From 9c7346238816576f2d9985342234a56ac780ef8d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 05 2012 13:45:02 +0000 Subject: - Allow setroubleshoot to getattr on all executables - Allow tuned to execute profiles scripts in /etc/tuned - Allow apache to create directories to store its log files - Allow all directories/files in /var/log starting with passenger to be labele - Looks like apache is sending signal to openshift_initrc_t now, needs back port - Allow Postfix to be configured to listen on TCP port 10026 for email from DS - Add filename transition for /etc/tuned/active_profile - Allow condor_master to send mails - Allow condor_master to read submit.cf - Allow condor_master to create /tmp files/dirs - Allow condor_master to send sigkill to other condor domains - Allow condor_procd sigkill capability - tuned-adm wants to talk with tuned daemon - Allow kadmind and krb5kdc to also list sssd_public_t - Allow accountsd to dbus chat with init - Fix git_read_generic_system_content_files() interface - pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" - Fix mozilla_plugin_can_network_connect to allow to connect to all ports - Label all munin plugins which are not covered by munin plugins policy as un - dspam wants to search /var/spool for opendkim data - Revert "Add support for tcp/10026 port as dspam_port_t" - Turning on labeled networking requires additional access for netlabel_peer_t - Allow all application domains to use fifo_files passed in from userdomains, - Allow systemd_tmpfiles_t to setattr on mandb_cache_t --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index d885a84..e97a802 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -114348,7 +114348,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..651978f 100644 +index fe2ee5e..7369e6c 100644 
--- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0) @@ -114401,7 +114401,15 @@ index fe2ee5e..651978f 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -59,6 +75,12 @@ sid port gen_context(system_u:object_r:port_t,s0) +@@ -46,6 +62,7 @@ type client_packet_t, packet_type, client_packet_type; + # + type netlabel_peer_t; + sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) ++mcs_untrusted_proc(netlabel_peer_t) + + # + # port_t is the default type of INET port numbers. +@@ -59,6 +76,12 @@ sid port gen_context(system_u:object_r:port_t,s0) type unreserved_port_t, port_type, unreserved_port_type; # @@ -114414,7 +114422,7 @@ index fe2ee5e..651978f 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -74,30 +96,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -74,30 +97,39 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -114455,7 +114463,7 @@ index fe2ee5e..651978f 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -108,14 +139,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -108,14 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
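Review bot: The added `mcs_untrusted_proc(netlabel_peer_t)` line in the nested `@@ -46,6 +62,7 @@` hunk carries no comment, and the commit subject only mentions extra access for netlabel_peer_t, not a new constraint on it. If mcs_untrusted_proc still adds its argument to mcs_constrained_type as in the Fedora MCS policy, every peer recv and socket recvfrom check against netlabel_peer_t becomes subject to MCS category dominance, which changes behavior on MCS-enforcing hosts that turn on labeled networking. A one-line comment above it would make that visible, e.g. `# enforce MCS category constraints on traffic received from labeled peers`. The netmsg initial SID two lines above is still assigned mls_systemhigh, so it is worth confirming that this level and the new constraint interact as intended.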
@@ -114479,7 +114487,7 @@ index fe2ee5e..651978f 100644 network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -123,104 +163,139 @@ network_port(hadoop_datanode, tcp,50010,s0) +@@ -123,104 +164,139 @@ network_port(hadoop_datanode, tcp,50010,s0) network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) @@ -114638,7 +114646,7 @@ index fe2ee5e..651978f 100644 network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon -@@ -228,9 +303,12 @@ network_port(uucpd, tcp,540,s0) +@@ -228,9 +304,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -114652,7 +114660,7 @@ index fe2ee5e..651978f 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -242,17 +320,22 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -242,17 +321,22 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -114677,7 +114685,7 @@ index fe2ee5e..651978f 100644 ######################################## # -@@ -297,9 +380,22 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -297,9 +381,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -114702,6 +114710,8 @@ index fe2ee5e..651978f 100644 + +allow netlabel_peer_type netlabel_peer_t:peer recv; +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; ++allow netlabel_peer_t netif_t:netif ingress; ++allow netlabel_peer_t node_t:node recvfrom; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 @@ -117642,7 +117652,7 @@ index 8796ca3..c2055b3 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index e1e814d..74f20a1 100644 +index e1e814d..d042988 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -117662,15 +117672,12 @@ index e1e814d..74f20a1 100644 allow $1 non_security_file_type:file mounton; ') -@@ -618,6 +619,64 @@ interface(`files_dontaudit_getattr_non_security_files',` - dontaudit $1 non_security_file_type:file getattr; - ') +@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',` -+ -+######################################## -+## -+## Do not audit attempts to search -+## of non security dirs. + ######################################## + ## ++## Do not audit attempts to search ++## non security dirs. +## +## +## @@ -117724,10 +117731,12 @@ index e1e814d..74f20a1 100644 + dontaudit $1 non_security_file_type:dir setattr; +') + - ######################################## - ## ++######################################## ++## ## Read all files. -@@ -683,12 +742,82 @@ interface(`files_read_non_security_files',` + ## + ## +@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') 
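Review bot: The two rules added at the end of the `@@ -114702,6 +114710,8 @@` hunk, `allow netlabel_peer_t netif_t:netif ingress;` and `allow netlabel_peer_t node_t:node recvfrom;`, name the generic netif_t and node_t types directly rather than the netif_type and node_type attributes that the corenet_unconfined_type rules earlier in the same file use. Keeping the grant that narrow is reasonable, but it means labeled peer traffic arriving on an interface or node assigned any other netif or node type is still denied; confirm that is the intended scope rather than an oversight. Either way a comment would spare the next reader the question, e.g. `# labeled peers are accepted only on the generic interface and node types`.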
@@ -117810,7 +117819,7 @@ index e1e814d..74f20a1 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1082,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -117836,7 +117845,7 @@ index e1e814d..74f20a1 100644 ## Get the attributes of all named sockets. ## ## -@@ -1073,10 +1221,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1220,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -117849,7 +117858,7 @@ index e1e814d..74f20a1 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1655,6 +1801,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1655,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -117874,7 +117883,7 @@ index e1e814d..74f20a1 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1673,6 +1837,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1673,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -117899,7 +117908,7 @@ index e1e814d..74f20a1 100644 ## List the contents of the root directory. ## ## -@@ -1856,6 +2038,42 @@ interface(`files_delete_root_dir_entry',` +@@ -1856,6 +2037,42 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -117942,7 +117951,7 @@ index e1e814d..74f20a1 100644 ## Unmount a rootfs filesystem. ## ## -@@ -1874,6 +2092,24 @@ interface(`files_unmount_rootfs',` +@@ -1874,6 +2091,24 @@ interface(`files_unmount_rootfs',` ######################################## ## 
@@ -117967,7 +117976,7 @@ index e1e814d..74f20a1 100644 ## Get attributes of the /boot directory. ## ## -@@ -2573,6 +2809,24 @@ interface(`files_rw_etc_dirs',` +@@ -2573,6 +2808,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -117992,7 +118001,7 @@ index e1e814d..74f20a1 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2644,6 +2898,7 @@ interface(`files_read_etc_files',` +@@ -2644,6 +2897,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -118000,7 +118009,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -2652,7 +2907,7 @@ interface(`files_read_etc_files',` +@@ -2652,7 +2906,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -118009,7 +118018,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -2708,6 +2963,25 @@ interface(`files_manage_etc_files',` +@@ -2708,6 +2962,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -118035,7 +118044,7 @@ index e1e814d..74f20a1 100644 ## Delete system configuration files in /etc. ## ## -@@ -2726,6 +3000,24 @@ interface(`files_delete_etc_files',` +@@ -2726,6 +2999,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -118060,7 +118069,7 @@ index e1e814d..74f20a1 100644 ## Execute generic files in /etc. ## ## -@@ -2891,24 +3183,6 @@ interface(`files_delete_boot_flag',` +@@ -2891,24 +3182,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -118085,7 +118094,7 @@ index e1e814d..74f20a1 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2949,9 +3223,7 @@ interface(`files_read_etc_runtime_files',` +@@ -2949,9 +3222,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## 
@@ -118096,7 +118105,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -2959,12 +3231,50 @@ interface(`files_read_etc_runtime_files',` +@@ -2959,12 +3230,50 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -118149,7 +118158,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -2986,6 +3296,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2986,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -118157,7 +118166,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -3007,6 +3318,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3007,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -118165,7 +118174,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -3135,6 +3447,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -118191,7 +118200,7 @@ index e1e814d..74f20a1 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3382,6 +3713,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -118217,7 +118226,7 @@ index e1e814d..74f20a1 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3723,20 +4073,38 @@ interface(`files_list_mnt',` +@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -118261,7 +118270,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -4126,6 +4494,127 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +4493,127 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118389,7 +118398,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Allow the specified type to associate -@@ -4148,6 +4637,26 @@ interface(`files_associate_tmp',` +@@ -4148,6 +4636,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118416,7 +118425,7 @@ index e1e814d..74f20a1 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4161,6 +4670,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4669,7 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118424,7 +118433,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir getattr; ') -@@ -4171,7 +4681,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4171,7 +4680,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -118433,7 +118442,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4198,6 +4708,7 @@ interface(`files_search_tmp',` +@@ -4198,6 +4707,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118441,7 +118450,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4234,6 +4745,7 @@ interface(`files_list_tmp',` +@@ -4234,6 +4744,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118449,7 +118458,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4243,7 +4755,7 @@ interface(`files_list_tmp',` +@@ -4243,7 +4754,7 @@ interface(`files_list_tmp',` ## ## ## @@ -118458,7 +118467,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4255,6 +4767,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4766,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') 
@@ -118484,7 +118493,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4270,6 +4801,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4270,6 +4800,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118492,7 +118501,7 @@ index e1e814d..74f20a1 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4311,6 +4843,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4311,6 +4842,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -118525,7 +118534,7 @@ index e1e814d..74f20a1 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4923,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,6 +4922,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -118568,7 +118577,7 @@ index e1e814d..74f20a1 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4383,6 +4977,42 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4383,6 +4976,42 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -118611,7 +118620,7 @@ index e1e814d..74f20a1 100644 ## List all tmp directories. ## ## -@@ -4428,7 +5058,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4428,7 +5057,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -118620,7 +118629,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4488,7 +5118,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4488,7 +5117,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -118629,7 +118638,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -4573,6 +5203,16 @@ interface(`files_purge_tmp',` +@@ -4573,6 +5202,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -118646,7 +118655,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5150,12 +5790,30 @@ interface(`files_list_var',` +@@ -5150,12 +5789,30 @@ interface(`files_list_var',` ######################################## ## @@ -118680,7 +118689,7 @@ index e1e814d..74f20a1 100644 ## ## # -@@ -5505,6 +6163,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5505,6 +6162,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118706,7 +118715,7 @@ index e1e814d..74f20a1 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,7 +6227,7 @@ interface(`files_manage_mounttab',` +@@ -5550,7 +6226,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118715,7 +118724,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -5558,12 +6235,13 @@ interface(`files_manage_mounttab',` +@@ -5558,12 +6234,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -118731,7 +118740,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5581,6 +6259,7 @@ interface(`files_search_locks',` +@@ -5581,6 +6258,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -118739,7 +118748,7 @@ index e1e814d..74f20a1 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5607,7 +6286,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5607,7 +6285,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118767,7 +118776,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -5615,13 +6313,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5615,13 +6312,12 @@ interface(`files_dontaudit_search_locks',` ## ## # 
@@ -118784,7 +118793,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5640,7 +6337,7 @@ interface(`files_rw_lock_dirs',` +@@ -5640,7 +6336,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -118793,7 +118802,7 @@ index e1e814d..74f20a1 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5673,7 +6370,6 @@ interface(`files_create_lock_dirs',` +@@ -5673,7 +6369,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -118801,7 +118810,7 @@ index e1e814d..74f20a1 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5701,8 +6397,7 @@ interface(`files_getattr_generic_locks',` +@@ -5701,8 +6396,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -118811,7 +118820,7 @@ index e1e814d..74f20a1 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5718,13 +6413,12 @@ interface(`files_getattr_generic_locks',` +@@ -5718,13 +6412,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -118829,7 +118838,7 @@ index e1e814d..74f20a1 100644 ') ######################################## -@@ -5743,8 +6437,7 @@ interface(`files_manage_generic_locks',` +@@ -5743,8 +6436,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -118839,7 +118848,7 @@ index e1e814d..74f20a1 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5786,8 +6479,7 @@ interface(`files_read_all_locks',` +@@ -5786,8 +6478,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -118849,7 +118858,7 @@ index e1e814d..74f20a1 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6501,7 @@ interface(`files_manage_all_locks',` +@@ -5809,8 +6500,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -118859,7 +118868,7 @@ index e1e814d..74f20a1 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5847,8 +6538,7 @@ interface(`files_lock_filetrans',` +@@ -5847,8 +6537,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -118869,7 +118878,7 @@ index e1e814d..74f20a1 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5911,6 +6601,43 @@ interface(`files_search_pids',` +@@ -5911,6 +6600,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -118913,7 +118922,7 @@ index e1e814d..74f20a1 100644 ######################################## ## ## Do not audit attempts to search -@@ -5933,6 +6660,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5933,6 +6659,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -118939,7 +118948,7 @@ index e1e814d..74f20a1 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6048,7 +6794,6 @@ interface(`files_pid_filetrans',` +@@ -6048,7 +6793,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -118947,7 +118956,7 @@ index e1e814d..74f20a1 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6157,30 +6902,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6157,30 +6901,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -118982,7 +118991,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6188,43 +6928,35 @@ interface(`files_read_all_pids',` +@@ -6188,43 +6927,35 @@ interface(`files_read_all_pids',` ## ## # @@ -119033,7 +119042,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6232,21 +6964,17 @@ interface(`files_delete_all_pids',` +@@ -6232,21 +6963,17 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -119058,7 +119067,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6254,56 +6982,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -6254,56 +6981,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -119134,7 +119143,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6311,18 +7042,17 @@ interface(`files_list_spool',` +@@ -6311,18 +7041,17 @@ interface(`files_list_spool',` ## ## # @@ -119157,7 +119166,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6330,19 +7060,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6330,19 +7059,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -119182,7 +119191,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6350,55 +7079,62 @@ interface(`files_read_generic_spool',` +@@ -6350,55 +7078,62 @@ interface(`files_read_generic_spool',` ## ## # @@ -119269,7 +119278,7 @@ index e1e814d..74f20a1 100644 ## ## ## -@@ -6406,25 +7142,283 @@ interface(`files_spool_filetrans',` +@@ -6406,25 +7141,283 @@ interface(`files_spool_filetrans',` ## ## # @@ -119568,7 +119577,7 @@ index e1e814d..74f20a1 100644 # is remounted for polyinstantiation aware programs (like gdm) allow $1 polyparent:dir { getattr mounton }; -@@ -6467,3 +7461,457 @@ interface(`files_unconfined',` +@@ -6467,3 +7460,457 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -120027,7 +120036,7 @@ index e1e814d..74f20a1 100644 +') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 52ef84e..932cc01 100644 +index 52ef84e..45cb0bc 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.0) 
@@ -120090,17 +120099,15 @@ index 52ef84e..932cc01 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -79,8 +95,7 @@ typealias etc_runtime_t alias firstboot_rw_t; - # assigned an extended attribute (EA) value (when using a filesystem - # that supports EAs). +@@ -81,6 +97,7 @@ typealias etc_runtime_t alias firstboot_rw_t; # --type file_t; --files_mountpoint(file_t) -+type file_t, security_file_type, mountpoint; + type file_t; + files_mountpoint(file_t) ++files_base_file(file_t) kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +104,7 @@ sid file gen_context(system_u:object_r:file_t,s0) +@@ -89,6 +106,7 @@ sid file gen_context(system_u:object_r:file_t,s0) # are created # type home_root_t; @@ -120108,7 +120115,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +112,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +114,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -120123,7 +120130,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(mnt_t) # -@@ -123,6 +140,7 @@ files_type(readable_t) +@@ -123,6 +142,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -120131,7 +120138,7 @@ index 52ef84e..932cc01 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,52 +151,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +153,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -120195,7 +120202,7 @@ index 52ef84e..932cc01 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -186,7 +215,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +217,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; 
@@ -120205,7 +120212,7 @@ index 52ef84e..932cc01 100644 ######################################## # -@@ -225,10 +256,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +258,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -130834,10 +130841,10 @@ index 1b6619e..219acba 100644 + allow $1 application_domain_type:socket_class_set getattr; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te -index c6fdab7..0118d30 100644 +index c6fdab7..c59902a 100644 --- a/policy/modules/system/application.te +++ b/policy/modules/system/application.te -@@ -6,6 +6,28 @@ attribute application_domain_type; +@@ -6,6 +6,30 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -130846,6 +130853,8 @@ index c6fdab7..0118d30 100644 +userdom_inherit_append_user_home_content_files(application_domain_type) +userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_tmp_files(application_domain_type) ++userdom_rw_inherited_user_pipes(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) + +files_dontaudit_search_non_security_dirs(application_domain_type) @@ -142193,10 +142202,10 @@ index 0000000..5d53f08 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..538bb15 +index 0000000..5b669b8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,449 @@ +@@ -0,0 +1,450 @@ +policy_module(systemd, 1.0.0) + +####################################### 
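Review bot: The file_t declaration in the `@@ -120090,17 +120099,15 @@` hunk (which starts on the previous line) goes back to `type file_t;` plus `files_mountpoint(file_t)` and adds `files_base_file(file_t)`, dropping the explicit `security_file_type` marking the nested patch carried before. If files_mountpoint still calls files_type() as it does upstream, file_t rejoins non_security_file_type, so every domain granted one of the files_*_non_security_* interfaces regains access to unlabeled content, a widening the commit subject does not mention. The definition of files_base_file is not visible from here, so it is worth confirming whether it restores the security_file_type membership or not. A comment on the declaration stating which of the two file_t is meant to be, e.g. `# unlabeled files: deliberately a base (non-security) file type`, would make the intent auditable.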
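Review bot: The two new calls in the `@@ -130834,10 +130841,10 @@` hunk, `userdom_rw_inherited_user_tmp_files(application_domain_type)` and `userdom_rw_inherited_user_pipes(application_domain_type)`, apply to every application domain unconditionally and sit outside any boolean or optional_policy block. The pipes interface, defined in the userdomain.if hunk on line 17, allows `userdomain:fifo_file rw_inherited_fifo_file_perms`; assuming that permission set omits open as its name suggests, it only reaches descriptors already handed to the application, so the exposure is bounded by what the calling user domain passes in. That reasoning is what a reader of application.te needs and it is not stated in the hunk; consider `# inherited descriptors only (no open): pipes and tmp files passed in by the user domain`.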
@@ -142525,6 +142534,7 @@ index 0000000..538bb15 +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) +miscfiles_relabel_man_pages(systemd_tmpfiles_t) ++miscfiles_delete_man_pages(systemd_tmpfiles_t) + +seutil_read_config(systemd_tmpfiles_t) +seutil_read_file_contexts(systemd_tmpfiles_t) @@ -143995,7 +144005,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..89e714c 100644 +index e720dcd..69b008a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -146510,7 +146520,7 @@ index e720dcd..89e714c 100644 ## ## ## -@@ -3142,54 +3888,54 @@ interface(`userdom_write_user_tmp_files',` +@@ -3142,36 +3888,37 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
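Review bot: The only substantive line in the `@@ -142525,6 +142534,7 @@` hunk is `miscfiles_delete_man_pages(systemd_tmpfiles_t)`, while the commit subject describes the systemd_tmpfiles change as setattr on mandb_cache_t. The definition of miscfiles_delete_man_pages is not visible here, so it may well cover mandb_cache_t, but the mismatch between the subject and the rule name makes the grant hard to trace later. A comment naming the cleanup case this serves, such as `# man-db cache cleanup run by tmpfiles`, would tie the rule to its use.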
@@ -146553,44 +146563,66 @@ index e720dcd..89e714c 100644 ######################################## ## -## Get the attributes of all user domains. -+## Do not audit attempts to use user ttys. ++## Allow domain to read/write inherited users ++## fifo files. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -3179,40 +3926,96 @@ interface(`userdom_read_all_users_state',` ## ## # -interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_rw_inherited_user_pipes',` gen_require(` -- attribute userdomain; -+ type user_tty_device_t; + attribute userdomain; ') - allow $1 userdomain:process getattr; -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ') ######################################## ## -## Inherit the file descriptors from all user domains -+## Read the process state of all user domains. ++## Do not audit attempts to use user ttys. ## ## ## -@@ -3197,12 +3943,50 @@ interface(`userdom_getattr_all_users',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`userdom_use_all_users_fds',` -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_use_user_ttys',` gen_require(` - attribute userdomain; +- attribute userdomain; ++ type user_tty_device_t; ') - allow $1 userdomain:fd use; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +-## descriptors from any user domains. ++## Read the process state of all user domains. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_all_users_state',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ + read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) 
@@ -146630,10 +146662,20 @@ index e720dcd..89e714c 100644 + ') + + allow $1 userdomain:fd use; - ') - - ######################################## -@@ -3242,6 +4026,42 @@ interface(`userdom_signal_all_users',` ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file ++## descriptors from any user domains. ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -3242,6 +4045,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -146676,7 +146718,7 @@ index e720dcd..89e714c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4082,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4101,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -146701,7 +146743,7 @@ index e720dcd..89e714c 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4134,1361 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4153,1361 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 6c2d5c9..20d2ada 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -908,7 +908,7 @@ index c0f858d..4a3dab6 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 1632f10..5fe3889 100644 +index 1632f10..074ebc9 100644 --- a/accountsd.te +++ b/accountsd.te @@ -1,5 +1,9 @@ @@ -921,7 +921,7 @@ index 1632f10..5fe3889 100644 ######################################## # # Declarations -@@ -7,37 +11,46 @@ policy_module(accountsd, 1.0.0) +@@ -7,37 +11,48 @@ policy_module(accountsd, 1.0.0) type accountsd_t; type accountsd_exec_t; 
@@ -966,13 +966,14 @@ index 1632f10..5fe3889 100644 auth_use_nsswitch(accountsd_t) auth_read_shadow(accountsd_t) -- --miscfiles_read_localization(accountsd_t) +auth_read_login_records(accountsd_t) +-miscfiles_read_localization(accountsd_t) ++init_dbus_chat(accountsd_t) + logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -50,8 +63,20 @@ usermanage_domtrans_passwd(accountsd_t) +@@ -50,8 +65,20 @@ usermanage_domtrans_passwd(accountsd_t) optional_policy(` consolekit_read_log(accountsd_t) @@ -3102,7 +3103,7 @@ index 6480167..f319eaf 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..ba4ab9e 100644 +index 0833afb..2032414 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) @@ -3453,7 +3454,15 @@ index 0833afb..ba4ab9e 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -336,8 +514,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -305,6 +483,7 @@ allow httpd_t httpd_lock_t:file manage_file_perms; + files_lock_filetrans(httpd_t, httpd_lock_t, file) + + allow httpd_t httpd_log_t:dir setattr; ++create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) + create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +@@ -336,8 +515,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) 
@@ -3465,7 +3474,7 @@ index 0833afb..ba4ab9e 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -346,8 +526,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -346,8 +527,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -3476,7 +3485,7 @@ index 0833afb..ba4ab9e 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -362,8 +543,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -362,8 +544,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3487,7 +3496,7 @@ index 0833afb..ba4ab9e 100644 corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) corenet_udp_sendrecv_generic_if(httpd_t) -@@ -372,11 +554,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -372,11 +555,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -3508,7 +3517,7 @@ index 0833afb..ba4ab9e 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -385,9 +575,14 @@ dev_rw_crypto(httpd_t) +@@ -385,9 +576,14 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -3523,7 +3532,7 @@ index 0833afb..ba4ab9e 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -396,61 +591,112 @@ domain_use_interactive_fds(httpd_t) +@@ -396,61 +592,112 @@ domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) 
@@ -3644,7 +3653,7 @@ index 0833afb..ba4ab9e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +707,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +708,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -3708,7 +3717,7 @@ index 0833afb..ba4ab9e 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +771,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +772,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3731,7 +3740,7 @@ index 0833afb..ba4ab9e 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +806,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +807,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3752,7 +3761,7 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -525,6 +830,9 @@ optional_policy(` +@@ -525,6 +831,9 @@ optional_policy(` ') optional_policy(` @@ -3762,7 +3771,7 @@ index 0833afb..ba4ab9e 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +848,24 @@ optional_policy(` +@@ -540,6 +849,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3787,7 +3796,7 @@ index 0833afb..ba4ab9e 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +875,24 @@ optional_policy(` +@@ -549,13 +876,24 @@ optional_policy(` ') optional_policy(` @@ -3813,7 +3822,7 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -573,7 +910,21 @@ optional_policy(` +@@ -573,7 +911,21 @@ optional_policy(` ') optional_policy(` 
@@ -3835,7 +3844,7 @@ index 0833afb..ba4ab9e 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -584,6 +935,7 @@ optional_policy(` +@@ -584,6 +936,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3843,12 +3852,13 @@ index 0833afb..ba4ab9e 100644 ') optional_policy(` -@@ -594,6 +946,41 @@ optional_policy(` +@@ -594,6 +947,42 @@ optional_policy(` ') optional_policy(` + openshift_search_lib(httpd_t) + openshift_initrc_signull(httpd_t) ++ openshift_initrc_signal(httpd_t) +') + +optional_policy(` @@ -3885,7 +3895,7 @@ index 0833afb..ba4ab9e 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -608,6 +995,11 @@ optional_policy(` +@@ -608,6 +997,11 @@ optional_policy(` ') optional_policy(` @@ -3897,7 +3907,7 @@ index 0833afb..ba4ab9e 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -620,6 +1012,12 @@ optional_policy(` +@@ -620,6 +1014,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3910,7 +3920,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1031,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1033,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3954,7 +3964,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # -@@ -671,28 +1104,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1106,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3998,7 +4008,7 @@ index 0833afb..ba4ab9e 100644 ') ######################################## -@@ -702,6 +1137,7 @@ optional_policy(` +@@ -702,6 +1139,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
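Review bot: `openshift_initrc_signal(httpd_t)` hands a network-facing daemon the generic `signal` permission on openshift_initrc_t, which covers every signal other than the ones split out as sigkill, sigstop, sigchld and signull, and the hunk gives no hint which signal apache actually sends; the commit message itself only says it "looks like" apache sends one. A one-line comment recording the observed denial would let a later reviewer judge whether a narrower permission suffices, e.g. `# httpd signals openshift init scripts (observed process:signal denial)`. The rule is correctly placed inside the openshift `optional_policy` block alongside the existing `signull` grant.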
@@ -4006,7 +4016,7 @@ index 0833afb..ba4ab9e 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1152,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1154,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4035,7 +4045,7 @@ index 0833afb..ba4ab9e 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1182,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1184,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4053,7 +4063,7 @@ index 0833afb..ba4ab9e 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1200,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1202,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4086,7 +4096,7 @@ index 0833afb..ba4ab9e 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1247,25 @@ optional_policy(` +@@ -786,6 +1249,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4112,7 +4122,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1286,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1288,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -4130,7 +4140,7 @@ index 0833afb..ba4ab9e 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1305,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1307,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -4189,7 +4199,7 @@ index 0833afb..ba4ab9e 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1356,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1358,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4230,7 +4240,7 @@ index 0833afb..ba4ab9e 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -859,10 +1401,20 @@ optional_policy(` +@@ -859,10 +1403,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -4251,7 +4261,7 @@ index 0833afb..ba4ab9e 100644 ') ######################################## -@@ -878,11 +1430,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1432,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4263,7 +4273,7 @@ index 0833afb..ba4ab9e 100644 ######################################## # -@@ -908,11 +1458,138 @@ optional_policy(` +@@ -908,11 +1460,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -11588,10 +11598,10 @@ index 0000000..8424fdb +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..328eafe +index 0000000..c2bc300 --- /dev/null 
+++ b/condor.te -@@ -0,0 +1,225 @@ +@@ -0,0 +1,240 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -11618,6 +11628,9 @@ index 0000000..328eafe +condor_domain_template(startd) +condor_domain_template(procd) + ++type condor_master_tmp_t; ++files_tmp_file(condor_master_tmp_t) ++ +type condor_schedd_tmp_t; +files_tmp_file(condor_schedd_tmp_t) + @@ -11710,7 +11723,11 @@ index 0000000..328eafe + +allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; + -+allow condor_master_t condor_domain:process signal; ++allow condor_master_t condor_domain:process { sigkill signal }; ++ ++manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) ++manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) ++files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) + +corenet_tcp_bind_condor_port(condor_master_t) +corenet_udp_bind_condor_port(condor_master_t) @@ -11718,6 +11735,11 @@ index 0000000..328eafe + +domain_read_all_domains_state(condor_master_t) + ++optional_policy(` ++ mta_send_mail(condor_master_t) ++ mta_read_config(condor_master_t) ++') ++ +###################################### +# +# condor collector local policy @@ -11747,6 +11769,9 @@ index 0000000..328eafe + +allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace }; + ++allow condor_procd_t self:capability kill; ++allow condor_procd_t condor_startd_t:process sigkill; ++ +domain_read_all_domains_state(condor_procd_t) + +####################################### @@ -19992,10 +20017,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..be45ad6 +index 0000000..2b91a78 --- /dev/null +++ b/dspam.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,92 @@ + +policy_module(dspam, 1.0.0) + 
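Review bot: `allow condor_procd_t self:capability kill;` is added as a separate rule two lines below the existing `allow condor_procd_t self:capability { fowner chown dac_override sys_ptrace };`, a split that tends to end with one of the two being edited without the other; fold `kill` into the existing set. The new `sigkill` grants, condor_master_t over the whole `condor_domain` attribute and condor_procd_t over condor_startd_t, carry no comment saying which daemon operation needs them, so a short note above each (for example `# master/procd may forcibly terminate condor daemons`, adjusted to whatever was actually observed) would help the next maintainer. The condor_master_tmp_t declaration and its `files_tmp_filetrans` follow the schedd tmp pattern already in the file.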
@@ -20050,11 +20075,13 @@ index 0000000..be45ad6 +manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t) +files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file }) + -+# need to add the port tcp/10026 to corenetwork.te.in -+#allow dspam_t port_t:tcp_socket name_connect; ++corenet_tcp_connect_spamd_port(dspam_t) ++corenet_tcp_bind_spamd_port(dspam_t) + +auth_use_nsswitch(dspam_t) + ++files_search_spool(dspam_t) ++ +# for RHEL5 +libs_use_ld_so(dspam_t) +libs_use_shared_libs(dspam_t) @@ -22208,7 +22235,7 @@ index 13e72a7..a4dc0b9 100644 /var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/git.if b/git.if -index b0242d9..a9e6842 100644 +index b0242d9..407e79d 100644 --- a/git.if +++ b/git.if @@ -15,9 +15,9 @@ @@ -22223,7 +22250,7 @@ index b0242d9..a9e6842 100644 ') ######################################## -@@ -32,19 +32,494 @@ template(`git_role',` +@@ -32,19 +32,495 @@ template(`git_role',` # Policy # @@ -22610,6 +22637,7 @@ index b0242d9..a9e6842 100644 + + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) + read_files_pattern($1, git_sys_content_t, git_sys_content_t) ++ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` @@ -29244,7 +29272,7 @@ index 604f67b..138e1e2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/kerberos.te b/kerberos.te -index 6a95faf..69502c9 100644 +index 6a95faf..6127834 100644 --- a/kerberos.te +++ b/kerberos.te @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) @@ -29354,7 +29382,7 @@ index 6a95faf..69502c9 100644 seutil_read_file_contexts(kadmind_t) sysnet_read_config(kadmind_t) -@@ -164,6 +173,10 @@ optional_policy(` +@@ -164,10 +173,18 @@ optional_policy(` ') optional_policy(` 
@@ -29365,7 +29393,15 @@ index 6a95faf..69502c9 100644 nis_use_ypbind(kadmind_t) ') -@@ -182,6 +195,7 @@ optional_policy(` + optional_policy(` ++ sssd_read_public_files(kadmind_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(kadmind_t) + ') + +@@ -182,6 +199,7 @@ optional_policy(` # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; @@ -29373,7 +29409,7 @@ index 6a95faf..69502c9 100644 dontaudit krb5kdc_t self:capability sys_tty_config; allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; -@@ -197,13 +211,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) +@@ -197,13 +215,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; @@ -29389,7 +29425,7 @@ index 6a95faf..69502c9 100644 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -221,7 +234,6 @@ kernel_search_network_sysctl(krb5kdc_t) +@@ -221,7 +238,6 @@ kernel_search_network_sysctl(krb5kdc_t) corecmd_exec_bin(krb5kdc_t) @@ -29397,7 +29433,7 @@ index 6a95faf..69502c9 100644 corenet_all_recvfrom_netlabel(krb5kdc_t) corenet_tcp_sendrecv_generic_if(krb5kdc_t) corenet_udp_sendrecv_generic_if(krb5kdc_t) -@@ -242,6 +254,7 @@ dev_read_urand(krb5kdc_t) +@@ -242,6 +258,7 @@ dev_read_urand(krb5kdc_t) fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) @@ -29405,7 +29441,7 @@ index 6a95faf..69502c9 100644 domain_use_interactive_fds(krb5kdc_t) -@@ -253,7 +266,7 @@ selinux_validate_context(krb5kdc_t) +@@ -253,7 +270,7 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) 
@@ -29414,7 +29450,7 @@ index 6a95faf..69502c9 100644 seutil_read_file_contexts(krb5kdc_t) -@@ -268,6 +281,10 @@ optional_policy(` +@@ -268,6 +285,10 @@ optional_policy(` ') optional_policy(` @@ -29425,7 +29461,18 @@ index 6a95faf..69502c9 100644 nis_use_ypbind(krb5kdc_t) ') -@@ -308,7 +325,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -276,6 +297,10 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_read_public_files(krb5kdc_t) ++') ++ ++optional_policy(` + udev_read_db(krb5kdc_t) + ') + +@@ -308,7 +333,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -29433,7 +29480,7 @@ index 6a95faf..69502c9 100644 corenet_tcp_sendrecv_generic_if(kpropd_t) corenet_tcp_sendrecv_generic_node(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) -@@ -324,8 +340,6 @@ selinux_validate_context(kpropd_t) +@@ -324,8 +348,6 @@ selinux_validate_context(kpropd_t) logging_send_syslog_msg(kpropd_t) @@ -33201,7 +33248,7 @@ index ee72cbe..bdf319a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 26101cb..efd51a0 100644 +index 26101cb..64c2969 100644 --- a/milter.te +++ b/milter.te @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) @@ -33218,7 +33265,7 @@ index 26101cb..efd51a0 100644 # currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) -@@ -20,6 +27,24 @@ milter_template(spamass) +@@ -20,6 +27,26 @@ milter_template(spamass) type spamass_milter_state_t; files_type(spamass_milter_state_t) @@ -33234,6 +33281,8 @@ index 26101cb..efd51a0 100644 + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + ++kernel_read_kernel_sysctls(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) 
@@ -33243,7 +33292,7 @@ index 26101cb..efd51a0 100644 ######################################## # # milter-greylist local policy -@@ -33,11 +58,25 @@ files_type(spamass_milter_state_t) +@@ -33,11 +60,25 @@ files_type(spamass_milter_state_t) allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; @@ -33269,7 +33318,7 @@ index 26101cb..efd51a0 100644 # Allow the milter to read a GeoIP database in /usr/share files_read_usr_files(greylist_milter_t) # The milter runs from /var/lib/milter-greylist and maintains files there -@@ -49,6 +88,14 @@ auth_use_nsswitch(greylist_milter_t) +@@ -49,6 +90,14 @@ auth_use_nsswitch(greylist_milter_t) # Config is in /etc/mail/greylist.conf mta_read_config(greylist_milter_t) @@ -33284,7 +33333,7 @@ index 26101cb..efd51a0 100644 ######################################## # # milter-regex local policy -@@ -88,6 +135,8 @@ corecmd_exec_shell(spamass_milter_t) +@@ -88,6 +137,8 @@ corecmd_exec_shell(spamass_milter_t) corecmd_read_bin_symlinks(spamass_milter_t) corecmd_search_bin(spamass_milter_t) @@ -34406,7 +34455,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..0efc1df 100644 +index d4fcb75..bb729e7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -34763,7 +34812,7 @@ index d4fcb75..0efc1df 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_unreserved_ports(mozilla_plugin_t) ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) ') optional_policy(` @@ -36564,10 +36613,21 @@ index 84a7d66..c58f1e7 100644 + clamav_stream_connect(mta_user_agent) +') diff --git a/munin.fc b/munin.fc -index fd71d69..5987e1c 100644 +index fd71d69..5b771ef 100644 --- a/munin.fc 
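Review bot: Switching the `mozilla_plugin_can_network_connect` body to `corenet_tcp_connect_all_ports(mozilla_plugin_t)` also opens reserved ports below 1024 and every named port type to plugin code, which is a larger grant than the boolean's name implies, so the tunable's description block, which is outside this hunk, should say "all TCP ports" rather than leave the reader assuming unreserved ports. A one-line comment above the call would make the intent explicit, e.g. `# tunable deliberately allows every port, including reserved and named ones`. Whether the description currently mentions unreserved ports cannot be seen from here, so please check it.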
+++ b/munin.fc -@@ -41,6 +41,9 @@ +@@ -4,7 +4,9 @@ + /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +-/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) ++ ++# label all plugins as unconfined_munin_plugin_exec_t ++/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) + + # disk plugins + /usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +@@ -41,6 +43,9 @@ /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) @@ -36577,7 +36637,7 @@ index fd71d69..5987e1c 100644 # system plugins /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -51,6 +54,7 @@ +@@ -51,6 +56,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
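Review bot: The new catch-all `/usr/share/munin/plugins/.*` entry labels every plugin not matched by a more specific pattern as `unconfined_munin_plugin_exec_t`, so any plugin added later runs unconfined by default unless someone also adds a confined entry; the comment above it should say that this is a fallback and that new plugins are expected to get a `disk_`/`services_`/`system_` entry. Something like `# fallback: plugins without a specific entry below run unconfined; add a confined entry when adding a plugin` makes the intent explicit. The entry also relies on the more specific patterns below taking precedence over it, which I believe file_contexts matching guarantees, but it is worth stating in the comment.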
@@ -36585,7 +36645,7 @@ index fd71d69..5987e1c 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -58,11 +62,13 @@ +@@ -58,11 +64,13 @@ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -42063,10 +42123,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..bf37353 +index 0000000..6e20e72 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,608 @@ +@@ -0,0 +1,644 @@ + +## policy for openshift + @@ -42107,6 +42167,42 @@ index 0000000..bf37353 + allow $1 openshift_initrc_t:process signull; +') + ++####################################### ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signal',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ ++######################################## ++## ++## Send a signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signl',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signal; ++') ++ +######################################## +## +## Search openshift cache directories. @@ -43969,10 +44065,10 @@ index b246bdd..3cbcc49 100644 sysnet_dns_name_resolve(pads_t) diff --git a/passenger.fc b/passenger.fc -index 545518d..16638ac 100644 +index 545518d..677ac68 100644 
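Review bot: `openshift_initrc_signl` in the new openshift.if block is a byte-for-byte duplicate of `openshift_initrc_signal` under a misspelled name, so it is dead code that a caller could accidentally come to depend on; drop the second interface and keep only `openshift_initrc_signal`. Its banner is also one `#` shorter than the surrounding `########################################` lines, which suggests a pasted draft rather than a deliberate alias. If it must stay for compatibility, mark it in the header comment, e.g. `## Deprecated, use openshift_initrc_signal().`.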
--- a/passenger.fc +++ b/passenger.fc -@@ -1,7 +1,7 @@ +@@ -1,11 +1,10 @@ -/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) @@ -43984,6 +44080,11 @@ index 545518d..16638ac 100644 /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) +-/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) +-/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0) ++/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) + + /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if index f68b573..8fb9cd3 100644 --- a/passenger.if @@ -48196,7 +48297,7 @@ index 46bee12..8ef270f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..22a3efd 100644 +index a1e0f60..85b12af 100644 --- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) @@ -48204,9 +48305,9 @@ index a1e0f60..22a3efd 100644 # +## -+##

-+## Allow postfix_local domain full write access to mail_spool directories -+##

++##

++## Allow postfix_local domain full write access to mail_spool directories ++##

+##
+gen_tunable(postfix_local_write_mail_spool, true) + @@ -48357,6 +48458,15 @@ index a1e0f60..22a3efd 100644 mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +@@ -195,7 +216,7 @@ optional_policy(` + ') + + optional_policy(` +-# for postalias ++# for postalias + mailman_manage_data_files(postfix_master_t) + ') + @@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; @@ -48621,7 +48731,7 @@ index a1e0f60..22a3efd 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -48629,15 +48739,16 @@ index a1e0f60..22a3efd 100644 + +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) ++corenet_tcp_bind_spamd_port(postfix_master_t) + files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +660,14 @@ optional_policy(` +@@ -565,6 +661,14 @@ optional_policy(` ') optional_policy(` -+ dovecot_stream_connect(postfix_smtp_t) ++ dovecot_stream_connect(postfix_smtp_t) +') + +optional_policy(` @@ -48648,7 +48759,7 @@ index a1e0f60..22a3efd 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -48675,7 +48786,7 @@ index a1e0f60..22a3efd 100644 ') optional_policy(` -@@ -599,6 +710,11 @@ optional_policy(` +@@ -599,6 +711,11 @@ optional_policy(` ') optional_policy(` 
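Review bot: `corenet_tcp_bind_spamd_port(postfix_master_t)` is added unconditionally and sits inside the postfix_smtp_t section (between `allow postfix_smtp_t postfix_spool_t:file rw_file_perms;` and `files_search_all_mountpoints(postfix_smtp_t)`) even though it targets postfix_master_t; move it next to the other postfix_master_t network rules, and since the commit message ties this listener to DSPAM deployments, consider gating the bind behind a tunable rather than granting it to every install. At minimum the existing `# for spampd` comment no longer describes the new line; something like `# bind spamd_port_t (tcp/10026) so DSPAM can hand mail back to postfix` would.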
@@ -48687,7 +48798,7 @@ index a1e0f60..22a3efd 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +727,6 @@ optional_policy(` +@@ -611,7 +728,6 @@ optional_policy(` # Postfix virtual local policy # @@ -48695,7 +48806,7 @@ index a1e0f60..22a3efd 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) @@ -48703,7 +48814,7 @@ index a1e0f60..22a3efd 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -49095,7 +49206,7 @@ index de4bdb7..a4cad0b 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..c4607d4 100644 +index bcbf9ac..5a550bb 100644 --- a/ppp.te +++ b/ppp.te @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) @@ -49141,7 +49252,7 @@ index bcbf9ac..c4607d4 100644 # -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override }; -+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; ++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched signal }; +allow pppd_t self:process { getsched setsched signal }; @@ -61642,7 +61753,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) 
diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..3ec58d6 100644 +index 086cd5f..08ef0c7 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -61767,13 +61878,15 @@ index 086cd5f..3ec58d6 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,10 +176,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t) + corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) - ++corecmd_getattr_all_executables(setroubleshoot_fixit_t) ++ +dev_read_sysfs(setroubleshoot_fixit_t) +dev_read_urand(setroubleshoot_fixit_t) -+ + seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) +seutil_read_module_store(setroubleshoot_fixit_t) @@ -61783,7 +61896,7 @@ index 086cd5f..3ec58d6 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -162,7 +191,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -162,7 +192,16 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -68163,7 +68276,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..8843888 100644 +index db9d2a5..6c25856 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -68179,7 +68292,7 @@ index db9d2a5..8843888 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -22,42 +28,73 @@ files_pid_file(tuned_var_run_t) +@@ -22,43 +28,80 @@ files_pid_file(tuned_var_run_t) # # tuned local policy # 
@@ -68191,8 +68304,10 @@ index db9d2a5..8843888 100644 +allow tuned_t self:udp_socket create_socket_perms; + +read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) ++exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) + +manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) ++files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -68232,10 +68347,10 @@ index db9d2a5..8843888 100644 -logging_send_syslog_msg(tuned_t) +fs_getattr_all_fs(tuned_t) ++ ++auth_use_nsswitch(tuned_t) -miscfiles_read_localization(tuned_t) -+auth_use_nsswitch(tuned_t) -+ +logging_send_syslog_msg(tuned_t) userdom_dontaudit_search_user_home_dirs(tuned_t) @@ -68261,6 +68376,11 @@ index db9d2a5..8843888 100644 # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) + ') ++ ++optional_policy(` ++ unconfined_dbus_send(tuned_t) ++') diff --git a/tvtime.te b/tvtime.te index 531b1f1..7455f78 100644 --- a/tvtime.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 3dcfb3c..09d7359 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 59%{?dist} +Release: 60%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
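Review bot: `exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)` runs the profile scripts in tuned_t itself with no domain transition, so every script under /etc/tuned inherits the daemon's full policy; a comment should say this is deliberate and that exec is kept to tuned_etc_t while the daemon's own writable files are tuned_rw_etc_t (see `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` two lines below), so tuned cannot execute anything it writes itself. Suggested comment above the new line: `# profile scripts run in tuned_t; exec stays on tuned_etc_t only, tuned writes tuned_rw_etc_t`. The `files_etc_filetrans(..., "active_profile")` addition is consistent with that split.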
@@ -524,6 +524,35 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Dec 5 2012 Miroslav Grepl 3.11.1-60 +- Add openshift_initrc_signal() interface +- Fix typos +- dspam port is treat as spamd_port_t +- Allow setroubleshoot to getattr on all executables +- Allow tuned to execute profiles scripts in /etc/tuned +- Allow apache to create directories to store its log files +- Allow all directories/files in /var/log starting with passenger to be labeled passenger_log_t +- Looks like apache is sending sinal to openshift_initrc_t now,needs back port to RHEL6 +- Allow Postfix to be configured to listen on TCP port 10026 for email from DSPAM +- Add filename transition for /etc/tuned/active_profile +- Allow condor_master to send mails +- Allow condor_master to read submit.cf +- Allow condor_master to create /tmp files/dirs +- Allow condor_mater to send sigkill to other condor domains +- Allow condor_procd sigkill capability +- tuned-adm wants to talk with tuned daemon +- Allow kadmind and krb5kdc to also list sssd_public_t +- Allow accountsd to dbus chat with init +- Fix git_read_generic_system_content_files() interface +- pppd wants sys_nice by nmcli because of "syscall=sched_setscheduler" +- Fix mozilla_plugin_can_network_connect to allow to connect to all ports +- Label all munin plugins which are not covered by munin plugins policy as unconfined_munin_plugin_exec_t +- dspam wants to search /var/spool for opendkim data +- Revert "Add support for tcp/10026 port as dspam_port_t" +- Turning on labeled networking requires additional access for netlabel_peer_t; these allow rules need to be back ported to RHEL6 +- Allow all application domains to use fifo_files passed in from userdomains, also allow them to write to tmp_files inherited from userdomain +- Allow systemd_tmpfiles_t to setattr on mandb_cache_t + * Sat Dec 1 2012 Miroslav Grepl 3.11.1-59 - consolekit.pp was not removed from the postinstall script