##
+## Execute CGI in the specified domain.
+##
+##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1165,8 +1381,30 @@ interface(`apache_cgi_domain',`
########################################
##
-## All of the rules required to
-## administrate an apache environment.
+## Execute httpd server in the httpd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apache_systemctl',`
+ gen_require(`
+ type httpd_t;
+ type httpd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 httpd_unit_file_t:file read_file_perms;
+ allow $1 httpd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, httpd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate an apache environment
##
##
##
@@ -1183,18 +1421,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
- type httpd_initrc_exec_t, httpd_suexec_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_unit_file_t;
')
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
+ allow $1 httpd_t:process signal_perms;
+ ps_process_pattern($1, httpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1204,10 +1443,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
- admin_pattern($1, { httpd_config_t httpd_keytab_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1218,9 +1457,141 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+
+ apache_systemctl($1)
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ apache_filetrans_named_content($1)
+')
+
+########################################
+##
+## dontaudit read and write an leaked file descriptors
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_dontaudit_leaks',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
+########################################
+##
+## Transition to apache named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
+ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
+ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
+ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
+##
+## Allow any httpd_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`apache_entrypoint',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+ allow $1 httpd_exec_t:file entrypoint;
+')
+
+########################################
+##
+## Execute a httpd_exec_t in the specified domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`apache_exec_domtrans',`
+ gen_require(`
+ type httpd_exec_t;
+ ')
+
+ domtrans_pattern($1, httpd_exec_t, $2)
+')
+
+########################################
+##
+## Transition to apache home content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_filetrans_home_content',`
+ gen_require(`
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
+ type httpd_user_content_ra_t;
+ ')
- apache_run_all_scripts($1, $2)
- apache_run_helper($1, $2)
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..bce7760 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
+#
+# NOTES:
+# This policy will work with SUEXEC enabled as part of the Apache
+# configuration. However, the user CGI scripts will run under the
+# system_u:system_r:httpd_user_script_t.
+#
+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
+# type, and the directory containing the scripts should also be labeled
+# with these types. This policy allows the user role to perform that
+# relabeling. If it is desired that only admin role should be able to relabel
+# the user CGI scripts, then relabel rule for user roles should be removed.
+#
########################################
#
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
-##
-## Determine whether httpd can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow Apache to modify public files
+## used for public file transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+##
##
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
##
-##
-## Determine whether httpd can use mod_auth_pam.
-##
+##
+## Dontaudit Apache to search dirs.
+##
##
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
##
-##
-## Determine whether httpd can use built in scripting.
-##
+##
+## Allow Apache to use mod_auth_pam
+##
##
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_pam, false)
##
-##
-## Determine whether httpd can check spam.
-##
+##
+## Allow Apache to use mod_auth_ntlm_winbind
+##
##
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to the network using TCP.
-##
+##
+## Allow httpd scripts and modules execmem/execstack
+##
+##
+gen_tunable(httpd_execmem, false)
+
+##
+##
+## Allow httpd processes to manage IPA content
+##
+##
+gen_tunable(httpd_manage_ipa, false)
+
+##
+##
+## Allow httpd to use built in scripting (usually php)
+##
+##
+gen_tunable(httpd_builtin_scripting, false)
+
+##
+##
+## Allow HTTPD scripts and modules to connect to the network using TCP.
+##
##
gen_tunable(httpd_can_network_connect, false)
##
-##
-## Determine whether httpd scripts and modules
-## can connect to cobbler over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+##
##
gen_tunable(httpd_can_network_connect_cobbler, false)
##
-##
-## Determine whether scripts and modules can
-## connect to databases over the network.
-##
+##
+## Allow HTTPD scripts and modules to server cobbler files.
+##
##
-gen_tunable(httpd_can_network_connect_db, false)
+gen_tunable(httpd_serve_cobbler_files, false)
##
-##
-## Determine whether httpd can connect to
-## ldap over the network.
-##
+##
+## Allow HTTPD to connect to port 80 for graceful shutdown
+##
##
-gen_tunable(httpd_can_network_connect_ldap, false)
+gen_tunable(httpd_graceful_shutdown, false)
##
-##
-## Determine whether httpd can connect
-## to memcache server over the network.
-##
+##
+## Allow HTTPD scripts and modules to connect to databases over the network.
+##
##
-gen_tunable(httpd_can_network_connect_memcache, false)
+gen_tunable(httpd_can_network_connect_db, false)
##
-##
-## Determine whether httpd can act as a relay.
-##
+##
+## Allow httpd to connect to memcache server
+##
##
-gen_tunable(httpd_can_network_relay, false)
+gen_tunable(httpd_can_network_memcache, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
+##
+## Allow httpd to act as a relay
+##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
+gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
+## Allow http daemon to connect to zabbix
+##
##
-gen_tunable(httpd_can_sendmail, false)
+gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
+##
+## Allow http daemon to connect to mythtv
+##
##
-gen_tunable(httpd_dbus_avahi, false)
+gen_tunable(httpd_can_connect_mythtv, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
+## Allow http daemon to check spam
+##
##
-gen_tunable(httpd_enable_cgi, false)
+gen_tunable(httpd_can_check_spam, false)
##
-##
-## Determine whether httpd can act as a
-## FTP server by listening on the ftp port.
-##
+##
+## Allow http daemon to send mail
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
+gen_tunable(httpd_can_sendmail, false)
##
-##
-## Determine whether httpd can traverse
-## user home directories.
-##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
##
-gen_tunable(httpd_enable_homedirs, false)
+gen_tunable(httpd_dbus_avahi, false)
##
-##
-## Determine whether httpd gpg can modify
-## public files used for public file
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
+##
+## Allow Apache to communicate with sssd service via dbus
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
+gen_tunable(httpd_dbus_sssd, false)
##
-##
-## Determine whether httpd can execute
-## its temporary content.
-##
+##
+## Allow httpd cgi support
+##
##
-gen_tunable(httpd_tmp_exec, false)
+gen_tunable(httpd_enable_cgi, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
+##
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+##
##
-gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_enable_ftp_server, false)
##
-##
-## Determine whether httpd can connect
-## to port 80 for graceful shutdown.
-##
+##
+## Allow httpd to act as a FTP client
+## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
+gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
+##
+## Allow httpd to connect to the ldap port
+##
##
-gen_tunable(httpd_manage_ipa, false)
+gen_tunable(httpd_can_connect_ldap, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
+## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_enable_homedirs, false)
##
-##
-## Determine whether httpd can read
-## generic user home content files.
-##
+##
+## Allow httpd to read user content
+##
##
gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can change
-## its resource limits.
-##
+##
+## Allow Apache to run in stickshift mode, not transition to passenger
+##
+##
+gen_tunable(httpd_run_stickshift, false)
+
+##
+##
+## Allow Apache to query NS records
+##
+##
+gen_tunable(httpd_verify_dns, false)
+
+##
+##
+## Allow httpd daemon to change its resource limits
+##
##
gen_tunable(httpd_setrlimit, false)
##
-##
-## Determine whether httpd can run
-## SSI executables in the same domain
-## as system CGI scripts.
-##
+##
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
gen_tunable(httpd_ssi_exec, false)
##
-##
-## Determine whether httpd can communicate
-## with the terminal. Needed for entering the
-## passphrase for certificates at the terminal.
-##
+##
+## Allow Apache to execute tmp content.
+##
+##
+gen_tunable(httpd_tmp_exec, false)
+
+##
+##
+## Unify HTTPD to communicate with the terminal.
+## Needed for entering the passphrase for certificates at
+## the terminal.
+##
##
gen_tunable(httpd_tty_comm, false)
##
-##
-## Determine whether httpd can have full access
-## to its content types.
-##
+##
+## Unify HTTPD handling of all content files.
+##
##
gen_tunable(httpd_unified, false)
##
-##
-## Determine whether httpd can use
-## cifs file systems.
-##
+##
+## Allow httpd to access openstack ports
+##
+##
+gen_tunable(httpd_use_openstack, false)
+
+##
+##
+## Allow httpd to access cifs file systems
+##
##
gen_tunable(httpd_use_cifs, false)
##
##
-## Determine whether httpd can
-## use fuse file systems.
+## Allow httpd to access FUSE file systems
##
##
gen_tunable(httpd_use_fusefs, false)
##
-##
-## Determine whether httpd can use gpg.
-##
+##
+## Allow httpd to run gpg
+##
##
gen_tunable(httpd_use_gpg, false)
##
-##
-## Determine whether httpd can use
-## nfs file systems.
-##
+##
+## Allow httpd to connect to sasl
+##
+##
+gen_tunable(httpd_use_sasl, false)
+
+##
+##
+## Allow httpd to access nfs file systems
+##
##
gen_tunable(httpd_use_nfs, false)
+##
+##
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(httpd_sys_script_anon_write, false)
+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
+attribute httpd_content_type;
-# domains that can exec all scripts
+# domains that can exec all users scripts
attribute httpd_exec_scripts;
+attribute httpd_script_type;
attribute httpd_script_exec_type;
+attribute httpd_user_script_exec_type;
-# all script domains
+# user script domains
attribute httpd_script_domains;
-attribute_role httpd_helper_roles;
-roleattribute system_r httpd_helper_roles;
-
type httpd_t;
type httpd_exec_t;
+ifdef(`distro_redhat',`
+ typealias httpd_t alias phpfpm_t;
+ typealias httpd_exec_t alias phpfpm_exec_t;
+')
init_daemon_domain(httpd_t, httpd_exec_t)
+role system_r types httpd_t;
+# httpd_cache_t is the type given to the /var/cache/httpd
+# directory and the files under that directory
type httpd_cache_t;
files_type(httpd_cache_t)
+# httpd_config_t is the type given to the configuration files
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_helper_t;
type httpd_helper_exec_t;
-application_domain(httpd_helper_t, httpd_helper_exec_t)
-role httpd_helper_roles types httpd_helper_t;
+domain_type(httpd_helper_t)
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
+role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
+')
+systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
type httpd_log_t;
+ifdef(`distro_redhat',`
+ typealias httpd_log_t alias phpfpm_log_t;
+')
logging_log_file(httpd_log_t)
+# httpd_modules_t is the type given to module files (libraries)
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
files_type(httpd_modules_t)
+type httpd_php_t;
+type httpd_php_exec_t;
+domain_type(httpd_php_t)
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
+role system_r types httpd_php_t;
+
+type httpd_php_tmp_t;
+files_tmp_file(httpd_php_tmp_t)
+
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
-type squirrelmail_spool_t;
-files_tmp_file(squirrelmail_spool_t)
-
-type httpd_suexec_t;
+# SUEXEC runs user scripts as their own user ID
+type httpd_suexec_t; #, daemon;
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
+# setup the system domain for system CGI scripts
apache_content_template(sys)
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
+
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
+typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
type httpd_var_run_t;
+ifdef(`distro_redhat',`
+ typealias httpd_var_run_t alias phpfpm_var_run_t;
+')
files_pid_file(httpd_var_run_t)
-type httpd_passwd_t;
-type httpd_passwd_exec_t;
-domain_type(httpd_passwd_t)
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
-role system_r types httpd_passwd_t;
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
-type httpd_gpg_t;
-domain_type(httpd_gpg_t)
-role system_r types httpd_gpg_t;
+# File Type of squirrelmail attachments
+type squirrelmail_spool_t;
+files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
optional_policy(`
prelink_object_file(httpd_modules_t)
')
+type httpd_passwd_t;
+type httpd_passwd_exec_t;
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
+role system_r types httpd_passwd_t;
+
########################################
#
-# Local policy
+# Apache server local policy
#
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
-allow httpd_t self:unix_dgram_socket sendto;
-allow httpd_t self:unix_stream_socket { accept connectto listen };
-allow httpd_t self:tcp_socket { accept listen };
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow httpd_t self:tcp_socket create_stream_socket_perms;
+allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
+# Allow httpd_t to put files in /var/cache/httpd etc
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+can_exec(httpd_t, httpd_exec_t)
+
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
+allow httpd_t httpd_log_t:dir setattr;
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+# cjp: need to refine create interfaces to
+# cut this back to add_name only
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+apache_domtrans_rotatelogs(httpd_t)
+# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_suexec_exec_t:process { signal signull };
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-can_exec(httpd_t, httpd_exec_t)
-
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
kernel_read_kernel_sysctls(httpd_t)
-kernel_read_network_state(httpd_t)
+# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_read_network_state(httpd_t)
kernel_search_network_sysctl(httpd_t)
-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_generic_if(httpd_t)
+corenet_udp_sendrecv_generic_if(httpd_t)
corenet_tcp_sendrecv_generic_node(httpd_t)
+corenet_udp_sendrecv_generic_node(httpd_t)
+corenet_tcp_sendrecv_all_ports(httpd_t)
+corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
-
-corenet_sendrecv_http_server_packets(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
-corenet_tcp_sendrecv_http_port(httpd_t)
-
-corenet_sendrecv_http_cache_server_packets(httpd_t)
+corenet_udp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
-
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
+corenet_tcp_bind_jboss_management_port(httpd_t)
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
+corenet_sendrecv_http_server_packets(httpd_t)
+corenet_tcp_bind_puppet_port(httpd_t)
+# Signal self for shutdown
+tunable_policy(`httpd_graceful_shutdown',`
+ corenet_tcp_connect_http_port(httpd_t)
+')
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
-domain_use_interactive_fds(httpd_t)
-
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
-
-fs_getattr_all_fs(httpd_t)
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
+
+# execute perl
+corecmd_exec_bin(httpd_t)
+corecmd_exec_shell(httpd_t)
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
+
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
+# for modules that want to access /etc/mtab
files_read_etc_runtime_files(httpd_t)
+# Allow httpd_t to have access to files such as nisswitch.conf
+# for tomcat
files_read_var_lib_symlinks(httpd_t)
-auth_use_nsswitch(httpd_t)
+fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
+ifdef(`hide_broken_symptoms',`
+ libs_exec_lib_files(httpd_t)
+')
+
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
-seutil_dontaudit_search_config(httpd_t)
+miscfiles_dontaudit_access_check_cert(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
- tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
- logging_send_audit_msgs(httpd_t)
- ')
+tunable_policy(`httpd_anon_write',`
+ miscfiles_manage_public_files(httpd_t)
')
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+ files_dontaudit_search_non_security_dirs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
tunable_policy(`httpd_can_network_connect',`
- corenet_sendrecv_all_client_packets(httpd_t)
corenet_tcp_connect_all_ports(httpd_t)
- corenet_tcp_sendrecv_all_ports(httpd_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_t)
corenet_tcp_connect_gds_db_port(httpd_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_t)
- corenet_sendrecv_mssql_client_packets(httpd_t)
corenet_tcp_connect_mssql_port(httpd_t)
- corenet_tcp_sendrecv_mssql_port(httpd_t)
- corenet_sendrecv_oracledb_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
')
tunable_policy(`httpd_can_network_relay',`
- corenet_sendrecv_gopher_client_packets(httpd_t)
+ # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_sendrecv_gopher_port(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
- corenet_sendrecv_http_cache_client_packets(httpd_t)
corenet_tcp_connect_http_cache_port(httpd_t)
- corenet_tcp_sendrecv_http_cache_port(httpd_t)
- corenet_sendrecv_squid_client_packets(httpd_t)
corenet_tcp_connect_squid_port(httpd_t)
- corenet_tcp_sendrecv_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+ corenet_sendrecv_http_client_packets(httpd_t)
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
+ corenet_sendrecv_squid_client_packets(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
+tunable_policy(`httpd_execmem',`
