From 61d57dcca03fec8572f25fb7f9708f813dcc75bd Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 15 2010 16:48:46 +0000
Subject: - Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index c104d67..1e2dc16 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1074,6 +1074,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/modules-mls.conf b/modules-mls.conf
index 6caf71e..4bdf45c 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1012,6 +1012,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 7d0d335..b811559 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1074,6 +1074,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/policy-F13.patch b/policy-F13.patch
index 9ca5bb7..a889915 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -383,7 +383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.19/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-06-01 14:04:47.354160745 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-06-15 07:03:31.488859559 +0200 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -392,11 +392,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -@@ -85,6 +84,7 @@ +@@ -85,6 +84,8 @@ hal_dontaudit_use_fds(consoletype_t) hal_dontaudit_rw_pipes(consoletype_t) hal_dontaudit_rw_dgram_sockets(consoletype_t) + hal_dontaudit_write_log(consoletype_t) ++ hal_dontaudit_read_pid_files(consoletype_t) ') optional_policy(` 
@@ -602,6 +603,172 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.7.19/policy/modules/admin/ncftool.fc +--- nsaserefpolicy/policy/modules/admin/ncftool.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.fc 2010-06-15 18:40:03.048768063 +0200 +@@ -0,0 +1,2 @@ ++ ++/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.7.19/policy/modules/admin/ncftool.if +--- nsaserefpolicy/policy/modules/admin/ncftool.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-06-15 18:40:03.049767991 +0200 +@@ -0,0 +1,74 @@ ++ ++## policy for ncftool ++ ++######################################## ++## ++## Execute a domain transition to run ncftool. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ncftool_domtrans',` ++ gen_require(` ++ type ncftool_t, ncftool_exec_t; ++ ') ++ ++ domtrans_pattern($1, ncftool_exec_t, ncftool_t) ++') ++ ++######################################## ++## ++## Execute ncftool in the ncftool domain, and ++## allow the specified role the ncftool domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the ncftool domain. 
++## ++## ++# ++interface(`ncftool_run',` ++ gen_require(` ++ type ncftool_t; ++ ') ++ ++ ncftool_domtrans($1) ++ role $2 types ncftool_t; ++') ++ ++######################################## ++## ++## Role access for ncftool ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`ncftool_role',` ++ gen_require(` ++ type ncftool_t; ++ ') ++ ++ role $1 types ncftool_t; ++ ++ ncftool_domtrans($2) ++ ++ ps_process_pattern($2, ncftool_t) ++ allow $2 ncftool_t:process signal; ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te +--- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-15 18:46:57.405767946 +0200 +@@ -0,0 +1,78 @@ ++ ++policy_module(ncftool,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ncftool_t; ++type ncftool_exec_t; ++application_domain(ncftool_t, ncftool_exec_t) ++domain_obj_id_change_exemption(ncftool_t) ++domain_system_change_exemption(ncftool_t) ++role system_r types ncftool_t; ++ ++permissive ncftool_t; ++ ++######################################## ++# ++# ncftool local policy ++# ++ ++allow ncftool_t self:capability { net_admin sys_ptrace }; ++ ++allow ncftool_t self:process signal; ++ ++allow ncftool_t self:fifo_file manage_fifo_file_perms; ++allow ncftool_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; ++allow ncftool_t self:tcp_socket { create ioctl }; ++ ++kernel_read_system_state(ncftool_t) ++kernel_read_network_state(ncftool_t) ++kernel_read_kernel_sysctls(ncftool_t) ++kernel_request_load_module(ncftool_t) ++kernel_read_modprobe_sysctls(ncftool_t) ++kernel_rw_net_sysctls(ncftool_t) ++ ++corecmd_exec_bin(ncftool_t) ++corecmd_exec_shell(ncftool_t) ++consoletype_exec(ncftool_t) ++ 
++domain_read_all_domains_state(ncftool_t) ++ ++dev_read_sysfs(ncftool_t) ++ ++files_read_etc_files(ncftool_t) ++files_read_etc_runtime_files(ncftool_t) ++files_read_usr_files(ncftool_t) ++ ++modutils_read_module_config(ncftool_t) ++ ++term_use_all_terms(ncftool_t) ++ ++miscfiles_read_localization(ncftool_t) ++ ++modutils_domtrans_insmod(ncftool_t) ++ ++sysnet_delete_dhcpc_pid(ncftool_t) ++sysnet_domtrans_dhcpc(ncftool_t) ++sysnet_domtrans_ifconfig(ncftool_t) ++sysnet_etc_filetrans_config(ncftool_t) ++sysnet_manage_config(ncftool_t) ++sysnet_read_dhcpc_state(ncftool_t) ++sysnet_relabelfrom_net_conf(ncftool_t) ++sysnet_relabelto_net_conf(ncftool_t) ++ ++userdom_read_user_tmp_files(ncftool_t) ++ ++optional_policy(` ++ brctl_domtrans(ncftool_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(ncftool_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 09:41:59.953610894 +0200 
@@ -614,6 +781,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.7.19/policy/modules/admin/netutils.if +--- nsaserefpolicy/policy/modules/admin/netutils.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.if 2010-06-15 18:40:03.058768889 +0200 +@@ -299,3 +299,4 @@ + + can_exec($1, traceroute_exec_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-06-14 11:19:18.240056520 +0200 @@ -1725,8 +1900,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te java_domtrans_unconfined(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-05-28 09:41:59.961611278 +0200 -@@ -87,7 +87,11 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-06-14 20:23:23.332218554 +0200 +@@ -81,13 +81,18 @@ + + init_rw_utmp(shorewall_t) + ++logging_read_generic_logs(shorewall_t) + logging_send_syslog_msg(shorewall_t) + + miscfiles_read_localization(shorewall_t) sysnet_domtrans_ifconfig(shorewall_t) 
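Review bot: `permissive ncftool_t;` in the new ncftool.te turns every rule after it into logging-only, and nothing marks it as temporary, so the module can ship unenforced; I'd put `# TODO: remove permissive once denials from real ncftool runs are collected` directly above it. The allow set is also wide for a network-configuration CLI: `self:capability { net_admin sys_ptrace }` together with `domain_read_all_domains_state`, `corecmd_exec_shell`, `term_use_all_terms`, `modutils_domtrans_insmod` and `userdom_read_user_tmp_files`. sys_ptrace plus all-domains /proc state is presumably there so netcf can locate the dhclient process for an interface, but that is not stated; if so, a why-comment on the capability line and a check whether the dhcpc-specific sysnet interfaces already granted here (`sysnet_read_dhcpc_state`, `sysnet_delete_dhcpc_pid`) are sufficient would let sys_ptrace be dropped. `userdom_read_user_tmp_files` has no obvious use for a root admin tool and should go unless a denial shows it. The netutils.if part of this hunk only appends a blank line at EOF and is noise in the Fedora patch.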
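Review bot: `logging_read_generic_logs(shorewall_t)` grants read on every var_log_t file, which is broader than the syslog file that `shorewall show log` / `shorewall logwatch` read the kernel firewall lines from; no reason is recorded, so it is presumably denial-driven. If syslog is the only need, record that with `# shorewall show log / logwatch read firewall lines from the syslog file` above the call; if one specific file was meant, labelling it with a dedicated type is tighter than opening all generic logs. The shorewall_t block continues outside this hunk.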
@@ -10578,7 +10760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-05-28 09:42:00.046610802 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-06-15 18:40:03.060767978 +0200 @@ -28,17 +28,29 @@ corecmd_exec_shell(sysadm_t) @@ -10725,10 +10907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +246,18 @@ +@@ -212,12 +246,22 @@ ') optional_policy(` ++ iptables_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + kerberos_exec_kadmind(sysadm_t) +') + @@ -10744,7 +10930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +267,11 @@ +@@ -227,9 +271,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -10756,7 +10942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -252,8 +294,10 @@ +@@ -252,8 +298,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -10767,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +305,7 @@ +@@ -261,6 +309,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -10775,7 +10961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -308,8 +353,14 @@ +@@ -308,8 +357,14 @@ ') optional_policy(` 
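Review bot: `iptables_run(sysadm_t, sysadm_r)` wires iptables for the confined admin role, but the ncftool module added in this commit is only given to unconfined_r (`ncftool_run(unconfined_usertype, unconfined_r)` in the unconfineduser.te hunk) and none of the sysadm.te hunks shown add `ncftool_run`; unless a hunk outside this chunk does, sysadm_r cannot enter ncftool_t, and running ncftool from sysadm_t will either stay in sysadm_t or be denied depending on rules not visible here. Since ncftool.if already provides `ncftool_run`, the fix is the same three lines as the iptables one: `optional_policy(\`` / `ncftool_run(sysadm_t, sysadm_r)` / `')`. The sysadm_t policy continues on both sides of this hunk.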
@@ -10790,7 +10976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +370,11 @@ +@@ -319,9 +374,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -10802,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +384,11 @@ +@@ -331,9 +388,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -10814,7 +11000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -358,8 +413,14 @@ +@@ -358,8 +417,14 @@ ') optional_policy(` @@ -10829,7 +11015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -382,9 +443,11 @@ +@@ -382,9 +447,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -10841,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +456,21 @@ +@@ -393,17 +460,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -10863,7 +11049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +484,11 @@ +@@ -417,9 +488,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -10875,7 +11061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +496,15 @@ +@@ -427,9 +500,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -10891,7 +11077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +515,30 @@ +@@ -440,13 +519,30 @@ ') optional_policy(` 
@@ -11609,8 +11795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-28 09:42:00.049610676 +0200 -@@ -0,0 +1,439 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-06-15 18:40:03.061767907 +0200 +@@ -0,0 +1,443 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -11770,6 +11956,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` ++ ncftool_run(unconfined_usertype, unconfined_r) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + @@ -12522,7 +12712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-09 16:27:06.470757212 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-15 06:54:27.545609592 +0200 @@ -1,5 +1,5 @@ -policy_module(abrt, 1.0.1) @@ -12530,7 +12720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ######################################## # -@@ -33,12 +33,24 @@ +@@ -33,13 +33,25 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) 
@@ -12551,11 +12741,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt # -allow abrt_t self:capability { setuid setgid sys_nice dac_override }; +-allow abrt_t self:process { signal signull setsched getsched }; +allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; +dontaudit abrt_t self:capability sys_rawio; - allow abrt_t self:process { signal signull setsched getsched }; ++allow abrt_t self:process { signal signull sigkill setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; + allow abrt_t self:tcp_socket create_stream_socket_perms; @@ -54,20 +66,25 @@ manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) @@ -13114,8 +13306,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-05-28 09:42:00.056610845 +0200 -@@ -0,0 +1,118 @@ ++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-06-15 18:40:09.962020397 +0200 +@@ -0,0 +1,114 @@ + +policy_module(aisexec,1.0.0) + 
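Review bot: the functional change is `sigkill` added to `allow abrt_t self:process { signal signull sigkill setsched getsched };`, which only covers SIGKILL sent from abrt_t to processes that are themselves in abrt_t. If the stuck process abrtd kills is a helper or hook running in another abrt domain (declared in abrt.te outside this hunk), the denial will come back on that domain pair instead; confirm the target context from the AVC behind the commit title. The line also deserves a why-comment, e.g. `# abrtd SIGKILLs its own hung worker processes`, since the `kill`/`chown` capabilities in the surrounding context already make intent hard to read. The capability and dontaudit lines above are unchanged context in this commit.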
@@ -13216,20 +13408,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +') + +optional_policy(` -+ # to communication with RHCS -+ dlm_controld_manage_tmpfs_files(aisexec_t) -+ dlm_controld_rw_semaphores(aisexec_t) ++ # to communication with RHCS ++ rhcs_rw_dlm_controld_semaphores(aisexec_t) + -+ fenced_manage_tmpfs_files(aisexec_t) -+ fenced_rw_semaphores(aisexec_t) ++ rhcs_rw_fenced_semaphores(aisexec_t) + -+ gfs_controld_manage_tmpfs_files(aisexec_t) -+ gfs_controld_rw_semaphores(aisexec_t) -+ gfs_controld_t_rw_shm(aisexec_t) ++ rhcs_rw_gfs_controld_semaphores(aisexec_t) ++ rhcs_rw_gfs_controld_shm(aisexec_t) + -+ groupd_manage_tmpfs_files(aisexec_t) -+ groupd_rw_semaphores(aisexec_t) -+ groupd_rw_shm(aisexec_t) ++ rhcs_rw_groupd_semaphores(aisexec_t) ++ rhcs_rw_groupd_shm(aisexec_t) +') + +userdom_rw_semaphores(aisexec_t) @@ -14440,6 +14628,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.19/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/avahi.te 2010-06-15 18:00:13.770018228 +0200 +@@ -104,6 +104,10 @@ + ') + + optional_policy(` ++ mpd_dbus_chat(avahi_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(avahi_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-06-09 23:44:39.315208775 +0200 
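Review bot: the replacement calls are named `rhcs_rw_*_semaphores`, but as `rhcs_rw_dlm_controld_semaphores` and `rhcs_rw_fenced_semaphores` are defined in this commit's rhcs.if they also grant `manage_files_pattern` on the daemon's tmpfs type plus `destroy` on its semaphores — the access the removed `*_manage_tmpfs_files` calls gave (minus lnk_files), now behind a semaphore-only name. The call site in aisexec.te therefore reads narrower than it is; either split the tmpfs-file access into its own interface or document it here with `# rhcs_rw_*_semaphores also manage the daemons' tmpfs-backed files`. The gfs_controld and groupd variants are defined past the end of this chunk and presumably follow the same shape. Note also that corosync.te in the same commit switched to the attribute-wide `rhcs_rw_cluster_*` interfaces while aisexec keeps per-daemon calls; both work, but the difference should be deliberate.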
@@ -16485,7 +16687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-05-28 09:42:00.086610824 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-06-15 18:01:58.476767291 +0200 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -16541,7 +16743,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ') optional_policy(` -@@ -100,19 +110,37 @@ +@@ -91,6 +101,10 @@ + ') + + optional_policy(` ++ mpd_dbus_chat(consolekit_t) ++ ') ++ ++ optional_policy(` + rpm_dbus_chat(consolekit_t) + ') + +@@ -100,19 +114,37 @@ ') optional_policy(` @@ -16712,8 +16925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-05-28 12:24:51.498860537 +0200 -@@ -0,0 +1,126 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-06-15 18:40:09.963018230 +0200 +@@ -0,0 +1,120 @@ + +policy_module(corosync,1.0.0) + 
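Review bot: `mpd_dbus_chat(consolekit_t)` is bidirectional (`allow $1 mpd_t:dbus send_msg; allow mpd_t $1:dbus send_msg;` in the new mpd.if), so consolekit_t also gains the right to message mpd_t, and the hunk does not say which side initiates; the usual direction would be mpd asking ConsoleKit about sessions, which cannot be confirmed from here. A one-line comment naming the trigger, e.g. `# mpd queries ConsoleKit session state over the system bus`, would let the rule be re-evaluated later. The enclosing optional_policy block begins outside this hunk.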
@@ -16826,14 +17039,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +optional_policy(` + # to communication with RHCS -+ dlm_controld_manage_tmpfs_files(corosync_t) -+ dlm_controld_rw_semaphores(corosync_t) -+ -+ fenced_manage_tmpfs_files(corosync_t) -+ fenced_rw_semaphores(corosync_t) -+ -+ gfs_controld_manage_tmpfs_files(corosync_t) -+ gfs_controld_rw_semaphores(corosync_t) ++ rhcs_rw_cluster_shm(corosync_t) ++ rhcs_rw_cluster_semaphores(corosync_t) +') + +optional_policy(` @@ -20670,8 +20877,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if --- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-14 18:37:18.471468823 +0200 -@@ -0,0 +1,274 @@ ++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-15 17:58:09.853018142 +0200 +@@ -0,0 +1,295 @@ + +## policy for daemon for playing music + @@ -20899,6 +21106,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + ++####################################### ++## ++## Send and receive messages from ++## mpd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mpd_dbus_chat',` ++ gen_require(` ++ type mpd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 mpd_t:dbus send_msg; ++ allow mpd_t $1:dbus send_msg; ++') ++ +######################################## +## +## All of the rules required to administrate 
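Review bot: `rhcs_rw_cluster_shm(corosync_t)` and `rhcs_rw_cluster_semaphores(corosync_t)` replace explicit grants for dlm_controld, fenced and gfs_controld only; their definitions are outside this chunk, but the rewritten `rhcs_domain_template` now puts every rhcs daemon type on the `cluster_domain` attribute and its tmpfs type on `cluster_tmpfs`, so if the cluster-wide interfaces key on those attributes corosync also gains shm/semaphore access to groupd_t and qdiskd_t, which the removed lines never granted. Confirm that widening is intended and record it, e.g. `# corosync shares shm and semaphores with every RHCS daemon (cluster_domain)`. The corosync_t block continues outside this hunk.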
@@ -25238,7 +25466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-05-28 09:42:00.158610990 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-06-15 07:28:56.615609284 +0200 @@ -6,6 +6,15 @@ # Declarations # @@ -25567,10 +25795,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +525,15 @@ +@@ -451,6 +525,17 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) ++mta_mailserver_user_agent(postfix_postqueue_t) ++ +optional_policy(` + cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) +') @@ -25583,7 +25813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +547,7 @@ +@@ -464,6 +549,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) @@ -25591,7 +25821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +583,14 @@ +@@ -499,13 +585,14 @@ # # connect to master process @@ -25607,7 +25837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +620,18 @@ +@@ -535,9 +622,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
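Review bot: `mta_mailserver_user_agent(postfix_postqueue_t)` is added with no comment; in refpolicy that interface presumably attaches the domain to the user-mail-domain attribute whose rules live in mta.te (outside this commit), so postqueue — a setgid helper users run to inspect the queue — inherits whatever that attribute is allowed, likely more than queue inspection needs. If this was driven by one denial, the narrower interface for that object is preferable; if the attribute really is required, add `# postqueue is invoked from user sessions as a mail user agent` so the reason survives. The rest of the postfix_postqueue_t block is outside this hunk.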
@@ -25626,7 +25856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +653,22 @@ +@@ -559,20 +655,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -26526,7 +26756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-05-28 09:42:00.169610746 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-06-15 18:40:09.964045327 +0200 @@ -0,0 +1,223 @@ + +policy_module(rgmanager, 1.0.0) @@ -26668,7 +26898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') + +optional_policy(` -+ groupd_stream_connect(rgmanager_t) ++ rhcs_stream_connect_groupd(rgmanager_t) +') + +optional_policy(` @@ -26678,7 +26908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +optional_policy(` + ccs_manage_config(rgmanager_t) + ccs_stream_connect(rgmanager_t) -+ gfs_controld_stream_connect(rgmanager_t) ++ rhcs_stream_connect_gfs_controld(rgmanager_t) +') + +optional_policy(` @@ -26753,463 +26983,454 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-05-28 09:42:00.169610746 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-06-15 18:40:09.966019131 +0200 
@@ -0,0 +1,23 @@ -+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) -+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) ++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) ++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) ++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) ++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) + -+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) -+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) -+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) -+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) + -+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) -+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) ++/var/lib/qdiskd(/.*)? 
gen_context(system_u:object_r:qdiskd_var_lib_t,s0) + -+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) ++/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) ++/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) ++/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) ++/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) + -+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) -+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) -+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) -+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) ++/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) ++/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) ++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) ++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-05-28 09:42:00.170610889 +0200 -@@ -0,0 +1,424 @@ -+## SELinux policy for RHCS - Red Hat Cluster Suite ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-06-15 18:40:09.967767835 +0200 +@@ -0,0 +1,415 @@ ++## RHCS - Red Hat Cluster Suite + +####################################### +## -+## Creates types and rules for a 
basic -+## rhcs init daemon domain. ++## Creates types and rules for a basic ++## rhcs init daemon domain. +## +## -+## -+## Prefix for the domain. -+## ++## ++## Prefix for the domain. ++## +## +# +template(`rhcs_domain_template',` -+ + gen_require(` -+ attribute cluster_domain; ++ attribute cluster_domain; ++ attribute cluster_tmpfs; + ') + + ############################## -+ # -+ # $1_t declarations -+ # ++ # ++ # Declarations ++ # + + type $1_t, cluster_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + -+ type $1_tmpfs_t; ++ type $1_tmpfs_t, cluster_tmpfs; + files_tmpfs_file($1_tmpfs_t) + -+ # log files + type $1_var_log_t; + logging_log_file($1_var_log_t) + -+ # pid files + type $1_var_run_t; + files_pid_file($1_var_run_t) + + ############################## -+ # -+ # $1_t local policy -+ # ++ # ++ # Local policy ++ # + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file }) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) ++ ++ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) ++ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) ++ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file }) + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) + -+ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t) -+ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t) -+ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file }) -+ +') + +###################################### +## -+## Execute a domain transition to run groupd. ++## Execute a domain transition to run dlm_controld. +## +## +## -+## Domain allowed to transition. ++## Domain allowed to transition. 
+## +## +# -+interface(`groupd_domtrans',` -+ gen_require(` -+ type groupd_t, groupd_exec_t; -+ ') ++interface(`rhcs_domtrans_dlm_controld',` ++ gen_require(` ++ type dlm_controld_t, dlm_controld_exec_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1,groupd_exec_t,groupd_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) +') + +##################################### +## -+## Connect to groupd over a unix domain -+## stream socket. ++## Connect to dlm_controld over a unix domain ++## stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`groupd_stream_connect',` -+ gen_require(` -+ type groupd_t, groupd_var_run_t; -+ ') ++interface(`rhcs_stream_connect_dlm_controld',` ++ gen_require(` ++ type dlm_controld_t, dlm_controld_var_run_t; ++ ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) +') + +##################################### +## -+## Manage groupd tmpfs files. ++## Allow read and write access to dlm_controld semaphores. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`groupd_manage_tmpfs_files',` -+ gen_require(` -+ type groupd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+ manage_lnk_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+') ++interface(`rhcs_rw_dlm_controld_semaphores',` ++ gen_require(` ++ type dlm_controld_t, dlm_controld_tmpfs_t; ++ ') + -+##################################### -+## -+## Allow read and write access to groupd semaphores. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`groupd_rw_semaphores',` -+ gen_require(` -+ type groupd_t; -+ ') ++ allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; + -+ allow $1 groupd_t:sem { rw_sem_perms destroy }; ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +') + -+######################################## ++###################################### +## -+## Read and write to group shared memory. ++## Execute a domain transition to run fenced. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`groupd_rw_shm',` -+ gen_require(` -+ type groupd_t; -+ ') ++interface(`rhcs_domtrans_fenced',` ++ gen_require(` ++ type fenced_t, fenced_exec_t; ++ ') + -+ allow $1 groupd_t:shm { rw_shm_perms destroy }; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, fenced_exec_t, fenced_t) +') + +###################################### +## -+## Execute a domain transition to run dlm_controld. ++## Allow read and write access to fenced semaphores. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dlm_controld_domtrans',` -+ gen_require(` -+ type dlm_controld_t, dlm_controld_exec_t; -+ ') ++interface(`rhcs_rw_fenced_semaphores',` ++ gen_require(` ++ type fenced_t, fenced_tmpfs_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1,dlm_controld_exec_t,dlm_controld_t) ++ allow $1 fenced_t:sem { rw_sem_perms destroy }; + ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) +') + -+##################################### ++###################################### +## -+## Connect to dlm_controld over a unix domain -+## stream socket. ++## Connect to fenced over an unix domain stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`dlm_controld_stream_connect',` -+ gen_require(` -+ type dlm_controld_t, dlm_controld_var_run_t; -+ ') ++interface(`rhcs_stream_connect_fenced',` ++ gen_require(` ++ type fenced_var_run_t, fenced_t; ++ ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) ++ allow $1 fenced_t:unix_stream_socket connectto; ++ allow $1 fenced_var_run_t:sock_file { getattr write }; ++ files_search_pids($1) +') + +##################################### +## -+## Manage dlm_controld tmpfs files. ++## Execute a domain transition to run gfs_controld. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dlm_controld_manage_tmpfs_files',` -+ gen_require(` -+ type dlm_controld_tmpfs_t; -+ ') ++interface(`rhcs_domtrans_gfs_controld',` ++ gen_require(` ++ type gfs_controld_t, gfs_controld_exec_t; ++ ') + -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -+ manage_lnk_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) +') + -+##################################### ++#################################### +## -+## Allow read and write access to dlm_controld semaphores. ++## Allow read and write access to gfs_controld semaphores. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`dlm_controld_rw_semaphores',` -+ gen_require(` -+ type dlm_controld_t; -+ ') ++interface(`rhcs_rw_gfs_controld_semaphores',` ++ gen_require(` ++ type gfs_controld_t, gfs_controld_tmpfs_t; ++ ') ++ ++ allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; + -+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + -+###################################### ++######################################## +## -+## Execute a domain transition to run fenced. ++## Read and write to gfs_controld_t shared memory. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fenced_domtrans',` -+ gen_require(` -+ type fenced_t, fenced_exec_t; -+ ') ++interface(`rhcs_rw_gfs_controld_shm',` ++ gen_require(` ++ type gfs_controld_t, gfs_controld_tmpfs_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1,fenced_exec_t,fenced_t) ++ allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; + ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + -+###################################### ++##################################### +## -+## Connect to fenced over an unix domain stream socket. ++## Connect to gfs_controld_t over an unix domain stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`fenced_stream_connect',` -+ gen_require(` -+ type fenced_var_run_t, fenced_t; -+ ') ++interface(`rhcs_stream_connect_gfs_controld',` ++ gen_require(` ++ type gfs_controld_t, gfs_controld_var_run_t; ++ ') + -+ allow $1 fenced_t:unix_stream_socket connectto; -+ allow $1 fenced_var_run_t:sock_file { getattr write }; -+ files_search_pids($1) ++ files_search_pids($1) ++ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) +') + -+##################################### ++###################################### +## -+## Managed fenced tmpfs files. ++## Execute a domain transition to run groupd. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fenced_manage_tmpfs_files',` -+ gen_require(` -+ type fenced_tmpfs_t; -+ ') ++interface(`rhcs_domtrans_groupd',` ++ gen_require(` ++ type groupd_t, groupd_exec_t; ++ ') + -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) -+ manage_lnk_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, groupd_exec_t, groupd_t) +') + -+###################################### ++##################################### +## -+## Allow read and write access to fenced semaphores. ++## Connect to groupd over a unix domain ++## stream socket. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fenced_rw_semaphores',` -+ gen_require(` -+ type fenced_t; -+ ') ++interface(`rhcs_stream_connect_groupd',` ++ gen_require(` ++ type groupd_t, groupd_var_run_t; ++ ') + -+ allow $1 fenced_t:sem { rw_sem_perms destroy }; ++ files_search_pids($1) ++ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) +') + +##################################### +## -+## Execute a domain transition to run gfs_controld. ++## Allow read and write access to groupd semaphores. 
+## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`gfs_controld_domtrans',` -+ gen_require(` -+ type gfs_controld_t, gfs_controld_exec_t; -+ ') ++interface(`rhcs_rw_groupd_semaphores',` ++ gen_require(` ++ type groupd_t, groupd_tmpfs_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1,gfs_controld_exec_t,gfs_controld_t) ++ allow $1 groupd_t:sem { rw_sem_perms destroy }; ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+################################### ++######################################## +## -+## Manage gfs_controld tmpfs files. ++## Read and write to group shared memory. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`gfs_controld_manage_tmpfs_files',` -+ gen_require(` -+ type gfs_controld_tmpfs_t; -+ ') ++interface(`rhcs_rw_groupd_shm',` ++ gen_require(` ++ type groupd_t, groupd_tmpfs_t; ++ ') + -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -+ manage_lnk_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) ++ allow $1 groupd_t:shm { rw_shm_perms destroy }; ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+#################################### ++######################################## +## -+## Allow read and write access to gfs_controld semaphores. ++## Read and write to cluster domains shared memory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`gfs_controld_rw_semaphores',` -+ gen_require(` -+ type gfs_controld_t; -+ ') ++interface(`rhcs_rw_cluster_shm',` ++ gen_require(` ++ attribute cluster_domain; ++ attribute cluster_tmpfs; ++ ') + -+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; ++ allow $1 cluster_domain:shm { rw_shm_perms destroy }; ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) ++ manage_lnk_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + -+######################################## ++#################################### +## -+## Read and write to gfs_controld_t shared memory. ++## Read and write access to cluster domains semaphores. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`gfs_controld_t_rw_shm',` ++interface(`rhcs_rw_cluster_semaphores',` + gen_require(` -+ type gfs_controld_t; ++ type cluster_domain; + ') + -+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; ++ allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + -+##################################### ++###################################### +## -+## Connect to gfs_controld_t over an unix domain stream socket. ++## Execute a domain transition to run qdiskd. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`gfs_controld_stream_connect',` -+ gen_require(` -+ type gfs_controld_t, gfs_controld_var_run_t; -+ ') ++interface(`rhcs_domtrans_qdiskd',` ++ gen_require(` ++ type qdiskd_t, qdiskd_exec_t; ++ ') + -+ files_search_pids($1) -+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) +') + -+###################################### ++######################################## +## -+## Execute a domain transition to run qdiskd. ++## Allow domain to read qdiskd tmpfs files +## +## -+## -+## Domain allowed to transition. 
-+## ++## ++## Domain allowed access. ++## +## +# -+interface(`qdiskd_domtrans',` -+ gen_require(` -+ type qdiskd_t, qdiskd_exec_t; -+ ') ++interface(`rhcs_read_qdiskd_tmpfs_files',` ++ gen_require(` ++ type qdiskd_tmpfs_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1,qdiskd_exec_t,qdiskd_t) ++ allow $1 qdiskd_tmpfs_t:file read_file_perms; +') -+ -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-05-28 12:24:14.508611285 +0200 -@@ -0,0 +1,242 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-06-15 18:40:09.968779078 +0200 +@@ -0,0 +1,243 @@ + +policy_module(rhcs,1.1.0) + @@ -27226,6 +27447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +gen_tunable(fenced_can_network_connect, false) + +attribute cluster_domain; ++attribute cluster_tmpfs; + +rhcs_domain_template(dlm_controld) + 
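Review bot: The gen_require of `rhcs_rw_cluster_semaphores`, visible just above in the rhcs.if hunk, asks for `type cluster_domain;`, but this hunk declares `cluster_domain` as an attribute (next to the new `attribute cluster_tmpfs;`), so the requirement names the wrong kind of identifier and is expected to fail when the module is linked. It should read `attribute cluster_domain;`, exactly as `rhcs_rw_cluster_shm` already does. The rhcs.if hunk holding that interface starts before this chunk, so only part of the rhcs_domain_template and its surroundings are visible here.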
@@ -27897,6 +28119,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki ## Allow rtkit to control scheduling for your process ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.19/policy/modules/services/rtkit.te +--- nsaserefpolicy/policy/modules/services/rtkit.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rtkit.te 2010-06-15 18:00:58.428018646 +0200 +@@ -32,5 +32,9 @@ + miscfiles_read_localization(rtkit_daemon_t) + + optional_policy(` ++ mpd_dbus_chat(rtkit_daemon_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(rtkit_daemon_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-05-28 09:42:00.178610776 +0200 @@ -32654,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-05-28 09:42:00.216612297 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-06-15 17:06:19.819626772 +0200 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; 
@@ -32747,7 +32982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -682,6 +728,8 @@ +@@ -674,6 +720,8 @@ + + init_exec($1) + ++ corecmd_exec_bin($1) ++ + tunable_policy(`init_upstart',` + gen_require(` + type init_t; +@@ -682,6 +730,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; @@ -32756,7 +33000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -754,18 +802,19 @@ +@@ -754,18 +804,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -32780,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -781,19 +830,41 @@ +@@ -781,23 +832,45 @@ # interface(`init_domtrans_script',` gen_require(` @@ -32803,11 +33047,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -32820,13 +33064,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -849,8 +920,10 @@ ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -849,8 +922,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
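Review bot: The `corecmd_exec_bin($1)` added in the `@@ -674,6 +720,8 @@` hunk grants every caller of the enclosing interface execute access on all bin_t executables, a broad permission that the hunk leaves without a comment. The interface head is outside the hunk; the adjacent `init_exec($1)` and the `init_upstart` tunable suggest it is init_telinit, which the logging.te hunk in this same commit also hands to audisp_remote_t. A why-comment such as `# upstart: telinit is a bin_t executable, so callers need corecmd_exec_bin -- confirm no narrower type fits` would let a later reviewer judge whether the grant can be scoped down.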
@@ -32837,7 +33085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1637,7 +1710,7 @@ +@@ -1637,7 +1712,7 @@ type initrc_var_run_t; ') @@ -32846,7 +33094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1785,56 @@ +@@ -1712,3 +1787,56 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -33483,8 +33731,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-05-28 09:42:00.220610773 +0200 -@@ -1,13 +1,18 @@ ++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-06-15 18:40:03.062767626 +0200 +@@ -1,13 +1,16 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -33503,8 +33751,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + -+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-05-28 09:42:00.220610773 +0200 @@ -34088,7 +34334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-06-09 23:05:38.904506480 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-06-15 17:07:51.140615800 +0200 @@ -61,6 +61,7 @@ type syslogd_t; type syslogd_exec_t; 
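Review bot: Removing the `/usr/bin/ncftool` entry from iptables.fc leaves the binary's labeling to the new ncftool module, whose .fc file is not in this chunk. If that module does not carry a matching entry for `/usr/bin/ncftool` with its own exec type, the binary falls back to bin_t and ncftool runs in the caller's domain instead of a confined one, which is the opposite of what the new module intends. Worth confirming the ncftool .fc entry exists before the old label is dropped.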
@@ -34129,27 +34375,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -252,6 +263,8 @@ +@@ -252,6 +263,9 @@ # Audit remote logger local policy # ++allow audisp_remote_t self:capability { setuid setpcap }; +allow audisp_remote_t self:process { getcap setcap }; + allow audisp_remote_t self:tcp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(audisp_remote_t) -@@ -268,6 +281,10 @@ +@@ -266,6 +280,15 @@ - logging_send_syslog_msg(audisp_remote_t) + files_read_etc_files(audisp_remote_t) +auth_use_nsswitch(audisp_remote_t) ++auth_dontaudit_write_login_records(audisp_remote_t) + ++init_read_utmp(audisp_remote_t) ++init_dontaudit_write_utmp(audisp_remote_t) +init_telinit(audisp_remote_t) + - miscfiles_read_localization(audisp_remote_t) ++logging_search_logs(audisp_remote_t) ++logging_send_audit_msgs(audisp_remote_t) + logging_send_syslog_msg(audisp_remote_t) - sysnet_dns_name_resolve(audisp_remote_t) -@@ -372,8 +389,10 @@ + miscfiles_read_localization(audisp_remote_t) +@@ -372,8 +395,10 @@ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) @@ -34162,7 +34414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -@@ -491,6 +510,10 @@ +@@ -491,6 +516,10 @@ ') optional_policy(` 
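Review bot: The new `allow audisp_remote_t self:capability { setuid setpcap };` sits next to the existing `self:process { getcap setcap }` with no comment on why a log-forwarding daemon needs to change its UID and its capability set; presumably this is privilege dropping at startup, but that cannot be told from the hunk. The same hunk also adds `init_telinit(audisp_remote_t)`, which, with the `corecmd_exec_bin($1)` added to that interface in init.if by this commit, lets the daemon run telinit and any bin_t executable. A comment such as `# audisp-remote may be configured to halt/reboot on delivery failure (init_telinit) and appears to drop privileges after start (setuid/setpcap) -- confirm against audisp-remote.conf` would record the justification where the grants live.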
@@ -34307,6 +34559,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.19/policy/modules/system/modutils.if +--- nsaserefpolicy/policy/modules/system/modutils.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/modutils.if 2010-06-15 18:40:03.063767415 +0200 +@@ -59,6 +59,7 @@ + files_search_etc($1) + files_search_boot($1) + ++ list_dirs_pattern($1, modules_conf_t, modules_conf_t) + read_files_pattern($1, modules_conf_t, modules_conf_t) + read_lnk_files_pattern($1, modules_conf_t, modules_conf_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-28 09:42:00.507610874 +0200 @@ -36057,7 +36320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-28 09:42:00.518610770 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-06-15 18:40:03.064777332 +0200 @@ -60,25 +60,24 @@ netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) 
@@ -36143,7 +36406,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ####################################### ## ## Set the attributes of network config files. -@@ -403,11 +439,8 @@ +@@ -270,6 +306,44 @@ + + ####################################### + ## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelfrom_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelfrom; ++') ++ ++###################################### ++## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelto_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelto; ++') ++ ++####################################### ++## + ## Read network config files. + ## + ## +@@ -403,11 +477,8 @@ type net_conf_t; ') @@ -36157,7 +36465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -464,6 +497,10 @@ +@@ -464,6 +535,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -36168,7 +36476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -677,7 +714,10 @@ +@@ -677,7 +752,10 @@ corenet_tcp_connect_ldap_port($1) corenet_sendrecv_ldap_client_packets($1) @@ -36180,7 +36488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -709,5 +749,52 @@ +@@ -709,5 +787,52 @@ corenet_tcp_connect_portmap_port($1) corenet_sendrecv_portmap_client_packets($1) 
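Review bot: The summaries of the two new interfaces `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` are identical ("Allow caller to relabel net_conf files") although one grants `relabelfrom` and the other `relabelto`; the second should read `## Allow caller to relabel files to the net_conf type` and the first `## Allow caller to relabel files away from the net_conf type`. Both also open with an empty line between `interface(` and `gen_require(`, which the surrounding sysnetwork.if interfaces in this hunk do not do. Both grants cover only the `file` class, so callers that relabel directories or symlinks will still be denied, which is fine if intended but worth a short comment.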
@@ -36236,7 +36544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-08 15:28:13.716610680 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-06-15 07:01:15.534609419 +0200 @@ -1,5 +1,5 @@ -policy_module(sysnetwork, 1.10.3) @@ -36291,15 +36599,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -172,6 +184,7 @@ +@@ -172,6 +184,8 @@ optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hal_dontaudit_write_log(dhcpc_t) ++ hal_dontaudit_read_pid_files(dhcpc_t) ') optional_policy(` -@@ -193,6 +206,12 @@ +@@ -193,6 +207,12 @@ ') optional_policy(` @@ -36312,7 +36621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -214,6 +233,7 @@ +@@ -214,6 +234,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -36320,7 +36629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -277,8 +297,11 @@ +@@ -277,8 +298,11 @@ domain_use_interactive_fds(ifconfig_t) @@ -36332,7 +36641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -306,6 +329,8 @@ +@@ -306,6 +330,8 @@ seutil_use_runinit_fds(ifconfig_t) 
@@ -36341,7 +36650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +353,8 @@ +@@ -328,6 +354,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6abd395..b133944 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Tue Jun 15 2010 Miroslav Grepl 3.7.19-29 +- Allow abrt sigkill +- Add ncftool policy +- Add cluster fixes +- Fixes for audisp-remote + * Mon Jun 14 2010 Miroslav Grepl 3.7.19-28 - Fixes for netutils - Cleanup of aiccu policy