From 9532ecd407660927d76901719afb6de2c3269351 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 02 2014 18:27:29 +0000 Subject: * Tue Sep 02 2014 Lukas Vrabec 3.13.1-78 - Allow unconfined_service_t to dbus chat with all dbus domains - Assign rabbitmq port. BZ#1135523 - Add new interface to allow creation of file with lib_t type - Allow init to read all config files - We want to remove openshift_t domains ability to look at /proc/net - I guess lockdown is a file not a directory - Label /var/bacula/ as bacula_store_t - Allow rhsmcertd to send signull to sosreport. - Allow sending of snmp trap messages by radiusd. - remove redundant rule from nova.te. - Add auth_use_nsswitch() for ctdbd. - call nova_vncproxy_t instead of vncproxy. - Allow nova-vncproxy to use varnishd port. - Fix rhnsd_manage_config() to allow manage also symlinks. - Allow bacula to create dirs/files in /tmp - Allow nova-api to use nsswitch. - Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface. - Allow usbmuxd connect to itself by stream socket. (#1135945) - I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft - Allow nswrapper_32_64.nppdf.so to be created with the proper label - Assign rabbitmq port. BZ#1135523 - Dontaudit leaks of file descriptors from domains that transition to thumb_t - Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource - Allow unconfined_service_t to dbus chat with all dbus domains - Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way) --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index d3c0391..1782a37 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..68b9da6 100644 +index b191055..6b99aea 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5612,7 +5612,7 @@ index b191055..68b9da6 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +176,53 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +176,54 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5652,6 +5652,7 @@ index b191055..68b9da6 100644 +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp, 35357,s0, udp, 35357,s0) +network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0) ++network_port(rabbitmq, tcp,25672,s0) +network_port(rlogin, tcp,543,s0, tcp,2105,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) @@ -5680,7 +5681,7 @@ index b191055..68b9da6 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +230,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +231,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
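Review bot: `network_port(rabbitmq, tcp,25672,s0)` labels only 25672, which as far as I know is RabbitMQ's inter-node/CLI (Erlang distribution) listener rather than its AMQP client port, so the corenet_*_rabbitmq_port interfaces generated from this line will not cover client connections, which presumably stay under the existing amqp port type. If that split is intended, a one-line note in the changelog entry ("rabbitmq_port_t = inter-node/CLI port only") would stop policy authors from granting the wrong port type to AMQP clients; if it is not, the declaration needs the client port as well. Nothing in the visible hunks grants any domain access to the new type, so the consumer side cannot be checked from here.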
@@ -5721,7 +5722,7 @@ index b191055..68b9da6 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -213,68 +267,79 @@ network_port(postgrey, tcp,60000,s0) +@@ -213,68 +268,79 @@ network_port(postgrey, tcp,60000,s0) network_port(pptp, tcp,1723,s0, udp,1723,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) @@ -5812,7 +5813,7 @@ index b191055..68b9da6 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +353,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +354,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5839,7 +5840,7 @@ index b191055..68b9da6 100644 ######################################## # -@@ -333,6 +402,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +403,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5848,7 +5849,7 @@ index b191055..68b9da6 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +416,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +417,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -9584,7 +9585,7 @@ index b876c48..b2aed45 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..47dc71f 100644 +index f962f76..9157763 100644 
--- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13575,7 +13576,7 @@ index f962f76..47dc71f 100644 ## ## ## -@@ -6073,58 +6838,1243 @@ interface(`files_read_generic_pids',` +@@ -6073,43 +6838,1340 @@ interface(`files_read_generic_pids',` ## ## # @@ -14702,11 +14703,10 @@ index f962f76..47dc71f 100644 + ') + + search_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Do not audit attempts to search generic +## spool directories. +## @@ -14722,45 +14722,19 @@ index f962f76..47dc71f 100644 + ') + + dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## List the contents of generic spool +## (/var/spool) directories. - ## --## --##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

--##
- ## - ## - ## Domain allowed access. - ## - ## --## ++##
++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_list_spool',` + gen_require(` @@ -14776,12 +14750,10 @@ index f962f76..47dc71f 100644 +## spool directories (/var/spool). +##
+## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`files_manage_generic_spool_dirs',` + gen_require(` @@ -14797,8 +14769,7 @@ index f962f76..47dc71f 100644 +## Read generic spool files. +## +## - ## --## The object class of the object being created. ++## +## Domain allowed access. +## +## @@ -14851,19 +14822,14 @@ index f962f76..47dc71f 100644 +## +## Object class(es) (single or set including {}) for which this +## the transition will occur. - ## - ## - ## -@@ -6132,44 +8082,165 @@ interface(`files_write_generic_pid_pipes',` - ## The name of the object being created. - ## - ## --## - # --interface(`files_pid_filetrans',` -- gen_require(` -- type var_t, var_run_t; -- ') ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; @@ -14949,17 +14915,40 @@ index f962f76..47dc71f 100644 +######################################## +## +## Create a core files in / -+## -+## -+##

+ ## + ## + ##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +## Create a core file in /, -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## + ##

+ ## + ## +@@ -6117,14 +8179,82 @@ interface(`files_write_generic_pid_pipes',` + ## Domain allowed access. + ## + ## +-## +## +# +interface(`files_manage_root_files',` 
@@ -14990,173 +14979,208 @@ index f962f76..47dc71f 100644 + gen_require(` + type default_t; + ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ + allow $1 default_t:dir create; - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## Create, default_t objects with an automatic +## type transition. - ## - ## --## --## Domain allowed access ++## ++## +## +## Domain allowed access. ++## ++## ++## ++## ++## The class of the object being created. ++## ++## ++# ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') ++ ++ filetrans_pattern($1, root_t, default_t, $2) ++') ++ ++######################################## ++## ++## Create, lib_t objects with an automatic ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## + ## +-## The type of the object to be created. ++## Type of the directory to be transitioned from ## ## --## -+## + ## ## --## The name of the object being created. +-## The object class of the object being created. +## The class of the object being created. ## ## + ## +@@ -6132,65 +8262,56 @@ interface(`files_write_generic_pid_pipes',` + ## The name of the object being created. 
+ ## + ## +-## # --interface(`files_pid_filetrans_lock_dir',` +-interface(`files_pid_filetrans',` - gen_require(` -- type var_lock_t; +- type var_t, var_run_t; - ') -+interface(`files_root_filetrans_default',` ++interface(`files_filetrans_lib',` + gen_require(` -+ type root_t, default_t; ++ type lib_t, lib_t; + ') -- files_pid_filetrans($1, var_lock_t, dir, $2) -+ filetrans_pattern($1, root_t, default_t, $2) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ filetrans_pattern($1, $2, lib_t, $3, $4) ') ######################################## ## --## Read and write generic process ID files. +-## Create a generic lock directory within the run directories +## manage generic symbolic links +## in the /var/run directory. ## ## +-## +-## Domain allowed access +-## +-## +-## ## -@@ -6177,20 +8248,18 @@ interface(`files_pid_filetrans_lock_dir',` +-## The name of the object being created. ++## Domain allowed access. ## ## # --interface(`files_rw_generic_pids',` +-interface(`files_pid_filetrans_lock_dir',` +interface(`files_manage_generic_pids_symlinks',` gen_require(` -- type var_t, var_run_t; +- type var_lock_t; + type var_run_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) +- files_pid_filetrans($1, var_lock_t, dir, $2) + manage_lnk_files_pattern($1,var_run_t,var_run_t) ') ######################################## ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. +-## Read and write generic process ID files. +## Do not audit attempts to getattr +## all tmpfs files. ## ## ## -@@ -6198,19 +8267,17 @@ interface(`files_rw_generic_pids',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # --interface(`files_dontaudit_getattr_all_pids',` +-interface(`files_rw_generic_pids',` +interface(`files_dontaudit_getattr_tmpfs_files',` gen_require(` -- attribute pidfile; -- type var_run_t; +- type var_t, var_run_t; + attribute tmpfsfile; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) + allow $1 tmpfsfile:file getattr; ') ######################################## ## --## Do not audit attempts to write to daemon runtime data files. +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. +## Allow read write all tmpfs files ## ## ## -@@ -6218,18 +8285,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6198,19 +8319,17 @@ interface(`files_rw_generic_pids',` ## ## # --interface(`files_dontaudit_write_all_pids',` +-interface(`files_dontaudit_getattr_all_pids',` +interface(`files_rw_tmpfs_files',` gen_require(` - attribute pidfile; +- type var_run_t; + attribute tmpfsfile; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; +- dontaudit $1 pidfile:file getattr; + allow $1 tmpfsfile:file { read write }; ') ######################################## ## --## Do not audit attempts to ioctl daemon runtime data files. +-## Do not audit attempts to write to daemon runtime data files. 
+## Do not audit attempts to read security files ## ## ## -@@ -6237,41 +8303,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6218,38 +8337,43 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # --interface(`files_dontaudit_ioctl_all_pids',` +-interface(`files_dontaudit_write_all_pids',` +interface(`files_dontaudit_read_security_files',` gen_require(` - attribute pidfile; -- type var_run_t; + attribute security_file_type; ') - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; +- dontaudit $1 pidfile:file write; + dontaudit $1 security_file_type:file read_file_perms; ') ######################################## ## --## Read all process ID files. +-## Do not audit attempts to ioctl daemon runtime data files. +## rw any files inherited from another process ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. ## ## --## +## +## +## Object type. +## +## # --interface(`files_read_all_pids',` +-interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_rw_all_inherited_files',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_run_t; + attribute file_type; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; 
@@ -15165,16 +15189,16 @@ index f962f76..47dc71f 100644 ######################################## ## --## Delete all process IDs. +-## Read all process ID files. +## Allow any file point to be the entrypoint of this domain ## ## ## -@@ -6280,67 +8348,55 @@ interface(`files_read_all_pids',` +@@ -6258,127 +8382,111 @@ interface(`files_dontaudit_ioctl_all_pids',` ## ## # --interface(`files_delete_all_pids',` +-interface(`files_read_all_pids',` +interface(`files_entrypoint_all_files',` gen_require(` - attribute pidfile; @@ -15182,19 +15206,15 @@ index f962f76..47dc71f 100644 + attribute file_type; ') - -- allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + allow $1 file_type:file entrypoint; ') ######################################## ## --## Delete all process ID directories. +-## Delete all process IDs. +## Do not audit attempts to rw inherited file perms +## of non security files. ## @@ -15204,8 +15224,9 @@ index f962f76..47dc71f 100644 +## Domain to not audit. ## ## +-## # --interface(`files_delete_all_pid_dirs',` +-interface(`files_delete_all_pids',` +interface(`files_dontaudit_all_non_security_leaks',` gen_require(` - attribute pidfile; 
@@ -15215,66 +15236,73 @@ index f962f76..47dc71f 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Delete all process ID directories. +## Do not audit attempts to read or write +## all leaked files. ## ## ## --## Domain alloed access. +-## Domain allowed access. +## Domain to not audit. ## ## # --interface(`files_manage_all_pids',` +-interface(`files_delete_all_pid_dirs',` +interface(`files_dontaudit_leaks',` gen_require(` - attribute pidfile; +- type var_t, var_run_t; + attribute file_type; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. +-## Create, read, write and delete all +-## var_run (pid) content +## Allow domain to create_file_ass all types ## ## ## -@@ -6348,37 +8404,37 @@ interface(`files_manage_all_pids',` +-## Domain alloed access. ++## Domain allowed access. 
## ## # --interface(`files_mounton_all_poly_members',` +-interface(`files_manage_all_pids',` +interface(`files_create_as_is_all_files',` gen_require(` -- attribute polymember; +- attribute pidfile; + attribute file_type; + class kernel_service create_files_as; ') -- allow $1 polymember:dir mounton; +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 file_type:kernel_service create_files_as; ') ######################################## ## --## Search the contents of generic spool --## directories (/var/spool). +-## Mount filesystems on all polyinstantiation +-## member directories. +## Do not audit attempts to check the +## access on all files ## 
@@ -15285,69 +15313,69 @@ index f962f76..47dc71f 100644 ## ## # --interface(`files_search_spool',` +-interface(`files_mounton_all_poly_members',` +interface(`files_dontaudit_all_access_check',` gen_require(` -- type var_t, var_spool_t; +- attribute polymember; + attribute file_type; ') -- search_dirs_pattern($1, var_t, var_spool_t) +- allow $1 polymember:dir mounton; + dontaudit $1 file_type:dir_file_class_set audit_access; ') ######################################## ## --## Do not audit attempts to search generic --## spool directories. +-## Search the contents of generic spool +-## directories (/var/spool). +## Do not audit attempts to write to all files ## ## ## -@@ -6386,132 +8442,207 @@ interface(`files_search_spool',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_search_spool',` +-interface(`files_search_spool',` +interface(`files_dontaudit_write_all_files',` gen_require(` -- type var_spool_t; +- type var_t, var_spool_t; + attribute file_type; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; +- search_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set write; ') ######################################## ## --## List the contents of generic spool --## (/var/spool) directories. +-## Do not audit attempts to search generic +-## spool directories. +## Allow domain to delete to all files ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -6386,132 +8494,189 @@ interface(`files_search_spool',` ## ## # --interface(`files_list_spool',` +-interface(`files_dontaudit_search_spool',` +interface(`files_delete_all_non_security_files',` gen_require(` -- type var_t, var_spool_t; +- type var_spool_t; + attribute non_security_file_type; ') -- list_dirs_pattern($1, var_t, var_spool_t) +- dontaudit $1 var_spool_t:dir search_dir_perms; + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; ') ######################################## ## --## Create, read, write, and delete generic --## spool directories (/var/spool). +-## List the contents of generic spool +-## (/var/spool) directories. +## Allow domain to delete to all dirs ## ## @@ -15357,21 +15385,21 @@ index f962f76..47dc71f 100644 ## ## # --interface(`files_manage_generic_spool_dirs',` +-interface(`files_list_spool',` +interface(`files_delete_all_non_security_dirs',` gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; ') -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) +- list_dirs_pattern($1, var_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ') ######################################## ## --## Read generic spool files. +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Transition named content in the var_run_t directory ## ## @@ -15381,7 +15409,7 @@ index f962f76..47dc71f 100644 ## ## # --interface(`files_read_generic_spool',` +-interface(`files_manage_generic_spool_dirs',` +interface(`files_filetrans_named_content',` gen_require(` - type var_t, var_spool_t; 
@@ -15395,8 +15423,8 @@ index f962f76..47dc71f 100644 + type tmp_t; ') -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -15438,8 +15466,7 @@ index f962f76..47dc71f 100644 ######################################## ## --## Create, read, write, and delete generic --## spool files. +-## Read generic spool files. +## Make the specified type a +## base file. ## @@ -15458,44 +15485,33 @@ index f962f76..47dc71f 100644 ## +## # --interface(`files_manage_generic_spool',` +-interface(`files_read_generic_spool',` +interface(`files_base_file',` gen_require(` - type var_t, var_spool_t; + attribute base_file_type; ') -- -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; - ') ++') - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++######################################## ++## +## Make the specified type a +## base read only file. - ## --## --## --## Domain allowed access. --## --## --## ++## +## +##

+## Make the specified type readable for all domains. +##

+##
+## - ## --## Type to which the created node will be transitioned. ++## +## Type to be used as a base read only files. - ## - ## --## ++## ++## +## +# +interface(`files_ro_base_file',` @@ -15504,42 +15520,62 @@ index f962f76..47dc71f 100644 + ') + files_base_file($1) + typeattribute $1 base_ro_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Read all ro base files. -+## -+## + ## + ## ## --## Object class(es) (single or set including {}) for which this --## the transition will occur. -+## Domain allowed access. + ## Domain allowed access. ## ## --## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_read_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Execute all base ro files. -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## # -interface(`files_spool_filetrans',` 
@@ -15563,7 +15599,7 @@ index f962f76..47dc71f 100644 ## ## ## -@@ -6519,53 +8650,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8684,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -15621,7 +15657,7 @@ index f962f76..47dc71f 100644 ## ## ## -@@ -6573,10 +8668,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8702,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -32457,7 +32493,7 @@ index 79a45f6..c6373d9 100644 + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..b5b7bf6 100644 +index 17eda24..dd417eb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -32660,7 +32696,8 @@ index 17eda24..b5b7bf6 100644 +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) - files_read_etc_files(init_t) +-files_read_etc_files(init_t) ++files_read_config_files(init_t) +files_read_all_pids(init_t) +files_read_system_conf_files(init_t) files_rw_generic_pids(init_t) @@ -44631,10 +44668,10 @@ index 5ca20a9..e749152 100644 + corecmd_bin_domtrans($1, unconfined_service_t) ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..fcc9efe 100644 +index 5fe902d..b8aeff9 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,20 @@ +@@ -1,207 +1,24 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) 
@@ -44700,13 +44737,16 @@ index 5fe902d..fcc9efe 100644 -optional_policy(` - ada_domtrans(unconfined_t) -') -- --optional_policy(` ++corecmd_bin_entry_type(unconfined_service_t) ++corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) --') -- --optional_policy(` ++ rpm_transition_script(unconfined_service_t, system_r) + ') + + optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - @@ -44844,12 +44884,10 @@ index 5fe902d..fcc9efe 100644 - -allow unconfined_execmem_t self:process { execstack execmem }; -unconfined_domain_noaudit(unconfined_execmem_t) -+corecmd_bin_entry_type(unconfined_service_t) -+corecmd_shell_entry_type(unconfined_service_t) - - optional_policy(` +- +-optional_policy(` - unconfined_dbus_chat(unconfined_execmem_t) -+ rpm_transition_script(unconfined_service_t, system_r) ++ dbus_chat_system_bus(unconfined_service_t) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..1ee08ec 100644 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d3c91fc..566ed57 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8703,6 +8703,19 @@ index 7811450..d8a8bd6 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) +diff --git a/bacula.fc b/bacula.fc +index 27ec3d5..65aa71b 100644 +--- a/bacula.fc ++++ b/bacula.fc +@@ -8,6 +8,8 @@ + /usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) + /usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) + ++/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0) ++ + /var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0) + + /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0) diff --git a/bacula.if b/bacula.if index dcd774e..c240ffa 100644 --- a/bacula.if 
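Review bot: The new `dbus_chat_system_bus(unconfined_service_t)` line in the last optional_policy block grants, as far as I know, bidirectional send_msg only between unconfined_service_t and system_dbusd_t, whereas the changelog entry says unconfined_service_t may "dbus chat with all dbus domains"; either the changelog overstates this hunk or the broader rule lives in the contrib patch outside this view. If the latter, the unconfined.te line deserves a one-line comment naming where the wider grant is, e.g. `# peer-domain dbus access is granted via the dbus module, this only reaches the bus daemon`. Note also that the same optional_policy block previously carried `rpm_transition_script(unconfined_service_t, system_r)`, which the earlier hunk in this section moves up into its own block, so the two optional blocks now guard different modules and should not be merged.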
@@ -8716,10 +8729,20 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..373576e 100644 +index f16b000..5aaaf4f 100644 --- a/bacula.te +++ b/bacula.te -@@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t; +@@ -27,6 +27,9 @@ type bacula_store_t; + files_type(bacula_store_t) + files_mountpoint(bacula_store_t) + ++type bacula_tmp_t; ++files_tmp_file(bacula_tmp_t) ++ + type bacula_var_lib_t; + files_type(bacula_var_lib_t) + +@@ -43,16 +46,22 @@ role bacula_admin_roles types bacula_admin_t; # Local policy # @@ -8731,6 +8754,10 @@ index f16b000..373576e 100644 read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) ++manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t) ++manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t) ++files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file }) ++ +manage_dirs_pattern(bacula_t,bacula_log_t, bacula_log_t) append_files_pattern(bacula_t, bacula_log_t, bacula_log_t) create_files_pattern(bacula_t, bacula_log_t, bacula_log_t) @@ -8739,7 +8766,7 @@ index f16b000..373576e 100644 manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t) manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t) -@@ -88,6 +90,10 @@ corenet_udp_bind_generic_node(bacula_t) +@@ -88,6 +97,10 @@ corenet_udp_bind_generic_node(bacula_t) corenet_sendrecv_generic_server_packets(bacula_t) corenet_udp_bind_generic_port(bacula_t) @@ -8750,7 +8777,7 @@ index f16b000..373576e 100644 corenet_sendrecv_hplip_server_packets(bacula_t) corenet_tcp_bind_hplip_port(bacula_t) corenet_udp_bind_hplip_port(bacula_t) -@@ -105,6 +111,7 @@ files_read_all_symlinks(bacula_t) +@@ -105,6 +118,7 @@ files_read_all_symlinks(bacula_t) fs_getattr_xattr_fs(bacula_t) fs_list_all(bacula_t) 
@@ -8758,16 +8785,30 @@ index f16b000..373576e 100644 auth_read_shadow(bacula_t) logging_send_syslog_msg(bacula_t) -@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -125,6 +139,10 @@ optional_policy(` + ldap_stream_connect(bacula_t) + ') + ++optional_policy(` ++ postgresql_tcp_connect(bacula_t) ++') ++ + ######################################## + # + # Client local policy +@@ -148,11 +166,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) -files_read_etc_files(bacula_admin_t) - +- -miscfiles_read_localization(bacula_admin_t) - +- sysnet_dns_name_resolve(bacula_admin_t) + userdom_dontaudit_search_user_home_dirs(bacula_admin_t) + userdom_use_user_ptys(bacula_admin_t) ++ diff --git a/bcfg2.fc b/bcfg2.fc index fb42e35..8af0e14 100644 --- a/bcfg2.fc @@ -16470,7 +16511,7 @@ index ad0bae9..615a947 100644 +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if -index 1303b30..72481a7 100644 +index 1303b30..b4363e9 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ @@ -16616,7 +16657,7 @@ index 1303b30..72481a7 100644 optional_policy(` gen_require(` -@@ -119,78 +137,87 @@ interface(`cron_role',` +@@ -119,78 +137,75 @@ interface(`cron_role',` dbus_stub(cronjob_t) allow cronjob_t $2:dbus send_msg; @@ -16661,7 +16702,7 @@ index 1303b30..72481a7 100644 + # Declarations + # + -+ role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types unconfined_cronjob_t; - role $1 types { unconfined_cronjob_t crontab_t }; + ############################## 
@@ -16673,28 +16714,22 @@ index 1303b30..72481a7 100644 - # - # Local policy - # -+ domtrans_pattern($2, crontab_exec_t, crontab_t) ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - domtrans_pattern($2, crontab_exec_t, crontab_t) -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; ++ allow $2 crond_t:process sigchld; - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; -+ allow $2 crond_t:process sigchld; - +- - allow $2 user_cron_spool_t:file { getattr read write ioctl }; -+ allow $2 user_cron_spool_t:file { getattr read write ioctl }; - +- - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) -+ allow $2 crontab_t:process { signal_perms }; -+ ps_process_pattern($2, crontab_t) - +- - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 crontab_t:process ptrace; -+ ') ++ allow $2 user_cron_spool_t:file { getattr read write ioctl }; - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; @@ -16710,8 +16745,10 @@ index 1303b30..72481a7 100644 + ') - allow $2 crond_t:fifo_file rw_fifo_file_perms; -+ corecmd_exec_bin(crontab_t) -+ corecmd_exec_shell(crontab_t) ++ tunable_policy(`cron_userdomain_transition',` ++ allow crond_t $2:process transition; ++ allow crond_t $2:fd use; ++ allow crond_t $2:key manage_key_perms; - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, unconfined_cronjob_t) 
@@ -16719,31 +16756,26 @@ index 1303b30..72481a7 100644 - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; -+ tunable_policy(`cron_userdomain_transition',` -+ allow crond_t $2:process transition; -+ allow crond_t $2:fd use; -+ allow crond_t $2:key manage_key_perms; - -- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 user_cron_spool_t:file entrypoint; -- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; +- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 crond_t:fifo_file rw_fifo_file_perms; + ',` + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; +- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; ++ dontaudit $2 user_cron_spool_t:file entrypoint; + - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; -') -+ dontaudit $2 user_cron_spool_t:file entrypoint; -+ + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + ') optional_policy(` gen_require(` -@@ -198,55 +225,60 @@ interface(`cron_unconfined_role',` +@@ -198,55 +213,60 @@ interface(`cron_unconfined_role',` ') dbus_stub(unconfined_cronjob_t) @@ -16823,7 +16855,7 @@ index 1303b30..72481a7 100644 # Manipulate other users crontab. allow $2 self:passwd crontab; -@@ -254,28 +286,26 @@ interface(`cron_admin_role',` +@@ -254,28 +274,26 @@ interface(`cron_admin_role',` corecmd_exec_bin(admin_crontab_t) corecmd_exec_shell(admin_crontab_t) 
@@ -16831,16 +16863,15 @@ index 1303b30..72481a7 100644 - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; +- +- allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; -- allow $2 user_cron_spool_t:file entrypoint; -+ allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; -+ allow $2 crond_t:fifo_file rw_fifo_file_perms; ++ allow $2 user_cron_spool_t:file entrypoint; - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) @@ -16848,6 +16879,9 @@ index 1303b30..72481a7 100644 - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; ++ allow $2 crond_t:fifo_file rw_fifo_file_perms; + +- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 cronjob_t:process { signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` @@ -16855,8 +16889,6 @@ index 1303b30..72481a7 100644 + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; -- dontaudit $2 user_cron_spool_t:file entrypoint; -- - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; @@ -16868,7 +16900,7 @@ index 1303b30..72481a7 100644 optional_policy(` gen_require(` -@@ -285,13 +315,13 @@ interface(`cron_admin_role',` +@@ -285,13 +303,13 @@ interface(`cron_admin_role',` dbus_stub(admin_cronjob_t) allow cronjob_t $2:dbus send_msg; @@ -16885,7 +16917,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -307,15 +337,15 @@ interface(`cron_admin_role',` +@@ -307,15 +325,15 @@ interface(`cron_admin_role',` interface(`cron_system_entry',` gen_require(` type crond_t, system_cronjob_t; 
@@ -16904,7 +16936,7 @@ index 1303b30..72481a7 100644 ') ######################################## -@@ -333,13 +363,12 @@ interface(`cron_domtrans',` +@@ -333,13 +351,12 @@ interface(`cron_domtrans',` type system_cronjob_t, crond_exec_t; ') @@ -16919,7 +16951,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -352,7 +381,6 @@ interface(`cron_exec',` +@@ -352,7 +369,6 @@ interface(`cron_exec',` type crond_exec_t; ') @@ -16927,7 +16959,7 @@ index 1303b30..72481a7 100644 can_exec($1, crond_exec_t) ') -@@ -376,7 +404,31 @@ interface(`cron_initrc_domtrans',` +@@ -376,7 +392,31 @@ interface(`cron_initrc_domtrans',` ######################################## ## @@ -16960,7 +16992,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -394,7 +446,7 @@ interface(`cron_use_fds',` +@@ -394,7 +434,7 @@ interface(`cron_use_fds',` ######################################## ## @@ -16969,7 +17001,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -412,7 +464,7 @@ interface(`cron_sigchld',` +@@ -412,7 +452,7 @@ interface(`cron_sigchld',` ######################################## ## @@ -16978,7 +17010,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -420,17 +472,17 @@ interface(`cron_sigchld',` +@@ -420,17 +460,17 @@ interface(`cron_sigchld',` ## ## # @@ -17000,7 +17032,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -438,17 +490,17 @@ interface(`cron_setattr_log_files',` +@@ -438,17 +478,17 @@ interface(`cron_setattr_log_files',` ## ## # @@ -17022,7 +17054,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -456,18 +508,20 @@ interface(`cron_create_log_files',` +@@ -456,18 +496,20 @@ interface(`cron_create_log_files',` ## ## # @@ -17048,7 +17080,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -475,48 +529,37 @@ interface(`cron_write_log_files',` +@@ -475,48 +517,37 @@ interface(`cron_write_log_files',` ## ## # 
@@ -17108,7 +17140,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -524,36 +567,35 @@ interface(`cron_generic_log_filetrans_log',` +@@ -524,36 +555,35 @@ interface(`cron_generic_log_filetrans_log',` ## ## # @@ -17153,7 +17185,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -561,17 +603,17 @@ interface(`cron_dontaudit_write_pipes',` +@@ -561,17 +591,17 @@ interface(`cron_dontaudit_write_pipes',` ## ## # @@ -17175,7 +17207,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -589,8 +631,7 @@ interface(`cron_rw_tcp_sockets',` +@@ -589,8 +619,7 @@ interface(`cron_rw_tcp_sockets',` ######################################## ## @@ -17185,7 +17217,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -608,7 +649,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` +@@ -608,7 +637,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -17194,7 +17226,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -627,8 +668,26 @@ interface(`cron_search_spool',` +@@ -627,8 +656,26 @@ interface(`cron_search_spool',` ######################################## ## @@ -17223,7 +17255,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -641,13 +700,13 @@ interface(`cron_manage_pid_files',` +@@ -641,13 +688,13 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -17239,7 +17271,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -660,13 +719,13 @@ interface(`cron_anacron_domtrans_system_job',` +@@ -660,13 +707,13 @@ interface(`cron_anacron_domtrans_system_job',` type system_cronjob_t, anacron_exec_t; ') @@ -17255,7 +17287,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -684,7 +743,7 @@ interface(`cron_use_system_job_fds',` +@@ -684,7 +731,7 @@ interface(`cron_use_system_job_fds',` ######################################## ## @@ -17264,7 +17296,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -692,19 +751,17 @@ interface(`cron_use_system_job_fds',` +@@ -692,19 +739,17 @@ interface(`cron_use_system_job_fds',` ## ## # 
@@ -17288,7 +17320,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -712,18 +769,17 @@ interface(`cron_read_system_job_lib_files',` +@@ -712,18 +757,17 @@ interface(`cron_read_system_job_lib_files',` ## ## # @@ -17311,7 +17343,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -731,18 +787,17 @@ interface(`cron_manage_system_job_lib_files',` +@@ -731,18 +775,17 @@ interface(`cron_manage_system_job_lib_files',` ## ## # @@ -17333,7 +17365,7 @@ index 1303b30..72481a7 100644 ## ## ## -@@ -750,86 +805,142 @@ interface(`cron_write_system_job_pipes',` +@@ -750,86 +793,142 @@ interface(`cron_write_system_job_pipes',` ## ## # @@ -17503,7 +17535,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..24f2712 100644 +index 7de3859..c5ba745 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -18285,7 +18317,7 @@ index 7de3859..24f2712 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +688,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +688,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -18382,6 +18414,9 @@ index 7de3859..24f2712 100644 +allow crontab_domain crond_t:process signal; +allow crontab_domain crond_var_run_t:file read_file_perms; + ++corecmd_exec_bin(crontab_domain) ++corecmd_exec_shell(crontab_domain) ++ +# create files in /var/spool/cron +manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) +filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) @@ -18757,7 +18792,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..3ceae52 100644 +index 001b502..2ab29db 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -18826,7 +18861,7 @@ index 001b502..3ceae52 100644 +fs_getattr_all_fs(ctdbd_t) + -+auth_read_passwd(ctdbd_t) ++auth_use_nsswitch(ctdbd_t) + logging_send_syslog_msg(ctdbd_t) @@ -20303,7 +20338,7 @@ index dda905b..ccd0ba9 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..89671dd 100644 +index 62d22cb..cbf09ce 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -20961,7 +20996,7 @@ index 62d22cb..89671dd 100644 ## ## ## -@@ -498,98 +492,80 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -21015,21 +21050,38 @@ index 62d22cb..89671dd 100644 ## ## -## Type to be used as a domain. --## --## ++## Domain to not audit. + ## + ## -## --## ++# ++interface(`dbus_stream_connect_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ ') ++ ++ allow $1 session_bus_type:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to session bus types. ++## ++## + ## -## Type of the program to be used as an entry point to this domain. +## Domain to not audit. ## ## # -interface(`dbus_system_domain',` -+interface(`dbus_stream_connect_session_bus',` ++interface(`dbus_chat_session_bus',` gen_require(` - type system_dbusd_t; - role system_r; + attribute session_bus_type; ++ class dbus send_msg; ') - domain_type($1) @@ -21049,7 +21101,8 @@ index 62d22cb..89671dd 100644 - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') -+ allow $1 session_bus_type:unix_stream_socket connectto; ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; ') ######################################## 
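Review bot: The summaries added in hunk `@@ -21015,21 +21050,38 @@` are attached to the wrong interfaces: `dbus_stream_connect_session_bus` gets a `Domain to not audit.` parameter description, and `dbus_chat_session_bus` is headed `Do not audit attempts to send dbus messages to session bus types.` although its body (finished in the following hunk) is two `allow ... :dbus send_msg` rules granting traffic in both directions. Policy authors pick between the chat and dontaudit variants by these summaries, so a mislabelled allow interface is the kind of thing that ends up called where a dontaudit was meant. Suggest `## Send and receive dbus messages to and from session bus types.` as the summary for `dbus_chat_session_bus` and `Domain allowed access.` for the parameter of both allow interfaces, matching the wording used for `dbus_chat_system_bus` later in the file. Both interface bodies are split across two hunks on this line.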
@@ -21067,7 +21120,7 @@ index 62d22cb..89671dd 100644 ## # -interface(`dbus_use_system_bus_fds',` -+interface(`dbus_chat_session_bus',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; + attribute session_bus_type; @@ -21075,8 +21128,7 @@ index 62d22cb..89671dd 100644 ') - allow $1 system_dbusd_t:fd use; -+ allow $1 session_bus_type:dbus send_msg; -+ allow session_bus_type $1:dbus send_msg; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## @@ -21084,30 +21136,31 @@ index 62d22cb..89671dd 100644 -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. +## Do not audit attempts to send dbus -+## messages to session bus types. ++## messages to system bus types. ## ## ## -@@ -597,28 +573,49 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',` ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_dontaudit_chat_session_bus',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - type system_dbusd_t; -+ attribute session_bus_type; ++ attribute system_bus_type; + class dbus send_msg; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ dontaudit $1 session_bus_type:dbus send_msg; ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; ') ######################################## ## -## Unconfined access to DBUS. -+## Do not audit attempts to send dbus ++## Allow attempts to send dbus +## messages to system bus types. ## ## @@ -21118,7 +21171,7 @@ index 62d22cb..89671dd 100644 ## # -interface(`dbus_unconfined',` -+interface(`dbus_dontaudit_chat_system_bus',` ++interface(`dbus_chat_system_bus',` gen_require(` - attribute dbusd_unconfined; + attribute system_bus_type; 
@@ -21126,8 +21179,8 @@ index 62d22cb..89671dd 100644 ') - typeattribute $1 dbusd_unconfined; -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++ allow $1 system_bus_type:dbus send_msg; ++ allow system_bus_type $1:dbus send_msg; +') + +####################################### @@ -46183,7 +46236,7 @@ index 6ffaba2..549fb8c 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..f741e56 100644 +index 6194b80..9dbe23d 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -46318,11 +46371,11 @@ index 6194b80..f741e56 100644 - - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) -- -- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; -- allow $2 mozilla_plugin_t:fd use; + mozilla_filetrans_home_content($2) +- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; +- allow $2 mozilla_plugin_t:fd use; +- - stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - - allow mozilla_plugin_t $2:process signull; @@ -46926,7 +46979,7 @@ index 6194b80..f741e56 100644 ## ## ## -@@ -530,45 +557,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +557,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -46935,7 +46988,7 @@ index 6194b80..f741e56 100644 + gen_require(` - type mozilla_plugin_home_t; -+ type mozilla_home_t; ++ type mozilla_home_t, mozilla_plugin_rw_t; ') - userdom_search_user_home_dirs($1) 
@@ -46944,6 +46997,7 @@ index 6194b80..f741e56 100644 - allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; - allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; - allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; ++ files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") @@ -54922,10 +54976,10 @@ index 0000000..ce897e2 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..271f4b6 +index 0000000..459a025 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,335 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -55049,7 +55103,7 @@ index 0000000..271f4b6 +corenet_tcp_connect_all_ports(nova_api_t) +corenet_tcp_bind_all_unreserved_ports(nova_api_t) + -+auth_read_passwd(nova_api_t) ++auth_use_nsswitch(nova_api_t) + +logging_send_syslog_msg(nova_api_t) + @@ -55223,6 +55277,13 @@ index 0000000..271f4b6 +# nova vncproxy local policy +# + ++allow nova_vncproxy_t self:udp_socket create_socket_perms; ++ ++corenet_udp_bind_generic_node(nova_vncproxy_t) ++corenet_tcp_bind_generic_node(nova_vncproxy_t) ++ ++corenet_tcp_bind_varnishd_port(nova_vncproxy_t) ++ +####################################### +# +# nova volume local policy @@ -57610,10 +57671,10 @@ index 379af96..fac7d7b 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..dae3360 100644 +index 57c0161..4534676 100644 --- a/nut.if +++ b/nut.if -@@ -1,39 +1,24 @@ +@@ -1,39 +1,59 @@ -## Network UPS Tools +## nut - Network UPS Tools 
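Review bot: The new `files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")` line is dropped into an interface whose remaining rules are all `userdom_user_home_dir_filetrans` calls, so every caller that wants home-content labelling now also receives a name transition under library directories; the interface's name and summary begin before this hunk. A transition under lib paths is a different privilege shape from home-directory labelling (it only takes effect where the caller can already create in lib directories, but it changes what label such a file gets), so it deserves its own justification. Suggest a comment directly above it, e.g. `# name transition for the nswrapper_32_64.nppdf.so file created under library directories; requires caller create access there`, and an update to the interface summary (outside the hunk) mentioning the lib transition. If only that one file is involved, a dedicated interface would keep home-content callers from inheriting it.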
@@ -57622,36 +57683,67 @@ index 57c0161..dae3360 100644 ## -## All of the rules required to -## administrate an nut environment. -+## Execute swift server in the swift domain. ++## Creates types and rules for a basic ++## Network UPS Tools systemd daemon domain. ## - ## +-## -## -## Domain allowed access. -## -+## -+## Domain allowed to transition. -+## - ## +-## -## -## -## Role allowed access. -## --## ++## ++## ++## Prefix for the domain. ++## + ## -## # -interface(`nut_admin',` -- gen_require(` -- attribute nut_domain; ++template(`nut_domain_template',` + gen_require(` + attribute nut_domain; - type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; -- ') -- + ') + - allow $1 nut_domain:process { ptrace signal_perms }; - ps_process_pattern($1, nut_domain_t) -- ++ type nut_$1_t, nut_domain; ++ type nut_$1_exec_t; ++ init_daemon_domain(nut_$1_t, nut_$1_exec_t) ++ ++ type nut_$1_tmp_t; ++ files_tmp_file(nut_$1_tmp_t) ++ ++ manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) ++ files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) ++ fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) + - init_labeled_script_domtrans($1, nut_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nut_initrc_exec_t system_r; - allow $2 system_r; ++ auth_use_nsswitch(nut_$1_t) ++ ++ logging_send_syslog_msg(nut_$1_t) ++ ++') ++ ++####################################### ++## ++## Execute swift server in the swift domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# +interface(`nut_systemctl',` + gen_require(` + type nut_t; @@ -57669,13 +57761,32 @@ index 57c0161..dae3360 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..09484a9 100644 +index 5b2cb0d..ad16c77 100644 --- a/nut.te 
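Review bot: The summary placed above the `nut_systemctl` interface reads `Execute swift server in the swift domain.`, which describes another module, not what the body (in the following hunk) does for nut_t. Suggest `## Execute nut server in the nut domain.` or, if the body is only the systemctl rules, `## Allow the caller to control the nut service via systemctl.` In `nut_domain_template`, `fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })` labels objects created on tmpfs with a type declared through `files_tmp_file`, i.e. the /tmp type rather than a tmpfs type; if that is deliberate, a one-line comment such as `# tmpfs content shares the daemon's tmp type` would stop the next reader from "correcting" it. The trailing blank line before the template's closing `')` is also out of step with the rest of the file.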
+++ b/nut.te -@@ -22,139 +22,150 @@ type nut_upsdrvctl_t, nut_domain; - type nut_upsdrvctl_exec_t; - init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0) + + attribute nut_domain; + ++nut_domain_template(upsd) ++nut_domain_template(upsmon) ++nut_domain_template(upsdrvctl) ++ + type nut_conf_t; + files_config_file(nut_conf_t) +-type nut_upsd_t, nut_domain; +-type nut_upsd_exec_t; +-init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) +- +-type nut_upsmon_t, nut_domain; +-type nut_upsmon_exec_t; +-init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) +- +-type nut_upsdrvctl_t, nut_domain; +-type nut_upsdrvctl_exec_t; +-init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) +- -type nut_initrc_exec_t; -init_script_file(nut_initrc_exec_t) - @@ -57694,13 +57805,16 @@ index 5b2cb0d..09484a9 100644 # -allow nut_domain self:capability { setgid setuid dac_override kill }; --allow nut_domain self:process signal_perms; ++allow nut_domain self:capability { setgid setuid dac_override }; ++ + allow nut_domain self:process signal_perms; -allow nut_domain self:fifo_file rw_fifo_file_perms; -allow nut_domain self:unix_dgram_socket sendto; -- + -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; ++allow nut_domain self:fifo_file rw_fifo_file_perms; +allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; +# pid file 
@@ -57723,16 +57837,15 @@ index 5b2cb0d..09484a9 100644 # -allow nut_upsd_t self:tcp_socket { accept listen }; -+allow nut_upsd_t self:capability { setgid setuid dac_override }; -+allow nut_upsd_t self:process signal_perms; ++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) -+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; ++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) -+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; ++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) @@ -57740,23 +57853,19 @@ index 5b2cb0d..09484a9 100644 -corenet_tcp_sendrecv_generic_node(nut_upsd_t) -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) -+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - --corenet_sendrecv_ups_server_packets(nut_upsd_t) --corenet_tcp_bind_ups_port(nut_upsd_t) +kernel_read_kernel_sysctls(nut_upsd_t) +-corenet_sendrecv_ups_server_packets(nut_upsd_t) + corenet_tcp_bind_ups_port(nut_upsd_t) +- -corenet_sendrecv_generic_server_packets(nut_upsd_t) -+corenet_tcp_bind_ups_port(nut_upsd_t) corenet_tcp_bind_generic_port(nut_upsd_t) - -files_read_usr_files(nut_upsd_t) +- +-auth_use_nsswitch(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) - auth_use_nsswitch(nut_upsd_t) - -+logging_send_syslog_msg(nut_upsd_t) -+ ######################################## # -# Upsmon local policy 
@@ -57765,11 +57874,9 @@ index 5b2cb0d..09484a9 100644 -allow nut_upsmon_t self:capability dac_read_search; -allow nut_upsmon_t self:unix_stream_socket connectto; -+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; -+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; ++allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -+allow nut_upsmon_t self:tcp_socket create_socket_perms; +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + @@ -57800,13 +57907,11 @@ index 5b2cb0d..09484a9 100644 +# /usr/bin/wall term_write_all_terms(nut_upsmon_t) +-auth_use_nsswitch(nut_upsmon_t) +# upsmon runs shutdown, probably need a shutdown domain +init_rw_utmp(nut_upsmon_t) +init_telinit(nut_upsmon_t) + -+logging_send_syslog_msg(nut_upsmon_t) -+ - auth_use_nsswitch(nut_upsmon_t) mta_send_mail(nut_upsmon_t) @@ -57822,19 +57927,17 @@ index 5b2cb0d..09484a9 100644 +# Local policy for upsdrvctl # -+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; -+allow nut_upsdrvctl_t self:process { sigchld signal signull }; ++allow nut_upsdrvctl_t self:capability { kill }; allow nut_upsdrvctl_t self:fd use; -+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; ++ ++can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) -+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) -+ + +kernel_read_kernel_sysctls(nut_upsdrvctl_t) + +# /sbin/upsdrvctl executes other drivers 
@@ -57845,15 +57948,12 @@ index 5b2cb0d..09484a9 100644 dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) +- +-auth_use_nsswitch(nut_upsdrvctl_t) +term_use_usb_ttys(nut_upsdrvctl_t) - auth_use_nsswitch(nut_upsdrvctl_t) - init_sigchld(nut_upsdrvctl_t) -+logging_send_syslog_msg(nut_upsdrvctl_t) -+ -+ ####################################### # -# Cgi local policy @@ -58815,10 +58915,10 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..ba329e2 +index 0000000..5a2f97e --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,28 @@ +@@ -0,0 +1,30 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -58840,6 +58940,8 @@ index 0000000..ba329e2 + +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + ++/usr/s?bin/oo-lists-ports -- gen_context(system_u:object_r:openshift_net_read_exec_t,s0) ++ +/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) @@ -59576,10 +59678,10 @@ index 0000000..a60155c +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..a2db55e +index 0000000..577c683 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,580 @@ +@@ -0,0 +1,631 @@ +policy_module(openshift,1.0.0) + +gen_require(` 
@@ -59656,6 +59758,10 @@ index 0000000..a2db55e +type openshift_cgroup_read_exec_t; +application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t) + ++type openshift_net_read_t; ++type openshift_net_read_exec_t; ++application_domain(openshift_net_read_t, openshift_net_read_exec_t) ++ +type openshift_cgroup_read_tmp_t, openshift_file_type; +files_tmp_file(openshift_cgroup_read_tmp_t) + @@ -59789,7 +59895,7 @@ index 0000000..a2db55e +dontaudit openshift_domain openshift_var_run_t:file append; +dontaudit openshift_domain openshift_file_type:sock_file execute; + -+kernel_read_network_state(openshift_domain) ++kernel_dontaudit_search_network_state(openshift_domain) +kernel_dontaudit_list_all_proc(openshift_domain) +kernel_dontaudit_list_all_sysctls(openshift_domain) +kernel_dontaudit_request_load_module(openshift_domain) 
@@ -60076,6 +60182,53 @@ index 0000000..a2db55e + +######################################## +# ++# openshift_net_read local policy ++# ++ ++allow openshift_net_read_t self:process { getattr signal_perms }; ++allow openshift_net_read_t self:fifo_file rw_fifo_file_perms; ++allow openshift_net_read_t self:unix_stream_socket create_stream_socket_perms; ++allow openshift_net_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++ ++allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms; ++ ++kernel_read_network_state(openshift_net_read_t) ++kernel_read_system_state(openshift_net_read_t) ++ ++term_dontaudit_use_generic_ptys(openshift_net_read_t) ++ ++auth_read_passwd(openshift_net_read_t) ++ ++miscfiles_read_localization(openshift_net_read_t) ++ ++optional_policy(` ++ ssh_use_ptys(openshift_net_read_t) ++') ++ ++corecmd_exec_bin(openshift_net_read_t) ++corecmd_exec_shell(openshift_net_read_t) ++ ++dev_read_urand(openshift_net_read_t) ++ ++domain_use_interactive_fds(openshift_net_read_t) ++ ++fs_dontaudit_rw_anon_inodefs_files(openshift_net_read_t) ++ ++userdom_use_inherited_user_ptys(openshift_net_read_t) ++ ++miscfiles_read_generic_certs(openshift_net_read_t) ++ ++domtrans_pattern(openshift_domain, openshift_net_read_exec_t, openshift_net_read_t) ++role system_r types openshift_net_read_t; ++ ++allow openshift_domain openshift_net_read_t:process { getattr signal signull sigkill }; ++ ++allow openshift_net_read_t openshift_var_lib_t:dir list_dir_perms; ++manage_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t) ++allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms; ++ ++######################################## ++# +# openshift_cron local policy +# +allow openshift_cron_t self:capability { dac_override net_admin sys_admin }; @@ -62534,10 +62687,10 @@ index 0000000..d9296b1 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..d4c7e21 +index 0000000..62098f0 --- /dev/null 
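Review bot: `allow openshift_net_read_t openshift_file_type:file rw_inherited_file_perms;` appears twice in the new openshift_net_read block, once near the top and again as its last line; the duplicate should go. For a domain whose executable is `oo-lists-ports` (labelled in the openshift.fc hunk earlier on this page), the block is also broader than its name suggests: `manage_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t)` lets it create and delete anything under openshift var_lib, and `corecmd_exec_bin`/`corecmd_exec_shell` let it run generic binaries, alongside the `kernel_read_network_state` that is presumably the actual purpose. If the tool only reads gear state, `read_files_pattern(openshift_net_read_t, openshift_var_lib_t, openshift_var_lib_t)` is the tighter rule; if it writes, a comment naming what it writes would justify manage. The `miscfiles_read_localization` and `miscfiles_read_generic_certs` calls are separated by unrelated rules; grouping them would match the other local-policy sections in this file.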
+++ b/pcp.te -@@ -0,0 +1,232 @@ +@@ -0,0 +1,240 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -62698,6 +62851,14 @@ index 0000000..d4c7e21 + +logging_send_syslog_msg(pcp_pmproxy_t) + ++optional_policy(` ++ dbus_system_bus_client(pcp_pmproxy_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(pcp_pmproxy_t) ++ ') ++') ++ +######################################## +# +# pcp_pmwebd local policy @@ -64710,10 +64871,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..90c6736 +index 0000000..d9513e4 --- /dev/null +++ b/pki.te -@@ -0,0 +1,278 @@ +@@ -0,0 +1,279 @@ +policy_module(pki,10.0.11) + +######################################## @@ -64799,6 +64960,7 @@ index 0000000..90c6736 + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) + +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) @@ -76224,7 +76386,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..20f9ced 100644 +index dc3b0ed..7302746 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -76270,7 +76432,7 @@ index dc3b0ed..20f9ced 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) -@@ -55,57 +67,73 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) +@@ -55,57 +67,75 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) 
@@ -76294,12 +76456,14 @@ index dc3b0ed..20f9ced 100644 +corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) ++corenet_tcp_bind_rabbitmq_port(rabbitmq_beam_t) +corenet_tcp_connect_amqp_port(rabbitmq_beam_t) +corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) +corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +corenet_tcp_connect_http_port(rabbitmq_beam_t) ++corenet_tcp_connect_rabbitmq_port(rabbitmq_beam_t) -corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) @@ -76361,7 +76525,7 @@ index dc3b0ed..20f9ced 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -@@ -117,8 +145,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -117,8 +147,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -76447,7 +76611,7 @@ index 4460582..60cf556 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..0ae6dc6 100644 +index 403a4fe..de6f803 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) @@ -76510,6 +76674,17 @@ index 403a4fe..0ae6dc6 100644 logrotate_exec(radiusd_t) ') +@@ -140,5 +148,10 @@ optional_policy(` + ') + + optional_policy(` ++ snmp_read_snmp_var_lib_files(radiusd_t) ++ snmp_read_snmp_var_lib_files(radiusd_t) ++') ++ ++optional_policy(` + udev_read_db(radiusd_t) + ') diff --git a/radvd.if b/radvd.if index ac7058d..48739ac 100644 --- a/radvd.if @@ -81063,10 +81238,10 @@ index 0000000..860a91d +/etc/sysconfig/rhn(/.*)? gen_context(system_u:object_r:rhnsd_conf_t,s0) diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..8a5aaf0 +index 0000000..4c6fd7a --- /dev/null 
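Review bot: `snmp_read_snmp_var_lib_files(radiusd_t)` is added twice inside the same `optional_policy` block in the radius.te hunk; the second line is a verbatim duplicate and should be removed. The changelog entry in the spec hunk describes this as allowing radiusd to send SNMP trap messages, but an interface that reads snmp's /var/lib files grants no network access, so either the entry overstates the change or a rule for the SNMP port is still missing; worth checking against the denial that motivated it. The udev `optional_policy` that follows is existing context shifted by the insertion.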
+++ b/rhnsd.if -@@ -0,0 +1,118 @@ +@@ -0,0 +1,119 @@ +## policy for rhnsd + +######################################## @@ -81148,6 +81323,7 @@ index 0000000..8a5aaf0 + + files_search_etc($1) + manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t) ++ manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t) +') + +######################################## @@ -81498,7 +81674,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..04fffba 100644 +index d32e1a2..b541f8f 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -81537,7 +81713,7 @@ index d32e1a2..04fffba 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,53 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,57 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -81592,6 +81768,10 @@ index d32e1a2..04fffba 100644 +') + +optional_policy(` ++ sosreport_signull(rhsmcertd_t) ++') ++ ++optional_policy(` rpm_read_db(rhsmcertd_t) + rpm_signull(rhsmcertd_t) ') @@ -93106,7 +93286,7 @@ index 1af72df..7e55b50 100644 userdom_dontaudit_use_unpriv_user_fds(snort_t) diff --git a/sosreport.if b/sosreport.if -index 634c6b4..e1edfd9 100644 +index 634c6b4..f6db7a7 100644 --- a/sosreport.if +++ b/sosreport.if @@ -42,7 +42,7 @@ interface(`sosreport_run',` 
@@ -93118,6 +93298,29 @@ index 634c6b4..e1edfd9 100644 ') ######################################## +@@ -127,3 +127,22 @@ interface(`sosreport_delete_tmp_files',` + files_delete_tmp_dir_entry($1) + delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) + ') ++ ++######################################## ++## ++## Send a null signal to sosreport. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sosreport_signull',` ++ gen_require(` ++ type sosreport_t; ++ ') ++ ++ allow $1 sosreport_t:process signull; ++') ++ diff --git a/sosreport.te b/sosreport.te index f2f507d..0d4a35c 100644 --- a/sosreport.te @@ -98780,10 +98983,10 @@ index 0000000..115bf6c +/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..c1fd8b4 +index 0000000..9524b50 --- /dev/null +++ b/thumb.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,134 @@ + +## policy for thumb + @@ -98804,6 +99007,7 @@ index 0000000..c1fd8b4 + + corecmd_search_bin($1) + domtrans_pattern($1, thumb_exec_t, thumb_t) ++ dontaudit thumb_t $1:unix_stream_socket { getattr read write }; +') + + @@ -100427,15 +100631,17 @@ index 279e511..4f79ad6 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.fc b/usbmuxd.fc -index 220f6ad..cd80b9b 100644 +index 220f6ad..39b6acf 100644 --- a/usbmuxd.fc +++ b/usbmuxd.fc -@@ -1,3 +1,4 @@ +@@ -1,3 +1,6 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) ++ ++/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0) diff --git a/usbmuxd.if b/usbmuxd.if index 1ec5e99..88e287d 100644 --- a/usbmuxd.if 
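Review bot: The new `dontaudit thumb_t $1:unix_stream_socket { getattr read write };` in thumb.if sits inside the interface that wraps `domtrans_pattern($1, thumb_exec_t, thumb_t)`, so it silences inherited-socket denials for every domain that transitions to thumb_t, not only the one observed leaking; that is the usual refpolicy shape for leak dontaudits, but it also hides any future read/write denial on inherited sockets from all callers. A one-line comment above it, e.g. `# callers leak their stream sockets across the transition; silence rather than grant`, would keep that intent visible to the next reviewer. If the leaked descriptors also produce `fd use` denials, a matching `dontaudit thumb_t $1:fd use;` belongs beside it. The interface's opening line is outside the hunk.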
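Review bot: `/var/lib/lockdown -- gen_context(system_u:object_r:usbmuxd_var_lib_t,s0)` in usbmuxd.fc restricts the label to a regular file, while the companion usbmuxd.te hunk grants `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })` and `manage_dirs_pattern` on the same type; if usbmuxd ever creates `lockdown` as a directory, a relabel would not match this entry and would reset it to the default /var/lib label. Either drop the `--` so both object classes match the .fc entry, or drop `dir` from the filetrans so the two files agree. The changelog entry in the spec hunk (`I guess lockdown is a file not a directory`) suggests the file-only form is intended, in which case the `dir` class in the .te is the one to tighten.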
@@ -100508,10 +100714,10 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 34a8917..120d801 100644 +index 34a8917..85774c6 100644 --- a/usbmuxd.te +++ b/usbmuxd.te -@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; +@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; type usbmuxd_t; type usbmuxd_exec_t; @@ -100522,21 +100728,40 @@ index 34a8917..120d801 100644 type usbmuxd_var_run_t; files_pid_file(usbmuxd_var_run_t) ++type usbmuxd_var_lib_t; ++files_type(usbmuxd_var_lib_t) ++ +type usbmuxd_unit_file_t; +systemd_unit_file(usbmuxd_unit_file_t) + ######################################## # # Local policy -@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + # + allow usbmuxd_t self:capability { kill setgid setuid }; ++dontaudit usbmuxd_t self:capability sys_resource; allow usbmuxd_t self:process { signal signull }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow usbmuxd_t self:unix_stream_socket connectto; manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) -@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) + manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) ++files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file }) ++ + kernel_read_kernel_sysctls(usbmuxd_t) + kernel_read_system_state(usbmuxd_t) + + dev_read_sysfs(usbmuxd_t) ++dev_read_urand(usbmuxd_t) + dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) 
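Review bot: `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file })` carries no name argument, so any object usbmuxd_t creates directly under /var/lib receives usbmuxd_var_lib_t, not just the `lockdown` entry the .fc hunk labels. Scoping it as `files_var_lib_filetrans(usbmuxd_t, usbmuxd_var_lib_t, { dir file }, "lockdown")` keeps the transition matched to the labelled path and avoids mislabelling unrelated files. The new `dontaudit usbmuxd_t self:capability sys_resource;` would benefit from a short comment naming what triggers it, e.g. `# setrlimit attempt at startup; denial is harmless`, since a bare dontaudit on a capability is otherwise opaque to the next reader.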
diff --git a/selinux-policy.spec b/selinux-policy.spec index 9fee25c..5cf334d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -602,6 +602,34 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 02 2014 Lukas Vrabec 3.13.1-78 +- Allow unconfined_service_t to dbus chat with all dbus domains +- Assign rabbitmq port. BZ#1135523 +- Add new interface to allow creation of file with lib_t type +- Allow init to read all config files +- We want to remove openshift_t domains ability to look at /proc/net +- I guess lockdown is a file not a directory +- Label /var/bacula/ as bacula_store_t +- Allow rhsmcertd to seng signull to sosreport. +- Allow sending of snmp trap messages by radiusd. +- remove redundant rule fron nova.te. +- Add auth_use_nsswitch() for ctdbd. +- call nova_vncproxy_t instead of vncproxy. +- Allow nova-vncproxy to use varnishd port. +- Fix rhnsd_manage_config() to allow manage also symlinks. +- Allow bacula to create dirs/files in /tmp +- Allow nova-api to use nsswitch. +- Clean up nut policy. Allow nut domains to create temp files. Add nut_domain_template() template interface. +- Allow usbmuxd connect to itself by stream socket. (#1135945) +- I see no reason why unconfined_t should transition to crontab_t, this looks like old cruft +- Allow nswrapper_32_64.nppdf.so to be created with the proper label +- Assign rabbitmq port. BZ#1135523 +- Dontaudit leaks of file descriptors from domains that transition to thumb_t +- Fixes for usbmuxd, addition of /var/lib/lockdown, and allow it to use urand, dontaudit sys_resource +- Allow unconfined_service_t to dbus chat with all dbus domains +- Allow avahi_t communicate with pcp_pmproxy_t over dbus.(better way) +- Allow avahi_t communicate with pcp_pmproxy_t over dbus. + * Thu Aug 28 2014 Lukas Vrabec 3.13.1-77 - Allow aide to read random number generator - Allow pppd to connect to http port. (#1128947)