diff --git a/container-selinux.tgz b/container-selinux.tgz index 5589848..edc59bc 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f27-base.patch b/policy-f27-base.patch index 5a6303e..9323512 100644 --- a/policy-f27-base.patch +++ b/policy-f27-base.patch @@ -32011,7 +32011,7 @@ index 6bf0ecc2d..75b2f31f9 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..af9ee8070 100644 +index 8b403774f..764afabed 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32370,7 +32370,7 @@ index 8b403774f..af9ee8070 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,107 @@ optional_policy(` +@@ -300,64 +420,108 @@ optional_policy(` # XDM Local policy # @@ -32469,6 +32469,7 @@ index 8b403774f..af9ee8070 100644 -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) ++allow xdm_t xdm_var_run_t:file map; -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; @@ -32491,7 +32492,7 @@ index 8b403774f..af9ee8070 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +529,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +530,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -32525,7 +32526,7 @@ index 8b403774f..af9ee8070 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +563,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +564,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -32581,7 +32582,7 @@ index 8b403774f..af9ee8070 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +618,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +619,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -32612,7 +32613,7 @@ index 8b403774f..af9ee8070 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +650,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +651,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -32668,7 +32669,7 @@ index 8b403774f..af9ee8070 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +702,167 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +703,167 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32842,7 +32843,7 @@ index 8b403774f..af9ee8070 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +875,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +876,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') 
@@ -32874,7 +32875,7 @@ index 8b403774f..af9ee8070 100644 ') optional_policy(` -@@ -518,8 +910,36 @@ optional_policy(` +@@ -518,8 +911,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32912,7 +32913,7 @@ index 8b403774f..af9ee8070 100644 ') ') -@@ -530,6 +950,20 @@ optional_policy(` +@@ -530,6 +951,20 @@ optional_policy(` ') optional_policy(` @@ -32933,7 +32934,7 @@ index 8b403774f..af9ee8070 100644 hostname_exec(xdm_t) ') -@@ -547,28 +981,78 @@ optional_policy(` +@@ -547,28 +982,78 @@ optional_policy(` ') optional_policy(` @@ -33021,7 +33022,7 @@ index 8b403774f..af9ee8070 100644 ') optional_policy(` -@@ -580,6 +1064,14 @@ optional_policy(` +@@ -580,6 +1065,14 @@ optional_policy(` ') optional_policy(` @@ -33036,7 +33037,7 @@ index 8b403774f..af9ee8070 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1086,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1087,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33045,7 +33046,7 @@ index 8b403774f..af9ee8070 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1096,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1097,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -33058,7 +33059,7 @@ index 8b403774f..af9ee8070 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1113,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1114,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -33074,7 +33075,7 @@ index 8b403774f..af9ee8070 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,36 +1129,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1130,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -33132,7 +33133,7 @@ index 8b403774f..af9ee8070 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1196,29 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1197,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -33165,7 +33166,7 @@ index 8b403774f..af9ee8070 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1230,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1231,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -33180,7 +33181,7 @@ index 8b403774f..af9ee8070 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,28 +1251,25 @@ init_getpgid(xserver_t) +@@ -718,28 +1252,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -33213,7 +33214,7 @@ index 8b403774f..af9ee8070 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; -@@ -785,17 +1315,54 @@ optional_policy(` +@@ -785,17 +1316,54 @@ optional_policy(` ') optional_policy(` @@ -33270,7 +33271,7 @@ index 8b403774f..af9ee8070 100644 ') optional_policy(` -@@ -803,6 +1370,10 @@ optional_policy(` +@@ -803,6 +1371,10 @@ optional_policy(` ') optional_policy(` @@ -33281,7 +33282,7 @@ index 8b403774f..af9ee8070 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1389,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1390,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33306,7 +33307,7 @@ index 8b403774f..af9ee8070 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1412,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1413,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33341,7 +33342,7 @@ index 8b403774f..af9ee8070 100644 ') optional_policy(` -@@ -912,7 +1477,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1478,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -33350,7 +33351,7 @@ index 8b403774f..af9ee8070 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1531,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1532,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -33382,7 +33383,7 @@ index 8b403774f..af9ee8070 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1577,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1578,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40178,7 +40179,7 @@ index c42fbc329..bf211dbee 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e6c..73e51f7ef 100644 +index be8ed1e6c..aa787ff35 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -40349,7 +40350,11 @@ index be8ed1e6c..73e51f7ef 100644 ') optional_policy(` -@@ -135,9 +186,9 @@ optional_policy(` +@@ -132,12 +183,13 @@ optional_policy(` + + optional_policy(` + seutil_sigchld_newrole(iptables_t) ++ seutil_run_setfiles(iptables_t, iptables_roles) ') optional_policy(` @@ -50133,10 +50138,10 @@ index 000000000..5871e072d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..f03b8fa14 +index 000000000..fde80c094 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1037 @@ +@@ -0,0 +1,1039 @@ +policy_module(systemd, 1.0.0) + +####################################### 
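Review bot: `seutil_run_setfiles(iptables_t, iptables_roles)` hands the firewall domain a transition into setfiles_t, which in reference policy is permitted to relabel essentially every file type, so a compromised or misbehaving iptables process would gain a policy-sanctioned path to rewrite labels far outside its own state; nothing in the hunk records what needs it. If the only trigger is a `restorecon` on the new `xtables.lock` in /run, the name-based `files_pid_filetrans(..., "xtables.lock")` added earlier in this patch should already label that file correctly and the transition could be dropped; if a caller really runs setfiles, a comment naming it would make the grant reviewable, e.g. `# unit file runs restorecon on /run/xtables.lock at start`. The enclosing optional_policy block starts before the hunk.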
@@ -50814,6 +50819,8 @@ index 000000000..f03b8fa14 + +dev_write_kmsg(systemd_localed_t) + ++files_mmap_usr_files(systemd_localed_t) ++ +init_dbus_chat(systemd_localed_t) +init_reload_services(systemd_localed_t) + diff --git a/policy-f27-contrib.patch b/policy-f27-contrib.patch index 8b4161e..e4a07f1 100644 --- a/policy-f27-contrib.patch +++ b/policy-f27-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..5c05075a4 100644 +index eb50f070f..964379745 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -839,9 +839,9 @@ index eb50f070f..5c05075a4 100644 +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) - -+auth_use_nsswitch(abrt_t) + ++auth_use_nsswitch(abrt_t) + +init_read_utmp(abrt_t) + +miscfiles_read_generic_certs(abrt_t) @@ -1060,7 +1060,7 @@ index eb50f070f..5c05075a4 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +476,87 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +476,90 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1119,9 +1119,12 @@ index eb50f070f..5c05075a4 100644 domain_use_interactive_fds(abrt_dump_oops_t) +domain_signull_all_domains(abrt_dump_oops_t) -+domain_ptrace_all_domains(abrt_dump_oops_t) +domain_read_all_domains_state(abrt_dump_oops_t) +domain_getattr_all_domains(abrt_dump_oops_t) ++ ++tunable_policy(`deny_ptrace',`',` ++ domain_ptrace_all_domains(abrt_dump_oops_t) ++') +files_manage_non_security_dirs(abrt_dump_oops_t) +files_manage_non_security_files(abrt_dump_oops_t) 
@@ -1152,7 +1155,7 @@ index eb50f070f..5c05075a4 100644 ####################################### # -@@ -404,25 +564,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +567,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1215,7 +1218,7 @@ index eb50f070f..5c05075a4 100644 ') ####################################### -@@ -430,10 +625,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +628,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -26229,10 +26232,10 @@ index 41c3f6770..653a1ecbb 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e94..3c52d892c 100644 +index aa0ef6e94..d55bbd34c 100644 --- a/dmidecode.te +++ b/dmidecode.te -@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t) +@@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t) locallogin_use_fds(dmidecode_t) @@ -26241,6 +26244,7 @@ index aa0ef6e94..3c52d892c 100644 + +optional_policy(` + rhsmcertd_rw_lock_files(dmidecode_t) ++ rhsmcertd_read_log(dmidecode_t) +') diff --git a/dnsmasq.fc b/dnsmasq.fc index 23ab808d8..84735a8cb 100644 @@ -27200,7 +27204,7 @@ index d5badb755..c2431fc73 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e66..994752cd2 100644 +index 0aabc7e66..ad49ec71b 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -27456,7 +27460,7 @@ index 0aabc7e66..994752cd2 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,46 +225,69 @@ optional_policy(` +@@ -227,49 +225,73 @@ optional_policy(` ######################################## # 
@@ -27536,7 +27540,11 @@ index 0aabc7e66..994752cd2 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,53 +298,79 @@ optional_policy(` ++ mysql_rw_db_sockets(dovecot_auth_t) + ') + + optional_policy(` +@@ -277,53 +299,79 @@ optional_policy(` ') optional_policy(` @@ -27635,7 +27643,7 @@ index 0aabc7e66..994752cd2 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +379,6 @@ optional_policy(` +@@ -332,5 +380,6 @@ optional_policy(` ') optional_policy(` @@ -38582,10 +38590,10 @@ index 000000000..d0c5a1502 +/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0) diff --git a/hwloc.if b/hwloc.if new file mode 100644 -index 000000000..c2349ecf5 +index 000000000..f98e16612 --- /dev/null +++ b/hwloc.if -@@ -0,0 +1,106 @@ +@@ -0,0 +1,110 @@ +## Dump topology and locality information from hardware tables. + +######################################## @@ -38686,9 +38694,13 @@ index 000000000..c2349ecf5 + type hwloc_dhwd_t, hwloc_var_run_t; + ') + -+ allow $1 hwloc_dhwd_t:process { ptrace signal_perms }; ++ allow $1 hwloc_dhwd_t:process { signal_perms }; + ps_process_pattern($1, hwloc_dhwd_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hwloc_dhwd_t:process ptrace; ++ ') ++ + admin_pattern($1, hwloc_var_run_t) + files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc") +') @@ -38900,10 +38912,10 @@ index 6517fadbb..f1837481b 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041ef..ea3c93385 100644 +index 4eb7041ef..180e5b799 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,163 @@ policy_module(hypervkvp, 1.0.0) # Declarations # 
@@ -38936,10 +38948,9 @@ index 4eb7041ef..ea3c93385 100644 + +type hypervvssd_unit_file_t; +systemd_unit_file(hypervvssd_unit_file_t) - - ######################################## - # --# Local policy ++ ++######################################## ++# +# hyperv domain local policy +# + @@ -38953,14 +38964,13 @@ index 4eb7041ef..ea3c93385 100644 +corecmd_exec_bin(hyperv_domain) + +dev_read_sysfs(hyperv_domain) -+ -+######################################## + + ######################################## # +-# Local policy +# hypervkvp local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +allow hypervkvp_t self:capability sys_ptrace; +allow hypervkvp_t self:process setfscreate; +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; @@ -39038,12 +39048,17 @@ index 4eb7041ef..ea3c93385 100644 +') + +optional_policy(` ++ firewalld_dbus_chat(hypervkvp_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(hypervkvp_t) + netutils_domtrans(hypervkvp_t) +') + +optional_policy(` + networkmanager_read_pid_files(hypervkvp_t) ++ networkmanager_dbus_chat(hypervkvp_t) +') + +optional_policy(` @@ -39055,10 +39070,12 @@ index 4eb7041ef..ea3c93385 100644 +') + +######################################## -+# + # +# hypervvssd local policy -+# -+ + # + +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervvssd_t self:capability sys_admin; + +dev_rw_hypervvssd(hypervvssd_t) @@ -56460,7 +56477,7 @@ index ed81cac5a..cd52baf59 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c6a..3f662fbef 100644 +index ff1d68c6a..630956deb 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; 
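Review bot: `firewalld_dbus_chat(hypervkvp_t)` and `networkmanager_dbus_chat(hypervkvp_t)` grant two-way `dbus:send_msg` with both daemons, i.e. the ability to invoke any firewalld or NetworkManager D-Bus method, to a daemon that presumably services requests arriving from the hypervisor host; if so, host-provided data now has a permitted path to reconfigure guest networking and firewall rules. If the daemon only needs to read connection state, a read-only NetworkManager interface in place of `_dbus_chat` would cut that surface considerably; if full chat is genuinely required, a comment naming the operation would help future reviewers, e.g. `# hv_kvp_daemon applies host-injected IP configuration via NetworkManager`. Both optional_policy blocks are complete within the hunk.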
@@ -56560,7 +56577,7 @@ index ff1d68c6a..3f662fbef 100644 procmail_exec(user_mail_domain) ') -@@ -166,57 +166,77 @@ optional_policy(` +@@ -166,57 +166,79 @@ optional_policy(` uucp_manage_spool(user_mail_domain) ') @@ -56573,24 +56590,25 @@ index ff1d68c6a..3f662fbef 100644 # -allow system_mail_t self:capability { dac_override fowner }; -- --read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -- --read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) +# newalias required this, not sure if it is needed in 'if' file +allow system_mail_t self:capability { dac_read_search dac_override fowner }; +dontaudit system_mail_t self:capability net_admin; - allow system_mail_t mail_home_t:file manage_file_perms; +-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) ++allow system_mail_t mail_home_t:file manage_file_perms; + + read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + +-allow system_mail_t mail_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter") - +- -allow system_mail_t user_mail_domain:dir list_dir_perms; -allow system_mail_t user_mail_domain:file read_file_perms; -allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms; -+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) ++kernel_search_network_sysctl(system_mail_t) corecmd_exec_shell(system_mail_t) 
@@ -56607,14 +56625,14 @@ index ff1d68c6a..3f662fbef 100644 init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) +userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) -+ + +-userdom_use_user_terminals(system_mail_t) +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) + @@ -56657,7 +56675,7 @@ index ff1d68c6a..3f662fbef 100644 ') optional_policy(` -@@ -225,17 +245,21 @@ optional_policy(` +@@ -225,17 +247,21 @@ optional_policy(` ') optional_policy(` @@ -56681,7 +56699,7 @@ index ff1d68c6a..3f662fbef 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -244,9 +268,10 @@ optional_policy(` +@@ -244,9 +270,10 @@ optional_policy(` ') optional_policy(` @@ -56695,7 +56713,7 @@ index ff1d68c6a..3f662fbef 100644 ') optional_policy(` -@@ -258,10 +283,17 @@ optional_policy(` +@@ -258,10 +285,17 @@ optional_policy(` ') optional_policy(` @@ -56713,7 +56731,7 @@ index ff1d68c6a..3f662fbef 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +304,19 @@ optional_policy(` +@@ -272,6 +306,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -56733,7 +56751,7 @@ index ff1d68c6a..3f662fbef 100644 ') optional_policy(` -@@ -279,6 +324,10 @@ optional_policy(` +@@ -279,6 +326,10 @@ optional_policy(` ') optional_policy(` 
@@ -56744,7 +56762,7 @@ index ff1d68c6a..3f662fbef 100644 userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` -@@ -287,42 +336,36 @@ optional_policy(` +@@ -287,42 +338,36 @@ optional_policy(` ') optional_policy(` @@ -56797,7 +56815,7 @@ index ff1d68c6a..3f662fbef 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,44 +374,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -56867,7 +56885,7 @@ index ff1d68c6a..3f662fbef 100644 ') optional_policy(` -@@ -381,24 +428,49 @@ optional_policy(` +@@ -381,24 +430,49 @@ optional_policy(` ######################################## # @@ -59619,10 +59637,10 @@ index 0641e970f..f3b111172 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682e6..00af8b3b9 100644 +index 7b3e682e6..c1f43fc58 100644 --- a/nagios.te +++ b/nagios.te -@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) +@@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0) # Declarations # @@ -59640,6 +59658,14 @@ index 7b3e682e6..00af8b3b9 100644 +## +gen_tunable(nagios_run_pnp4nagios, false) + ++## ++##

++## Determine whether Nagios, NRPE can ++## access nfs file systems. ++##

++##
++gen_tunable(nagios_use_nfs, false) ++ +gen_require(` + class passwd rootok; + class passwd passwd; @@ -59648,7 +59674,7 @@ index 7b3e682e6..00af8b3b9 100644 attribute nagios_plugin_domain; type nagios_t; -@@ -27,7 +46,7 @@ type nagios_var_run_t; +@@ -27,7 +54,7 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) type nagios_spool_t; @@ -59657,7 +59683,7 @@ index 7b3e682e6..00af8b3b9 100644 type nagios_var_lib_t; files_type(nagios_var_lib_t) -@@ -39,6 +58,7 @@ nagios_plugin_template(services) +@@ -39,6 +66,7 @@ nagios_plugin_template(services) nagios_plugin_template(system) nagios_plugin_template(unconfined) nagios_plugin_template(eventhandler) @@ -59665,7 +59691,7 @@ index 7b3e682e6..00af8b3b9 100644 type nagios_eventhandler_plugin_tmp_t; files_tmp_file(nagios_eventhandler_plugin_tmp_t) -@@ -46,6 +66,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) +@@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) type nagios_system_plugin_tmp_t; files_tmp_file(nagios_system_plugin_tmp_t) @@ -59675,7 +59701,7 @@ index 7b3e682e6..00af8b3b9 100644 type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -63,30 +86,33 @@ files_pid_file(nrpe_var_run_t) +@@ -63,30 +94,33 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; @@ -59717,7 +59743,7 @@ index 7b3e682e6..00af8b3b9 100644 allow nagios_t nagios_plugin_domain:process signal_perms; -@@ -96,11 +122,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; +@@ -96,11 +130,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms; allow nagios_t nagios_etc_t:file read_file_perms; allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; 
@@ -59736,7 +59762,7 @@ index 7b3e682e6..00af8b3b9 100644 manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) -@@ -110,11 +138,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -110,11 +146,14 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) @@ -59753,7 +59779,7 @@ index 7b3e682e6..00af8b3b9 100644 kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -123,7 +154,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +162,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -59761,7 +59787,7 @@ index 7b3e682e6..00af8b3b9 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,18 +173,16 @@ domain_read_all_domains_state(nagios_t) +@@ -143,18 +181,16 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -59781,7 +59807,7 @@ index 7b3e682e6..00af8b3b9 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -162,6 +190,41 @@ mta_send_mail(nagios_t) +@@ -162,6 +198,47 @@ mta_send_mail(nagios_t) mta_signal_system_mail(nagios_t) mta_kill_system_mail(nagios_t) @@ -59820,10 +59846,16 @@ index 7b3e682e6..00af8b3b9 100644 + allow nagios_t nagios_log_t:file execute; +') + ++tunable_policy(`nagios_use_nfs',` ++ fs_manage_nfs_files(nagios_t) ++ fs_manage_nfs_dirs(nagios_t) ++ fs_manage_nfs_symlinks(nagios_t) ++') ++ optional_policy(` netutils_kill_ping(nagios_t) ') -@@ -178,35 +241,37 @@ optional_policy(` +@@ -178,35 +255,38 @@ optional_policy(` # # CGI local policy # 
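Review bot: The `nagios_use_nfs` block grants `fs_manage_nfs_files`, `fs_manage_nfs_dirs` and `fs_manage_nfs_symlinks` — create, write and delete — to nagios_t, while the tunable description in the declaration hunk above says only that Nagios can "access" NFS file systems; either the description should state that the access is read-write, or, if the plugins only read check data from NFS, the rules should be the read-only `fs_read_nfs_files(nagios_t)` / `fs_list_nfs(nagios_t)` pair. A one-line comment above the `tunable_policy` call stating the intended use, e.g. `# plugins write status and perfdata to an NFS-mounted spool`, would settle which is right. The tunable_policy block is complete within the hunk.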
@@ -59855,6 +59887,7 @@ index 7b3e682e6..00af8b3b9 100644 - rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + files_search_spool(nagios_script_t) + rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) ++ read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) - allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) @@ -59879,7 +59912,7 @@ index 7b3e682e6..00af8b3b9 100644 ') ######################################## -@@ -214,7 +279,7 @@ optional_policy(` +@@ -214,7 +294,7 @@ optional_policy(` # Nrpe local policy # @@ -59888,7 +59921,7 @@ index 7b3e682e6..00af8b3b9 100644 dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; -@@ -229,9 +294,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +@@ -229,9 +309,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) @@ -59899,7 +59932,7 @@ index 7b3e682e6..00af8b3b9 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -252,8 +317,8 @@ dev_read_urand(nrpe_t) +@@ -252,8 +332,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) @@ -59909,7 +59942,7 @@ index 7b3e682e6..00af8b3b9 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,10 +327,34 @@ auth_use_nsswitch(nrpe_t) +@@ -262,10 +342,40 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) 
@@ -59943,10 +59976,16 @@ index 7b3e682e6..00af8b3b9 100644 +') + + ++tunable_policy(`nagios_use_nfs',` ++ fs_manage_nfs_files(nrpe_t) ++ fs_manage_nfs_dirs(nrpe_t) ++ fs_manage_nfs_symlinks(nrpe_t) ++') ++ optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') -@@ -309,16 +398,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -309,16 +419,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # Mail local policy # @@ -59967,7 +60006,7 @@ index 7b3e682e6..00af8b3b9 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,9 +434,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,9 +455,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -59982,7 +60021,7 @@ index 7b3e682e6..00af8b3b9 100644 fs_getattr_all_fs(nagios_checkdisk_plugin_t) storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) -@@ -357,9 +451,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +472,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -59996,7 +60035,7 @@ index 7b3e682e6..00af8b3b9 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +487,11 @@ optional_policy(` +@@ -391,6 +508,11 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -60008,7 +60047,7 @@ index 7b3e682e6..00af8b3b9 100644 ') optional_policy(` -@@ -402,32 +503,40 @@ optional_policy(` +@@ -402,32 +524,40 @@ optional_policy(` # System local policy # @@ -60052,7 +60091,7 @@ index 7b3e682e6..00af8b3b9 100644 ####################################### # # Event local policy -@@ -442,9 +551,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,9 +572,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) 
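Review bot: For nrpe_t the `nagios_use_nfs` grant is broader than it looks: nrpe_t is a network-facing service that runs check commands on request (see the `inetd_tcp_service_domain` block just below), and `fs_manage_nfs_*` lets any such command create and delete files on every NFS mount once the boolean is on, with no per-path confinement. If remote checks only need to read NFS content, `fs_read_nfs_files(nrpe_t)` and `fs_list_nfs(nrpe_t)` are sufficient; if write or delete really is required, a short comment explaining which check needs it would help reviewers. The block is complete within the hunk.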
@@ -76860,7 +76899,7 @@ index ded95ec3a..db49c5774 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83eca..df61ef8e5 100644 +index 5cfb83eca..d1b4b0874 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -77715,7 +77754,7 @@ index 5cfb83eca..df61ef8e5 100644 ') optional_policy(` -@@ -774,31 +730,101 @@ optional_policy(` +@@ -774,31 +730,102 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -77821,6 +77860,7 @@ index 5cfb83eca..df61ef8e5 100644 + +optional_policy(` + mysql_stream_connect(postfix_domain) ++ mysql_rw_db_sockets(postfix_domain) +') + +optional_policy(` @@ -85870,7 +85910,7 @@ index 44605825c..4c66c2502 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fed1..193195e3c 100644 +index 403a4fed1..941be7d73 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) 
@@ -85903,11 +85943,21 @@ index 403a4fed1..193195e3c 100644 +allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; -+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; ++allow radiusd_t self:process { getsched setrlimit setsched sigkill signal}; allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket { accept listen }; allow radiusd_t self:tcp_socket { accept listen }; -@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +@@ -43,15 +53,17 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms; + allow radiusd_t radiusd_etc_t:file read_file_perms; + allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms; + ++tunable_policy(`deny_ptrace',`',` ++ allow radiusd_t self:process ptrace; ++') ++ + manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) + manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) + manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) @@ -85918,7 +85968,7 @@ index 403a4fed1..193195e3c 100644 logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) -@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -60,11 +72,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) 
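Review bot: `sys_ptrace` stays in the unconditional `allow radiusd_t self:capability { ... sys_ptrace };` line while the `process ptrace` permission is now gated on `deny_ptrace`, so turning the boolean on removes the permission but leaves the capability behind; moving `sys_ptrace` into the same `tunable_policy(`deny_ptrace',`',` ... `)` block as `allow radiusd_t self:process ptrace;` keeps the boolean meaningful for this domain. As a style point, the rewritten line `allow radiusd_t self:process { getsched setrlimit setsched sigkill signal};` is missing the space before `}` that the other permission sets in the file have. Both lines are visible within this hunk.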
@@ -85931,7 +85981,7 @@ index 403a4fed1..193195e3c 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,12 +86,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) @@ -85954,7 +86004,7 @@ index 403a4fed1..193195e3c 100644 corenet_sendrecv_snmp_client_packets(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) -@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +119,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) @@ -85962,7 +86012,7 @@ index 403a4fed1..193195e3c 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +130,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -85970,7 +86020,7 @@ index 403a4fed1..193195e3c 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t) +@@ -117,11 +137,22 @@ sysnet_use_ldap(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_user_home_dirs(radiusd_t) @@ -85993,7 +86043,7 @@ index 403a4fed1..193195e3c 100644 logrotate_exec(radiusd_t) ') -@@ -132,6 +159,11 @@ optional_policy(` +@@ -132,6 +163,11 @@ optional_policy(` ') optional_policy(` @@ -86005,7 +86055,7 @@ index 403a4fed1..193195e3c 100644 samba_domtrans_winbind_helper(radiusd_t) ') -@@ -140,5 +172,10 @@ optional_policy(` +@@ -140,5 +176,10 @@ optional_policy(` ') optional_policy(` @@ -100519,10 +100569,10 @@ index 000000000..7a058a82a +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 000000000..55576aaf6 +index 000000000..7d54ef1d6 --- /dev/null 
+++ b/sbd.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,62 @@ +policy_module(sbd, 1.0.0) + +######################################## @@ -100540,6 +100590,9 @@ index 000000000..55576aaf6 +type sbd_unit_file_t; +systemd_unit_file(sbd_unit_file_t) + ++type sbd_tmpfs_t; ++userdom_user_tmpfs_file(sbd_tmpfs_t) ++ +######################################## +# +# sbd local policy @@ -100555,6 +100608,10 @@ index 000000000..55576aaf6 +manage_lnk_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) +files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file }) + ++manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t) ++manage_dirs_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t) ++fs_tmpfs_filetrans(sbd_t, sbd_tmpfs_t, { file dir }) ++ +kernel_read_system_state(sbd_t) +kernel_dgram_send(sbd_t) +kernel_rw_kernel_sysctl(sbd_t) @@ -123058,7 +123115,7 @@ index dd63de028..38ce6208e 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c617..bf2ae51d0 100644 +index 7f496c617..4c90f35a2 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -123097,7 +123154,7 @@ index 7f496c617..bf2ae51d0 100644 type zabbix_log_t; logging_log_file(zabbix_log_t) -@@ -36,27 +41,61 @@ files_tmp_file(zabbix_tmp_t) +@@ -36,27 +41,62 @@ files_tmp_file(zabbix_tmp_t) type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) @@ -123153,6 +123210,7 @@ index 7f496c617..bf2ae51d0 100644 -allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms; +allow zabbix_t self:capability { dac_read_search dac_override }; ++allow zabbix_t self:process { setrlimit }; + +manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) 
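Review bot: `sbd_tmpfs_t` is declared with `userdom_user_tmpfs_file(sbd_tmpfs_t)` in the `@@ -100540` hunk, whereas a daemon-private tmpfs type is normally declared with `files_tmpfs_file()`, as the zabbix section on this page does for `zabbix_tmpfs_t`. The userdom variant presumably also attaches the user-tmpfs attribute, which would bring sbd's tmpfs content under rules written for user domains — confirm that is intended, otherwise `files_tmpfs_file(sbd_tmpfs_t)` is the narrower choice. The manage and filetrans rules in the `@@ -100555` hunk carry no comment on what sbd creates on tmpfs; a one-line comment above `manage_files_pattern(sbd_t, sbd_tmpfs_t, sbd_tmpfs_t)` naming the purpose would let a reviewer judge the grant.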
@@ -123171,7 +123229,7 @@ index 7f496c617..bf2ae51d0 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +109,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -70,13 +110,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) kernel_read_system_state(zabbix_t) @@ -123185,7 +123243,7 @@ index 7f496c617..bf2ae51d0 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -85,24 +120,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) +@@ -85,24 +121,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) corenet_sendrecv_http_client_packets(zabbix_t) corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t) @@ -123213,7 +123271,7 @@ index 7f496c617..bf2ae51d0 100644 tunable_policy(`zabbix_can_network',` corenet_sendrecv_all_client_packets(zabbix_t) corenet_tcp_connect_all_ports(zabbix_t) -@@ -110,12 +139,11 @@ tunable_policy(`zabbix_can_network',` +@@ -110,12 +140,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -123228,7 +123286,7 @@ index 7f496c617..bf2ae51d0 100644 ') optional_policy(` -@@ -125,6 +153,7 @@ optional_policy(` +@@ -125,6 +154,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -123236,7 +123294,7 @@ index 7f496c617..bf2ae51d0 100644 ') ######################################## -@@ -132,18 +161,9 @@ optional_policy(` +@@ -132,18 +162,9 @@ optional_policy(` # Agent local policy # 
@@ -123257,7 +123315,7 @@ index 7f496c617..bf2ae51d0 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +171,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +172,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -123277,7 +123335,7 @@ index 7f496c617..bf2ae51d0 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -170,6 +187,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +@@ -170,6 +188,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) @@ -123308,7 +123366,7 @@ index 7f496c617..bf2ae51d0 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +218,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +219,50 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9837173..e10b933 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 283.13%{?dist} +Release: 283.14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -722,6 +722,15 @@ exit 0
 %endif
 
 %changelog
+* Thu Oct 26 2017 Lukas Vrabec - 3.13.1-283.14
+- Allow zabbix_t domain to change its resource limits
+- Add new boolean nagios_use_nfs
+- Allow system_mail_t to search network sysctls
+- Hide all allow rules with ptrace inside deny_ptrace boolean
+- Allow nagios_script_t to read nagios_spool_t files
+- Make user account setup in gnome-initial-setup working in Workstation Live system. BZ(1499170)
+- Allow iptables_t to run setfiles to restore context on system
+
 * Wed Oct 25 2017 Lukas Vrabec - 3.13.1-283.13
 - Allow nmbd_t domain to mmap files labeled as samba_var_t. BZ(1505877)
 - Updatre unconfined_dontaudit_read_state() interface to dontaudit also acess to files. BZ(1503466)