+ allow httpd_t self:process { execmem execstack };
+ allow httpd_sys_script_t self:process { execmem execstack };
+ allow httpd_suexec_t self:process { execmem execstack };
+')
- allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
+tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
-# ')
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
+')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
+')
+
+tunable_policy(`httpd_can_connect_ftp',`
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_ldap',`
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_mythtv',`
+ corenet_tcp_connect_mythtv_port(httpd_t)
+')
+
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
tunable_policy(`httpd_enable_ftp_server',`
- corenet_sendrecv_ftp_server_packets(httpd_t)
corenet_tcp_bind_ftp_port(httpd_t)
- corenet_tcp_sendrecv_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+tunable_policy(`httpd_use_nfs',`
fs_list_auto_mountpoints(httpd_t)
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
+
+tunable_policy(`httpd_use_nfs',`
+ automount_search_tmp_dirs(httpd_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_t)
+ fs_read_cifs_symlinks(httpd_t)
')
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
+ # allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
- corenet_tcp_sendrecv_smtp_port(httpd_t)
- corenet_sendrecv_pop_client_packets(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
corenet_tcp_connect_pop_port(httpd_t)
- corenet_tcp_sendrecv_pop_port(httpd_t)
-
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
mta_signal_system_mail(httpd_t)
+ postfix_rw_spool_maildrop_files(httpd_t)
')
-optional_policy(`
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
- ')
-')
-
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_sendrecv_http_port(httpd_t)
-')
-
-optional_policy(`
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
- ')
-')
-
-optional_policy(`
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
+ fs_manage_fusefs_dirs(httpd_t)
+ fs_manage_fusefs_files(httpd_t)
+ fs_manage_fusefs_symlinks(httpd_t)
')
tunable_policy(`httpd_setrlimit',`
@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
+ allow httpd_sys_script_t httpd_t:fd use;
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
+ allow httpd_sys_script_t httpd_t:process sigchld;
')
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
- can_exec(httpd_t, httpd_tmp_t)
-')
-
+# When the admin starts the server, the server wants to access
+# the TTY or PTY associated with the session. The httpd appears
+# to run correctly without this permission, so the permission
+# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
+optional_policy(`
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
+ abrt_domtrans_retrace_worker(httpd_t)
+ abrt_read_config(httpd_t)
')
optional_policy(`
@@ -744,24 +895,32 @@ optional_policy(`
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
+ cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
+ cvs_read_data(httpd_t)
')
optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
+ daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
- cvs_read_data(httpd_t)
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
')
optional_policy(`
- daemontools_service_domain(httpd_t, httpd_exec_t)
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
')
optional_policy(`
@@ -770,6 +929,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
+
+ tunable_policy(`httpd_dbus_sssd',
+ sssd_dbus_chat(httpd_t)
+ ')
')
optional_policy(`
@@ -781,34 +944,53 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
+')
+
+optional_policy(`
+ gssproxy_stream_connect(httpd_t)
+')
+
+optional_policy(`
+ mirrormanager_manage_pid_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
+')
+
+optional_policy(`
+ jetty_admin(httpd_t)
+')
+
+optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
- kerberos_manage_host_rcache(httpd_t)
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
')
optional_policy(`
+ # needed by FreeIPA
ldap_stream_connect(httpd_t)
-
- tunable_policy(`httpd_can_network_connect_ldap',`
- ldap_tcp_connect(httpd_t)
- ')
+ ldap_read_certs(httpd_t)
')
optional_policy(`
mailman_signal_cgi(httpd_t)
mailman_domtrans_cgi(httpd_t)
mailman_read_data_files(httpd_t)
+ # should have separate types for public and private archives
mailman_search_data(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
- memcached_stream_connect(httpd_t)
+ mediawiki_read_tmp_files(httpd_t)
+ mediawiki_delete_tmp_files(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_memcache',`
- memcached_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ memcached_stream_connect(httpd_t)
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -816,8 +998,18 @@ optional_policy(`
')
optional_policy(`
+ munin_read_config(httpd_t)
+')
+
+optional_policy(`
+ # Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
+ mysql_rw_db_sockets(httpd_t)
+
+ optional_policy(`
+ postgresql_stream_connect(httpd_t)
+ ')
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -826,6 +1018,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -836,20 +1029,40 @@ optional_policy(`
')
optional_policy(`
+ openshift_search_lib(httpd_t)
+ openshift_initrc_signull(httpd_t)
+ openshift_initrc_signal(httpd_t)
+')
+
+optional_policy(`
+ passenger_exec(httpd_t)
+ passenger_kill(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+')
+
+optional_policy(`
pcscd_read_pid_files(httpd_t)
')
optional_policy(`
- postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
+ pki_apache_domain_signal(httpd_t)
+ pki_manage_apache_config_files(httpd_t)
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
+ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_t)
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
+optional_policy(`
+ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
@@ -857,19 +1070,35 @@ optional_policy(`
')
optional_policy(`
+ # Allow httpd to work with postgresql
+ postgresql_stream_connect(httpd_t)
+ postgresql_unpriv_client(httpd_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_t)
+ ')
+')
+
+optional_policy(`
seutil_sigchld_newrole(httpd_t)
')
optional_policy(`
smokeping_read_lib_files(httpd_t)
+ smokeping_read_pid_files(httpd_t)
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
optional_policy(`
+ thin_stream_connect(httpd_t)
+')
+
+optional_policy(`
udev_read_db(httpd_t)
')
@@ -877,65 +1106,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_manage_lib_files(httpd_t)
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
+optional_policy(`
+ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+ zoneminder_stream_connect(httpd_t)
+ zoneminder_exec(httpd_t)
+')
+
########################################
#
-# Helper local policy
+# Apache helper local policy
#
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
+allow httpd_helper_t httpd_config_t:file read_file_perms;
-files_search_etc(httpd_helper_t)
+allow httpd_helper_t httpd_log_t:file append_file_perms;
-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
+tunable_policy(`httpd_verify_dns',`
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
+
+tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
+
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ passenger_manage_lib_files(httpd_t)
+ passenger_getattr_log_files(httpd_t)
+ ',`
+ passenger_domtrans(httpd_t)
+ passenger_read_lib_files(httpd_t)
+ passenger_stream_connect(httpd_t)
+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ oddjob_dbus_chat(httpd_t)
+ ')
+')
+
tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_helper_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
+
+########################################
+#
+# Apache PHP script local policy
+#
+
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow httpd_php_t self:fd use;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
+allow httpd_php_t self:unix_dgram_socket sendto;
+allow httpd_php_t self:unix_stream_socket connectto;
+allow httpd_php_t self:shm create_shm_perms;
+allow httpd_php_t self:sem create_sem_perms;
+allow httpd_php_t self:msgq create_msgq_perms;
+allow httpd_php_t self:msg { send receive };
+
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
+
+# allow php to read and append to apache logfiles
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
+
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
+
+fs_search_auto_mountpoints(httpd_php_t)
+
+auth_use_nsswitch(httpd_php_t)
+
+libs_exec_lib_files(httpd_php_t)
+
+userdom_use_unpriv_users_fds(httpd_php_t)
+
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(httpd_php_t)
+ mysql_rw_db_sockets(httpd_php_t)
+ mysql_read_config(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_php_t)
+ ')
+')
+
+optional_policy(`
+ postgresql_stream_connect(httpd_php_t)
+ postgresql_unpriv_client(httpd_php_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
')
########################################
#
-# Suexec local policy
+# Apache suexec local policy
#
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
-allow httpd_suexec_t self:tcp_socket { accept listen };
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
+
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
-
dev_read_urand(httpd_suexec_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
-miscfiles_read_localization(httpd_suexec_t)
miscfiles_read_public_files(httpd_suexec_t)
-tunable_policy(`httpd_builtin_scripting',`
- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
-
- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
- allow httpd_suexec_t httpdcontent:file read_file_perms;
- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
-')
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
')
tunable_policy(`httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
')
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
- corenet_tcp_connect_smtp_port(httpd_suexec_t)
- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
- corenet_tcp_connect_pop_port(httpd_suexec_t)
- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
mta_send_mail(httpd_suexec_t)
- mta_signal_system_mail(httpd_suexec_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_read_cifs_files(httpd_suexec_t)
- fs_read_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_suexec_t)
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_list_auto_mountpoints(httpd_suexec_t)
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
fs_exec_nfs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_execmem',`
- allow httpd_suexec_t self:process { execmem execstack };
-')
-
-tunable_policy(`httpd_tmp_exec',`
- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
-')
-
-tunable_policy(`httpd_tty_comm',`
- userdom_use_user_terminals(httpd_suexec_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_cifs_dirs(httpd_suexec_t)
- fs_manage_cifs_files(httpd_suexec_t)
- fs_manage_cifs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_suexec_t)
+ fs_read_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_fusefs_dirs(httpd_suexec_t)
- fs_manage_fusefs_files(httpd_suexec_t)
- fs_read_fusefs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_suexec_t)
- fs_manage_nfs_dirs(httpd_suexec_t)
- fs_manage_nfs_files(httpd_suexec_t)
- fs_manage_nfs_symlinks(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_suexec_t)
+optional_policy(`
+ mailman_domtrans_cgi(httpd_suexec_t)
')
optional_policy(`
- mailman_domtrans_cgi(httpd_suexec_t)
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
optional_policy(`
mysql_stream_connect(httpd_suexec_t)
+ mysql_rw_db_sockets(httpd_suexec_t)
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1077,172 +1365,106 @@ optional_policy(`
')
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_suexec_t)
-')
-
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_suexec_t)
-')
-
########################################
#
-# Common script local policy
+# Apache system script local policy
#
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
+files_search_var_lib(httpd_sys_script_t)
+files_search_spool(httpd_sys_script_t)
-seutil_dontaudit_search_config(httpd_script_domains)
+logging_inherit_append_all_logs(httpd_sys_script_t)
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_script_domains httpdcontent:file entrypoint;
+# Should we add a boolean?
+apache_domtrans_rotatelogs(httpd_sys_script_t)
- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
+auth_use_nsswitch(httpd_sys_script_t)
- can_exec(httpd_script_domains, httpdcontent)
+ifdef(`distro_redhat',`
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-tunable_policy(`httpd_enable_cgi',`
- allow httpd_script_domains self:process { setsched signal_perms };
- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
-
- kernel_read_system_state(httpd_script_domains)
-
- fs_getattr_all_fs(httpd_script_domains)
-
- files_read_etc_runtime_files(httpd_script_domains)
- files_read_usr_files(httpd_script_domains)
-
- libs_read_lib_files(httpd_script_domains)
-
- miscfiles_read_localization(httpd_script_domains)
+tunable_policy(`httpd_can_sendmail',`
+ mta_send_mail(httpd_sys_script_t)
')
optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_script_domains)
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+ spamassassin_domtrans_client(httpd_t)
')
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
- corenet_tcp_connect_gds_db_port(httpd_script_domains)
- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
- corenet_tcp_connect_mssql_port(httpd_script_domains)
- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
')
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
-')
+tunable_policy(`httpd_use_nfs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
-optional_policy(`
- nscd_use(httpd_script_domains)
+ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
-########################################
-#
-# System script local policy
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
-
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs',`
userdom_search_user_home_dirs(httpd_sys_script_t)
')
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_execmem',`
- allow httpd_sys_script_t self:process { execmem execstack };
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
')
tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_cifs_dirs(httpd_sys_script_t)
fs_manage_cifs_files(httpd_sys_script_t)
fs_manage_cifs_symlinks(httpd_sys_script_t)
-')
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_sys_script_t)
+ fs_manage_cifs_dirs(httpd_suexec_t)
+ fs_manage_cifs_files(httpd_suexec_t)
+ fs_manage_cifs_symlinks(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
+ fs_exec_fusefs_files(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_sys_script_t)
- fs_manage_nfs_dirs(httpd_sys_script_t)
- fs_manage_nfs_files(httpd_sys_script_t)
- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_sys_script_t)
+optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
+ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
optional_policy(`
- postgresql_unpriv_client(httpd_sys_script_t)
+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
')
########################################
#
-# Rotatelogs local policy
+# httpd_rotatelogs local policy
#
allow httpd_rotatelogs_t self:capability dac_override;
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
-files_read_etc_files(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
-miscfiles_read_localization(httpd_rotatelogs_t)
########################################
#
@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
- apache_content_template(unconfined)
+ type httpd_unconfined_script_t;
+ type httpd_unconfined_script_exec_t;
+ domain_type(httpd_unconfined_script_t)
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
')
########################################
@@ -1324,49 +1563,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
- fs_read_cifs_symlinks(httpd_user_script_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
- fs_read_nfs_symlinks(httpd_user_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_user_script_t)
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
')
tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
userdom_read_user_home_content_files(httpd_user_script_t)
')
-optional_policy(`
- postgresql_unpriv_client(httpd_user_script_t)
-')
-
########################################
#
-# Passwd local policy
+# httpd_passwd local policy
#
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
-
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
+
auth_use_nsswitch(httpd_passwd_t)
-miscfiles_read_generic_certs(httpd_passwd_t)
-miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_certs(httpd_passwd_t)
-########################################
-#
-# GPG local policy
-#
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
+dev_read_rand(httpd_script_type)
+dev_read_urand(httpd_script_type)
+
+corecmd_exec_all_executables(httpd_script_type)
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-miscfiles_read_localization(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
')
optional_policy(`
- apache_manage_sys_rw_content(httpd_gpg_t)
+ nscd_socket_use(httpd_script_type)
')
-optional_policy(`
- gpg_entry_type(httpd_gpg_t)
- gpg_exec(httpd_gpg_t)
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+
+tunable_policy(`httpd_builtin_scripting',`
+ allow httpd_t httpd_content_type:dir search_dir_perms;
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
+
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13..462acb8 100644
--- a/apcupsd.fc
+++ b/apcupsd.fc
@@ -1,10 +1,15 @@
+/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0)
+
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
+
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
diff --git a/apcupsd.if b/apcupsd.if
index f3c0aba..cbe3d4a 100644
--- a/apcupsd.if
+++ b/apcupsd.if
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
########################################
##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apcupsd_systemctl',`
+ gen_require(`
+ type apcupsd_t;
+ type apcupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 apcupsd_unit_file_t:file read_file_perms;
+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apcupsd_t)
+')
+
+########################################
+##
+## Create configuration files in /var/lock
+## with a named file type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apcupsd_filetrans_named_content',`
+ gen_require(`
+ type apcupsd_lock_t;
+ ')
+
+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
+')
