy-3.7.9/policy/modules/services/rhcs.te 2010-02-18 08:40:35.000000000 -0500 +@@ -0,0 +1,247 @@ + -+policy_module(rhcs,1.0.0) ++policy_module(rhcs,1.1.0) + +######################################## +# 
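Review bot: `rhcs_domain_template` only creates the types and the tmpfs, pid and log rules, while the rewritten rhcs.te drops the per-daemon `libs_use_ld_so`, `libs_use_shared_libs`, `logging_send_syslog_msg`, `miscfiles_read_localization`, `corosync_stream_connect` and self fifo/sem/unix-socket rules for dlm_controld, fenced, gfs_controld and groupd. Those are presumably re-granted on the new `cluster_domain` attribute in a part of rhcs.te outside this view; if they are not, every daemon built from the template regresses, and in either case the template header should say so, e.g. `## Common rules (libraries, syslog, locale, corosync) are granted to the cluster_domain attribute in rhcs.te.` The template also broadens log handling to `manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)` and `logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })`, which the replaced per-daemon rules did not have (`{ file }` only); if only one daemon creates a socket under /var/log, that is worth a comment or a narrower grant.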
@@ -23321,120 +23500,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +## +gen_tunable(fenced_can_network_connect, false) + -+type dlm_controld_t; -+type dlm_controld_exec_t; -+init_daemon_domain(dlm_controld_t, dlm_controld_exec_t) -+ -+# log files -+type dlm_controld_var_log_t; -+logging_log_file(dlm_controld_var_log_t) -+ -+# pid files -+type dlm_controld_var_run_t; -+files_pid_file(dlm_controld_var_run_t) ++attribute cluster_domain; + -+type dlm_controld_tmpfs_t; -+files_tmpfs_file(dlm_controld_tmpfs_t) ++rhcs_domain_template(dlm_controld) + -+type fenced_t; -+type fenced_exec_t; -+init_daemon_domain(fenced_t, fenced_exec_t) ++rhcs_domain_template(fenced) + +# tmp files +type fenced_tmp_t; +files_tmp_file(fenced_tmp_t) + -+type fenced_tmpfs_t; -+files_tmpfs_file(fenced_tmpfs_t) -+ +type fenced_lock_t; +files_lock_file(fenced_lock_t) + -+# log files -+type fenced_var_log_t; -+logging_log_file(fenced_var_log_t) -+ -+# pid files -+type fenced_var_run_t; -+files_pid_file(fenced_var_run_t) -+ -+type gfs_controld_t; -+type gfs_controld_exec_t; -+init_daemon_domain(gfs_controld_t, gfs_controld_exec_t) -+ -+# log files -+type gfs_controld_var_log_t; -+logging_log_file(gfs_controld_var_log_t) ++rhcs_domain_template(gfs_controld) + -+# pid files -+type gfs_controld_var_run_t; -+files_pid_file(gfs_controld_var_run_t) ++rhcs_domain_template(groupd) + -+type gfs_controld_tmpfs_t; -+files_tmpfs_file(gfs_controld_tmpfs_t) -+ -+ -+type groupd_t; -+type groupd_exec_t; -+init_daemon_domain(groupd_t, groupd_exec_t) -+ -+# log files -+type groupd_var_log_t; -+logging_log_file(groupd_var_log_t) -+ -+# pid files -+type groupd_var_run_t; -+files_pid_file(groupd_var_run_t) -+ -+type groupd_tmpfs_t; -+files_tmpfs_file(groupd_tmpfs_t) -+ -+type qdiskd_t; -+type qdiskd_exec_t; -+init_daemon_domain(qdiskd_t, qdiskd_exec_t) -+ -+type qdiskd_tmpfs_t; -+files_tmpfs_file(qdiskd_tmpfs_t) ++rhcs_domain_template(qdiskd) + +# var/lib files +type 
qdiskd_var_lib_t; +files_type(qdiskd_var_lib_t) + -+# log files -+type qdiskd_var_log_t; -+logging_log_file(qdiskd_var_log_t) -+ -+# pid files -+type qdiskd_var_run_t; -+files_pid_file(qdiskd_var_run_t) -+ +##################################### +# +# dlm_controld local policy +# + -+allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource }; -+allow dlm_controld_t self:process setsched; ++allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; + -+allow dlm_controld_t self:sem create_sem_perms; -+allow dlm_controld_t self:fifo_file rw_fifo_file_perms; -+allow dlm_controld_t self:unix_stream_socket create_stream_socket_perms; -+allow dlm_controld_t self:unix_dgram_socket create_socket_perms; +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + -+manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -+manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -+fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t) -+logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file }) -+ -+# pid files -+manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -+manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -+files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) -+ +stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + 
@@ -23448,16 +23545,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +init_rw_script_tmp_files(dlm_controld_t) + -+libs_use_ld_so(dlm_controld_t) -+libs_use_shared_libs(dlm_controld_t) -+ -+logging_send_syslog_msg(dlm_controld_t) -+ -+miscfiles_read_localization(dlm_controld_t) -+ +optional_policy(` -+ ccs_stream_connect(dlm_controld_t) -+ corosync_stream_connect(dlm_controld_t) ++ ccs_stream_connect(dlm_controld_t) +') + +####################################### @@ -23465,13 +23554,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# fenced local policy +# + -+allow fenced_t self:capability { sys_nice sys_rawio sys_resource }; -+allow fenced_t self:process { setsched getsched }; ++allow fenced_t self:capability { sys_rawio sys_resource }; ++allow fenced_t self:process getsched; + -+allow fenced_t self:fifo_file rw_fifo_file_perms; -+allow fenced_t self:sem create_sem_perms; -+allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow fenced_t self:unix_dgram_socket create_socket_perms; +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; + 
@@ -23480,25 +23565,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# tmp files +manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir }) -+ -+manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -+manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -+fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file }) ++manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) ++files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) + +manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) +files_lock_filetrans(fenced_t,fenced_lock_t,file) + -+# log files -+manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t) -+logging_log_filetrans(fenced_t,fenced_var_log_t,{ file }) -+ -+# pid file -+manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t) -+manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -+manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -+files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) -+ +stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +corecmd_exec_bin(fenced_t) @@ -23510,19 +23582,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +storage_raw_write_fixed_disk(fenced_t) +storage_raw_read_removable_device(fenced_t) + ++term_getattr_pty_fs(fenced_t) +term_use_ptmx(fenced_t) + +auth_use_nsswitch(fenced_t) + +files_read_usr_symlinks(fenced_t) + -+libs_use_ld_so(fenced_t) -+libs_use_shared_libs(fenced_t) -+ -+logging_send_syslog_msg(fenced_t) -+ -+miscfiles_read_localization(fenced_t) -+ +tunable_policy(`fenced_can_network_connect',` + corenet_tcp_connect_all_ports(fenced_t) +') 
@@ -23533,10 +23599,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') + +optional_policy(` -+ corosync_stream_connect(fenced_t) -+') -+ -+optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) +') 
@@ -23546,31 +23608,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# gfs_controld local policy +# + -+allow gfs_controld_t self:capability { net_admin sys_nice sys_resource }; -+allow gfs_controld_t self:process setsched; ++allow gfs_controld_t self:capability { net_admin sys_resource }; + -+allow gfs_controld_t self:sem create_sem_perms; +allow gfs_controld_t self:shm create_shm_perms; -+allow gfs_controld_t self:fifo_file rw_fifo_file_perms; -+allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms }; -+allow gfs_controld_t self:unix_dgram_socket { create_socket_perms }; +allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + -+manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -+manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -+fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t) -+logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file }) -+ -+# pid files -+manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -+manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -+files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) -+ -+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) ++stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(gfs_controld_t) 
@@ -23579,21 +23623,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +dev_rw_dlm_control(gfs_controld_t)
 +dev_setattr_dlm_control(gfs_controld_t)
++
 +dev_rw_sysfs(gfs_controld_t)
 +
 +init_rw_script_tmp_files(gfs_controld_t)
 +
-+libs_use_ld_so(gfs_controld_t)
-+libs_use_shared_libs(gfs_controld_t)
-+
-+logging_send_syslog_msg(gfs_controld_t)
-+
-+miscfiles_read_localization(gfs_controld_t)
-+
-+optional_policy(`
-+ corosync_stream_connect(gfs_controld_t)
-+')
-+
 +optional_policy(`
 + ccs_stream_connect(gfs_controld_t)
 +')
@@ -23611,77 +23645,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +allow groupd_t self:capability { sys_nice sys_resource };
 +allow groupd_t self:process setsched;
 +
-+allow groupd_t self:sem create_sem_perms;
 +allow groupd_t self:shm create_shm_perms;
-+allow groupd_t self:fifo_file rw_fifo_file_perms;
-+allow groupd_t self:unix_stream_socket create_stream_socket_perms;
-+allow groupd_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-+manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-+fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file })
-+
-+# log files
-+manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t)
-+logging_log_filetrans(groupd_t,groupd_var_log_t,{ file })
-+
-+# pid files
-+manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-+manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-+files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
 +
 +dev_list_sysfs(groupd_t)
 +
 +files_read_etc_files(groupd_t)
 +
-+libs_use_ld_so(groupd_t)
-+libs_use_shared_libs(groupd_t)
-+
-+logging_send_syslog_msg(groupd_t)
-+
-+miscfiles_read_localization(groupd_t)
-+
 +init_rw_script_tmp_files(groupd_t)
 +
-+logging_send_syslog_msg(groupd_t)
-+
-+optional_policy(`
-+ corosync_stream_connect(groupd_t)
-+')
-+
 +######################################
 +#
 +# qdiskd local policy
 +#
 +
-+allow qdiskd_t self:capability { sys_nice ipc_lock };
-+allow qdiskd_t self:process setsched;
++allow qdiskd_t self:capability ipc_lock;
 +
-+allow qdiskd_t self:sem create_sem_perms;
-+allow qdiskd_t self:udp_socket create_socket_perms;
++allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 +allow qdiskd_t self:udp_socket create_socket_perms;
-+allow qdiskd_t self:unix_dgram_socket create_socket_perms;
-+allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_files_pattern(qdiskd_t, 
qdiskd_var_lib_t,qdiskd_var_lib_t)
 +manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
 +manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
 +files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
 +
-+# log files
-+manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-+manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-+logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file })
-+
-+manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-+manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-+fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file })
-+
-+# pid files
-+manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-+manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-+files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
-+
 +corecmd_getattr_sbin_files(qdiskd_t)
 +corecmd_exec_shell(qdiskd_t)
 +
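Review bot: `allow qdiskd_t self:tcp_socket create_stream_socket_perms;` is a new grant rather than a relocation like the rest of this hunk, and neither the commit message nor the 3.7.9-4 changelog entry records why qdiskd now needs a TCP socket. A short comment on that line, e.g. `+# qdiskd opens TCP sockets for <reason — fill in>`, would separate it from the mechanical moves to cluster_domain. The removal of sys_nice and setsched from qdiskd_t and groupd_t here presumes both types carry the cluster_domain attribute; the typeattribute assignments are not in this diff, so that should be confirmed before merging. Dropping the duplicated `allow qdiskd_t self:udp_socket create_socket_perms;` and the duplicated `logging_send_syslog_msg(groupd_t)` is correct.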
@@ -23711,27 +23697,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +files_read_etc_files(qdiskd_t)
 +
-+libs_use_ld_so(qdiskd_t)
-+libs_use_shared_libs(qdiskd_t)
-+
-+logging_send_syslog_msg(qdiskd_t)
-+
-+miscfiles_read_localization(qdiskd_t)
-+
 +optional_policy(`
-+ corosync_stream_connect(qdiskd_t)
++ ccs_stream_connect(qdiskd_t)
 +')
 +
 +optional_policy(`
-+ ccs_stream_connect(qdiskd_t)
++ netutils_domtrans_ping(qdiskd_t)
 +')
 +
 +optional_policy(`
-+ netutils_domtrans_ping(qdiskd_t)
++ udev_read_db(qdiskd_t)
 +')
 +
++#####################################
++#
++# rhcs domains common policy
++#
++
++allow cluster_domain self:capability { sys_nice };
++allow cluster_domain self:process setsched;
++
++allow cluster_domain self:sem create_sem_perms;
++allow cluster_domain self:fifo_file rw_fifo_file_perms;
++allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
++allow cluster_domain self:unix_dgram_socket create_socket_perms;
++
++libs_use_ld_so(cluster_domain)
++libs_use_shared_libs(cluster_domain)
++
++logging_send_syslog_msg(cluster_domain)
++
++miscfiles_read_localization(cluster_domain)
++
 +optional_policy(`
-+ udev_read_db(qdiskd_t)
++ corosync_stream_connect(cluster_domain)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.9/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
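Review bot: The new `cluster_domain` block grants sys_nice, setsched, sem, fifo and unix socket permissions to every type carrying the attribute, but nothing in the hunk says which daemons those are; the attribute declaration and the per-type assignments are outside this diff. A comment under the `# rhcs domains common policy` header naming the intended members and stating that any new rhcs daemon type must be added to the attribute would keep future types from silently missing the libs and syslog rules that were deleted from their own sections. `{ sys_nice }` for a single permission can be written without braces, `allow cluster_domain self:capability sys_nice;`, matching `allow qdiskd_t self:capability ipc_lock;` in the previous hunk. Separately, this rhcs consolidation and the xen changes later in the diff are not reflected in the commit message or the 3.7.9-4 changelog entry, which mention only the policykit signal change.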
@@ -31367,7 +31366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.9/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.fc 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/system/miscfiles.fc 2010-02-17 17:36:49.000000000 -0500 @@ -42,6 +42,7 @@ /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31376,7 +31375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -@@ -70,7 +71,7 @@ +@@ -70,13 +71,15 @@ /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) 
@@ -31385,6 +31384,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) +-/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + ++/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) ++ ++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + + ifdef(`distro_debian',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.9/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.7.9/policy/modules/system/miscfiles.if 2010-02-17 10:00:50.000000000 -0500 @@ -36573,7 +36581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +allow userdomain userdomain:process signull; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.9/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/xen.if 2010-02-17 10:00:50.000000000 -0500 ++++ serefpolicy-3.7.9/policy/modules/system/xen.if 2010-02-18 12:02:24.000000000 -0500 @@ -180,6 +180,25 @@ ######################################## 
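Review bot: `/var/named/chroot/etc/pki(/.*)?` is labeled `cert_t`, the type for generally readable certificate material; if the chroot copy of /etc/pki also holds private keys, every domain with certificate read access will be able to read them. If the intent is simply to mirror the host's /etc/pki labeling that is defensible, but a comment on the line such as `+# bind chroot copy of /etc/pki; mirrors host labeling, keys are not expected here` would record the assumption for the next reader. Moving the `/var/www/cobbler/images` entry below it is cosmetic.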
@@ -36600,10 +36608,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## Connect to xend over an unix domain stream socket. ## ## +@@ -213,7 +232,8 @@ + interface(`xen_domtrans_xm',` + gen_require(` + type xm_t, xm_exec_t; ++ attribute xm_transition_domain; + ') +- ++ typeattribute $1 xm_transition_domain; + domtrans_pattern($1, xm_exec_t, xm_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.9/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/xen.te 2010-02-17 10:00:50.000000000 -0500 -@@ -85,6 +85,7 @@ ++++ serefpolicy-3.7.9/policy/modules/system/xen.te 2010-02-18 12:03:13.000000000 -0500 +@@ -5,6 +5,7 @@ + # + # Declarations + # ++attribute xm_transition_domain; + + ## + ##

+@@ -85,6 +86,7 @@ type xenconsoled_t; type xenconsoled_exec_t; init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) @@ -36611,7 +36637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te # pid files type xenconsoled_var_run_t; -@@ -209,6 +210,7 @@ +@@ -209,6 +211,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) @@ -36619,7 +36645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) -@@ -259,6 +261,7 @@ +@@ -259,6 +262,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; @@ -36627,7 +36653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; -@@ -279,6 +282,7 @@ +@@ -279,6 +283,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) @@ -36635,7 +36661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) -@@ -297,6 +301,10 @@ +@@ -297,6 +302,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) @@ -36646,7 +36672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ######################################## # # Xen store local policy -@@ -340,6 +348,9 @@ +@@ -340,6 +349,9 @@ files_read_usr_files(xenstored_t) @@ -36656,7 +36682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xenstored_t) storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) -@@ -421,7 +432,14 @@ +@@ -421,7 +433,14 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` 
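Review bot: `typeattribute $1 xm_transition_domain;` added to xen_domtrans_xm requires $1 to be a type; if any existing caller passes an attribute rather than a type, the policy will no longer build, so the callers of this interface should be checked. The new `attribute xm_transition_domain;` in xen.te carries no explanation of what it collects; a comment next to the declaration such as `# domains that transition to xm_t; used to silence fds leaked into xm_ssh_t` would document its purpose, and the interface's summary block should mention that callers are added to the attribute.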
@@ -36671,11 +36697,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te virt_stream_connect(xm_t) ') -@@ -438,6 +456,8 @@ +@@ -435,9 +454,14 @@ + kernel_read_xen_state(xm_ssh_t) + kernel_write_xen_state(xm_ssh_t) + ++ dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp(xm_ssh_t) ++ fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) -+userdom_search_admin_dir(xm_ssh_t) ++ userdom_search_admin_dir(xm_ssh_t) + #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 358f154..c54e93e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.9 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ exit 0 %endif %changelog +* Thu Feb 18 2010 Dan Walsh 3.7.9-4 +- Allow policykit to send itself signals + * Wed Feb 17 2010 Dan Walsh 3.7.9-3 - Fix duplicate cobbler definition
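Review bot: The new `dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;` silences, rather than grants, access to pipes inherited from whichever domain executed xm; that is the right choice for a leaked descriptor, but a comment saying so, e.g. `# pipes leaked across the xm transition; silence, do not allow`, would stop a later reader from upgrading it to an allow. The enclosing block around `kernel_read_xen_state(xm_ssh_t)` begins outside the hunk, so whether `files_search_tmp(xm_ssh_t)` and the re-indented `userdom_search_admin_dir(xm_ssh_t)` sit in the intended conditional cannot be checked from here.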