diff --git a/policy-F16.patch b/policy-F16.patch index b5957fb..0ecf125 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -65396,10 +65396,18 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..d9eb320 100644 +index af55369..b529945 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te -@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) +@@ -18,6 +18,7 @@ type prelink_cron_system_t; + type prelink_cron_system_exec_t; + domain_type(prelink_cron_system_t) + domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) ++domain_obj_id_change_exemption(prelink_cron_system_t) + + type prelink_log_t; + logging_log_file(prelink_log_t) +@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t) # Local policy # @@ -65408,7 +65416,7 @@ index af55369..d9eb320 100644 allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; -@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) @@ -65421,7 +65429,7 @@ index af55369..d9eb320 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) @@ -65429,7 +65437,7 @@ index af55369..d9eb320 100644 files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) +@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) 
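Review bot: The added `domain_obj_id_change_exemption(prelink_cron_system_t)` exempts the cron domain from the refpolicy constraint that stops a domain from creating or relabeling files under a different SELinux user, yet every relabel rule visible in this hunk is on prelink_t, not on prelink_cron_system_t. If the denial came from the cron script's own file handling, a comment above the line should record it, e.g. `# cron script recreates cache files under a different SELinux user; exempt from the object-identity constraint`; if the relabel actually happens after the domtrans to prelink_t, the exemption belongs on prelink_t instead. The prelink_cron_system_t policy block continues outside this hunk, so I cannot confirm which domain performs the relabel.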
@@ -65438,7 +65446,7 @@ index af55369..d9eb320 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +103,15 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -65455,7 +65463,7 @@ index af55369..d9eb320 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +121,15 @@ optional_policy(` +@@ -109,6 +122,15 @@ optional_policy(` ') optional_policy(` @@ -65471,7 +65479,7 @@ index af55369..d9eb320 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +150,7 @@ optional_policy(` +@@ -129,6 +151,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -65479,7 +65487,7 @@ index af55369..d9eb320 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -144,21 +166,37 @@ optional_policy(` +@@ -144,21 +167,37 @@ optional_policy(` corecmd_exec_bin(prelink_cron_system_t) corecmd_exec_shell(prelink_cron_system_t) @@ -66567,10 +66575,10 @@ index 781ad7e..f7b8881 100644 init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te -index 95bce88..95065c3 100644 +index 95bce88..6eaaee9 100644 --- a/policy/modules/admin/shorewall.te +++ b/policy/modules/admin/shorewall.te -@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) +@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t) # shorewall local policy # 
@@ -66578,8 +66586,11 @@ index 95bce88..95065c3 100644 +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; ++allow shorewall_t self:netlink_socket create_socket_perms; -@@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) + list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) +@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -66589,7 +66600,7 @@ index 95bce88..95065c3 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -83,13 +86,22 @@ fs_getattr_all_fs(shorewall_t) +@@ -83,13 +87,22 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -70400,7 +70411,7 @@ index f5afe78..e283f63 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..6eafbbc 100644 +index 2505654..ffb9bd7 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0) @@ -70473,7 +70484,7 @@ index 2505654..6eafbbc 100644 ############################## # # Local Policy -@@ -75,3 +118,159 @@ optional_policy(` +@@ -75,3 +118,161 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -70544,6 +70555,8 @@ index 2505654..6eafbbc 100644 + +fs_getattr_xattr_fs(gnomesystemmm_t) + ++auth_read_passwd(gnomesystemmm_t) ++ +logging_send_syslog_msg(gnomesystemmm_t) + +miscfiles_read_localization(gnomesystemmm_t) @@ -71359,10 +71372,10 @@ index 0000000..fb58f33 +') 
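Review bot: `allow shorewall_t self:netlink_socket create_socket_perms;` grants the generic netlink class, which in this policy version stands in for every netlink family that has no dedicated class, so it is wider than it reads. If the denial came from `ip` route manipulation the correct class is `netlink_route_socket`; if it came from conntrack/nfnetlink tools, a comment such as `# conntrack (nfnetlink): no dedicated class, falls back to generic netlink_socket` would let the rule be narrowed once a per-family class exists. Which of the two it is cannot be told from the hunk, and the shorewall_t block continues beyond it.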
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te new file mode 100644 -index 0000000..7d1cef8 +index 0000000..bd84c03 --- /dev/null +++ b/policy/modules/apps/jockey.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,61 @@ +policy_module(jockey, 1.0.0) + +######################################## @@ -71396,6 +71409,8 @@ index 0000000..7d1cef8 +manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) +logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) + ++kernel_read_system_state(jockey_t) ++ +corecmd_exec_bin(jockey_t) +corecmd_exec_shell(jockey_t) + @@ -72249,7 +72264,7 @@ index fbb5c5a..67c1168 100644 +') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..e745a7c 100644 +index 2e9318b..e170274 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3) @@ -72438,7 +72453,7 @@ index 2e9318b..e745a7c 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -322,31 +354,50 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -322,39 +354,60 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) 
@@ -72495,8 +72510,10 @@ index 2e9318b..e745a7c 100644 +dev_read_generic_usb_dev(mozilla_plugin_t) dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) ++dev_read_realtime_clock(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -355,6 +406,7 @@ dev_write_sound(mozilla_plugin_t) + dev_read_sound(mozilla_plugin_t) + dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -72504,7 +72521,7 @@ index 2e9318b..e745a7c 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -362,15 +414,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -362,15 +415,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -72528,7 +72545,7 @@ index 2e9318b..e745a7c 100644 logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -383,34 +443,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -383,34 +444,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -72577,7 +72594,7 @@ index 2e9318b..e745a7c 100644 ') optional_policy(` -@@ -421,24 +477,35 @@ optional_policy(` +@@ -421,24 +478,35 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -72617,7 +72634,7 @@ index 2e9318b..e745a7c 100644 ') optional_policy(` -@@ -446,10 +513,106 @@ optional_policy(` +@@ -446,10 +514,106 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -77430,7 +77447,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') 
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..810487b 100644 +index 3fae11a..3a2c703 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -77695,7 +77712,7 @@ index 3fae11a..810487b 100644 +/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/checkquorum -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) @@ -86341,7 +86358,7 @@ index 57c4a6a..d323c74 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..b2bea9d 100644 +index 1700ef2..6d06ade 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` @@ -86353,7 +86370,7 @@ index 1700ef2..b2bea9d 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -188,6 +190,29 @@ interface(`storage_raw_rw_fixed_disk',` +@@ -188,6 +190,30 @@ interface(`storage_raw_rw_fixed_disk',` storage_raw_write_fixed_disk($1) ') @@ -86376,6 +86393,7 @@ index 1700ef2..b2bea9d 100644 + ') + + allow $1 fixed_disk_device_t:chr_file { read write }; ++ allow $1 fixed_disk_device_t:blk_file { read write }; + typeattribute $1 fixed_disk_raw_write; + typeattribute $1 fixed_disk_raw_read; +') 
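Review bot: `/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)` uses an unescaped `.` followed by `*`, so it labels every regular file whose name starts with `checkquorum` as executable bin_t, not just the script and a dotted variant. The neighbouring entry `fence_scsi_check\.pl` escapes its dot, so the file's own convention favours `checkquorum(\..*)?` if the intent is the script plus dotted copies. Which variants the cluster package actually ships is not visible here — confirm against its file list before narrowing.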
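Review bot: The new `allow $1 fixed_disk_device_t:blk_file { read write };` in storage_rw_inherited_fixed_disk_dev deliberately omits `open`, which is the only thing keeping an "inherited" interface limited to descriptors the caller received from its parent; that property is implicit and should be stated, e.g. `# no open: only descriptors inherited from the parent can be used`. The interface also adds the caller to `fixed_disk_raw_write` and `fixed_disk_raw_read`, and whatever those attributes carry in storage.te is outside this hunk — if they grant `open` elsewhere, the inherited-only limit no longer holds. The chr_file rule above it has the same shape and the same caveat.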
@@ -86383,7 +86401,7 @@ index 1700ef2..b2bea9d 100644 ######################################## ## ## Allow the caller to create fixed disk device nodes. -@@ -205,6 +230,7 @@ interface(`storage_create_fixed_disk_dev',` +@@ -205,6 +231,7 @@ interface(`storage_create_fixed_disk_dev',` allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; @@ -86391,7 +86409,7 @@ index 1700ef2..b2bea9d 100644 dev_add_entry_generic_dirs($1) ') -@@ -269,6 +295,48 @@ interface(`storage_dev_filetrans_fixed_disk',` +@@ -269,6 +296,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file) ') @@ -86440,7 +86458,7 @@ index 1700ef2..b2bea9d 100644 ######################################## ## ## Create block devices in on a tmpfs filesystem with the -@@ -808,3 +876,369 @@ interface(`storage_unconfined',` +@@ -808,3 +877,369 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -87554,7 +87572,7 @@ index 01dd2f1..16789bd 100644 + dev_filetrans($1, tty_device_t, chr_file, "xvc9") +') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 2241b7d..b0ab494 100644 +index 2241b7d..7d78526 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -87565,10 +87583,14 @@ index 2241b7d..b0ab494 100644 # # devtty_t is the type of /dev/tty. -@@ -56,3 +57,9 @@ dev_node(tty_device_t) +@@ -54,5 +55,11 @@ dev_node(tty_device_t) + # + # usbtty_device_t is the type of /dev/usr/tty* # - type usbtty_device_t, serial_device; - dev_node(usbtty_device_t) +-type usbtty_device_t, serial_device; +-dev_node(usbtty_device_t) ++type usbtty_device_t; ++term_tty(usbtty_device_t) + +# +# virtio_device_t is the type of /dev/vport[0-9]p[0-9] @@ -91562,7 +91584,7 @@ index deca9d3..1aa76b0 100644 spamassassin_exec_client(amavis_t) spamassassin_read_lib_files(amavis_t) 
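Review bot: Replacing `type usbtty_device_t, serial_device; dev_node(usbtty_device_t)` with `term_tty(usbtty_device_t)` changes who can reach USB serial ports: if term_tty places the type on the `ttynode` attribute (its definition is not in this hunk), every existing ttynode rule — getty, login, callers of term_use_all_ttys — now covers /dev/ttyUSB*, while domains that were reached via `serial_device` lose that access. The hunk gives no motivation; a comment like `# USB serial adapters are used as login ttys; treat as ttynode rather than serial_device` would record it, and any modem/PPP-style user of serial_device should be re-checked. The rest of terminal.te is outside the hunk.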
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..b3efe6f 100644 +index 9e39aa5..87b9c7d 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,39 +1,55 @@ @@ -91654,7 +91676,7 @@ index 9e39aa5..b3efe6f 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,39 +93,76 @@ ifdef(`distro_suse', ` +@@ -73,39 +93,78 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -91668,8 +91690,10 @@ index 9e39aa5..b3efe6f 100644 +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++ +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -92502,7 +92526,7 @@ index 6480167..f9d3c63 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..2a489c4 100644 +index 3136c6a..869fc39 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te 
@@ -18,136 +18,275 @@ policy_module(apache, 2.2.1) @@ -93324,7 +93348,7 @@ index 3136c6a..2a489c4 100644 ') optional_policy(` -@@ -577,6 +927,55 @@ optional_policy(` +@@ -577,6 +927,59 @@ optional_policy(` ') optional_policy(` @@ -93363,6 +93387,10 @@ index 3136c6a..2a489c4 100644 +') + +optional_policy(` ++ openshift_initrc_signull(httpd_t) ++') ++ ++optional_policy(` + tunable_policy(`httpd_run_stickshift', ` + oddjob_dbus_chat(httpd_t) + ') @@ -93380,7 +93408,7 @@ index 3136c6a..2a489c4 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +990,11 @@ optional_policy(` +@@ -591,6 +994,11 @@ optional_policy(` ') optional_policy(` @@ -93392,7 +93420,7 @@ index 3136c6a..2a489c4 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +1007,12 @@ optional_policy(` +@@ -603,6 +1011,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -93405,7 +93433,7 @@ index 3136c6a..2a489c4 100644 ######################################## # # Apache helper local policy -@@ -616,7 +1026,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +1030,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -93418,7 +93446,7 @@ index 3136c6a..2a489c4 100644 ######################################## # -@@ -654,28 +1068,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1072,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -93462,7 +93490,7 @@ index 3136c6a..2a489c4 100644 ') ######################################## -@@ -685,6 +1101,8 @@ optional_policy(` +@@ -685,6 +1105,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
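Review bot: `openshift_initrc_signull(httpd_t)` is added unconditionally, while the openshift-related `oddjob_dbus_chat(httpd_t)` directly below it is gated on the `httpd_run_stickshift` tunable; signull is low-risk, but it lets every httpd instance probe for openshift init-script processes on hosts that never enable that feature. Wrapping the new call in the same `tunable_policy` on httpd_run_stickshift keeps the whole openshift surface behind one switch and matches the adjacent block's style. The httpd_t policy continues outside this hunk.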
@@ -93471,7 +93499,7 @@ index 3136c6a..2a489c4 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1117,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1121,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -93497,7 +93525,7 @@ index 3136c6a..2a489c4 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1163,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1167,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -93530,7 +93558,7 @@ index 3136c6a..2a489c4 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1210,25 @@ optional_policy(` +@@ -769,6 +1214,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -93556,7 +93584,7 @@ index 3136c6a..2a489c4 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1249,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1253,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -93574,7 +93602,7 @@ index 3136c6a..2a489c4 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1268,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1272,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -93631,7 +93659,7 @@ index 3136c6a..2a489c4 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1319,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1323,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -93672,7 +93700,7 @@ index 3136c6a..2a489c4 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1364,20 @@ optional_policy(` +@@ -842,10 +1368,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -93693,7 +93721,7 @@ index 3136c6a..2a489c4 100644 ') ######################################## -@@ -891,11 +1423,146 @@ optional_policy(` +@@ -891,11 +1427,146 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -93711,7 +93739,7 @@ index 3136c6a..2a489c4 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) @@ -93816,7 +93844,7 @@ index 3136c6a..2a489c4 100644 + +tunable_policy(`httpd_enable_cgi && allow_ypbind',` + nis_use_ypbind_uncond(httpd_script_type) -+') + ') + +optional_policy(` + nscd_socket_use(httpd_script_type) @@ -96104,10 +96132,10 @@ index 0000000..6d7e034 +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..20156f6 +index 0000000..c34dbef --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,201 @@ +policy_module(boinc, 1.0.0) + +######################################## 
@@ -96238,6 +96266,7 @@ index 0000000..20156f6 +corenet_tcp_connect_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) ++corenet_tcp_connect_squid_port(boinc_t) + +files_dontaudit_getattr_boot_dirs(boinc_t) + @@ -103326,7 +103355,7 @@ index 305ddf4..d1b97fb 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..8e23004 100644 +index 0f28095..9ae73ae 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -103485,6 +103514,15 @@ index 0f28095..8e23004 100644 ') optional_policy(` +@@ -341,7 +367,7 @@ optional_policy(` + # Cups configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; + allow cupsd_config_t self:process { getsched signal_perms }; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -371,8 +397,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -106599,7 +106637,7 @@ index 9bd812b..53f895e 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..1a2a666 100644 +index fdaeeba..7764130 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -106637,7 +106675,7 @@ index fdaeeba..1a2a666 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +104,20 @@ optional_policy(` +@@ -96,7 +104,21 @@ optional_policy(` ') optional_policy(` 
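Review bot: `allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config };` adds setuid and setgid to a domain that already holds chown and dac_override, so the config daemon can now assume any uid and take ownership of any file — effectively root-equivalent at the DAC layer. The hunk does not say which helper needs it; if it is a child that drops to lp, a dedicated domain reached by domtrans keeps the capability off cupsd_config_t, and at minimum a comment should name the caller, e.g. `# cups-config helpers setuid()/setgid() to lp — verify against the denial`. Note also that the following line still reads `dontaudit cupsd_config_t self:capability sys_tty_config;` while sys_tty_config is allowed on the line above, so that dontaudit is dead (pre-existing, but worth cleaning up while here).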
@@ -106650,6 +106688,7 @@ index fdaeeba..1a2a666 100644 +') + +optional_policy(` ++ networkmanager_read_conf(dnsmasq_t) + networkmanager_read_pid_files(dnsmasq_t) +') + @@ -106658,7 +106697,7 @@ index fdaeeba..1a2a666 100644 ') optional_policy(` -@@ -113,5 +134,7 @@ optional_policy(` +@@ -113,5 +135,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -117001,7 +117040,7 @@ index d72276f..cb8c563 100644 mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te -index 7f68872..72c1f8a 100644 +index 7f68872..b3dfcb5 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -117025,7 +117064,15 @@ index 7f68872..72c1f8a 100644 manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) -@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t) +@@ -87,6 +94,7 @@ corenet_sendrecv_http_cache_client_packets(mpd_t) + corenet_sendrecv_pulseaudio_client_packets(mpd_t) + corenet_sendrecv_soundd_client_packets(mpd_t) + ++dev_read_urand(mpd_t) + dev_read_sound(mpd_t) + dev_write_sound(mpd_t) + dev_read_sysfs(mpd_t) +@@ -103,6 +111,10 @@ logging_send_syslog_msg(mpd_t) miscfiles_read_localization(mpd_t) @@ -117036,7 +117083,7 @@ index 7f68872..72c1f8a 100644 optional_policy(` alsa_read_rw_config(mpd_t) ') -@@ -122,5 +133,14 @@ optional_policy(` +@@ -122,5 +134,14 @@ optional_policy(` ') optional_policy(` @@ -118189,7 +118236,7 @@ index 64268e4..58ec9a6 100644 + uucp_manage_spool(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..26597b2 100644 +index fd71d69..5987e1c 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc @@ -41,6 +41,9 @@ 
@@ -118210,7 +118257,13 @@ index fd71d69..26597b2 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -63,6 +67,7 @@ +@@ -58,11 +62,13 @@ + /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) @@ -118315,7 +118368,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..b6a2813 100644 +index f17583b..4dd4fa5 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
@@ -118528,13 +118581,17 @@ index f17583b..b6a2813 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +345,37 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +345,41 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) +term_getattr_all_ttys(system_munin_plugin_t) +term_getattr_all_ptys(system_munin_plugin_t) + ++optional_policy(` ++ bind_read_config(system_munin_plugin_t) ++') ++ +################################ +# +# local policy for munin plugin domains @@ -119538,7 +119595,7 @@ index 386543b..8fe1d63 100644 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if -index 2324d9e..da61d01 100644 +index 2324d9e..a26865a 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` 
@@ -119613,7 +119670,33 @@ index 2324d9e..da61d01 100644 ## Send a generic signal to NetworkManager ## ## -@@ -191,3 +236,90 @@ interface(`networkmanager_read_pid_files',` +@@ -153,6 +198,25 @@ interface(`networkmanager_signal',` + allow $1 NetworkManager_t:process signal; + ') + ++####################################### ++## ++## Read NetworkManager conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_read_conf',` ++ gen_require(` ++ type NetworkManager_etc_t; ++ ') ++ ++ allow $1 NetworkManager_etc_t:dir list_dir_perms; ++ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) ++') ++ + ######################################## + ## + ## Read NetworkManager lib files. +@@ -191,3 +255,90 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -122368,10 +122451,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/policy/modules/services/openshift.if b/policy/modules/services/openshift.if new file mode 100644 -index 0000000..681f8a0 +index 0000000..71d6f47 --- /dev/null +++ b/policy/modules/services/openshift.if -@@ -0,0 +1,556 @@ +@@ -0,0 +1,574 @@ + +## policy for openshift + @@ -122394,6 +122477,24 @@ index 0000000..681f8a0 + domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t) +') + ++###################################### ++## ++## Send a null signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signull',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signull; ++') ++ +######################################## +## +## Search openshift cache directories. @@ -132258,10 +132359,10 @@ index 0000000..6572600 +') 
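Review bot: The new `networkmanager_read_conf` interface grants list/read on NetworkManager_etc_t but gives the caller no search on /etc, unlike the sibling `networkmanager_read_pid_files`, which calls `files_search_pids($1)` before its allow; a caller without etc_t search is still denied at the path walk. Add `files_search_etc($1)` as the first statement after gen_require, and match the file's argument spacing: `read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t)`. Whether dnsmasq_t, the only caller added in this patch, already has etc search from elsewhere cannot be told from this hunk.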
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..581107c +index 0000000..1bf96b9 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,77 @@ +@@ -0,0 +1,81 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -132337,6 +132438,10 @@ index 0000000..581107c +rpm_read_db(rhsmcertd_t) + +optional_policy(` ++ dmidecode_domtrans(rhsmcertd_t) ++') ++ ++optional_policy(` + gnome_dontaudit_search_config(rhsmcertd_t) +') diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc @@ -139320,10 +139425,10 @@ index 0000000..bab5617 + diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te new file mode 100644 -index 0000000..df04e25 +index 0000000..51c9a04 --- /dev/null +++ b/policy/modules/services/svnserve.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,55 @@ +policy_module(svnserve, 1.0.0) + +######################################## @@ -139353,6 +139458,7 @@ index 0000000..df04e25 +# + +allow svnserve_t self:fifo_file rw_fifo_file_perms; ++allow svnserve_t self:tcp_socket create_stream_socket_perms; +allow svnserve_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) @@ -139613,16 +139719,17 @@ index 25eee43..621f343 100644 /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if -index 38bb312..4b691ac 100644 +index 38bb312..a018070 100644 --- a/policy/modules/services/tftp.if +++ b/policy/modules/services/tftp.if -@@ -13,9 +13,33 @@ +@@ -13,9 +13,34 @@ interface(`tftp_read_content',` gen_require(` type tftpdir_t; + type tftpdir_rw_t; ') ++ list_dirs_pattern($1, tftpdir_t, tftpdir_t) read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) + 
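Review bot: `allow svnserve_t self:tcp_socket create_stream_socket_perms;` lets svnserve create and listen on TCP sockets, but the portion of svnserve.te visible in this hunk carries no corenet bind or port rule, so either the daemon is meant to run only under inetd/ssh and the rule is wider than needed, or the bind rules live further down the file. A comment stating the intended mode, e.g. `# standalone (-d) mode: listens on the svn port`, paired with the corenet node-bind and svn-port interfaces next to this line, would make the intent checkable. The remainder of svnserve.te is outside the hunk.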
@@ -139650,7 +139757,7 @@ index 38bb312..4b691ac 100644 ') ######################################## -@@ -40,6 +64,91 @@ interface(`tftp_manage_rw_content',` +@@ -40,6 +65,91 @@ interface(`tftp_manage_rw_content',` ######################################## ## @@ -139742,7 +139849,7 @@ index 38bb312..4b691ac 100644 ## All of the rules required to administrate ## an tftp environment ## -@@ -55,13 +164,19 @@ interface(`tftp_admin',` +@@ -55,13 +165,19 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') @@ -140781,7 +140888,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te -index db9d2a5..12334bb 100644 +index db9d2a5..4808975 100644 --- a/policy/modules/services/tuned.te +++ b/policy/modules/services/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) @@ -140843,18 +140950,27 @@ index db9d2a5..12334bb 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t) +@@ -47,17 +69,34 @@ files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) -+fs_getattr_xattr_fs(tuned_t) ++fs_getattr_all_fs(tuned_t) + +auth_use_nsswitch(tuned_t) + logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +84,14 @@ optional_policy(` + + userdom_dontaudit_search_user_home_dirs(tuned_t) + ++optional_policy(` ++ dbus_system_bus_client(tuned_t) ++ dbus_connect_system_bus(tuned_t) ++') ++ + # to allow disk tuning + optional_policy(` fstools_domtrans(tuned_t) ') @@ -146647,7 +146763,7 @@ index c9981d1..75a7d17 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..67a111c 100644 +index 7f88f5f..045777f 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te 
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) @@ -146683,7 +146799,7 @@ index 7f88f5f..67a111c 100644 -allow zabbix_t self:fifo_file rw_file_perms; -allow zabbix_t self:process { setsched getsched signal }; +allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; -+allow zabbix_t self:process setsched; ++allow zabbix_t self:process { setsched signal_perms }; +allow zabbix_t self:sem create_sem_perms; +allow zabbix_t self:fifo_file rw_fifo_file_perms; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; @@ -146768,22 +146884,23 @@ index 7f88f5f..67a111c 100644 zabbix_tcp_connect(zabbix_agent_t) + diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc -index 3defaa1..7436a1c 100644 +index 3defaa1..ddefee5 100644 --- a/policy/modules/services/zarafa.fc +++ b/policy/modules/services/zarafa.fc -@@ -8,8 +8,10 @@ +@@ -8,8 +8,11 @@ /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) ++/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/log/zarafa/dagent\.log -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) /var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -@@ -18,9 +20,11 @@ +@@ -18,9 +21,11 @@ /var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) 
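Review bot: The new `allow zabbix_t self:process { setsched signal_perms };` grants the whole signal_perms set where the line it replaces in the patch allowed only setsched and the upstream rule being superseded (visible above as `-allow zabbix_t self:process { setsched getsched signal };`) allowed only `signal`, and getsched is dropped in the same step with no reason given. If zabbix only signals its own workers, `{ setsched getsched signal }` plus whichever single extra permission the AVC showed would be tighter than the macro, and keeping getsched avoids a fresh denial if the daemon queries its scheduler class. Since both sides of the rule are zabbix_t the exposure is small, but the widening should at least be stated in a comment on the line.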
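Review bot: The new `/var/lib/zarafa-webapp(/.*)?` entry is the third near-identical line mapping a /var/lib/zarafa* tree to zarafa_var_lib_t; a single pattern `/var/lib/zarafa(-webaccess|-webapp)?(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)` would keep the three from drifting apart. Separately, labelling the web application directories with the server daemon's var_lib type means whichever domain serves them (presumably httpd_t) must be granted access to the same type that holds the daemon's own state; if that sharing is not intended, a dedicated type for the web content is the tighter choice — the zarafa.te side is not visible here to confirm either way.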
diff --git a/selinux-policy.spec b/selinux-policy.spec index d2bdd43..03f4ef0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 159%{?dist} +Release: 160%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -479,6 +479,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 13 2012 Miroslav Grepl 3.10.0-160 +- Allow BOINC client to use an HTTP proxy for all connections +- Add labeling for /var/lib/zarafa-webapp +- Allow mozilla plugins to read /dev/hpet +- Allow MPD to read /dev/radnom +- Allow dnsmasq to read /etc/NetworkManager +- Fix storage_rw_inherited_fixed_disk_dev() to cover also blk_file +- httpd needs to send signull to openshift init script +- Fix tftp_read_content() interface + * Mon Nov 5 2012 Miroslav Grepl 3.10.0-159 - More fixes for passwd/group labeling - New ypbind pkg wants to search /var/run which is caused by sd_notify