+
+########################################
+##
## All of the rules required to
## administrate an apcupsd environment.
##
@@ -144,11 +187,17 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_unit_file_t;
+ type apcupsd_power_t;
')
- allow $1 apcupsd_t:process { ptrace signal_perms };
+ allow $1 apcupsd_t:process signal_perms;
ps_process_pattern($1, apcupsd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apcupsd_t:process ptrace;
+ ')
+
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
@@ -165,4 +214,11 @@ interface(`apcupsd_admin',`
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
+
+ apcupsd_systemctl($1)
+ admin_pattern($1, apcupsd_unit_file_t)
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
+
+ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
index b236327..a813b6c 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
type apcupsd_var_run_t;
files_pid_file(apcupsd_var_run_t)
+type apcupsd_power_t;
+files_type(apcupsd_power_t)
+
+type apcupsd_unit_file_t;
+systemd_unit_file(apcupsd_unit_file_t)
+
########################################
#
# Local policy
@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t)
+files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
+
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
-corenet_all_recvfrom_unlabeled(apcupsd_t)
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
@@ -74,19 +82,24 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
+domain_signull_all_domains(apcupsd_t)
+
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
-term_use_unallocated_ttys(apcupsd_t)
+term_use_all_terms(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
+auth_use_nsswitch(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_user_ttys(apcupsd_t)
+userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
@@ -101,6 +114,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
+optional_policy(`
+ systemd_start_power_services(apcupsd_t)
+ systemd_status_power_services(apcupsd_t)
+')
+
########################################
#
# CGI local policy
@@ -112,7 +130,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
index ce27d2f..d20377e 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
diff --git a/apm.if b/apm.if
index 1a7a97e..1d29dce 100644
--- a/apm.if
+++ b/apm.if
@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
########################################
##
+## Execute apmd server in the apmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`apmd_systemctl',`
+ gen_require(`
+ type apmd_t;
+ type apmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 apmd_unit_file_t:file read_file_perms;
+ allow $1 apmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, apmd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an apm environment.
##
@@ -163,9 +186,13 @@ interface(`apm_admin',`
type apmd_tmp_t;
')
- allow $1 apmd_t:process { ptrace signal_perms };
+ allow $1 apmd_t:process { signal_perms };
ps_process_pattern($1, apmd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 apmd_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
index 3590e2f..1d8a844 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
+type apmd_unit_file_t;
+systemd_unit_file(apmd_unit_file_t)
+
########################################
#
# Client local policy
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
fs_getattr_xattr_fs(apm_t)
-term_use_all_terms(apm_t)
+term_use_all_inherited_terms(apm_t)
domain_use_interactive_fds(apm_t)
@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
#
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
kernel_rw_all_sysctls(apmd_t)
kernel_read_system_state(apmd_t)
kernel_write_proc_files(apmd_t)
+kernel_request_load_module(apmd_t)
dev_read_input(apmd_t)
dev_read_mouse(apmd_t)
@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
fs_dontaudit_getattr_all_symlinks(apmd_t)
fs_dontaudit_getattr_all_pipes(apmd_t)
fs_dontaudit_getattr_all_sockets(apmd_t)
-
-selinux_search_fs(apmd_t)
+fs_read_cgroup_files(apmd_t)
corecmd_exec_all_executables(apmd_t)
@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
auth_use_nsswitch(apmd_t)
init_domtrans_script(apmd_t)
+init_read_utmp(apmd_t)
+init_telinit(apmd_t)
libs_exec_ld_so(apmd_t)
libs_exec_lib_files(apmd_t)
@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
-miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
modutils_domtrans_insmod(apmd_t)
modutils_read_module_config(apmd_t)
-seutil_dontaudit_read_config(apmd_t)
+seutil_sigchld_newrole(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
optional_policy(`
automount_domtrans(apmd_t)
@@ -206,11 +210,15 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
')
optional_policy(`
- shutdown_domtrans(apmd_t)
+ sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(apmd_t)
')
optional_policy(`
diff --git a/apt.if b/apt.if
index e2414c4..970736b 100644
--- a/apt.if
+++ b/apt.if
@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
allow $1 apt_var_cache_t:file read_file_perms;
')
diff --git a/apt.te b/apt.te
index e2d8d52..d82403c 100644
--- a/apt.te
+++ b/apt.te
@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
+term_use_all_inherited_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
-miscfiles_read_localization(apt_t)
-
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-userdom_use_user_terminals(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
cron_system_entry(apt_t, apt_exec_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
+
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 50c9b9c..51c8cc0 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
########################################
##
+## Execute arpwatch server in the arpwatch domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`arpwatch_systemctl',`
+ gen_require(`
+ type arpwatch_t;
+ type arpwatch_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 arpwatch_unit_file_t:file read_file_perms;
+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, arpwatch_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an arpwatch environment.
##
@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_unit_file_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
+ allow $1 arpwatch_t:process signal_perms;
ps_process_pattern($1, arpwatch_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 arpwatch_t:process ptrace;
+ ')
+
arpwatch_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
files_list_pids($1)
admin_pattern($1, arpwatch_var_run_t)
+
+ arpwatch_systemctl($1)
+ admin_pattern($1, arpwatch_unit_file_t)
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
index fa18c76..fd6911a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_var_run_t;
files_pid_file(arpwatch_var_run_t)
+type arpwatch_unit_file_t;
+systemd_unit_file(arpwatch_unit_file_t)
+
########################################
#
# Local policy
@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_socket create_socket_perms;
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
-kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
+# meminfo
kernel_read_system_state(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
+kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
+corenet_udp_sendrecv_generic_if(arpwatch_t)
+corenet_raw_sendrecv_generic_if(arpwatch_t)
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
+corenet_udp_sendrecv_generic_node(arpwatch_t)
+corenet_raw_sendrecv_generic_node(arpwatch_t)
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
+corenet_udp_sendrecv_all_ports(arpwatch_t)
+
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
-files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)
auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
-miscfiles_read_localization(arpwatch_t)
-
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
index 7268a04..6ffd87d 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
domtrans_pattern($1, asterisk_exec_t, asterisk_t)
')
+######################################
+##
+## Execute asterisk in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`asterisk_exec',`
+ gen_require(`
+ type asterisk_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, asterisk_exec_t)
+')
+
#####################################
##
## Connect to asterisk over a unix domain.
@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
- allow $1 asterisk_t:process { ptrace signal_perms };
+ allow $1 asterisk_t:process signal_perms;
ps_process_pattern($1, asterisk_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 asterisk_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 5439f1c..4f8a8a5 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
+logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
+files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
-
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
-corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-files_read_usr_files(asterisk_t)
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
-
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
diff --git a/authconfig.fc b/authconfig.fc
new file mode 100644
index 0000000..4579cfe
--- /dev/null
+++ b/authconfig.fc
@@ -0,0 +1,3 @@
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
+
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
index 0000000..316c324
--- /dev/null
+++ b/authconfig.if
@@ -0,0 +1,127 @@
+
+## policy for authconfig
+
+########################################
+##
+## Execute TEMPLATE in the authconfig domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`authconfig_domtrans',`
+ gen_require(`
+ type authconfig_t, authconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
+')
+
+########################################
+##
+## Search authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_search_lib',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_read_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_files',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+########################################
+##
+## Manage authconfig lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_manage_lib_dirs',`
+ gen_require(`
+ type authconfig_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an authconfig environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`authconfig_admin',`
+ gen_require(`
+ type authconfig_t;
+ type authconfig_var_lib_t;
+ ')
+
+ allow $1 authconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, authconfig_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, authconfig_var_lib_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
index 0000000..362a049
--- /dev/null
+++ b/authconfig.te
@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
+role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
+
+########################################
+#
+# authconfig local policy
+#
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(authconfig_t)
+domain_named_filetrans(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
diff --git a/automount.fc b/automount.fc
index 92adb37..0a2ffc6 100644
--- a/automount.fc
+++ b/automount.fc
@@ -1,6 +1,8 @@
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
+
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
index 089430a..b0bed70 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
##
##
#
-#
interface(`automount_signal',`
gen_require(`
type automount_t;
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
########################################
##
+## Allow domain to search of automount temporary
+## directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`automount_search_tmp_dirs',`
+ gen_require(`
+ type automount_tmp_t;
+ ')
+
+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
+')
+
+########################################
+##
## Do not audit attempts to get
## attributes of automount temporary
## directories.
@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
########################################
##
+## Execute automount server in the automount domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`automount_systemctl',`
+ gen_require(`
+ type automount_t;
+ type automount_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 automount_unit_file_t:file read_file_perms;
+ allow $1 automount_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, automount_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an automount environment.
##
@@ -153,11 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
+ type automount_unit_file_t;
')
- allow $1 automount_t:process { ptrace signal_perms };
+ allow $1 automount_t:process signal_perms;
ps_process_pattern($1, automount_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 automount_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
@@ -171,4 +217,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
+
+ automount_systemctl($1)
+ admin_pattern($1, automount_unit_file_t)
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
index a579c3b..11dbe9d 100644
--- a/automount.te
+++ b/automount.te
@@ -22,12 +22,16 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
########################################
#
# Local policy
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability2 block_suspend;
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_all_recvfrom_unlabeled(automount_t)
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
@@ -86,6 +89,7 @@ corenet_udp_bind_all_rpc_ports(automount_t)
files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
+files_getattr_all_files(automount_t)
files_getattr_default_dirs(automount_t)
files_getattr_home_dir(automount_t)
files_getattr_isid_type_dirs(automount_t)
@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
-files_read_usr_files(automount_t)
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
@@ -108,6 +111,7 @@ fs_manage_autofs_symlinks(automount_t)
fs_mount_all_fs(automount_t)
fs_mount_autofs(automount_t)
fs_read_nfs_files(automount_t)
+fs_read_nfs_symlinks(automount_t)
fs_search_all(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_unmount_all_fs(automount_t)
@@ -130,15 +134,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
-miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
-mount_domtrans(automount_t)
-mount_signal(automount_t)
-
userdom_dontaudit_use_unpriv_user_fds(automount_t)
optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ mount_domtrans_showmount(automount_t)
+ mount_signal(automount_t)
+')
+
+optional_policy(`
fstools_domtrans(automount_t)
')
@@ -160,3 +167,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
+
+tunable_policy(`mount_anyfile',`
+ files_mounton_non_security(automount_t)
+')
+
diff --git a/avahi.fc b/avahi.fc
index e9fe2ca..4c2d076 100644
--- a/avahi.fc
+++ b/avahi.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
+
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
index aebe7cb..33fe57b 100644
--- a/avahi.if
+++ b/avahi.if
@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
########################################
##
## Connect to avahi using a unix
-$$ stream socket.
+## stream socket.
##
##
##
@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
########################################
##
+## Execute avahi server in the avahi domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`avahi_systemctl',`
+ gen_require(`
+ type avahi_t;
+ type avahi_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 avahi_unit_file_t:file read_file_perms;
+ allow $1 avahi_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, avahi_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an avahi environment.
