From 975a3877fdd737569cbb15221b0e5c939a87dd60 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 12 2014 11:25:26 +0000 Subject: - Allow zabbix to send system log msgs - Allow init_t to stream connect to ipsec --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 93d3bb1..395b847 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -31347,7 +31347,7 @@ index 24e7804..2863546 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..c207a0a 100644 +index dd3be8d..6f5676a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -31608,7 +31608,7 @@ index dd3be8d..c207a0a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +299,225 @@ ifdef(`distro_gentoo',` +@@ -186,29 +299,226 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -31797,6 +31797,7 @@ index dd3be8d..c207a0a 100644 + optional_policy(` + ipsec_read_config(init_t) + ipsec_manage_pid(init_t) ++ ipsec_stream_connect(init_t) + ') + + optional_policy(` @@ -31842,7 +31843,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -216,7 +525,30 @@ optional_policy(` +@@ -216,7 +526,30 @@ optional_policy(` ') optional_policy(` @@ -31873,7 +31874,7 @@ index dd3be8d..c207a0a 100644 ') ######################################## -@@ -225,8 +557,9 @@ optional_policy(` +@@ -225,8 +558,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
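Review bot: The added `ipsec_stream_connect(init_t)` depends on that interface already existing in the patched ipsec.if; the ipsec.if change in this same commit only extends `ipsec_manage_pid`, and an undefined interface inside `optional_policy(` is a build failure, not a silently skipped block, so it is worth confirming the interface is present in the f20 base patch. Read together with the neighbouring `ipsec_manage_pid(init_t)` (which this commit also widens to socket files), init_t can now connect to, create and unlink sockets under ipsec_var_run_t; if only the connect is needed, a one-line comment above the block naming the socket that motivated it (presumably the pluto control socket under /var/run/pluto, e.g. `# init connects to the pluto control socket`) keeps the grant reviewable later. The enclosing init.te hunk starts and ends outside this outer hunk.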
@@ -31885,7 +31886,7 @@ index dd3be8d..c207a0a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +590,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +591,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -31902,7 +31903,7 @@ index dd3be8d..c207a0a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +615,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +616,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -31945,7 +31946,7 @@ index dd3be8d..c207a0a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +652,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +653,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -31957,7 +31958,7 @@ index dd3be8d..c207a0a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +664,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +665,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -31968,7 +31969,7 @@ index dd3be8d..c207a0a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +675,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +676,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -31978,7 +31979,7 @@ index dd3be8d..c207a0a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +684,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +685,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -31986,7 +31987,7 @@ index dd3be8d..c207a0a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +691,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +692,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -31994,7 +31995,7 @@ index dd3be8d..c207a0a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +699,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +700,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -32012,7 +32013,7 @@ index dd3be8d..c207a0a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +717,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +718,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -32026,7 +32027,7 @@ index dd3be8d..c207a0a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +732,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +733,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -32040,7 +32041,7 @@ index dd3be8d..c207a0a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +745,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +746,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -32048,7 +32049,7 @@ index dd3be8d..c207a0a 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +757,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +758,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -32056,7 +32057,7 @@ index dd3be8d..c207a0a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +776,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +777,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -32080,7 +32081,7 @@ index dd3be8d..c207a0a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +809,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +810,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -32088,7 +32089,7 @@ index dd3be8d..c207a0a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +843,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +844,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -32099,7 +32100,7 @@ index dd3be8d..c207a0a 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +867,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +868,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -32108,7 +32109,7 @@ index dd3be8d..c207a0a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +882,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +883,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -32116,7 +32117,7 @@ index dd3be8d..c207a0a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +903,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +904,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -32124,7 +32125,7 @@ index dd3be8d..c207a0a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +913,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +914,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -32169,7 +32170,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -558,14 +958,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +959,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -32201,7 +32202,7 @@ index dd3be8d..c207a0a 100644 ') ') -@@ -576,6 +993,39 @@ ifdef(`distro_suse',` +@@ -576,6 +994,39 @@ ifdef(`distro_suse',` ') ') @@ -32241,7 +32242,7 @@ index dd3be8d..c207a0a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1038,8 @@ optional_policy(` +@@ -588,6 +1039,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -32250,7 +32251,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -609,6 +1061,7 @@ optional_policy(` +@@ -609,6 +1062,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -32258,7 +32259,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -625,6 +1078,17 @@ optional_policy(` +@@ -625,6 +1079,17 @@ optional_policy(` ') optional_policy(` 
@@ -32276,7 +32277,7 @@ index dd3be8d..c207a0a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1105,13 @@ optional_policy(` +@@ -641,9 +1106,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -32290,7 +32291,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -656,15 +1124,11 @@ optional_policy(` +@@ -656,15 +1125,11 @@ optional_policy(` ') optional_policy(` @@ -32308,7 +32309,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -685,6 +1149,15 @@ optional_policy(` +@@ -685,6 +1150,15 @@ optional_policy(` ') optional_policy(` @@ -32324,7 +32325,7 @@ index dd3be8d..c207a0a 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1198,7 @@ optional_policy(` +@@ -725,6 +1199,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -32332,7 +32333,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -742,7 +1216,13 @@ optional_policy(` +@@ -742,7 +1217,13 @@ optional_policy(` ') optional_policy(` @@ -32347,7 +32348,7 @@ index dd3be8d..c207a0a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1245,10 @@ optional_policy(` +@@ -765,6 +1246,10 @@ optional_policy(` ') optional_policy(` @@ -32358,7 +32359,7 @@ index dd3be8d..c207a0a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1258,20 @@ optional_policy(` +@@ -774,10 +1259,20 @@ optional_policy(` ') optional_policy(` @@ -32379,7 +32380,7 @@ index dd3be8d..c207a0a 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1280,10 @@ optional_policy(` +@@ -786,6 +1281,10 @@ optional_policy(` ') optional_policy(` @@ -32390,7 +32391,7 @@ index dd3be8d..c207a0a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1305,6 @@ optional_policy(` +@@ -807,8 +1306,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -32399,7 +32400,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -817,6 +1313,10 @@ optional_policy(` +@@ -817,6 +1314,10 @@ optional_policy(` ') optional_policy(` @@ -32410,7 +32411,7 @@ index dd3be8d..c207a0a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1326,12 @@ optional_policy(` +@@ -826,10 +1327,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -32423,7 +32424,7 @@ index dd3be8d..c207a0a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1358,35 @@ optional_policy(` +@@ -856,12 +1359,35 @@ optional_policy(` ') optional_policy(` @@ -32460,7 +32461,7 @@ index dd3be8d..c207a0a 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1396,18 @@ optional_policy(` +@@ -871,6 +1397,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -32479,7 +32480,7 @@ index dd3be8d..c207a0a 100644 ') optional_policy(` -@@ -886,6 +1423,10 @@ optional_policy(` +@@ -886,6 +1424,10 @@ optional_policy(` ') optional_policy(` @@ -32490,7 +32491,7 @@ index dd3be8d..c207a0a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1437,218 @@ optional_policy(` +@@ -896,3 +1438,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -32765,7 +32766,7 @@ index 662e79b..08589f8 100644 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..e6ffda3 100644 +index 0d4c8d3..3a3ec52 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` 
@@ -32926,7 +32927,15 @@ index 0d4c8d3..e6ffda3 100644 ') ######################################## -@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',` +@@ -282,6 +392,7 @@ interface(`ipsec_manage_pid',` + + files_search_pids($1) + manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) ++ manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + ') + + ######################################## +@@ -369,3 +480,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 20d4414..d7fa6a4 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -105295,7 +105295,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..20fc1ba 100644 +index 46e4cd3..614e66c 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) 
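Review bot: The new `manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)` inside `ipsec_manage_pid` widens that interface for every caller, not only init_t, and the commit title ("stream connect to ipsec") does not mention it; a domain that only needed pid-file access now also gets create/unlink/write on socket files in ipsec_var_run_t. If an init_t denial drove this, a narrower fix is a separate socket-file interface (name to be chosen) called from init.te, leaving `ipsec_manage_pid` as documented; if the wider grant is intended, the interface's doc header (outside this hunk) should state that it now covers sock files too. The `ipsec_run_setkey` hunk-header renumbering (`+479,26` to `+480,26`) is consistent with the single added line.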
@@ -105382,17 +105382,17 @@ index 46e4cd3..20fc1ba 100644 -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; +allow zabbix_t self:capability { dac_read_search dac_override }; -+ -+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) -+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) -+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) -+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) ++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") ++ +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) @@ -105414,7 +105414,7 @@ index 46e4cd3..20fc1ba 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) +@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) corenet_sendrecv_http_client_packets(zabbix_t) corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t) 
@@ -105437,8 +105437,12 @@ index 46e4cd3..20fc1ba 100644 - zabbix_agent_tcp_connect(zabbix_t) ++logging_send_syslog_msg(zabbix_t) ++ tunable_policy(`zabbix_can_network',` -@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',` + corenet_sendrecv_all_client_packets(zabbix_t) + corenet_tcp_connect_all_ports(zabbix_t) +@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -105453,7 +105457,7 @@ index 46e4cd3..20fc1ba 100644 ') optional_policy(` -@@ -125,6 +143,7 @@ optional_policy(` +@@ -125,6 +145,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -105461,7 +105465,7 @@ index 46e4cd3..20fc1ba 100644 ') ######################################## -@@ -132,18 +151,7 @@ optional_policy(` +@@ -132,18 +153,7 @@ optional_policy(` # Agent local policy # @@ -105481,7 +105485,7 @@ index 46e4cd3..20fc1ba 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -105500,7 +105504,7 @@ index 46e4cd3..20fc1ba 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e6ab3c0..c2c3db4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
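Review bot: `logging_send_syslog_msg(zabbix_t)` is added only for the server domain zabbix_t, while the commit title says "zabbix" generally; if the denial came from zabbix_agent_t, the same line is needed in the `# Agent local policy` section further down this file, and if it did not, a short note in the commit body saying so would pre-empt a follow-up. Style-wise the line is dropped between the `corenet_*` calls and `tunable_policy(`zabbix_can_network',`; refpolicy convention groups `logging_*` with the other system-layer interface calls (for example next to `miscfiles_*`), so if zabbix.te has such a group below this point (not visible here) it belongs there rather than directly above the tunable. The inner zabbix.te hunk this sits in (`@@ -85,24 +112,18 @@`, renumbered in the previous outer hunk) begins outside this outer hunk.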
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 135%{?dist} +Release: 136%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 12 2014 Miroslav Grepl 3.12.1-136 +- Allow zabbix to send system log msgs +- Allow init_t to stream connect to ipsec + * Tue Mar 11 2014 Miroslav Grepl 3.12.1-135 - Add docker_connect_any boolean