From 7fc8b710faf952e6b90ee6d7e1be5892decaab15 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 08 2013 11:13:40 +0000 Subject: - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack - Fixes for dlm_controld - Fix apache_read_sys_content_rw_dirs() interface - Allow logrotate to read /var/log/z-push dir - Allow postfix_postdrop to acces postfix_public socket - Allow sched_setscheduler for cupsd_t - Add missing context for /usr/sbin/snmpd - Allow consolehelper more access discovered by Tom London - Allow fsdaemon to send signull to all domain - Add port definition for osapi_compute port - Allow unconfined to create /etc/hostname with correct labeling - Add systemd_filetrans_named_hostname() interface --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 45f92f2..9709c47 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..fba95c8 100644 +index 4edc40d..a69e038 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5259,7 +5259,7 @@ index 4edc40d..fba95c8 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
@@ -5276,7 +5276,9 @@ index 4edc40d..fba95c8 100644 network_port(ocsp, tcp,9080,s0) network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0) ++network_port(osapi_compute, tcp, 8774, s0) + network_port(pdps, tcp,1314,s0, udp,1314,s0) + network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -5289,7 +5291,7 @@ index 4edc40d..fba95c8 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5337,7 +5339,7 @@ index 4edc40d..fba95c8 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5348,7 +5350,7 @@ index 4edc40d..fba95c8 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) 
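Review bot: Declaring `network_port(osapi_compute, tcp, 8774, s0)` gives TCP 8774 its own type, so any domain that presumably reached nova-api through the catch-all unreserved-port label rather than a port-type attribute loses that access until it is granted `corenet_tcp_connect_osapi_compute_port()`; the existing OpenStack domains are worth checking before this ships. The new entry also uses `tcp, 8774, s0` while every neighbouring line is written `tcp,8774,s0`; match the surrounding style. Only the TCP side is declared, which looks right for nova-api, but since the name is not self-explanatory a short comment such as `# OpenStack nova-api` on the line would help later readers.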
@@ -5361,7 +5363,7 @@ index 4edc40d..fba95c8 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5380,7 +5382,7 @@ index 4edc40d..fba95c8 100644 ######################################## # -@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5389,7 +5391,7 @@ index 4edc40d..fba95c8 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -7747,7 +7749,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..274ef6d 100644 +index cf04cb5..dc4207f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
@@ -7873,7 +7875,7 @@ index cf04cb5..274ef6d 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8014,6 +8016,7 @@ index cf04cb5..274ef6d 100644 + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) ++ systemd_filetrans_named_hostname(unconfined_domain_type) +') + +optional_policy(` @@ -35717,10 +35720,10 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..2927875 +index 0000000..16c7767 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1103 @@ +@@ -0,0 +1,1122 @@ +## SELinux policy for systemd components + +###################################### @@ -36574,6 +36577,25 @@ index 0000000..2927875 + +######################################## +## ++## Transition to systemd named content for /etc/hostname ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_filetrans_named_hostname',` ++ gen_require(` ++ type hostname_etc_t; ++ ') ++ ++ files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) ++ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) ++') ++ ++######################################## ++## +## Get the system status information from systemd_login +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 43bfddb..4aeb84e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
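Review bot: The summary of `systemd_filetrans_named_hostname` only mentions `/etc/hostname`, but the body also adds a named transition for `machine-info`, so the documentation undersells what a caller receives; change it to `## Transition to systemd named content for /etc/hostname and /etc/machine-info`. Both files land in the single `hostname_etc_t` type, which is fine if that type is meant for systemd host-identity files generally — confirm that is the intent rather than giving machine-info its own type. Minor: `"hostname" )` carries a stray space before the closing paren that the sibling call does not. The new call site in domain.te (`systemd_filetrans_named_hostname(unconfined_domain_type)`) sits inside an `optional_policy` block whose opening is outside this hunk.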
@@ -3048,7 +3048,7 @@ index 550a69e..78579c0 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..e3bed6a 100644 +index 83e899c..c0ece1b 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3865,7 +3865,7 @@ index 83e899c..e3bed6a 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -3891,6 +3891,26 @@ index 83e899c..e3bed6a 100644 +') + +###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ## -## Create, read, write, and delete -## httpd system rw content. @@ -3952,7 +3972,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -3971,7 +3991,7 @@ index 83e899c..e3bed6a 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -3983,7 +4003,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user 
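Review bot: `apache_read_sys_content_rw_dirs` grants only `list_dirs_pattern` on `httpd_sys_rw_content_t`, i.e. directory search/listing with no file access, while its summary says "read apache system content rw dirs", which a caller may take to include files. Keep the name for the logrotate caller but tighten the summary to `## Allow the specified domain to list and search directories labeled httpd_sys_rw_content_t (no file access).` so the granted permission is clear. If file reads are expected later, that should be a separate `*_read_*` interface rather than a silent widening of this one.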
@@ -3992,7 +4012,7 @@ index 83e899c..e3bed6a 100644 ## to the specified role. ## ## -@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4000,7 +4020,7 @@ index 83e899c..e3bed6a 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4010,7 +4030,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4026,7 +4046,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4035,7 +4055,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4050,7 +4070,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4059,7 +4079,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4069,7 +4089,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` 
@@ -4095,7 +4115,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4105,7 +4125,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4137,7 +4157,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4146,7 +4166,7 @@ index 83e899c..e3bed6a 100644 ') ######################################## -@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4156,7 +4176,7 @@ index 83e899c..e3bed6a 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4189,7 +4209,7 @@ index 83e899c..e3bed6a 100644 ## ## ## -@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4218,7 +4238,7 @@ index 83e899c..e3bed6a 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1379,10 @@ interface(`apache_admin',` +@@ -1204,10 +1399,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4232,7 +4252,7 @@ index 83e899c..e3bed6a 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1393,129 @@ interface(`apache_admin',` +@@ -1218,9 +1413,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -4367,7 +4387,7 @@ index 83e899c..e3bed6a 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..5e167ca 100644 +index 1a82e29..dfaef83 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,353 @@ @@ -6034,13 +6054,13 @@ index 1a82e29..5e167ca 100644 - -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -+allow httpd_sys_script_t self:process getsched; - +- -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) -- ++allow httpd_sys_script_t self:process getsched; + -corecmd_exec_all_executables(httpd_script_domains) +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; 
@@ -6173,8 +6193,7 @@ index 1a82e29..5e167ca 100644 -# - -allow httpd_sys_script_t self:tcp_socket { accept listen }; -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6204,7 +6223,8 @@ index 1a82e29..5e167ca 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6417,7 +6437,7 @@ index 1a82e29..5e167ca 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) 
@@ -6435,23 +6455,33 @@ index 1a82e29..5e167ca 100644 +systemd_manage_passwd_run(httpd_passwd_t) +systemd_manage_passwd_run(httpd_t) +#systemd_passwd_agent_dev_template(httpd) -+ + +-allow httpd_gpg_t self:process setrlimit; +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; -+ + +-allow httpd_gpg_t httpd_t:fd use; +-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; +-allow httpd_gpg_t httpd_t:process sigchld; +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type) +corecmd_shell_entry_type(httpd_script_type) -+ + +-dev_read_rand(httpd_gpg_t) +-dev_read_urand(httpd_gpg_t) +allow httpd_script_type self:fifo_file rw_file_perms; +allow httpd_script_type self:unix_stream_socket connectto; -+ + +-files_read_usr_files(httpd_gpg_t) +allow httpd_script_type httpd_t:fifo_file write; +# apache should set close-on-exec +apache_dontaudit_leaks(httpd_script_type) -+ + +-miscfiles_read_localization(httpd_gpg_t) +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t) +logging_search_logs(httpd_script_type) -+ + +-tunable_policy(`httpd_gpg_anon_write',` +- miscfiles_manage_public_files(httpd_gpg_t) +kernel_dontaudit_search_sysctl(httpd_script_type) +kernel_dontaudit_search_kernel_sysctl(httpd_script_type) + 
@@ -6466,34 +6496,24 @@ index 1a82e29..5e167ca 100644 + +libs_exec_ld_so(httpd_script_type) +libs_exec_lib_files(httpd_script_type) - --allow httpd_gpg_t self:process setrlimit; ++ +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) - --allow httpd_gpg_t httpd_t:fd use; --allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; --allow httpd_gpg_t httpd_t:process sigchld; ++ +allow httpd_t httpd_script_type:unix_stream_socket connectto; - --dev_read_rand(httpd_gpg_t) --dev_read_urand(httpd_gpg_t) ++ +allow httpd_t httpd_script_exec_type:file read_file_perms; +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; +allow httpd_t httpd_script_type:process { signal sigkill sigstop }; +allow httpd_t httpd_script_exec_type:dir list_dir_perms; - --files_read_usr_files(httpd_gpg_t) ++ +allow httpd_script_type self:process { setsched signal_perms }; +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; +allow httpd_script_type self:unix_dgram_socket create_socket_perms; - --miscfiles_read_localization(httpd_gpg_t) ++ +allow httpd_script_type httpd_t:fd use; +allow httpd_script_type httpd_t:process sigchld; - --tunable_policy(`httpd_gpg_anon_write',` -- miscfiles_manage_public_files(httpd_gpg_t) ++ +dontaudit httpd_script_type httpd_t:tcp_socket { read write }; + +fs_getattr_xattr_fs(httpd_script_type) @@ -6531,6 +6551,11 @@ index 1a82e29..5e167ca 100644 + corenet_tcp_connect_keystone_port(httpd_sys_script_t) + corenet_tcp_connect_all_ephemeral_ports(httpd_t) + corenet_tcp_connect_glance_port(httpd_sys_script_t) ++ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_use_openstack',` ++ corenet_tcp_connect_osapi_compute_port(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc index 5ec0e13..2da2368 100644 @@ -9565,10 +9590,10 @@ index 0c53b18..ef29f6e 100644 domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; 
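Review bot: The new `tunable_policy(`httpd_use_openstack',` block holding `corenet_tcp_connect_osapi_compute_port(httpd_t)` is appended directly after a block that already groups the OpenStack connects (keystone, glance, the osapi_compute rule for `httpd_sys_script_t`, and `corenet_tcp_connect_all_ephemeral_ports(httpd_t)`); if that preceding block is conditioned on the same tunable — its header is outside this hunk — fold the new line into it rather than opening a second block. If it is conditioned on a different boolean, `httpd_t` and `httpd_sys_script_t` end up gated by different switches for the same port, which should be deliberate and noted in a comment above each block. Also confirm that `gen_tunable(httpd_use_openstack, false)` exists in apache.te; it is not visible on this page.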
diff --git a/certmaster.te b/certmaster.te -index bf82163..5397bb9 100644 +index bf82163..2b571c7 100644 --- a/certmaster.te +++ b/certmaster.te -@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) +@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) dev_read_urand(certmaster_t) files_list_var(certmaster_t) @@ -9580,6 +9605,8 @@ index bf82163..5397bb9 100644 -miscfiles_read_localization(certmaster_t) miscfiles_manage_generic_cert_dirs(certmaster_t) miscfiles_manage_generic_cert_files(certmaster_t) ++ ++mta_send_mail(certmaster_t) diff --git a/certmonger.fc b/certmonger.fc index ed298d8..cd8eb4d 100644 --- a/certmonger.fc @@ -16063,7 +16090,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..3b03f21 100644 +index 9f34c2e..fb69e2c 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16160,8 +16187,8 @@ index 9f34c2e..3b03f21 100644 +# Cups general local policy +# + -+allow cups_domain self:capability { setuid setgid }; -+allow cups_domain self:process signal_perms; ++allow cups_domain self:capability { setuid setgid sys_nice }; ++allow cups_domain self:process { getsched setsched signal_perms }; +allow cups_domain self:fifo_file rw_fifo_file_perms; +allow cups_domain self:tcp_socket { accept listen }; + @@ -32942,7 +32969,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..ed36684 100644 +index 7bab8e5..3baae66 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -33126,7 +33153,13 @@ index 7bab8e5..ed36684 100644 ') optional_policy(` -@@ -140,11 +159,11 @@ optional_policy(` +@@ -135,16 +154,17 @@ optional_policy(` + + optional_policy(` + apache_read_config(logrotate_t) ++ apache_read_sys_content_rw_dirs(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) ') optional_policy(` 
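Review bot: The changelog says "Allow sched_setscheduler for cupsd_t", but the rule `allow cups_domain self:capability { setuid setgid sys_nice };` together with `{ getsched setsched signal_perms }` is written against the `cups_domain` attribute, so every domain carrying that attribute gains scheduler control, not just cupsd_t. If only the main daemon needs it, leave the shared rule at `{ setuid setgid }` and add `allow cupsd_t self:capability sys_nice;` and `allow cupsd_t self:process { getsched setsched };` in the cupsd-specific section. Whichever scope is chosen, a comment such as `# cupsd calls sched_setscheduler()` on the rule records why the capability is there.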
@@ -33140,7 +33173,7 @@ index 7bab8e5..ed36684 100644 ') optional_policy(` -@@ -178,7 +197,7 @@ optional_policy(` +@@ -178,7 +198,7 @@ optional_policy(` ') optional_policy(` @@ -33149,7 +33182,7 @@ index 7bab8e5..ed36684 100644 ') optional_policy(` -@@ -198,21 +217,22 @@ optional_policy(` +@@ -198,21 +218,22 @@ optional_policy(` ') optional_policy(` @@ -33176,7 +33209,7 @@ index 7bab8e5..ed36684 100644 ') optional_policy(` -@@ -228,10 +248,20 @@ optional_policy(` +@@ -228,10 +249,20 @@ optional_policy(` ') optional_policy(` @@ -33197,7 +33230,7 @@ index 7bab8e5..ed36684 100644 su_exec(logrotate_t) ') -@@ -241,13 +271,11 @@ optional_policy(` +@@ -241,13 +272,11 @@ optional_policy(` ####################################### # @@ -54684,7 +54717,7 @@ index 2e23946..41da729 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..b11469c 100644 +index 191a66f..7ceaec2 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -55284,7 +55317,7 @@ index 191a66f..b11469c 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +495,24 @@ optional_policy(` +@@ -576,19 +495,25 @@ optional_policy(` ######################################## # @@ -55301,6 +55334,7 @@ index 191a66f..b11469c 100644 +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) ++rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) +postfix_list_spool(postfix_postdrop_t) manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -55314,7 +55348,7 @@ index 191a66f..b11469c 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +527,7 @@ optional_policy(` +@@ -603,10 +528,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') 
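Review bot: `rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)` grants read/write on the socket file itself, but actually connecting to a Unix socket also needs `connectto` on the listening daemon's `unix_stream_socket`; if postdrop is connecting to a socket under `public/` as the changelog's "access postfix_public socket" suggests, the idiomatic form is `stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, <listening domain>)`, which covers both halves. If postdrop only inherits an already-connected descriptor, the existing `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` two lines up is the relevant rule and the new sock_file permission adds nothing. A one-line comment naming which daemon owns the socket would make the intent checkable either way.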
@@ -55326,7 +55360,7 @@ index 191a66f..b11469c 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +542,23 @@ optional_policy(` +@@ -621,17 +543,23 @@ optional_policy(` ####################################### # @@ -55353,7 +55387,7 @@ index 191a66f..b11469c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +574,77 @@ optional_policy(` +@@ -647,67 +575,77 @@ optional_policy(` ######################################## # @@ -55449,7 +55483,7 @@ index 191a66f..b11469c 100644 ') optional_policy(` -@@ -720,24 +657,27 @@ optional_policy(` +@@ -720,24 +658,27 @@ optional_policy(` ######################################## # @@ -55483,7 +55517,7 @@ index 191a66f..b11469c 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +694,7 @@ optional_policy(` +@@ -754,6 +695,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -55491,7 +55525,7 @@ index 191a66f..b11469c 100644 ') optional_policy(` -@@ -764,31 +705,100 @@ optional_policy(` +@@ -764,31 +706,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -64957,7 +64991,7 @@ index 56bc01f..cbca7aa 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..bbe8875 100644 +index 2c2de9a..aa4480c 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) 
@@ -65257,7 +65291,16 @@ index 2c2de9a..bbe8875 100644 ') ##################################### -@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -79,7 +335,7 @@ optional_policy(` + # dlm_controld local policy + # + +-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; ++allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; + allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + + stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -65267,10 +65310,14 @@ index 2c2de9a..bbe8875 100644 + corosync_rw_tmpfs(dlm_controld_t) +') + ++optional_policy(` ++ rhcs_stream_connect_cluster(dlm_controld_t) ++') ++ ####################################### # # fenced local policy -@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t) +@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t) allow fenced_t self:capability { sys_rawio sys_resource }; allow fenced_t self:process { getsched signal_perms }; @@ -65285,7 +65332,7 @@ index 2c2de9a..bbe8875 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -65296,7 +65343,7 @@ index 2c2de9a..bbe8875 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) 
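Review bot: Adding `dac_override` to `dlm_controld_t` lets the daemon bypass permission bits on any file its type can otherwise reach, a far broader grant than the `net_admin sys_admin sys_resource` it sits beside; a dac_override denial usually points at a file or directory owned by another uid or a mislabeled path, and fixing that — or a narrow `dontaudit` if the access is harmless — is preferable to the capability. If it is genuinely required, add a comment on the rule recording the triggering access (`# dac_override: <path/reason>`) so it can be revisited. The new `optional_policy` wrapping `rhcs_stream_connect_cluster(dlm_controld_t)` calls an interface from the same module; that interface is not visible on this page, so confirm it is defined in this patch's rhcs.if.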
@@ -65307,7 +65354,7 @@ index 2c2de9a..bbe8875 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -65316,7 +65363,7 @@ index 2c2de9a..bbe8875 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -190,10 +453,6 @@ optional_policy(` +@@ -190,10 +457,6 @@ optional_policy(` ') optional_policy(` @@ -65327,7 +65374,7 @@ index 2c2de9a..bbe8875 100644 lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') -@@ -203,6 +462,13 @@ optional_policy(` +@@ -203,6 +466,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -65341,7 +65388,7 @@ index 2c2de9a..bbe8875 100644 ####################################### # # foghorn local policy -@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) dev_read_urand(foghorn_t) @@ -65351,7 +65398,7 @@ index 2c2de9a..bbe8875 100644 optional_policy(` dbus_connect_system_bus(foghorn_t) -@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -65360,7 +65407,7 @@ index 2c2de9a..bbe8875 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -65373,7 +65420,7 @@ index 2c2de9a..bbe8875 100644 ###################################### # # qdiskd local policy -@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) 
@@ -73079,7 +73126,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index a34eac4..25ad7ec 100644 +index a34eac4..b144d40 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -73219,7 +73266,7 @@ index a34eac4..25ad7ec 100644 optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) -+ virt_kill(sanlock_t) ++ virt_kill(sanlock_t) virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) @@ -75771,7 +75818,7 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9ade9c5..efefceb 100644 +index 9ade9c5..60d6c41 100644 --- a/smartmon.te +++ b/smartmon.te @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) @@ -75804,15 +75851,17 @@ index 9ade9c5..efefceb 100644 storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) -@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t) +@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) - application_signull(fsdaemon_t) + term_dontaudit_search_ptys(fsdaemon_t) -+auth_read_passwd(fsdaemon_t) +-application_signull(fsdaemon_t) ++domain_signull_all_domains(fsdaemon_t) + ++auth_read_passwd(fsdaemon_t) + init_read_utmp(fsdaemon_t) - libs_exec_ld_so(fsdaemon_t) @@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) logging_send_syslog_msg(fsdaemon_t) @@ -76248,9 +76297,17 @@ index 0000000..92c3638 + +sysnet_dns_name_resolve(smsd_t) diff --git a/snmp.fc b/snmp.fc -index c73fa24..9018dbc 100644 +index c73fa24..408ff61 100644 --- a/snmp.fc 
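Review bot: Replacing `application_signull(fsdaemon_t)` with `domain_signull_all_domains(fsdaemon_t)` lets smartd send signal 0 to processes in every domain; the signal itself is harmless, but it doubles as a system-wide process-existence probe, so if the denial came from one specific target a targeted `*_signull()` interface keeps the grant narrow. Add a comment above the call naming what smartd is probing (`# smartd checks for a running <helper>`) so the widening can be reviewed later. The enclosing block's start is outside this hunk.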
+++ b/snmp.fc +@@ -1,6 +1,6 @@ + /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) + +-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) ++/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) + /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) + + /usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -10,9 +10,12 @@ /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -83495,7 +83552,7 @@ index cf118fd..cd80e83 100644 + can_exec($1, consolehelper_exec_t) +') diff --git a/userhelper.te b/userhelper.te -index 274ed9c..9294dd6 100644 +index 274ed9c..57a9c3d 100644 --- a/userhelper.te +++ b/userhelper.te @@ -1,15 +1,12 @@ @@ -83516,7 +83573,7 @@ index 274ed9c..9294dd6 100644 type userhelper_conf_t; files_config_file(userhelper_conf_t) -@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t) +@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t) ######################################## # @@ -83533,8 +83590,8 @@ index 274ed9c..9294dd6 100644 -dontaudit consolehelper_type userhelper_conf_t:file audit_access; -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) +allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid dac_override }; -+allow consolehelper_domain self:process signal; ++allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; ++allow consolehelper_domain self:process { signal_perms getsched setsched }; -domain_use_interactive_fds(consolehelper_type) +allow consolehelper_domain userhelper_conf_t:file audit_access; 
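Review bot: The changelog calls the `/usr/sbin/snmpd` context "missing", but the hunk replaces the `/usr/sbin/snmptrap` line rather than adding a new one, so `snmptrap` (the command-line trap sender) stops being labeled `snmpd_exec_t` and falls back to the generic binary label on the next relabel. That is probably the right outcome for a client utility, but it is a behaviour change the changelog does not mention. If keeping snmptrap under `snmpd_exec_t` was intended, make this two added lines; otherwise record the removal in the changelog entry.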
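Review bot: `allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice };` grants `dac_override` to every domain carrying the `consolehelper_domain` attribute, and the hunk gives no hint of which file access needed it; for a setuid-root helper it is plausible, but record the triggering access in a comment (`# dac_override: needed for …`) so it can be revisited. If only one helper domain needs scheduler control, move `sys_nice` and the `{ getsched setsched }` process permissions to that domain instead of the attribute. The change from `signal` to `signal_perms` also adds `sigkill`/`sigstop`/`sigchld`/`signull` on self; confirm that widening was intended rather than a side effect of the rewrite.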
@@ -83600,6 +83657,7 @@ index 274ed9c..9294dd6 100644 +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) +userdom_read_user_home_content_files(consolehelper_domain) ++userdom_search_admin_dir(consolehelper_domain) -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(consolehelper_type) diff --git a/selinux-policy.spec b/selinux-policy.spec index 32c43d1..679cc34 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Apr 8 2013 Dan Walsh 3.12.1-28 +- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean +- Fixes for dlm_controld +- Fix apache_read_sys_content_rw_dirs() interface +- Allow logrotate to read /var/log/z-push dir +- Allow postfix_postdrop to acces postfix_public socket +- Allow sched_setscheduler for cupsd_t +- Add missing context for /usr/sbin/snmpd +- Allow consolehelper more access discovered by Tom London +- Allow fsdaemon to send signull to all domain +- Add port definition for osapi_compute port +- Allow unconfined to create /etc/hostname with correct labeling +- Add systemd_filetrans_named_hostname() interface + * Sat Apr 6 2013 Dan Walsh 3.12.1-27 - Fix file_contexts.subs to label /run/lock correctly