##
@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_unit_file_t;
type avahi_var_lib_t;
')
- allow $1 avahi_t:process { ptrace signal_perms };
+ allow $1 avahi_t:process signal_perms;
ps_process_pattern($1, avahi_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 avahi_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
@@ -169,4 +197,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
+
+ avahi_systemctl($1)
+ admin_pattern($1, avahi_unit_file_t)
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
index 60e76be..0730647 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
+init_sock_file(avahi_var_run_t)
+
+type avahi_unit_file_t;
+systemd_unit_file(avahi_unit_file_t)
########################################
#
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-corenet_all_recvfrom_unlabeled(avahi_t)
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
files_read_etc_runtime_files(avahi_t)
-files_read_usr_files(avahi_t)
auth_use_nsswitch(avahi_t)
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
-miscfiles_read_localization(avahi_t)
miscfiles_read_generic_certs(avahi_t)
sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
sysnet_etc_filetrans_config(avahi_t)
+systemd_login_signull(avahi_t)
+
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/awstats.te b/awstats.te
index d6ab824..116176d 100644
--- a/awstats.te
+++ b/awstats.te
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
dev_read_urand(awstats_t)
files_dontaudit_search_all_mountpoints(awstats_t)
-files_read_etc_files(awstats_t)
-files_read_usr_files(awstats_t)
fs_list_inotifyfs(awstats_t)
@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
-miscfiles_read_localization(awstats_t)
-
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
@@ -90,9 +86,13 @@ optional_policy(`
# CGI local policy
#
+apache_read_log(httpd_awstats_script_t)
+
+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
+
allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
files_search_var_lib(httpd_awstats_script_t)
-
-apache_read_log(httpd_awstats_script_t)
diff --git a/backup.te b/backup.te
index d6ceef4..c10d39c 100644
--- a/backup.te
+++ b/backup.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
-corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
-userdom_use_user_terminals(backup_t)
+userdom_use_inherited_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.if b/bacula.if
index dcd774e..c240ffa 100644
--- a/bacula.if
+++ b/bacula.if
@@ -69,6 +69,7 @@ interface(`bacula_admin',`
type bacula_t, bacula_etc_t, bacula_log_t;
type bacula_spool_t, bacula_var_lib_t;
type bacula_var_run_t, bacula_initrc_exec_t;
+ attribute_role bacula_admin_roles;
')
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
index 3beba2f..12cd4f6 100644
--- a/bacula.te
+++ b/bacula.te
@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
# Local policy
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
corenet_sendrecv_generic_server_packets(bacula_t)
corenet_udp_bind_generic_port(bacula_t)
+
+#TODO: check port labels for hplip a bacula
+corenet_tcp_bind_bacula_port(bacula_t)
+
corenet_sendrecv_hplip_server_packets(bacula_t)
corenet_tcp_bind_hplip_port(bacula_t)
corenet_udp_bind_hplip_port(bacula_t)
@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t)
fs_getattr_xattr_fs(bacula_t)
fs_list_all(bacula_t)
+auth_use_nsswitch(bacula_t)
auth_read_shadow(bacula_t)
logging_send_syslog_msg(bacula_t)
@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
-files_read_etc_files(bacula_admin_t)
-miscfiles_read_localization(bacula_admin_t)
sysnet_dns_name_resolve(bacula_admin_t)
diff --git a/bcfg2.fc b/bcfg2.fc
index fb42e35..8af0e14 100644
--- a/bcfg2.fc
+++ b/bcfg2.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
index ec95d36..7132e1e 100644
--- a/bcfg2.if
+++ b/bcfg2.if
@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
########################################
##
+## Execute bcfg2 server in the bcfg2 domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bcfg2_systemctl',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bcfg2_unit_file_t:file read_file_perms;
+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bcfg2_t)
+')
+
+
+########################################
+##
## All of the rules required to
## administrate an bcfg2 environment.
##
@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
gen_require(`
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
type bcfg2_var_run_t;
+ type bcfg2_unit_file_t;
')
- allow $1 bcfg2_t:process { ptrace signal_perms };
+ allow $1 bcfg2_t:process { signal_perms };
ps_process_pattern($1, bcfg2_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bcfg2_t:process ptrace;
+ ')
+
bcfg2_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 bcfg2_initrc_exec_t system_r;
@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
files_search_var_lib($1)
admin_pattern($1, bcfg2_var_lib_t)
+
+ bcfg2_systemctl($1)
+ admin_pattern($1, bcfg2_unit_file_t)
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
index 536ec3c..271b976 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
type bcfg2_var_lib_t;
files_type(bcfg2_var_lib_t)
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
domain_use_interactive_fds(bcfg2_t)
-files_read_usr_files(bcfg2_t)
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
index 2b9a3a1..f755e6b 100644
--- a/bind.fc
+++ b/bind.fc
@@ -1,54 +1,75 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
+/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
+ifdef(`distro_debian',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
+
+ifdef(`distro_gentoo',`
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+')
-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+ifdef(`distro_redhat',`
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/proc(/.*)? <>
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-
-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
index 866a1e2..43b445c 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
########################################
##
+## Execute bind server in the bind domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bind_systemctl',`
+ gen_require(`
+ type named_unit_file_t;
+ type named_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 named_unit_file_t:file read_file_perms;
+ allow $1 named_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+##
## Execute ndc in the ndc domain.
##
##
@@ -169,6 +192,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
+ allow $1 named_conf_t:dir list_dir_perms;
read_files_pattern($1, named_conf_t, named_conf_t)
')
@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
########################################
##
+## Create, read, write, and delete
+## BIND configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_manage_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+##
## Search bind cache directories.
##
##
@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
########################################
##
+## Read BIND zone files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_log',`
+ gen_require(`
+ type named_zone_t;
+ type named_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ read_files_pattern($1, named_log_t, named_log_t)
+')
+
+########################################
+##
## Create, read, write, and delete
## bind zone files.
##
@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',`
########################################
##
+## Allow the domain to read bind state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bind_read_state',`
+ gen_require(`
+ type named_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, named_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an bind environment.
##
@@ -362,12 +445,20 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
- type named_cache_t, named_zone_t, named_initrc_exec_t;
- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type named_conf_t, named_var_run_t, named_cache_t;
+ type named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_keytab_t;
+ type named_unit_file_t;
+ ')
+
+ allow $1 named_t:process signal_perms;
+ ps_process_pattern($1, named_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 named_t:process ptrace;
')
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { named_t ndc_t })
+ bind_run_ndc($1, $2)
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
@@ -383,11 +474,15 @@ interface(`bind_admin',`
files_list_etc($1)
admin_pattern($1, named_conf_t)
+ admin_pattern($1, named_keytab_t)
+
files_list_var($1)
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
files_list_pids($1)
admin_pattern($1, named_var_run_t)
- bind_run_ndc($1, $2)
+ admin_pattern($1, named_unit_file_t)
+ bind_systemctl($1)
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
index 076ffee..1672ca4 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)
type named_conf_t;
-files_type(named_conf_t)
+files_config_file(named_conf_t)
files_mountpoint(named_conf_t)
# for secondary zone files
@@ -44,6 +44,9 @@ files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
type named_log_t;
logging_log_file(named_log_t)
@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
# Local policy
#
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
can_exec(named_t, named_exec_t)
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
-setattr_files_pattern(named_t, named_log_t, named_log_t)
+manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
-corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
+dev_dontaudit_write_urand(named_t)
domain_use_interactive_fds(named_t)
@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
+ # needed by FreeIPA with DNS support
+ dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+ cron_system_entry(named_t, named_exec_t)
+')
+
+optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
@@ -183,6 +194,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
+ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
')
optional_policy(`
@@ -209,7 +221,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
-kernel_read_kernel_sysctls(ndc_t)
kernel_read_system_state(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
-miscfiles_read_localization(ndc_t)
+userdom_use_inherited_user_terminals(ndc_t)
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
index d4d71ec..f53b135 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
corenet_tcp_sendrecv_bgp_port(bird_t)
# /etc/iproute2/rt_realms
-files_read_etc_files(bird_t)
logging_send_syslog_msg(bird_t)
diff --git a/bitlbee.if b/bitlbee.if
index e73fb79..2badfc0 100644
--- a/bitlbee.if
+++ b/bitlbee.if
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
type bitlbee_log_t, bitlbee_tmp_t;
')
- allow $1 bitlbee_t:process { ptrace signal_perms };
+ allow $1 bitlbee_t:process signal_perms;
ps_process_pattern($1, bitlbee_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bitlbee_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index ac8c91e..48a96b7 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };
+
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
-allow bitlbee_t self:tcp_socket { accept listen };
-allow bitlbee_t self:unix_stream_socket { accept listen };
+allow bitlbee_t self:udp_socket create_socket_perms;
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
-kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_kernel_sysctls(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
corenet_tcp_connect_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
-files_read_usr_files(bitlbee_t)
-
libs_legacy_use_shared_libs(bitlbee_t)
auth_use_nsswitch(bitlbee_t)
logging_send_syslog_msg(bitlbee_t)
-miscfiles_read_localization(bitlbee_t)
-
optional_policy(`
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
')
diff --git a/blueman.fc b/blueman.fc
index c295d2e..4f84e9c 100644
--- a/blueman.fc
+++ b/blueman.fc
@@ -1,3 +1,4 @@
+
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.if b/blueman.if
index 16ec525..1dd4059 100644
--- a/blueman.if
+++ b/blueman.if
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
allow $1 blueman_t:dbus send_msg;
allow blueman_t $1:dbus send_msg;
+ ps_process_pattern(blueman_t, $1)
')
########################################
diff --git a/blueman.te b/blueman.te
index bc5c984..63a4b1d 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
type blueman_t;
type blueman_exec_t;
-dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
#
allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { execmem signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-kernel_read_net_sysctls(blueman_t)
+kernel_rw_net_sysctls(blueman_t)
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
+dev_rwx_zero(blueman_t)
domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
-files_read_usr_files(blueman_t)
auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
-miscfiles_read_localization(blueman_t)
-
sysnet_domtrans_ifconfig(blueman_t)
+sysnet_dns_name_resolve(blueman_t)
optional_policy(`
avahi_domtrans(blueman_t)
')
optional_policy(`
+ bluetooth_read_config(blueman_t)
+')
+
+optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
+optional_policy(`
dnsmasq_domtrans(blueman_t)
dnsmasq_read_pid_files(blueman_t)
')
optional_policy(`
+ gnome_search_gconf(blueman_t)
+')
+
+optional_policy(`
iptables_domtrans(blueman_t)
')
+
+optional_policy(`
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
index 2b9c7f3..0086b95 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
@@ -5,10 +5,14 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
+
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
index c723a0a..3e8a553 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
+
+ allow $2 bluetooth_helper_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 bluetooth_helper_t:process ptrace;
+ ')
allow $2 bluetooth_t:socket rw_socket_perms;
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ bluetooth_stream_connect($2)
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
- files_search_pids($2)
')
#####################################
@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
########################################
##
+## dontaudit Send and receive messages from
+## bluetooth over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+ gen_require(`
+ type bluetooth_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 bluetooth_t:dbus send_msg;
+ dontaudit bluetooth_t $1:dbus send_msg;
+')
+
+########################################
+##
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
##
+## Execute bluetooth server in the bluetooth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bluetooth_systemctl',`
+ gen_require(`
+ type bluetooth_t;
+ type bluetooth_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 bluetooth_unit_file_t:file read_file_perms;
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bluetooth_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an bluetooth environment.
##
@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
- type bluetooth_initrc_exec_t;
+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
')
- allow $1 bluetooth_t:process { ptrace signal_perms };
+ allow $1 bluetooth_t:process signal_perms;
ps_process_pattern($1, bluetooth_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bluetooth_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
+
+ bluetooth_systemctl($1)
+ admin_pattern($1, bluetooth_unit_file_t)
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
index 6f09d24..231de05 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
+type bluetooth_unit_file_t;
+systemd_unit_file(bluetooth_unit_file_t)
+
########################################
#
# Local policy
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t)
+corecmd_exec_bin(bluetooth_t)
+corecmd_exec_shell(bluetooth_t)
+
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
kernel_request_load_module(bluetooth_t)
kernel_search_debugfs(bluetooth_t)
-corecmd_exec_bin(bluetooth_t)
-corecmd_exec_shell(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
+corenet_udp_sendrecv_generic_if(bluetooth_t)
+corenet_raw_sendrecv_generic_if(bluetooth_t)
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
+corenet_udp_sendrecv_generic_node(bluetooth_t)
+corenet_raw_sendrecv_generic_node(bluetooth_t)
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
+corenet_udp_sendrecv_all_ports(bluetooth_t)
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
-files_read_usr_files(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t)
-miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+# machine-info
+systemd_hostnamed_read_config(bluetooth_t)
+systemd_dbus_chat_hostnamed(bluetooth_t)
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
optional_policy(`
cups_dbus_chat(bluetooth_t)
@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad..bda740a 100644
--- a/boinc.fc
+++ b/boinc.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
index 02fefaa..fbcef10 100644
--- a/boinc.if
+++ b/boinc.if
@@ -1,9 +1,165 @@
-## Platform for computing using volunteered resources.
+## policy for boinc
########################################
##
-## All of the rules required to
-## administrate an boinc environment.
+## Execute a domain transition to run boinc.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_domtrans',`
+ gen_require(`
+ type boinc_t, boinc_exec_t;
+ ')
+
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_initrc_domtrans',`
+ gen_require(`
+ type boinc_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+#######################################
+##
+## Dontaudit getattr on boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_dontaudit_getattr_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ dontaudit $1 boinc_var_lib_t:file getattr;
+')
+
+########################################
+##
+## Search boinc lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_search_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_read_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## boinc lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_lib_files',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+##
+## Manage boinc var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`boinc_manage_var_lib',`
+ gen_require(`
+ type boinc_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+#######################################
+##
+## Execute boinc server in the boinc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`boinc_systemctl',`
+ gen_require(`
+ type boinc_t;
+ type boinc_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 boinc_unit_file_t:file read_file_perms;
+ allow $1 boinc_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, boinc_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an boinc environment.
##
##
##
@@ -19,26 +175,32 @@
#
interface(`boinc_admin',`
gen_require(`
-
- type boinc_t, boinc_project_t, boinc_log_t;
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
- type boinc_project_var_lib_t, boinc_project_tmp_t;
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ type boinc_unit_file_t;
')
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { boinc_t boinc_project_t })
+ allow $1 boinc_t:process signal_perms;
+ ps_process_pattern($1, boinc_t)
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 boinc_t:process ptrace;
+ ')
+
+ boinc_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_logs($1)
- admin_pattern($1, boinc_log_t)
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
- files_search_tmp($1)
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
+ boinc_systemctl($1)
+ admin_pattern($1, boinc_unit_file_t)
- files_search_var_lib($1)
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
+ allow $1 boinc_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/boinc.te b/boinc.te
index 7c92aa1..44edba7 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
-policy_module(boinc, 1.0.3)
+policy_module(boinc, 1.0.0)
########################################
#
# Declarations
#
-type boinc_t;
+##
+##
+## Allow boinc_domain execmem/execstack.
