From 4689b08b49107dd22b8baba6f880261ee57385fd Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 06 2012 22:20:13 +0000 Subject: - Add new sysadm_secadm.pp module * contains secadm definition for sysadm_t - Move user_mail_domain access out of the interface into the - Allow httpd_t to create httpd_var_lib_t directories as wel - Allow snmpd to connect to the ricci_modcluster stream - Allow firewalld to read /etc/passwd - Add auth_use_nsswitch for colord - Allow smartd to read network state - smartdnotify needs to read /etc/group --- diff --git a/modules-mls.conf b/modules-mls.conf index 0b572be..6232449 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1861,6 +1861,13 @@ staff = module # sysadm = module +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + # Layer: role # Module: unprivuser # diff --git a/modules-targeted.conf b/modules-targeted.conf index 078c411..fc190be 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2162,6 +2162,21 @@ dbadm = module logadm = module # Layer: role +# Module: secadm +# +# secadm account on tty logins +# +secadm = module + +# Layer: role +# Module: auditadm +# +# auditadm account on tty logins +# +auditadm = module + + +# Layer: role # Module: webadm # # Minimally prived root role for managing apache @@ -2232,6 +2247,13 @@ staff = module # sysadm = module +# Layer:role +# Module: sysadm_secadm +# +# System Administrator with Security Admin rules +# +sysadm_secadm = module + # Layer: role # Module: unprivuser # diff --git a/policy-F16.patch b/policy-F16.patch index c5aacca..25b10b5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4078,7 +4078,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..70d684a 100644 +index 6a5004b..65681da 100644 --- a/policy/modules/admin/tmpreaper.te 
+++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -4098,12 +4098,11 @@ index 6a5004b..70d684a 100644 dev_read_urand(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) -@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t) +@@ -25,11 +28,15 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) -+files_delete_usr_dirs(tmpreaper_t) -+files_delete_usr_files(tmpreaper_t) ++files_delete_all_non_security_files(tmpreaper_t) # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) @@ -4115,7 +4114,7 @@ index 6a5004b..70d684a 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +45,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -4137,7 +4136,7 @@ index 6a5004b..70d684a 100644 ') optional_policy(` -@@ -52,7 +64,9 @@ optional_policy(` +@@ -52,7 +63,9 @@ optional_policy(` ') optional_policy(` @@ -4147,7 +4146,7 @@ index 6a5004b..70d684a 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +80,13 @@ optional_policy(` +@@ -66,9 +79,13 @@ optional_policy(` ') optional_policy(` @@ -17190,7 +17189,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..3a7eb38 100644 +index ff006ea..a8532db 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -18778,7 +18777,7 @@ index ff006ea..3a7eb38 100644 ## ## ## -@@ -6117,3 +6881,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6881,302 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') 
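Review bot: Swapping `files_delete_usr_dirs`/`files_delete_usr_files` for `files_delete_all_non_security_files(tmpreaper_t)` in the `@@ -4098,12 +4098,11 @@` hunk widens tmpreaper's unlink permission from usr_t to every type carrying `non_security_file_type`, far beyond the /usr cleanup the replaced lines covered; the patch should state which paths tmpreaper actually needs and keep the narrower interfaces if /usr is all that is required. The new interface only grants `file_class_set unlink`, and as far as I recall file_class_set does not include dir in refpolicy, so the rmdir access that `files_delete_usr_dirs` provided is silently dropped while `files_setattr_usr_dirs(tmpreaper_t)` a few lines below still expects directory handling. The tmpreaper.te section continues in the following hunks.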
@@ -19063,6 +19062,24 @@ index ff006ea..3a7eb38 100644 + + dontaudit $1 file_type:dir_file_class_set write; +') ++ ++######################################## ++## ++## Allow domain to delete to all files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_delete_all_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ allow $1 non_security_file_type:file_class_set unlink; ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 22821ff..4486d80 100644 --- a/policy/modules/kernel/files.te @@ -22362,11 +22379,39 @@ index 2be17d2..cdcc621 100644 +tunable_policy(`allow_execmod',` + userdom_execmod_user_home_files(staff_t) +') +diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if +index ff92430..36740ea 100644 +--- a/policy/modules/roles/sysadm.if ++++ b/policy/modules/roles/sysadm.if +@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` + allow sysadm_t $1:process sigchld; + ') + ++####################################### ++## ++## sysadm stub interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sysadm_stub',` ++ gen_require(` ++ type sysadm_t; ++ role sysadm_r; ++ ') ++') ++ + ######################################## + ## + ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..37bdf8d 100644 +index e14b961..aed3d37 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) +@@ -5,39 +5,60 @@ policy_module(sysadm, 2.2.1) # Declarations # @@ -22380,7 +22425,12 @@ index e14b961..37bdf8d 100644 role sysadm_r; userdom_admin_user_template(sysadm) -@@ -24,20 +17,52 @@ ifndef(`enable_mls',` + +-ifndef(`enable_mls',` +- userdom_security_admin_template(sysadm_t, sysadm_r) +-') +- + ######################################## # # Local policy # 
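Review bot: The doc block on the new `files_delete_all_non_security_files` interface in the `@@ -19063` hunk does not describe what it grants: the summary reads `Allow domain to delete to all files` and the parameter is documented as `Domain to not audit.`, although the body is an `allow`, not a `dontaudit`, and the interface is limited to `non_security_file_type`. Suggest `## Allow the specified domain to delete all non-security files.` for the summary and `## Domain allowed access.` for the parameter, so callers do not mistake it for a dontaudit helper. The `dontaudit $1 file_type:dir_file_class_set write;` lines at the top of the hunk belong to a preceding interface whose start is outside this hunk.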
@@ -22433,19 +22483,22 @@ index e14b961..37bdf8d 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,9 +80,10 @@ ifndef(`enable_mls',` - logging_manage_audit_log(sysadm_t) - logging_manage_audit_config(sysadm_t) - logging_run_auditctl(sysadm_t, sysadm_r) -+ logging_stream_connect_syslog(sysadm_t) +@@ -51,13 +72,8 @@ ifdef(`direct_sysadm_daemon',` + ') ') +-ifndef(`enable_mls',` +- logging_manage_audit_log(sysadm_t) +- logging_manage_audit_config(sysadm_t) +- logging_run_auditctl(sysadm_t, sysadm_r) +-') + -tunable_policy(`allow_ptrace',` +tunable_policy(`deny_ptrace',`',` domain_ptrace_all_domains(sysadm_t) ') -@@ -67,9 +93,9 @@ optional_policy(` +@@ -67,9 +83,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -22456,7 +22509,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -98,6 +124,10 @@ optional_policy(` +@@ -98,6 +114,10 @@ optional_policy(` ') optional_policy(` @@ -22467,21 +22520,21 @@ index e14b961..37bdf8d 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +140,20 @@ optional_policy(` +@@ -110,11 +130,20 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) + #cron_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -22490,7 +22543,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -128,6 +167,10 @@ optional_policy(` +@@ -128,6 +157,10 @@ optional_policy(` ') optional_policy(` @@ -22501,7 +22554,7 @@ index e14b961..37bdf8d 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +206,13 @@ optional_policy(` +@@ -163,6 +196,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) 
@@ -22515,7 +22568,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -170,15 +220,20 @@ optional_policy(` +@@ -170,15 +210,20 @@ optional_policy(` ') optional_policy(` @@ -22539,7 +22592,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -198,22 +253,20 @@ optional_policy(` +@@ -198,22 +243,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -22568,7 +22621,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -225,25 +278,47 @@ optional_policy(` +@@ -225,25 +268,47 @@ optional_policy(` ') optional_policy(` @@ -22616,7 +22669,7 @@ index e14b961..37bdf8d 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +328,32 @@ optional_policy(` +@@ -253,31 +318,32 @@ optional_policy(` ') optional_policy(` @@ -22656,7 +22709,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -302,12 +378,18 @@ optional_policy(` +@@ -302,12 +368,18 @@ optional_policy(` ') optional_policy(` @@ -22676,7 +22729,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -332,7 +414,10 @@ optional_policy(` +@@ -332,7 +404,10 @@ optional_policy(` ') optional_policy(` @@ -22688,7 +22741,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -343,19 +428,15 @@ optional_policy(` +@@ -343,19 +418,15 @@ optional_policy(` ') optional_policy(` @@ -22710,7 +22763,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -367,45 +448,45 @@ optional_policy(` +@@ -367,45 +438,45 @@ optional_policy(` ') optional_policy(` @@ -22767,7 +22820,7 @@ index e14b961..37bdf8d 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +499,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +489,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -22778,7 +22831,7 @@ index e14b961..37bdf8d 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +516,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +506,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -22786,7 +22839,7 @@ index e14b961..37bdf8d 100644 ') optional_policy(` -@@ -446,11 +524,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +514,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22809,9 +22862,8 @@ index e14b961..37bdf8d 100644 + + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') @@ -22838,8 +22890,9 @@ index e14b961..37bdf8d 100644 + + optional_policy(` + uml_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') 
@@ -22856,6 +22909,49 @@ index e14b961..37bdf8d 100644 + xserver_role(sysadm_r, sysadm_t) + ') +') +diff --git a/policy/modules/roles/sysadm_secadm.fc b/policy/modules/roles/sysadm_secadm.fc +new file mode 100644 +index 0000000..ae3b6db +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.fc +@@ -0,0 +1 @@ ++# No context +diff --git a/policy/modules/roles/sysadm_secadm.if b/policy/modules/roles/sysadm_secadm.if +new file mode 100644 +index 0000000..bd83148 +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.if +@@ -0,0 +1 @@ ++## No Interfaces +diff --git a/policy/modules/roles/sysadm_secadm.te b/policy/modules/roles/sysadm_secadm.te +new file mode 100644 +index 0000000..2cc4c43 +--- /dev/null ++++ b/policy/modules/roles/sysadm_secadm.te +@@ -0,0 +1,23 @@ ++policy_module(sysadm_secadm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++gen_require(` ++ type sysadm_t; ++ ole sysadm_r; ++') ++ ++userdom_security_admin_template(sysadm_t, sysadm_r) ++ ++####################################### ++# ++# Local policy ++# ++ ++logging_manage_audit_log(sysadm_t) ++logging_manage_audit_config(sysadm_t) ++logging_run_auditctl(sysadm_t, sysadm_r) ++logging_stream_connect_syslog(sysadm_t) diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc new file mode 100644 index 0000000..0e8654b @@ -26285,7 +26381,7 @@ index 6480167..2ad693a 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..d6944c1 100644 +index 3136c6a..6bbf626 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,136 +18,233 @@ policy_module(apache, 2.2.1) 
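Review bot: The new policy/modules/roles/sysadm_secadm.te has `ole sysadm_r;` inside its gen_require block (the `@@ -0,0 +1,23 @@` hunk), a typo for `role sysadm_r;`; as written the module will not build, and `userdom_security_admin_template(sysadm_t, sysadm_r)` directly below depends on that require. Change the line to `role sysadm_r;`. The "Local policy" banner in the same file is one `#` shorter than the "Declarations" banner, which is cosmetic but worth aligning with the other .te files.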
@@ -26688,7 +26784,18 @@ index 3136c6a..d6944c1 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +486,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -339,8 +470,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) + manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) + fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + ++manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) + manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +-files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) ++files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) + + setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +@@ -355,6 +487,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -26698,7 +26805,7 @@ index 3136c6a..d6944c1 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +499,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +500,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26715,7 +26822,7 @@ index 3136c6a..d6944c1 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +516,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +517,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) 
@@ -26731,7 +26838,7 @@ index 3136c6a..d6944c1 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +529,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +530,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26739,7 +26846,7 @@ index 3136c6a..d6944c1 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +541,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +542,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26843,7 +26950,7 @@ index 3136c6a..d6944c1 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +648,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +649,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -26901,7 +27008,7 @@ index 3136c6a..d6944c1 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +706,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +707,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26918,7 +27025,7 @@ index 3136c6a..d6944c1 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +730,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +731,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26939,7 +27046,7 @@ index 3136c6a..d6944c1 100644 ') optional_policy(` -@@ -513,7 +754,13 @@ optional_policy(` +@@ -513,7 +755,13 @@ optional_policy(` ') optional_policy(` 
@@ -26954,7 +27061,7 @@ index 3136c6a..d6944c1 100644 ') optional_policy(` -@@ -528,7 +775,19 @@ optional_policy(` +@@ -528,7 +776,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26975,7 +27082,7 @@ index 3136c6a..d6944c1 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +796,13 @@ optional_policy(` +@@ -537,8 +797,13 @@ optional_policy(` ') optional_policy(` @@ -26990,7 +27097,7 @@ index 3136c6a..d6944c1 100644 ') ') -@@ -556,7 +820,21 @@ optional_policy(` +@@ -556,7 +821,21 @@ optional_policy(` ') optional_policy(` @@ -27012,7 +27119,7 @@ index 3136c6a..d6944c1 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +845,7 @@ optional_policy(` +@@ -567,6 +846,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -27020,7 +27127,7 @@ index 3136c6a..d6944c1 100644 ') optional_policy(` -@@ -577,6 +856,20 @@ optional_policy(` +@@ -577,6 +857,20 @@ optional_policy(` ') optional_policy(` @@ -27041,7 +27148,7 @@ index 3136c6a..d6944c1 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +884,11 @@ optional_policy(` +@@ -591,6 +885,11 @@ optional_policy(` ') optional_policy(` @@ -27053,7 +27160,7 @@ index 3136c6a..d6944c1 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +901,12 @@ optional_policy(` +@@ -603,6 +902,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -27066,7 +27173,7 @@ index 3136c6a..d6944c1 100644 ######################################## # # Apache helper local policy -@@ -616,7 +920,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +921,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
@@ -27079,7 +27186,7 @@ index 3136c6a..d6944c1 100644 ######################################## # -@@ -654,28 +962,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +963,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -27123,7 +27230,7 @@ index 3136c6a..d6944c1 100644 ') ######################################## -@@ -685,6 +995,8 @@ optional_policy(` +@@ -685,6 +996,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -27132,7 +27239,7 @@ index 3136c6a..d6944c1 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1011,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1012,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27158,7 +27265,7 @@ index 3136c6a..d6944c1 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1057,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1058,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27191,7 +27298,7 @@ index 3136c6a..d6944c1 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1104,25 @@ optional_policy(` +@@ -769,6 +1105,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -27217,7 +27324,7 @@ index 3136c6a..d6944c1 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1143,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1144,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27235,7 +27342,7 @@ index 3136c6a..d6944c1 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1162,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1163,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27292,7 +27399,7 @@ index 3136c6a..d6944c1 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1213,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1214,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27323,7 +27430,7 @@ index 3136c6a..d6944c1 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1248,20 @@ optional_policy(` +@@ -842,10 +1249,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27344,7 +27451,7 @@ index 3136c6a..d6944c1 100644 ') ######################################## -@@ -891,11 +1307,135 @@ optional_policy(` +@@ -891,11 +1308,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -31352,7 +31459,7 @@ index 0000000..7f55959 +') 
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..8b32b57 +index 0000000..22b18dc --- /dev/null +++ b/policy/modules/services/cloudform.te @@ -0,0 +1,222 @@ @@ -31504,7 +31611,7 @@ index 0000000..8b32b57 +# mongod local policy +# + -+allow mongod_t self:process { setsched signal }; ++allow mongod_t self:process { execmem setsched signal }; + +allow mongod_t self:netlink_route_socket r_netlink_socket_perms; +allow mongod_t self:unix_stream_socket create_stream_socket_perms; @@ -32368,7 +32475,7 @@ index 0000000..ca71d08 +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..029adf3 100644 +index 74505cc..543b5dc 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) @@ -32416,7 +32523,7 @@ index 74505cc..029adf3 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +76,33 @@ files_list_mnt(colord_t) +@@ -65,19 +76,35 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) @@ -32431,6 +32538,8 @@ index 74505cc..029adf3 100644 +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + ++auth_use_nsswitch(colord_t) ++ logging_send_syslog_msg(colord_t) miscfiles_read_localization(colord_t) @@ -32451,7 +32560,7 @@ index 74505cc..029adf3 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +114,12 @@ optional_policy(` +@@ -89,6 +116,12 @@ optional_policy(` ') optional_policy(` @@ -32464,7 +32573,7 @@ index 74505cc..029adf3 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +127,16 @@ optional_policy(` +@@ -96,5 +129,16 @@ optional_policy(` ') optional_policy(` @@ -39873,10 +39982,10 @@ index 0000000..06462d4 +') 
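Review bot: Adding `execmem` to `allow mongod_t self:process { execmem setsched signal };` in the cloudform.te hunk lets mongod map anonymous writable-and-executable memory, which removes the W^X protection SELinux otherwise gives that domain, and the patch records no reason for it. Add a comment above the rule naming the cause (presumably a JIT in mongod's embedded JavaScript engine — confirm against the observed denial), e.g. `# execmem: <reason or denial reference>`, and consider placing it behind a tunable so deployments that do not use server-side JavaScript can keep it off. The mongod local-policy section continues past the end of this hunk.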
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..8dcd6e4 +index 0000000..2e4b1aa --- /dev/null +++ b/policy/modules/services/firewalld.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ + +policy_module(firewalld,1.0.0) + @@ -39926,6 +40035,8 @@ index 0000000..8dcd6e4 +files_read_etc_files(firewalld_t) +files_read_usr_files(firewalld_t) + ++auth_read_passwd(firewalld_t) ++ +logging_send_syslog_msg(firewalld_t) + +miscfiles_read_localization(firewalld_t) @@ -46738,7 +46849,7 @@ index 256166a..71e7a36 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..381f8c1 100644 +index 343cee3..7ae15f4 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` 
@@ -46752,24 +46863,103 @@ index 343cee3..381f8c1 100644 gen_require(` attribute user_mail_domain; type sendmail_exec_t; -@@ -104,6 +104,7 @@ template(`mta_base_mail_template',` +@@ -56,92 +56,11 @@ template(`mta_base_mail_template',` + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) -+ postfix_rw_master_pipes($1_mail_t) - ') +- ############################## +- # +- # $1_mail_t local policy +- # +- +- allow $1_mail_t self:capability { setuid setgid chown }; +- allow $1_mail_t self:process { signal_perms setrlimit }; +- allow $1_mail_t self:tcp_socket create_socket_perms; +- +- # re-exec itself +- can_exec($1_mail_t, sendmail_exec_t) +- allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; +- +- kernel_read_system_state($1_mail_t) +- kernel_read_kernel_sysctls($1_mail_t) +- +- corenet_all_recvfrom_unlabeled($1_mail_t) +- corenet_all_recvfrom_netlabel($1_mail_t) +- corenet_tcp_sendrecv_generic_if($1_mail_t) +- corenet_tcp_sendrecv_generic_node($1_mail_t) +- corenet_tcp_sendrecv_all_ports($1_mail_t) +- corenet_tcp_connect_all_ports($1_mail_t) +- corenet_tcp_connect_smtp_port($1_mail_t) +- corenet_sendrecv_smtp_client_packets($1_mail_t) +- +- corecmd_exec_bin($1_mail_t) +- +- files_read_etc_files($1_mail_t) +- files_search_spool($1_mail_t) +- # It wants to check for nscd +- files_dontaudit_search_pids($1_mail_t) ++ manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) ++ manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) ++ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - optional_policy(` -@@ -128,6 +129,8 @@ template(`mta_base_mail_template',` - # Write to /var/spool/mail and /var/spool/mqueue. 
- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) - manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) -+ read_lnk_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) -+ read_lnk_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) - - # Check available space. - fs_getattr_xattr_fs($1_mail_t) -@@ -158,6 +161,7 @@ template(`mta_base_mail_template',` + auth_use_nsswitch($1_mail_t) +- +- init_dontaudit_rw_utmp($1_mail_t) +- +- logging_send_syslog_msg($1_mail_t) +- +- miscfiles_read_localization($1_mail_t) +- +- optional_policy(` +- exim_read_log($1_mail_t) +- exim_append_log($1_mail_t) +- exim_manage_spool_files($1_mail_t) +- ') +- +- optional_policy(` +- postfix_domtrans_user_mail_handler($1_mail_t) +- ') +- +- optional_policy(` +- procmail_exec($1_mail_t) +- ') +- +- optional_policy(` +- qmail_domtrans_inject($1_mail_t) +- ') +- +- optional_policy(` +- gen_require(` +- type etc_mail_t, mail_spool_t, mqueue_spool_t; +- ') +- +- manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) +- manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) +- files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) +- +- allow $1_mail_t etc_mail_t:dir search_dir_perms; +- +- # Write to /var/spool/mail and /var/spool/mqueue. +- manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) +- manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) +- +- # Check available space. +- fs_getattr_xattr_fs($1_mail_t) +- +- files_read_etc_runtime_files($1_mail_t) +- +- # Write to /var/log/sendmail.st +- sendmail_manage_log($1_mail_t) +- sendmail_create_log($1_mail_t) +- ') +- +- optional_policy(` +- uucp_manage_spool($1_mail_t) +- ') + ') + + ######################################## +@@ -158,6 +77,7 @@ template(`mta_base_mail_template',` ## User domain for the role ## ## 
@@ -46777,7 +46967,7 @@ index 343cee3..381f8c1 100644 # interface(`mta_role',` gen_require(` -@@ -169,11 +173,19 @@ interface(`mta_role',` +@@ -169,11 +89,19 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) @@ -46798,7 +46988,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -220,6 +232,25 @@ interface(`mta_agent_executable',` +@@ -220,6 +148,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -46824,7 +47014,7 @@ index 343cee3..381f8c1 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,10 +337,11 @@ interface(`mta_mailserver_sender',` +@@ -306,10 +253,11 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -46837,7 +47027,7 @@ index 343cee3..381f8c1 100644 ') ####################################### -@@ -330,12 +362,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +278,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -46850,7 +47040,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -350,9 +376,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +292,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -46861,7 +47051,7 @@ index 343cee3..381f8c1 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +416,19 @@ interface(`mta_send_mail',` +@@ -391,12 +332,19 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -46883,7 +47073,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -409,7 +441,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +357,6 @@ interface(`mta_sendmail_domtrans',` ## ## # 
@@ -46891,7 +47081,7 @@ index 343cee3..381f8c1 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +451,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +367,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -46916,7 +47106,7 @@ index 343cee3..381f8c1 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +487,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +403,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -46943,7 +47133,7 @@ index 343cee3..381f8c1 100644 ## Read mail server configuration. ## ## -@@ -474,7 +543,8 @@ interface(`mta_write_config',` +@@ -474,7 +459,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -46953,7 +47143,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -494,6 +564,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +480,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -46961,7 +47151,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -532,7 +603,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +519,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -46970,7 +47160,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -552,7 +623,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +539,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -46979,7 +47169,7 @@ index 343cee3..381f8c1 100644 ') ####################################### -@@ -646,8 +717,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +633,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
@@ -46990,7 +47180,7 @@ index 343cee3..381f8c1 100644 ') ####################################### -@@ -677,7 +748,26 @@ interface(`mta_spool_filetrans',` +@@ -677,7 +664,26 @@ interface(`mta_spool_filetrans',` ') files_search_spool($1) @@ -47018,7 +47208,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -697,8 +787,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +703,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -47029,7 +47219,7 @@ index 343cee3..381f8c1 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +928,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +844,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -47038,7 +47228,7 @@ index 343cee3..381f8c1 100644 ') ######################################## -@@ -864,6 +954,36 @@ interface(`mta_manage_queue',` +@@ -864,6 +870,36 @@ interface(`mta_manage_queue',` ####################################### ## @@ -47075,7 +47265,7 @@ index 343cee3..381f8c1 100644 ## Read sendmail binary. ## ## -@@ -899,3 +1019,114 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +935,114 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -47191,7 +47381,7 @@ index 343cee3..381f8c1 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..a7d94de 100644 +index 64268e4..ab8c4e4 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) 
@@ -47213,7 +47403,15 @@ index 64268e4..a7d94de 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t) +@@ -42,6 +44,7 @@ typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; + typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; + ubac_constrained(user_mail_t) + ubac_constrained(user_mail_tmp_t) ++userdom_user_tmp_content(user_mail_tmp_t) + + ######################################## + # +@@ -50,22 +53,11 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; @@ -47237,7 +47435,7 @@ index 64268e4..a7d94de 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -79,9 +70,16 @@ selinux_getattr_fs(system_mail_t) +@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t) term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) @@ -47255,7 +47453,7 @@ index 64268e4..a7d94de 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,14 +90,21 @@ optional_policy(` +@@ -92,14 +91,21 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -47280,7 +47478,7 @@ index 64268e4..a7d94de 100644 ') optional_policy(` -@@ -108,9 +113,15 @@ optional_policy(` +@@ -108,9 +114,15 @@ optional_policy(` ') optional_policy(` @@ -47296,7 +47494,7 @@ index 64268e4..a7d94de 100644 ') optional_policy(` -@@ -124,12 +135,9 @@ optional_policy(` +@@ -124,12 +136,9 @@ optional_policy(` ') optional_policy(` @@ -47311,7 +47509,7 @@ index 64268e4..a7d94de 100644 ') optional_policy(` -@@ -146,6 +154,10 @@ optional_policy(` +@@ -146,6 +155,10 @@ optional_policy(` ') optional_policy(` 
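Review bot: `userdom_user_tmp_content(user_mail_tmp_t)` puts the mail temporary type under the user_tmp_type attribute, and the userdom_read_user_tmp_files hunk later in this patch (userdomain.if, nested hunk `@@ -2158,11 +2734,11`) switches that interface from user_tmp_t to the same attribute, so every existing caller of userdom_read_user_tmp_files gains read access to user_mail_tmp_t in one step. Neither hunk records that this widening is intended, and the interface's own summary comment sits outside that hunk and still describes the old single-type scope. A one-line comment at the new line would make the trade-off visible, e.g. `# user_tmp_type: now readable by every caller of userdom_read_user_tmp_files`. The declarations block this line belongs to continues outside the hunk.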
@@ -47322,7 +47520,7 @@ index 64268e4..a7d94de 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +170,13 @@ optional_policy(` +@@ -158,22 +171,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -47348,7 +47546,7 @@ index 64268e4..a7d94de 100644 ') optional_policy(` -@@ -189,6 +192,10 @@ optional_policy(` +@@ -189,6 +193,10 @@ optional_policy(` ') optional_policy(` @@ -47359,7 +47557,7 @@ index 64268e4..a7d94de 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,15 +206,16 @@ optional_policy(` +@@ -199,15 +207,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -47380,7 +47578,7 @@ index 64268e4..a7d94de 100644 ######################################## # # Mailserver delivery local policy -@@ -220,28 +228,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,28 +229,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -47415,7 +47613,7 @@ index 64268e4..a7d94de 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +250,25 @@ optional_policy(` +@@ -249,16 +251,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -47443,7 +47641,7 @@ index 64268e4..a7d94de 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -277,6 +287,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) +@@ -277,14 +288,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) # files in an appropriate place for mta_user_agent userdom_read_user_tmp_files(mta_user_agent) 
@@ -47452,7 +47650,15 @@ index 64268e4..a7d94de 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +304,49 @@ optional_policy(` + ') + + optional_policy(` +- allow user_mail_t self:capability dac_override; +- + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write + userdom_rw_user_tmp_files(user_mail_t) +@@ -292,3 +303,115 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -47462,6 +47668,9 @@ index 64268e4..a7d94de 100644 +# Comman user_mail_domain policy +# + ++allow user_mail_domain self:capability { setuid setgid chown }; ++allow user_mail_domain self:process { signal_perms setrlimit }; ++allow user_mail_domain self:tcp_socket create_socket_perms; +allow user_mail_domain self:fifo_file rw_fifo_file_perms; +allow user_mail_domain mta_exec_type:file entrypoint; + 
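Review bot: `allow user_mail_domain self:capability { setuid setgid chown };` grants these capabilities to every domain carrying the attribute, and nothing in the hunk says which mail agent needs them; the removed `allow user_mail_t self:capability dac_override;` in the same hunk shows the author is tightening elsewhere, so the grant that stays deserves a why-comment. Something hedged like `# setuid/setgid/chown: needed by the set-id mail submission agents -- confirm per agent` would do, since the need is not visible from the policy itself. The user_mail_domain section this opens continues in the following hunks.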
@@ -47484,6 +47693,53 @@ index 64268e4..a7d94de 100644 + +files_read_usr_files(user_mail_domain) + ++# Write to /var/spool/mail and /var/spool/mqueue. ++manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t) ++manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t) ++read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t) ++read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t) ++ ++# re-exec itself ++can_exec(user_mail_domain, sendmail_exec_t) ++allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; ++ ++kernel_read_system_state(user_mail_domain) ++kernel_read_kernel_sysctls(user_mail_domain) ++ ++corenet_all_recvfrom_unlabeled(user_mail_domain) ++corenet_all_recvfrom_netlabel(user_mail_domain) ++corenet_tcp_sendrecv_generic_if(user_mail_domain) ++corenet_tcp_sendrecv_generic_node(user_mail_domain) ++corenet_tcp_sendrecv_all_ports(user_mail_domain) ++corenet_tcp_connect_all_ports(user_mail_domain) ++corenet_tcp_connect_smtp_port(user_mail_domain) ++corenet_sendrecv_smtp_client_packets(user_mail_domain) ++ ++corecmd_exec_bin(user_mail_domain) ++ ++files_read_etc_files(user_mail_domain) ++files_search_spool(user_mail_domain) ++# It wants to check for nscd ++files_dontaudit_search_pids(user_mail_domain) ++allow user_mail_domain etc_mail_t:dir search_dir_perms; ++ ++files_read_etc_runtime_files(user_mail_domain) ++ ++# Check available space. ++fs_getattr_xattr_fs(user_mail_domain) ++ ++init_dontaudit_rw_utmp(user_mail_domain) ++ ++logging_send_syslog_msg(user_mail_domain) ++ ++miscfiles_read_localization(user_mail_domain) ++ ++optional_policy(` ++ exim_domtrans(user_mail_domain) ++ exim_manage_log(user_mail_domain) ++ exim_manage_spool_files(user_mail_domain) ++') ++ +optional_policy(` + # postfix needs this for newaliases + files_getattr_tmp_dirs(user_mail_domain) 
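Review bot: `corenet_tcp_connect_all_ports(user_mail_domain)` makes the `corenet_tcp_connect_smtp_port(user_mail_domain)` line right after it redundant and lets every mail client domain connect to any TCP port. If some agent genuinely needs the all-ports grant, the line should carry a comment naming it; otherwise the smtp-port line alone is the narrower rule and the all-ports pair (`corenet_tcp_sendrecv_all_ports` included) can go. The same section has a comment for the spool writes and the re-exec, so a comment here would match the surrounding style.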
@@ -47491,6 +47747,8 @@ index 64268e4..a7d94de 100644 + postfix_exec_master(user_mail_domain) + postfix_read_config(user_mail_domain) + postfix_search_spool(user_mail_domain) ++ postfix_domtrans_user_mail_handler(user_mail_domain) ++ postfix_rw_master_pipes(user_mail_domain) + + ifdef(`distro_redhat',` + # compatability for old default main.cf @@ -47498,9 +47756,23 @@ index 64268e4..a7d94de 100644 + ') +') + ++ +optional_policy(` -+ exim_domtrans(user_mail_domain) -+ exim_manage_log(user_mail_domain) ++ procmail_exec(user_mail_domain) ++') ++ ++optional_policy(` ++ qmail_domtrans_inject(user_mail_domain) ++') ++ ++optional_policy(` ++ # Write to /var/log/sendmail.st ++ sendmail_manage_log(user_mail_domain) ++ sendmail_create_log(user_mail_domain) ++') ++ ++optional_policy(` ++ uucp_manage_spool(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc index fd71d69..26597b2 100644 @@ -61833,7 +62105,7 @@ index adea9f9..145adbd 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..5e4d100 100644 +index 606a098..441f753 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -35,7 +35,7 @@ ifdef(`enable_mls',` 
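Review bot: The added `++` blank line before the new `procmail_exec` optional_policy block leaves two consecutive blank lines in mta.te, the only such spot in this section; dropping it keeps the file's one-blank-line rhythm. The new `sendmail_manage_log`/`sendmail_create_log` pair has a why-comment while `procmail_exec`, `qmail_domtrans_inject` and `uucp_manage_spool` have none, and short comments in the same style (what the agent writes and where) would help a later reader judge each grant.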
@@ -61845,7 +62117,15 @@ index 606a098..5e4d100 100644 dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -@@ -73,19 +73,28 @@ files_read_etc_runtime_files(fsdaemon_t) +@@ -52,6 +52,7 @@ manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) + files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) + + kernel_read_kernel_sysctls(fsdaemon_t) ++kernel_read_network_state(fsdaemon_t) + kernel_read_software_raid_state(fsdaemon_t) + kernel_read_system_state(fsdaemon_t) + +@@ -73,19 +74,30 @@ files_read_etc_runtime_files(fsdaemon_t) files_read_usr_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) @@ -61869,6 +62149,8 @@ index 606a098..5e4d100 100644 +application_signull(fsdaemon_t) + ++auth_read_passwd(fsdaemon_t) ++ +init_read_utmp(fsdaemon_t) + libs_exec_ld_so(fsdaemon_t) @@ -62042,7 +62324,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..035a27f 100644 +index 3d8d1b3..f4d9c37 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -62132,6 +62414,17 @@ index 3d8d1b3..035a27f 100644 optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) +@@ -140,6 +147,10 @@ optional_policy(` + ') + + optional_policy(` ++ ricci_stream_connect_modclusterd(snmpd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(snmpd_t) + ') + diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if index c117e8b..e428bb9 100644 --- a/policy/modules/services/snort.if @@ -80430,10 +80723,10 @@ index 0000000..19ba4e1 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..40e1dcc +index 0000000..abd1c1a 
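Review bot: `kernel_read_network_state(fsdaemon_t)` and `auth_read_passwd(fsdaemon_t)` are added without a comment, and the changelog entries ("read network state", "read /etc/group") are the only explanation. The in-policy line should say why a disk-monitoring daemon reads network state, e.g. `# smartd reads /proc/net state -- TODO record which feature needs it`. For the second line, auth_read_passwd covers the passwd_file_t label, which in the reference policy file contexts applies to /etc/group as well as /etc/passwd as far as I recall, so a comment such as `# /etc/group for smartdnotify` would tie the rule back to the changelog. The fsdaemon_t section continues outside the hunk.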
--- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,393 @@ +@@ -0,0 +1,395 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -80519,6 +80812,8 @@ index 0000000..40e1dcc +dev_setattr_video_dev(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) + ++domain_read_all_domains_state(systemd_logind_t) ++ +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf +files_read_etc_files(systemd_logind_t) @@ -82117,7 +82412,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..9fecf40 100644 +index 4b2878a..6843ef8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -83753,7 +84048,7 @@ index 4b2878a..9fecf40 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2184,35 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2184,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -83761,6 +84056,7 @@ index 4b2878a..9fecf40 100644 ') - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) + read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) files_search_home($1) @@ -83790,7 +84086,7 @@ index 4b2878a..9fecf40 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
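Review bot: `domain_read_all_domains_state(systemd_logind_t)` lets logind read the /proc state of every domain on the system and the new line carries no comment, unlike the udev/nsswitch lines just below it. A narrower grant may suffice if logind only needs the state of the session processes it tracks, so the line should at least say what it reads the state for, e.g. `# reads /proc/<pid> of session processes -- confirm whether a narrower interface suffices`. The systemd.te file continues outside the hunk.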
@@ -83808,7 +84104,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -83869,7 +84165,7 @@ index 4b2878a..9fecf40 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -83879,7 +84175,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -83904,7 +84200,7 @@ index 4b2878a..9fecf40 100644 ######################################## ## -@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -83929,7 +84225,7 @@ index 4b2878a..9fecf40 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -83938,7 +84234,7 @@ index 4b2878a..9fecf40 100644 files_search_home($1) ') -@@ -2039,7 +2614,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') 
@@ -83947,7 +84243,22 @@ index 4b2878a..9fecf40 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2158,11 +2734,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` + # + interface(`userdom_read_user_tmp_files',` + gen_require(` +- type user_tmp_t; ++ attribute user_tmp_type; + ') + +- read_files_pattern($1, user_tmp_t, user_tmp_t) +- allow $1 user_tmp_t:dir list_dir_perms; ++ read_files_pattern($1, user_tmp_type, user_tmp_type) ++ allow $1 user_tmp_type:dir list_dir_perms; + files_search_tmp($1) + ') + +@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -83956,7 +84267,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2390,7 +2965,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -83965,7 +84276,7 @@ index 4b2878a..9fecf40 100644 files_search_tmp($1) ') -@@ -2419,6 +2994,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -83991,7 +84302,7 @@ index 4b2878a..9fecf40 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3029,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -84007,7 +84318,7 @@ index 4b2878a..9fecf40 100644 ## ## ## -@@ -2462,7 +3057,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -84016,7 +84327,7 @@ index 4b2878a..9fecf40 100644 ## ## ## -@@ -2470,14 +3065,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -84051,7 +84362,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2572,6 +3183,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -84076,7 +84387,7 @@ index 4b2878a..9fecf40 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +3219,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -84119,7 +84430,7 @@ index 4b2878a..9fecf40 100644 ## ## ## -@@ -2614,14 +3255,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -84157,7 +84468,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2640,8 +3300,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3301,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -84187,7 +84498,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2713,45 +3392,45 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,45 +3393,45 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -84253,7 +84564,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2772,25 +3451,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3452,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -84279,7 +84590,7 @@ index 4b2878a..9fecf40 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3512,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -84288,7 +84599,7 @@ index 4b2878a..9fecf40 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3528,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -84322,7 +84633,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -2972,7 +3616,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -84331,7 +84642,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -3027,7 +3671,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -84378,7 +84689,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -3045,7 +3727,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -84387,7 +84698,7 @@ index 4b2878a..9fecf40 100644 ') ######################################## -@@ -3064,6 +3746,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -84395,7 +84706,7 @@ index 4b2878a..9fecf40 100644 kernel_search_proc($1) ') -@@ -3142,6 +3825,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -84420,7 +84731,7 @@ index 4b2878a..9fecf40 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3861,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -84445,7 +84756,7 @@ index 4b2878a..9fecf40 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3913,1254 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3914,1254 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 0f0bada..eb4534b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -22,7 +22,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 82%{?dist} +Release: 83%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -482,6 +482,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Feb 6 2012 Miroslav Grepl 3.10.0-83 +- Add new sysadm_secadm.pp module + * contains secadm definition for sysadm_t +- Move user_mail_domain access out of the interface into the te file +- Allow httpd_t to create httpd_var_lib_t directories as well as files +- Allow snmpd to connect to the ricci_modcluster stream +- Allow firewalld to read /etc/passwd +- Add auth_use_nsswitch for colord +- Allow smartd to read network state +- smartdnotify needs to read /etc/group + * Fri Feb 3 2012 Miroslav Grepl 3.10.0-82 - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work