+##
+##
+gen_tunable(boinc_execmem, true)
+
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
-type boinc_project_var_lib_t;
-files_type(boinc_project_var_lib_t)
-
type boinc_log_t;
logging_log_file(boinc_log_t)
+type boinc_unit_file_t;
+systemd_unit_file(boinc_unit_file_t)
+
type boinc_project_t;
domain_type(boinc_project_t)
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
role system_r types boinc_project_t;
type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:process signal;
+allow boinc_domain self:sem create_sem_perms;
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_runtime_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+
+tunable_policy(`boinc_execmem',`
+ allow boinc_domain self:process { execstack execmem };
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
########################################
#
-# Local policy
+# boinc local policy
#
allow boinc_t self:process { setsched setpgid signull sigkill };
-allow boinc_t self:unix_stream_socket { accept listen };
-allow boinc_t self:tcp_socket { accept listen };
+
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
allow boinc_t self:shm create_shm_perms;
-allow boinc_t self:fifo_file rw_fifo_file_perms;
-allow boinc_t self:sem create_sem_perms;
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-
-# entry files to the boinc_project_t domain
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+# this should be created by default by boinc
+# we need this label for transition to boinc_project_t
+# other boinc lib files will end up with boinc_var_lib_t
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
-
-can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
+# needs read /proc/interrupts
kernel_read_system_state(boinc_t)
+kernel_read_network_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
-corenet_all_recvfrom_unlabeled(boinc_t)
+dev_getattr_mouse_dev(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
corenet_tcp_bind_generic_node(boinc_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_t)
-corenet_sendrecv_boinc_server_packets(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
corenet_tcp_bind_boinc_port(boinc_t)
-corenet_tcp_connect_boinc_port(boinc_t)
-corenet_tcp_sendrecv_boinc_port(boinc_t)
-
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
corenet_tcp_bind_boinc_client_port(boinc_t)
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
-
-corenet_sendrecv_http_client_packets(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
-corenet_tcp_sendrecv_http_port(boinc_t)
-
-corenet_sendrecv_http_cache_client_packets(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
-
-corenet_sendrecv_squid_client_packets(boinc_t)
corenet_tcp_connect_squid_port(boinc_t)
-corenet_tcp_sendrecv_squid_port(boinc_t)
-
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-dev_rw_xserver_misc(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
files_dontaudit_getattr_boot_dirs(boinc_t)
-files_getattr_all_dirs(boinc_t)
-files_getattr_all_files(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_etc_runtime_files(boinc_t)
-files_read_usr_files(boinc_t)
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
@@ -130,55 +151,69 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
+modutils_dontaudit_exec_insmod(boinc_t)
-optional_policy(`
- mta_send_mail(boinc_t)
-')
+xserver_stream_connect(boinc_t)
optional_policy(`
- sysnet_dns_name_resolve(boinc_t)
+ mta_send_mail(boinc_t)
')
########################################
#
-# Project local policy
+# boinc-projects local policy
#
allow boinc_project_t self:capability { setuid setgid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+allow boinc_t boinc_project_t:process noatsecure;
+
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
+tunable_policy(`deny_ptrace',`',`
+ allow boinc_project_t self:process ptrace;
+')
+
+allow boinc_project_t self:process { execstack };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
allow boinc_project_t boinc_project_var_lib_t:file execmod;
-can_exec(boinc_project_t, boinc_project_var_lib_t)
allow boinc_project_t boinc_t:shm rw_shm_perms;
-allow boinc_project_t boinc_tmpfs_t:file { read write };
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(boinc_project_t)
-kernel_read_network_state(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
-corenet_all_recvfrom_unlabeled(boinc_project_t)
-corenet_all_recvfrom_netlabel(boinc_project_t)
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
-corenet_tcp_bind_generic_node(boinc_project_t)
-
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
corenet_tcp_connect_boinc_port(boinc_project_t)
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
files_dontaudit_search_home(boinc_project_t)
+# needed by java
+fs_read_hugetlbfs_files(boinc_project_t)
+
+optional_policy(`
+ gnome_read_gconf_config(boinc_project_t)
+')
+
optional_policy(`
java_exec(boinc_project_t)
')
+
+# until solution for VirtualBox, java ..
+optional_policy(`
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
index bcd1e87..6294955 100644
--- a/brctl.te
+++ b/brctl.te
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
domain_use_interactive_fds(brctl_t)
-files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
-miscfiles_read_localization(brctl_t)
-
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
diff --git a/bugzilla.fc b/bugzilla.fc
index fce0b6e..fb6e397 100644
--- a/bugzilla.fc
+++ b/bugzilla.fc
@@ -1,4 +1,4 @@
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..bf0cefa 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
ps_process_pattern($1, httpd_bugzilla_script_t)
- files_search_usr($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_bugzilla_script_t:process ptrace;
+ ')
+
+ files_list_tmp($1)
+ admin_pattern($1, httpd_bugzilla_tmp_t)
+
+ files_list_var_lib(httpd_bugzilla_script_t)
+
admin_pattern($1, httpd_bugzilla_script_exec_t)
admin_pattern($1, httpd_bugzilla_script_t)
admin_pattern($1, httpd_bugzilla_content_t)
@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
files_search_var_lib($1)
admin_pattern($1, httpd_bugzilla_rw_content_t)
- apache_list_sys_content($1)
+ optional_policy(`
+ apache_list_sys_content($1)
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
index 41f8251..57f094e 100644
--- a/bugzilla.te
+++ b/bugzilla.te
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
apache_content_template(bugzilla)
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
########################################
#
# Local policy
@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
files_search_var_lib(httpd_bugzilla_script_t)
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
+auth_read_passwd(httpd_bugzilla_script_t)
+
+dev_read_sysfs(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
sysnet_use_ldap(httpd_bugzilla_script_t)
+miscfiles_read_certs(httpd_bugzilla_script_t)
+
optional_policy(`
mta_send_mail(httpd_bugzilla_script_t)
')
diff --git a/bumblebee.fc b/bumblebee.fc
new file mode 100644
index 0000000..b5ee23b
--- /dev/null
+++ b/bumblebee.fc
@@ -0,0 +1,7 @@
+/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0)
+
+/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0)
+
+/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0)
diff --git a/bumblebee.if b/bumblebee.if
new file mode 100644
index 0000000..de66654
--- /dev/null
+++ b/bumblebee.if
@@ -0,0 +1,121 @@
+## policy for bumblebee
+
+########################################
+##
+## Execute bumblebee in the bumblebee domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_domtrans',`
+ gen_require(`
+ type bumblebee_t, bumblebee_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
+')
+
+########################################
+##
+## Read bumblebee PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_read_pid_files',`
+ gen_require(`
+ type bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
+')
+
+########################################
+##
+## Execute bumblebee server in the bumblebee domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bumblebee_systemctl',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 bumblebee_unit_file_t:file read_file_perms;
+ allow $1 bumblebee_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, bumblebee_t)
+')
+
+########################################
+##
+## Connect to bumblebee over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bumblebee_stream_connect',`
+ gen_require(`
+ type bumblebee_t, bumblebee_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an bumblebee environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`bumblebee_admin',`
+ gen_require(`
+ type bumblebee_t;
+ type bumblebee_var_run_t;
+ type bumblebee_unit_file_t;
+ ')
+
+ allow $1 bumblebee_t:process { signal_perms };
+ ps_process_pattern($1, bumblebee_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 bumblebee_t:process ptrace;
+ ')
+
+ files_search_pids($1)
+ admin_pattern($1, bumblebee_var_run_t)
+
+ bumblebee_systemctl($1)
+ admin_pattern($1, bumblebee_unit_file_t)
+ allow $1 bumblebee_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/bumblebee.te b/bumblebee.te
new file mode 100644
index 0000000..6e058fc
--- /dev/null
+++ b/bumblebee.te
@@ -0,0 +1,65 @@
+policy_module(bumblebee, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type bumblebee_t;
+type bumblebee_exec_t;
+init_daemon_domain(bumblebee_t, bumblebee_exec_t)
+
+type bumblebee_var_run_t;
+files_pid_file(bumblebee_var_run_t)
+
+type bumblebee_unit_file_t;
+systemd_unit_file(bumblebee_unit_file_t)
+
+########################################
+#
+# bumblebee local policy
+#
+
+allow bumblebee_t self:capability { setgid };
+allow bumblebee_t self:process { fork signal_perms };
+allow bumblebee_t self:fifo_file rw_fifo_file_perms;
+allow bumblebee_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t)
+files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(bumblebee_t)
+kernel_dontaudit_access_check_proc(bumblebee_t)
+kernel_manage_debugfs(bumblebee_t)
+
+corecmd_exec_shell(bumblebee_t)
+corecmd_exec_bin(bumblebee_t)
+
+dev_read_sysfs(bumblebee_t)
+
+auth_read_passwd(bumblebee_t)
+
+logging_send_syslog_msg(bumblebee_t)
+
+modutils_domtrans_insmod(bumblebee_t)
+modutils_signal_insmod(bumblebee_t)
+
+sysnet_dns_name_resolve(bumblebee_t)
+
+xserver_domtrans(bumblebee_t)
+xserver_kill(bumblebee_t)
+xserver_signal(bumblebee_t)
+xserver_stream_connect(bumblebee_t)
+xserver_manage_xkb_libs(bumblebee_t)
+corenet_tcp_connect_xserver_port(bumblebee_t)
+
+optional_policy(`
+ apm_stream_connect(bumblebee_t)
+')
+
+optional_policy(`
+ unconfined_domain(bumblebee_t)
+')
diff --git a/cachefilesd.fc b/cachefilesd.fc
index 648c790..aa03fc8 100644
--- a/cachefilesd.fc
+++ b/cachefilesd.fc
@@ -1,9 +1,34 @@
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
diff --git a/cachefilesd.if b/cachefilesd.if
index 8de2ab9..3b41945 100644
--- a/cachefilesd.if
+++ b/cachefilesd.if
@@ -1,39 +1,35 @@
-## CacheFiles user-space management daemon.
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+## policy for cachefilesd
########################################
##
-## All of the rules required to
-## administrate an cachefilesd environment.
+## Execute a domain transition to run cachefilesd.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
-##
-##
-## Role allowed access.
-##
-##
-##
#
-interface(`cachefilesd_admin',`
+interface(`cachefilesd_domtrans',`
gen_require(`
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
- type cachefilesd_var_run_t;
+ type cachefilesd_t, cachefilesd_exec_t;
')
- allow $1 cachefilesd_t:process { ptrace signal_perms };
- ps_process_pattern($1, cachefilesd_t)
-
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 cachefilesd_initrc_exec_t system_r;
- allow $2 system_r;
-
- files_search_var($1)
- admin_pattern($1, cachefilesd_cache_t)
-
- files_search_pids($1)
- admin_pattern($1, cachefilesd_var_run_t)
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
index 581c8ef..2c71b1d 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,143 @@
-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd, 1.0.17)
-########################################
+###############################################################################
#
# Declarations
#
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
type cachefilesd_t;
type cachefilesd_exec_t;
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
-type cachefilesd_initrc_exec_t;
-init_script_file(cachefilesd_initrc_exec_t)
-
-type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
-
+#
+# The cachefilesd daemon pid file context
+#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
-########################################
#
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do. This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache. It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
+files_create_as_is_all_files(cachefilesd_t)
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-
-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
+# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
-logging_send_syslog_msg(cachefilesd_t)
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+# (1) the security context used by the module to access files in the cache,
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
-miscfiles_read_localization(cachefilesd_t)
+#
+# (2) the label that will be assigned to new files and directories created in
+# the cache by the module, which will be the same as the label on the
+# directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
-init_dontaudit_use_script_ptys(cachefilesd_t)
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
-')
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if
index cd9c528..ba793b7 100644
--- a/calamaris.if
+++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',`
attribute_role calamaris_roles;
')
- lightsquid_domtrans($1)
+ calamaris_domtrans($1)
roleattribute $2 calamaris_roles;
')
diff --git a/calamaris.te b/calamaris.te
index f4f21d3..de28437 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
+corenet_tcp_sendrecv_generic_if(calamaris_t)
+corenet_udp_sendrecv_generic_if(calamaris_t)
+corenet_tcp_sendrecv_generic_node(calamaris_t)
+corenet_udp_sendrecv_generic_node(calamaris_t)
+corenet_tcp_sendrecv_all_ports(calamaris_t)
+corenet_udp_sendrecv_all_ports(calamaris_t)
+
dev_read_urand(calamaris_t)
-files_read_usr_files(calamaris_t)
+files_search_pids(calamaris_t)
files_read_etc_runtime_files(calamaris_t)
-libs_read_lib_files(calamaris_t)
-
auth_use_nsswitch(calamaris_t)
logging_send_syslog_msg(calamaris_t)
-miscfiles_read_localization(calamaris_t)
-
userdom_dontaudit_list_user_home_dirs(calamaris_t)
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
index 528051e..44e5b7d 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
auth_use_nsswitch(callweaver_t)
-miscfiles_read_localization(callweaver_t)
diff --git a/canna.if b/canna.if
index 400db07..f416e22 100644
--- a/canna.if
+++ b/canna.if
@@ -43,9 +43,13 @@ interface(`canna_admin',`
type canna_var_run_t, canna_initrc_exec_t;
')
- allow $1 canna_t:process { ptrace signal_perms };
+ allow $1 canna_t:process signal_perms;
ps_process_pattern($1, canna_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 canna_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, canna_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
index 4ec0626..88e7e89 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_all_recvfrom_unlabeled(canna_t)
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
domain_use_interactive_fds(canna_t)
-files_read_etc_files(canna_t)
files_read_etc_runtime_files(canna_t)
-files_read_usr_files(canna_t)
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
logging_send_syslog_msg(canna_t)
-miscfiles_read_localization(canna_t)
-
sysnet_read_config(canna_t)
userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d..cb94e5e 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
+ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t;
')
- allow $1 ccs_t:process { ptrace signal_perms };
+ allow $1 ccs_t:process { signal_perms };
ps_process_pattern($1, ccs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ccs_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, ccs_conf_t)
+ admin_pattern($1, cluster_conf_t)
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
index b85b53b..476aaa3 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
-dontaudit ccs_t self:process ptrace;
+
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { accept connectto listen };
allow ccs_t self:tcp_socket { accept listen };
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
dev_read_urand(ccs_t)
-files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
+init_signal(ccs_t)
logging_send_syslog_msg(ccs_t)
-miscfiles_read_localization(ccs_t)
-
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
- aisexec_stream_connect(ccs_t)
- corosync_stream_connect(ccs_t)
+ rhcs_stream_connect_cluster(ccs_t)
')
optional_policy(`
diff --git a/cdrecord.if b/cdrecord.if
index fbc20f6..4de4a00 100644
--- a/cdrecord.if
+++ b/cdrecord.if
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
- allow $2 cdrecord_t:process { ptrace signal_perms };
+ allow $2 cdrecord_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 cdrecord_t:process ptrace;
+ ')
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
index 55fb26a..a7555c0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
domain_use_interactive_fds(cdrecord_t)
-files_read_etc_files(cdrecord_t)
-
term_use_controlling_term(cdrecord_t)
term_list_ptys(cdrecord_t)
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-miscfiles_read_localization(cdrecord_t)
-
-userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)
+userdom_use_inherited_user_terminals(cdrecord_t)
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt(cdrecord_t)
- fs_read_nfs_files(cdrecord_t)
- fs_read_nfs_symlinks(cdrecord_t)
-')
+userdom_home_manager(cdrecord_t)
optional_policy(`
resmgr_stream_connect(cdrecord_t)
diff --git a/certmaster.if b/certmaster.if
index 0c53b18..ef29f6e 100644
--- a/certmaster.if
+++ b/certmaster.if
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
interface(`certmaster_admin',`
gen_require(`
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
- type certmaster_etc_rw_t, certmaster_var_log_t;
- type certmaster_initrc_exec_t;
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
- allow $1 certmaster_t:process { ptrace signal_perms };
+ allow $1 certmaster_t:process signal_perms;
ps_process_pattern($1, certmaster_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmaster_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index bf82163..2b571c7 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
files_list_var(certmaster_t)
-files_search_etc(certmaster_t)
-files_read_usr_files(certmaster_t)
auth_use_nsswitch(certmaster_t)
-miscfiles_read_localization(certmaster_t)
miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8..cd8eb4d 100644
--- a/certmonger.fc
+++ b/certmonger.fc
@@ -2,6 +2,8 @@
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
+
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/certmonger.if b/certmonger.if
index 008f8ef..144c074 100644
--- a/certmonger.if
+++ b/certmonger.if
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
')
ps_process_pattern($1, certmonger_t)
- allow $1 certmonger_t:process { ptrace signal_perms };
+ allow $1 certmonger_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 certmonger_t:process ptrace;
+ ')
certmonger_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 certmonger_initrc_exec_t system_r;
allow $2 system_r;
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, certmonger_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
index 2354e21..9a5e1fd 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
type certmonger_var_run_t;
files_pid_file(certmonger_var_run_t)
+type certmonger_unconfined_exec_t;
+application_executable_file(certmonger_unconfined_exec_t)
+
########################################
#
# Local policy
@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
+
allow certmonger_t self:process { getsched setsched sigkill signal };
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
-allow certmonger_t self:unix_stream_socket { accept listen };
-allow certmonger_t self:tcp_socket { accept listen };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
kernel_read_kernel_sysctls(certmonger_t)
kernel_read_system_state(certmonger_t)
+kernel_read_network_state(certmonger_t)
corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+
+corenet_tcp_connect_http_port(certmonger_t)
+corenet_tcp_connect_http_cache_port(certmonger_t)
+
+corenet_tcp_connect_ldap_port(certmonger_t)
+
+corenet_tcp_connect_pki_ca_port(certmonger_t)
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
corecmd_exec_bin(certmonger_t)
corecmd_exec_shell(certmonger_t)
+dev_read_rand(certmonger_t)
dev_read_urand(certmonger_t)
domain_use_interactive_fds(certmonger_t)
-files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
+files_list_home(certmonger_t)
fs_search_cgroup_dirs(certmonger_t)
@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t)
logging_send_syslog_msg(certmonger_t)
-miscfiles_read_localization(certmonger_t)
-miscfiles_manage_generic_cert_files(certmonger_t)
+miscfiles_manage_all_certs(certmonger_t)
+
+systemd_exec_systemctl(certmonger_t)
userdom_search_user_home_content(certmonger_t)
optional_policy(`
- apache_initrc_domtrans(certmonger_t)
apache_search_config(certmonger_t)
apache_signal(certmonger_t)
apache_signull(certmonger_t)
+ apache_systemctl(certmonger_t)
')
optional_policy(`
@@ -92,11 +107,51 @@ optional_policy(`
')
optional_policy(`
- kerberos_read_keytab(certmonger_t)
+ dirsrv_manage_config(certmonger_t)
+ dirsrv_signal(certmonger_t)
+ dirsrv_signull(certmonger_t)
+')
+
+optional_policy(`
+ ipa_manage_lib(certmonger_t)
+')
+
+optional_policy(`
kerberos_use(certmonger_t)
+ kerberos_read_keytab(certmonger_t)
')
optional_policy(`
pcscd_read_pid_files(certmonger_t)
pcscd_stream_connect(certmonger_t)
')
+
+optional_policy(`
+ pki_rw_tomcat_cert(certmonger_t)
+ pki_read_tomcat_lib_files(certmonger_t)
+')
+
+########################################
+#
+# certmonger_unconfined_script_t local policy
+#
+
+optional_policy(`
+ type certmonger_unconfined_t;
+ domain_type(certmonger_unconfined_t)
+
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
+ role system_r types certmonger_unconfined_t;
+
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(certmonger_unconfined_t)
+
+ optional_policy(`
+ unconfined_domain(certmonger_unconfined_t)
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
index 403af41..1a4bd9c 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
+kernel_read_system_state(certwatch_t)
+
+corecmd_exec_bin(certwatch_t)
+
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
-files_read_etc_files(certwatch_t)
-files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
+auth_read_passwd(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
-miscfiles_read_localization(certwatch_t)
+miscfiles_manage_generic_cert_dirs(certwatch_t)
+
+sysnet_read_config(certwatch_t)
-userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_use_inherited_user_terminals(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
+ apache_domtrans(certwatch_t)
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
optional_policy(`
+ mta_send_mail(certwatch_t)
+')
+
+optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
+++ b/cfengine.if
@@ -13,7 +13,6 @@
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
- type cfengine_log_t, cfengine_var_lib_t;
')
########################################
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
# Policy
#
+ kernel_read_system_state(cfengine_$1_t)
+
auth_use_nsswitch(cfengine_$1_t)
+
+ logging_send_syslog_msg(cfengine_$1_t)
+')
+
+######################################
+##
+## Search cfengine lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_search_lib_files',`
+ gen_require(`
+ type cfengine_var_lib_t;
+ ')
+
+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
')
########################################
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
+#####################################
+##
+## Allow the specified domain to append cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_append_inherited_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ cfengine_search_lib_files($1)
+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
+')
+
+####################################
+##
+## Dontaudit the specified domain to write cfengine's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cfengine_dontaudit_write_log',`
+ gen_require(`
+ type cfengine_var_log_t;
+ ')
+
+ dontaudit $1 cfengine_var_log_t:file write;
+')
+
########################################
##
## All of the rules required to
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
- allow $1 cfengine_domain:process { ptrace signal_perms };
+ allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')
+
diff --git a/cfengine.te b/cfengine.te
index 8af5bbe..168f01f 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
-kernel_read_system_state(cfengine_domain)
-
corecmd_exec_bin(cfengine_domain)
corecmd_exec_shell(cfengine_domain)
dev_read_urand(cfengine_domain)
dev_read_sysfs(cfengine_domain)
-logging_send_syslog_msg(cfengine_domain)
-
-miscfiles_read_localization(cfengine_domain)
-
+sysnet_dns_name_resolve(cfengine_domain)
sysnet_domtrans_ifconfig(cfengine_domain)
########################################
diff --git a/cgroup.if b/cgroup.if
index 85ca63f..1d1c99c 100644
--- a/cgroup.if
+++ b/cgroup.if
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
type cgrules_etc_t, cgclear_t;
')
- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+ allow $1 cgclear_t:process signal_perms;
+ ps_process_pattern($1, cgclear_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgclear_t:process ptrace;
+ ')
+
+ allow $1 cgconfig_t:process signal_perms;
+ ps_process_pattern($1, cgconfig_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgconfig_t:process ptrace;
+ ')
+
+ allow $1 cgred_t:process signal_perms;
+ ps_process_pattern($1, cgred_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cgred_t:process ptrace;
+ ')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index fdee107..a4c2efb 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
kernel_read_system_state(cgclear_t)
+auth_use_nsswitch(cgclear_t)
+
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
-files_read_etc_files(cgconfig_t)
-
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
+auth_use_nsswitch(cgconfig_t)
+
########################################
#
# cgred local policy
#
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t cgconfig_etc_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
-files_read_etc_files(cgred_t)
-fs_write_cgroup_files(cgred_t)
+fs_manage_cgroup_dirs(cgred_t)
+fs_manage_cgroup_files(cgred_t)
+fs_list_inotifyfs(cgred_t)
-logging_send_syslog_msg(cgred_t)
+auth_use_nsswitch(cgred_t)
-miscfiles_read_localization(cgred_t)
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
index 0000000..d020d89
--- /dev/null
+++ b/chrome.fc
@@ -0,0 +1,10 @@
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
index 0000000..23407b8
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,137 @@
+
+## policy for chrome
+
+########################################
+##
+## Execute a domain transition to run chrome_sandbox.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chrome_domtrans_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
+ ')
+
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
+
+ allow $1 chrome_sandbox_t:fd use;
+
+ dontaudit chrome_sandbox_t $1:socket_class_set getattr;
+ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+ ')
+')
+
+
+########################################
+##
+## Execute chrome_sandbox in the chrome_sandbox domain, and
+## allow the specified role the chrome_sandbox domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the chrome_sandbox domain.
+##
+##
+#
+interface(`chrome_run_sandbox',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ chrome_domtrans_sandbox($1)
+ role $2 types chrome_sandbox_t;
+ role $2 types chrome_sandbox_nacl_t;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role_notrans',`
+ gen_require(`
+ type chrome_sandbox_t;
+ type chrome_sandbox_tmpfs_t;
+ type chrome_sandbox_nacl_t;
+ ')
+
+ role $1 types chrome_sandbox_t;
+ role $1 types chrome_sandbox_nacl_t;
+
+ ps_process_pattern($2, chrome_sandbox_t)
+ allow $2 chrome_sandbox_t:process signal_perms;
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+##
+## Role access for chrome sandbox
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`chrome_role',`
+ chrome_role_notrans($1, $2)
+ chrome_domtrans_sandbox($2)
+')
+
+########################################
+##
+## Dontaudit read/write to a chrome_sandbox leaks
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`chrome_dontaudit_sandbox_leaks',`
+ gen_require(`
+ type chrome_sandbox_t;
+ ')
+
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
index 0000000..b4f29e9
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,249 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+ubac_constrained(chrome_sandbox_t)
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+type chrome_sandbox_nacl_t;
+type chrome_sandbox_nacl_exec_t;
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
+type chrome_sandbox_home_t;
+userdom_user_home_content(chrome_sandbox_home_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:sem create_sem_perms;
+allow chrome_sandbox_t self:msgq create_msgq_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+fs_read_dos_files(chrome_sandbox_t)
+fs_read_hugetlbfs_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_t)
+
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dns_name_resolve(chrome_sandbox_t)
+
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
+
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+userdom_search_user_home_content(chrome_sandbox_t)
+# This one we should figure a way to make it more secure
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
+ gnome_exec_config_home_files(chrome_sandbox_t)
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
+')
+
+optional_policy(`
+ mozilla_write_user_home_files(chrome_sandbox_t)
+')
+
+optional_policy(`
+ xserver_use_user_fonts(chrome_sandbox_t)
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
+ fs_exec_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_files(chrome_sandbox_t)
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
+ fs_exec_cifs_files(chrome_sandbox_t)
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_files(chrome_sandbox_t)
+ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
+ fs_search_fusefs(chrome_sandbox_t)
+ fs_read_fusefs_files(chrome_sandbox_t)
+ fs_exec_fusefs_files(chrome_sandbox_t)
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(chrome_sandbox_t)
+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
+')
+
+optional_policy(`
+ bumblebee_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ cups_stream_connect(chrome_sandbox_t)
+')
+
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
+
+
+########################################
+#
+# chrome_sandbox_nacl local policy
+#
+
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
+
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
+
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
+
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+dev_rwx_zero(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+
+optional_policy(`
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
diff --git a/chronyd.fc b/chronyd.fc
index 4e4143e..a665b32 100644
--- a/chronyd.fc
+++ b/chronyd.fc
@@ -2,6 +2,8 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
diff --git a/chronyd.if b/chronyd.if
index 32e8265..0de4af3 100644
--- a/chronyd.if
+++ b/chronyd.if
@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
########################################
##
-## Connect to chronyd using a unix
-## domain stream socket.
+## Read chronyd keys files.
##
##
##
@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
##
##
#
-interface(`chronyd_stream_connect',`
+interface(`chronyd_read_keys',`
gen_require(`
- type chronyd_t, chronyd_var_run_t;
+ type chronyd_keys_t;
')
- files_search_pids($1)
- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
')
########################################
##
-## Send to chronyd using a unix domain
-## datagram socket.
+## Append chronyd keys files.
##
##
##
@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
##
##
#
-interface(`chronyd_dgram_send',`
+interface(`chronyd_append_keys',`
+ gen_require(`
+ type chronyd_keys_t;
+ ')
+
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+##
+## Execute chronyd server in the chronyd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
+ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 chronyd_unit_file_t:file read_file_perms;
+ allow $1 chronyd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
+
+#######################################
+##
+## Connect to chronyd using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_stream_connect',`
gen_require(`
type chronyd_t, chronyd_var_run_t;
')
files_search_pids($1)
- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
########################################
##
-## Read chronyd key files.
+## Send to chronyd using a unix domain
+## datagram socket.
##
##
##
@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
##
##
#
-interface(`chronyd_read_key_files',`
+interface(`chronyd_dgram_send',`
gen_require(`
- type chronyd_keys_t;
+ type chronyd_t, chronyd_var_run_t;
')
- files_search_etc($1)
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
')
####################################
@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
#
interface(`chronyd_admin',`
gen_require(`
- type chronyd_t, chronyd_var_log_t;
- type chronyd_var_run_t, chronyd_var_lib_t;
- type chronyd_initrc_exec_t, chronyd_keys_t;
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
+ type chronyd_keys_t, chronyd_unit_file_t;
')
- allow $1 chronyd_t:process { ptrace signal_perms };
+ allow $1 chronyd_t:process signal_perms;
ps_process_pattern($1, chronyd_t)
- chronyd_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 chronyd_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
admin_pattern($1, chronyd_keys_t)
- logging_search_logs($1)
+ logging_list_logs($1)
admin_pattern($1, chronyd_var_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
admin_pattern($1, chronyd_var_lib_t)
- files_search_pids($1)
+ files_list_pids($1)
admin_pattern($1, chronyd_var_run_t)
+
+ admin_pattern($1, chronyd_tmpfs_t)
+
+ admin_pattern($1, chronyd_unit_file_t)
+ chronyd_systemctl($1)
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
index 914ee2d..d0c8001 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
type chronyd_tmpfs_t;
files_tmpfs_file(chronyd_tmpfs_t)
+type chronyd_unit_file_t;
+systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
# Local policy
#
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
-allow chronyd_t self:process { getcap setcap setrlimit signal };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
+allow chronyd_t chronyd_keys_t:file append_file_perms;
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
@@ -76,18 +83,20 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
+domain_dontaudit_getsession_all_domains(chronyd_t)
+
+dev_read_rand(chronyd_t)
+dev_read_urand(chronyd_t)
+dev_read_sysfs(chronyd_t)
+
dev_rw_realtime_clock(chronyd_t)
auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
-miscfiles_read_localization(chronyd_t)
+mta_send_mail(chronyd_t)
optional_policy(`
gpsd_rw_shm(chronyd_t)
')
-
-optional_policy(`
- mta_send_mail(chronyd_t)
-')
diff --git a/cipe.te b/cipe.te
index 28c8475..9b86dd1 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_all_recvfrom_unlabeled(ciped_t)
corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_generic_node(ciped_t)
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
domain_use_interactive_fds(ciped_t)
-files_read_etc_files(ciped_t)
files_read_etc_runtime_files(ciped_t)
files_dontaudit_search_var(ciped_t)
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
logging_send_syslog_msg(ciped_t)
-miscfiles_read_localization(ciped_t)
-
sysnet_read_config(ciped_t)
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
diff --git a/clamav.fc b/clamav.fc
index d72afcc..c53b80d 100644
--- a/clamav.fc
+++ b/clamav.fc
@@ -6,6 +6,8 @@
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
+
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
diff --git a/clamav.if b/clamav.if
index 4cc4a5c..99c5cca 100644
--- a/clamav.if
+++ b/clamav.if
@@ -1,4 +1,4 @@
-## ClamAV Virus Scanner.
+## ClamAV Virus Scanner
########################################
##
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
type clamd_t, clamd_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamd_exec_t, clamd_t)
')
########################################
##
-## Connect to clamd using a unix
-## domain stream socket.
+## Connect to run clamd.
##
##
##
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
########################################
##
-## Append clamav log files.
+## Allow the specified domain to append
+## to clamav log files.
##
##
##
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
########################################
##
-## Create, read, write, and delete
-## clamav pid content.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`clamav_manage_pid_content',`
- gen_require(`
- type clamd_var_run_t;
- ')
-
- files_search_pids($1)
- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
-')
-
-########################################
-##
## Read clamav configuration files.
##
##
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
########################################
##
-## Search clamav library directories.
+## Search clamav libraries directories.
##
##
##
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
type clamscan_t, clamscan_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
')
########################################
##
-## Execute clamscan in the caller domain.
+## Execute clamscan without a transition.
##
##
##
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
type clamscan_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, clamscan_exec_t)
')
-#######################################
+########################################
##
-## Read clamd process state files.
+## Manage clamd pid content.
##
##
##
@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
##
##
#
-interface(`clamav_read_state_clamd',`
+interface(`clamav_manage_clamd_pid',`
gen_require(`
- type clamd_t;
+ type clamd_var_run_t;
')
- kernel_search_proc($1)
- allow $1 clamd_t:dir list_dir_perms;
- read_files_pattern($1, clamd_t, clamd_t)
- read_lnk_files_pattern($1, clamd_t, clamd_t)
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
+')
+
+#######################################
+##
+## Read clamd state files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_read_state_clamd',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, clamd_t)
+')
+
+#######################################
+##
+## Execute clamd server in the clamd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`clamd_systemctl',`
+ gen_require(`
+ type clamd_t;
+ type clamd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 clamd_unit_file_t:file read_file_perms;
+ allow $1 clamd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, clamd_t)
')
########################################
##
-## All of the rules required to
-## administrate an clamav environment.
+## All of the rules required to administrate
+## an clamav environment
##
##
##
@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
##
##
##
-## Role allowed access.
+## The role to be allowed to manage the clamav domain.
##
##
##
@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
type freshclam_t, freshclam_var_log_t;
+ type clamd_unit_file_t;
')
- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
+ allow $1 clamd_t:process signal_perms;
+ ps_process_pattern($1, clamd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 clamd_t:process ptrace;
+ allow $1 clamscan_t:process ptrace;
+ allow $1 freshclam_t:process ptrace;
+ ')
+
+ allow $1 clamscan_t:process signal_perms;
+ ps_process_pattern($1, clamscan_t)
+
+ allow $1 freshclam_t:process signal_perms;
+ ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
+ clamd_systemctl($1)
+ admin_pattern($1, clamd_unit_file_t)
+ allow $1 clamd_unit_file_t:service all_service_perms;
+
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
@@ -217,11 +251,21 @@ interface(`clamav_admin',`
admin_pattern($1, clamd_var_lib_t)
logging_list_logs($1)
- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
+ admin_pattern($1, clamd_var_log_t)
files_list_pids($1)
admin_pattern($1, clamd_var_run_t)
files_list_tmp($1)
- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
+ admin_pattern($1, clamd_tmp_t)
+
+ admin_pattern($1, clamscan_tmp_t)
+
+ admin_pattern($1, freshclam_var_log_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+
')
diff --git a/clamav.te b/clamav.te
index 8e1fef9..c8c9a5a 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t)
+type clamd_unit_file_t;
+systemd_unit_file(clamd_unit_file_t)
+
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
+
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { accept connectto listen };
allow clamd_t self:tcp_socket { listen accept };
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
corecmd_exec_shell(clamd_t)
-corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_generic_if(clamd_t)
corenet_tcp_sendrecv_generic_node(clamd_t)
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
corenet_sendrecv_generic_client_packets(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
+corenet_tcp_connect_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
-miscfiles_read_localization(clamd_t)
-
-tunable_policy(`clamd_use_jit',`
- allow clamd_t self:process execmem;
-',`
- dontaudit clamd_t self:process execmem;
-')
-
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
amavis_create_pid_files(clamd_t)
')
@@ -165,6 +161,31 @@ optional_policy(`
mta_send_mail(clamd_t)
')
+optional_policy(`
+ spamd_stream_connect(clamd_t)
+ spamassassin_read_pid_files(clamd_t)
+')
+
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
+',`
+ dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
+')
+
+optional_policy(`
+ antivirus_domain_template(clamd_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(clamscan_t)
+')
+
+optional_policy(`
+ antivirus_domain_template(freshclam_t)
+')
+
########################################
#
# Freshclam local policy
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
logging_send_syslog_msg(freshclam_t)
-miscfiles_read_localization(freshclam_t)
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
@@ -241,6 +261,10 @@ optional_policy(`
')
optional_policy(`
+ clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-corenet_all_recvfrom_unlabeled(clamscan_t)
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corecmd_read_all_executables(clamscan_t)
-files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
files_search_var_lib(clamscan_t)
init_read_utmp(clamscan_t)
init_dontaudit_write_utmp(clamscan_t)
-miscfiles_read_localization(clamscan_t)
miscfiles_read_public_files(clamscan_t)
sysnet_dns_name_resolve(clamscan_t)
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
')
optional_policy(`
- amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
apache_read_sys_content(clamscan_t)
')
diff --git a/clockspeed.te b/clockspeed.te
index b59c592..4b8cddc 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
files_list_var_lib(clockspeed_cli_t)
-files_read_etc_files(clockspeed_cli_t)
-miscfiles_read_localization(clockspeed_cli_t)
-userdom_use_user_terminals(clockspeed_cli_t)
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
########################################
#
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
-files_read_etc_files(clockspeed_srv_t)
-miscfiles_read_localization(clockspeed_srv_t)
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
index 29782b8..685edff 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
logging_send_syslog_msg(clogd_t)
-miscfiles_read_localization(clogd_t)
-
optional_policy(`
- aisexec_stream_connect(clogd_t)
- corosync_stream_connect(clogd_t)
+ rhcs_stream_connect_cluster(clogd_t)
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
index 0000000..6cc6774
--- /dev/null
+++ b/cloudform.fc
@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
+
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
+/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0)
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
+
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
+
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
index 0000000..8ac848b
--- /dev/null
+++ b/cloudform.if
@@ -0,0 +1,42 @@
+## cloudform policy
+
+#######################################
+##
+## Creates types and rules for a basic
+## cloudform daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`cloudform_domain_template',`
+ gen_require(`
+ attribute cloudform_domain;
+ ')
+
+ type $1_t, cloudform_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
+')
+
+######################################
+##
+## Execute mongod in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_exec_mongod',`
+ gen_require(`
+ type mongod_exec_t;
+ ')
+
+ can_exec($1, mongod_exec_t)
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
index 0000000..496ce03
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,300 @@
+policy_module(cloudform, 1.0)
+########################################
+#
+# Declarations
+#
+
+attribute cloudform_domain;
+
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
+cloudform_domain_template(cloud_init)
+
+type cloud_init_tmp_t;
+files_tmp_file(cloud_init_tmp_t)
+
+type cloud_init_unit_file_t;
+systemd_unit_file(cloud_init_unit_file_t)
+
+type cloud_var_lib_t;
+files_type(cloud_var_lib_t)
+
+type cloud_log_t;
+logging_log_file(cloud_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
+
+type deltacloudd_var_run_t;
+files_pid_file(deltacloudd_var_run_t)
+
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
+type iwhd_initrc_exec_t;
+init_script_file(iwhd_initrc_exec_t)
+
+type iwhd_var_lib_t;
+files_type(iwhd_var_lib_t)
+
+type iwhd_var_run_t;
+files_pid_file(iwhd_var_run_t)
+
+type mongod_initrc_exec_t;
+init_script_file(mongod_initrc_exec_t)
+
+type mongod_log_t;
+logging_log_file(mongod_log_t)
+
+type mongod_var_lib_t;
+files_type(mongod_var_lib_t)
+
+type mongod_tmp_t;
+files_tmp_file(mongod_tmp_t)
+
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
+########################################
+#
+# cloudform_domain local policy
+#
+
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
+
+dev_read_rand(cloudform_domain)
+dev_read_urand(cloudform_domain)
+dev_read_sysfs(cloudform_domain)
+
+auth_read_passwd(cloudform_domain)
+
+miscfiles_read_certs(cloudform_domain)
+
+#################################
+#
+# cloud-init local policy
+#
+
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
+
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
+
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
+
+kernel_read_network_state(cloud_init_t)
+
+corenet_tcp_connect_http_port(cloud_init_t)
+
+corecmd_exec_bin(cloud_init_t)
+corecmd_exec_shell(cloud_init_t)
+
+domain_read_all_domains_state(cloud_init_t)
+
+fs_getattr_all_fs(cloud_init_t)
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
+
+miscfiles_read_localization(cloud_init_t)
+
+selinux_validate_context(cloud_init_t)
+
+systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_exec_systemctl(cloud_init_t)
+systemd_start_all_services(cloud_init_t)
+
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
+optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ fstools_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ hostname_exec(cloud_init_t)
+')
+
+optional_policy(`
+ mount_domtrans(cloud_init_t)
+')
+
+optional_policy(`
+ # it check file context and run restorecon
+ seutil_read_file_contexts(cloud_init_t)
+ seutil_domtrans_setfiles(cloud_init_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(cloud_init_t)
+ ssh_read_user_home_files(cloud_init_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(cloud_init_t)
+ sysnet_read_dhcpc_state(cloud_init_t)
+ sysnet_dns_name_resolve(cloud_init_t)
+')
+
+optional_policy(`
+ rpm_domtrans(cloud_init_t)
+ rpm_transition_script(cloud_init_t)
+ unconfined_domain(cloud_init_t)
+')
+
+########################################
+#
+# deltacloudd local policy
+#
+
+allow deltacloudd_t self:capability { dac_override setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
+
+allow deltacloudd_t self:process signal;
+
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
+
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
+kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+corenet_tcp_connect_http_port(deltacloudd_t)
+corenet_tcp_connect_keystone_port(deltacloudd_t)
+
+auth_use_nsswitch(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
+
+optional_policy(`
+ sysnet_read_config(deltacloudd_t)
+')
+
+########################################
+#
+# iwhd local policy
+#
+
+allow iwhd_t self:capability { chown kill };
+allow iwhd_t self:process { fork };
+
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
+
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
+
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
+
+kernel_read_system_state(iwhd_t)
+
+corenet_tcp_bind_generic_node(iwhd_t)
+corenet_tcp_bind_websm_port(iwhd_t)
+corenet_tcp_connect_all_ports(iwhd_t)
+
+dev_read_rand(iwhd_t)
+dev_read_urand(iwhd_t)
+
+userdom_home_manager(iwhd_t)
+
+########################################
+#
+# mongod local policy
+#
+
+allow mongod_t self:process { execmem setsched signal };
+
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
+allow mongod_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
+#needed by dbomatic
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
+
+corecmd_exec_bin(mongod_t)
+corecmd_exec_shell(mongod_t)
+
+corenet_tcp_bind_generic_node(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
+corenet_tcp_connect_mongod_port(mongod_t)
+corenet_tcp_connect_postgresql_port(mongod_t)
+
+kernel_read_vm_sysctls(mongod_t)
+kernel_read_system_state(mongod_t)
+
+fs_getattr_all_fs(mongod_t)
+
+optional_policy(`
+ mysql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(mongod_t)
+')
+
+optional_policy(`
+ sysnet_dns_name_resolve(mongod_t)
+')
diff --git a/cmirrord.if b/cmirrord.if
index cc4e7cb..f348d27 100644
--- a/cmirrord.if
+++ b/cmirrord.if
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
type cmirrord_t, cmirrord_tmpfs_t;
')
- allow $1 cmirrord_t:shm rw_shm_perms;
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
fs_search_tmpfs($1)
')
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
- allow $1 cmirrord_t:process { ptrace signal_perms };
+ allow $1 cmirrord_t:process signal_perms;
ps_process_pattern($1, cmirrord_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cmirrord_t:process ptrace;
+ ')
+
cmirrord_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
index d8e9958..e4c023c 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
# Local policy
#
-allow cmirrord_t self:capability { net_admin kill };
+allow cmirrord_t self:capability { sys_admin net_admin kill };
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
logging_send_syslog_msg(cmirrord_t)
-miscfiles_read_localization(cmirrord_t)
-
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
+
+optional_policy(`
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
+')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..2b650a7 100644
--- a/cobbler.fc
+++ b/cobbler.fc
@@ -4,6 +4,7 @@
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
index c223f81..8b567c1 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
+
+
+########################################
+##
+## Read cobbler configuration dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cobbler_list_config',`
+ gen_require(`
+ type cobbler_etc_t;
+ ')
+
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
+ files_search_etc($1)
+')
+
+
########################################
##
## Read cobbler configuration files.
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
interface(`cobbler_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type cobbler_tmp_t;
')
allow $1 cobblerd_t:process { ptrace signal_perms };
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
-
- apache_search_sys_content($1)
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 2a71346..3a38b11 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
-kernel_dontaudit_search_network_state(cobblerd_t)
+kernel_read_network_state(cobblerd_t)
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)
+dev_read_sysfs(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
-files_read_etc_files(cobblerd_t)
files_read_etc_runtime_files(cobblerd_t)
-files_read_usr_files(cobblerd_t)
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
term_use_console(cobblerd_t)
+auth_use_nsswitch(cobblerd_t)
+
logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
')
optional_policy(`
+ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
@@ -170,6 +173,7 @@ optional_policy(`
bind_domtrans(cobblerd_t)
bind_initrc_domtrans(cobblerd_t)
bind_manage_zone(cobblerd_t)
+ bind_systemctl(cobblerd_t)
')
optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
+ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
dnsmasq_domtrans(cobblerd_t)
dnsmasq_initrc_domtrans(cobblerd_t)
dnsmasq_write_config(cobblerd_t)
+ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(cobblerd_t)
')
optional_policy(`
@@ -192,13 +206,13 @@ optional_policy(`
')
optional_policy(`
+ rsync_exec(cobblerd_t)
rsync_read_config(cobblerd_t)
- rsync_manage_config_files(cobblerd_t)
+ rsync_manage_config(cobblerd_t)
rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
')
optional_policy(`
- tftp_manage_config_files(cobblerd_t)
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
+ tftp_manage_config(cobblerd_t)
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
index 0000000..ee6e817
--- /dev/null
+++ b/cockpit.fc
@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
+
+/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0)
+
+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..25e3237
--- /dev/null
+++ b/cockpit.if
@@ -0,0 +1,186 @@
+
+## policy for cockpit
+
+########################################
+##
+## Execute TEMPLATE in the cockpit domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cockpit_domtrans',`
+ gen_require(`
+ type cockpit_t, cockpit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, cockpit_exec_t, cockpit_t)
+')
+
+########################################
+##
+## Search cockpit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_search_lib',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ allow $1 cockpit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read cockpit lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_read_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Manage cockpit lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_manage_lib_files',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Manage cockpit lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_manage_lib_dirs',`
+ gen_require(`
+ type cockpit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
+')
+
+########################################
+##
+## Execute cockpit server in the cockpit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cockpit_systemctl',`
+ gen_require(`
+ type cockpit_t;
+ type cockpit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 cockpit_unit_file_t:file read_file_perms;
+ allow $1 cockpit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cockpit_t)
+')
+
+
+########################################
+##
+## Send and receive messages from
+## cockpit over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cockpit_dbus_chat',`
+ gen_require(`
+ type cockpit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cockpit_t:dbus send_msg;
+ allow cockpit_t $1:dbus send_msg;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an cockpit environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`cockpit_admin',`
+ gen_require(`
+ type cockpit_t;
+ type cockpit_var_lib_t;
+ type cockpit_unit_file_t;
+ ')
+
+ allow $1 cockpit_t:process { signal_perms };
+ ps_process_pattern($1, cockpit_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cockpit_t:process ptrace;
+ ')
+
+ files_search_var_lib($1)
+ admin_pattern($1, cockpit_var_lib_t)
+
+ cockpit_systemctl($1)
+ admin_pattern($1, cockpit_unit_file_t)
+ allow $1 cockpit_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..589262d
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,95 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cockpit_t;
+type cockpit_exec_t;
+init_daemon_domain(cockpit_t, cockpit_exec_t)
+
+type cockpit_var_lib_t;
+files_type(cockpit_var_lib_t)
+
+type cockpit_unit_file_t;
+systemd_unit_file(cockpit_unit_file_t)
+
+########################################
+#
+# cockpit local policy
+#
+allow cockpit_t self:capability net_admin;
+allow cockpit_t self:fifo_file rw_fifo_file_perms;
+allow cockpit_t self:unix_stream_socket create_stream_socket_perms;
+allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow cockpit_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t)
+files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file })
+
+kernel_read_system_state(cockpit_t)
+kernel_read_network_state(cockpit_t)
+
+corecmd_exec_bin(cockpit_t)
+corecmd_exec_shell(cockpit_t)
+
+corenet_tcp_bind_cockpit_port(cockpit_t)
+
+dev_read_sysfs(cockpit_t)
+
+domain_use_interactive_fds(cockpit_t)
+domain_read_all_domains_state(cockpit_t)
+
+files_read_etc_files(cockpit_t)
+files_list_tmp(cockpit_t)
+
+fs_read_tmpfs_symlinks(cockpit_t)
+fs_list_cgroup_dirs(cockpit_t)
+fs_read_cgroup_files(cockpit_t)
+fs_getattr_all_fs(cockpit_t)
+
+auth_use_nsswitch(cockpit_t)
+
+init_dbus_chat(cockpit_t)
+init_status(cockpit_t)
+init_read_state(cockpit_t)
+init_list_pid_dirs(cockpit_t)
+
+logging_send_syslog_msg(cockpit_t)
+
+miscfiles_read_localization(cockpit_t)
+
+systemd_status_all_unit_files(cockpit_t)
+systemd_read_logind_sessions_files(cockpit_t)
+
+udev_read_pid_files(cockpit_t)
+
+optional_policy(`
+ dbus_system_bus_client(cockpit_t)
+ dbus_connect_system_bus(cockpit_t)
+
+ optional_policy(`
+ accountsd_dbus_chat(cockpit_t)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat_disk(cockpit_t)
+ devicekit_dbus_chat_power(cockpit_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(cockpit_t)
+ networkmanager_stream_connect(cockpit_t)
+ ')
+
+ optional_policy(`
+ realmd_dbus_chat(cockpit_t)
+ ')
+')
+
+optional_policy(`
+ docker_stream_connect(cockpit_t)
+')
diff --git a/collectd.fc b/collectd.fc
index 79a3abe..2e7d7ed 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
+
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
diff --git a/collectd.if b/collectd.if
index 954309e..f4db2ca 100644
--- a/collectd.if
+++ b/collectd.if
@@ -2,8 +2,144 @@
########################################
##
-## All of the rules required to
-## administrate an collectd environment.
+## Transition to collectd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_domtrans',`
+ gen_require(`
+ type collectd_t, collectd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_initrc_domtrans',`
+ gen_require(`
+ type collectd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+')
+
+########################################
+##
+## Search collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_search_lib',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_read_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_files',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Manage collectd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`collectd_manage_lib_dirs',`
+ gen_require(`
+ type collectd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
+')
+
+########################################
+##
+## Execute collectd server in the collectd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`collectd_systemctl',`
+ gen_require(`
+ type collectd_t;
+ type collectd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 collectd_unit_file_t:file read_file_perms;
+ allow $1 collectd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, collectd_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an collectd environment
##
##
##
@@ -20,13 +156,17 @@
interface(`collectd_admin',`
gen_require(`
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
- type collectd_var_lib_t;
+ type collectd_var_lib_t, collectd_unit_file_t;
')
- allow $1 collectd_t:process { ptrace signal_perms };
+ allow $1 collectd_t:process signal_perms;
ps_process_pattern($1, collectd_t)
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 collectd_t:process ptrace;
+ ')
+
+ collectd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
allow $2 system_r;
@@ -36,4 +176,9 @@ interface(`collectd_admin',`
files_search_var_lib($1)
admin_pattern($1, collectd_var_lib_t)
+
+ collectd_systemctl($1)
+ admin_pattern($1, collectd_unit_file_t)
+ allow $1 collectd_unit_file_t:service all_service_perms;
')
+
diff --git a/collectd.te b/collectd.te
index 6471fa8..6ade0ea 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
apache_content_template(collectd)
+type httpd_collectd_script_tmp_t;
+files_tmp_file(httpd_collectd_script_tmp_t)
+
########################################
#
# Local policy
#
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_admin sys_nice };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow collectd_t self:udp_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
+auth_getattr_passwd(collectd_t)
+auth_read_passwd(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
+domain_use_interactive_fds(collectd_t)
+domain_read_all_domains_state(collectd_t)
+
files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
fs_getattr_all_fs(collectd_t)
-miscfiles_read_localization(collectd_t)
+init_read_utmp(collectd_t)
logging_send_syslog_msg(collectd_t)
@@ -75,16 +89,31 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
+ mysql_stream_connect(collectd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(collectd_t)
+')
+
+optional_policy(`
virt_read_config(collectd_t)
+ virt_stream_connect(collectd_t)
')
########################################
#
-# Web local policy
+# Web collectd local policy
#
-optional_policy(`
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-')
+
+files_search_var_lib(httpd_collectd_script_t)
+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+
+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
+
+auth_read_passwd(httpd_collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 717ea0b..22e0385 100644
--- a/colord.fc
+++ b/colord.fc
@@ -4,5 +4,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
+
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/colord.if b/colord.if
index 8e27a37..825f537 100644
--- a/colord.if
+++ b/colord.if
@@ -1,4 +1,4 @@
-## GNOME color manager.
+## GNOME color manager
########################################
##
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
type colord_t, colord_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, colord_exec_t, colord_t)
')
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
allow $1 colord_t:dbus send_msg;
allow colord_t $1:dbus send_msg;
+ ps_process_pattern(colord_t, $1)
')
######################################
@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
')
+
+########################################
+##
+## Execute colord server in the colord domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`colord_systemctl',`
+ gen_require(`
+ type colord_t;
+ type colord_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 colord_unit_file_t:file read_file_perms;
+ allow $1 colord_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
index 09f18e2..3547d05 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
+init_daemon_domain(colord_t, colord_exec_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
+type colord_unit_file_t;
+systemd_unit_file(colord_unit_file_t)
+
########################################
#
# Local policy
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
allow colord_t self:capability { dac_read_search dac_override };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
+
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow colord_t self:tcp_socket { accept listen };
+allow colord_t self:tcp_socket create_stream_socket_perms;
allow colord_t self:shm create_shm_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
-dev_read_sysfs(colord_t)
dev_read_urand(colord_t)
-dev_list_sysfs(colord_t)
+dev_read_sysfs(colord_t)
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
+fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
fs_dontaudit_getattr_all_fs(colord_t)
+fs_getattr_tmpfs(colord_t)
+fs_read_cgroup_files(colord_t)
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
auth_use_nsswitch(colord_t)
+init_read_state(colord_t)
+
logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
+systemd_read_logind_sessions_files(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
-')
+userdom_rw_user_tmpfs_files(colord_t)
+userdom_home_reader(colord_t)
+userdom_list_user_home_content(colord_t)
+userdom_read_inherited_user_home_content_files(colord_t)
optional_policy(`
cups_read_config(colord_t)
cups_read_rw_config(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
+')
+
+optional_policy(`
+ gnome_read_home_icc_data_content(colord_t)
+ # Fixes lots of breakage in F16 on upgrade
+ gnome_read_generic_data_home_files(colord_t)
')
optional_policy(`
@@ -133,3 +143,16 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(colord_t)
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
+ # allow to read /run/initial-setup-$username
+ xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
index 3f6e4dc..88c4f19 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
+corenet_tcp_sendrecv_generic_if(comsat_t)
+corenet_udp_sendrecv_generic_if(comsat_t)
+corenet_tcp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_generic_node(comsat_t)
+corenet_udp_sendrecv_all_ports(comsat_t)
+
dev_read_urand(comsat_t)
fs_getattr_xattr_fs(comsat_t)
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
logging_send_syslog_msg(comsat_t)
-miscfiles_read_localization(comsat_t)
-
userdom_dontaudit_getattr_user_ttys(comsat_t)
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
index 23dc348..c4450f7 100644
--- a/condor.fc
+++ b/condor.fc
@@ -1,4 +1,5 @@
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
@@ -8,6 +9,8 @@
/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
diff --git a/condor.if b/condor.if
index 3fe3cb8..e979b3d 100644
--- a/condor.if
+++ b/condor.if
@@ -1,81 +1,396 @@
-## High-Throughput Computing System.
+
+## policy for condor
+
+#####################################
+##
+## Creates types and rules for a basic
+## condor init daemon domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`condor_domain_template',`
+ gen_require(`
+ type condor_master_t;
+ attribute condor_domain;
+ ')
+
+ #############################
+ #
+ # Declarations
+ #
+
+ type condor_$1_t, condor_domain;
+ type condor_$1_exec_t;
+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
+ role system_r types condor_$1_t;
+
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
+ allow condor_master_t condor_$1_exec_t:file ioctl;
+
+ kernel_read_system_state(condor_$1_t)
+
+ corenet_all_recvfrom_netlabel(condor_$1_t)
+ corenet_all_recvfrom_unlabeled(condor_$1_t)
+
+ auth_use_nsswitch(condor_$1_t)
+
+ logging_send_syslog_msg(condor_$1_t)
+')
+
+########################################
+##
+## Transition to condor.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_domtrans_master',`
+ gen_require(`
+ type condor_master_t, condor_master_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, condor_master_exec_t, condor_master_t)
+')
+
+#######################################
+##
+## Allows to start userland processes
+## by transitioning to the specified domain,
+## with a range transition.
+##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+##
+##
+## Range for the domain.
+##
+##
+#
+interface(`condor_startd_ranged_domtrans_to',`
+ gen_require(`
+ type sshd_t;
+ ')
+ condor_startd_domtrans_to($1, $2)
+
+
+ ifdef(`enable_mcs',`
+ range_transition condor_startd_t $2:process $3;
+ ')
+
+')
#######################################
##
-## The template to define a condor domain.
+## Allows to start userlandprocesses
+## by transitioning to the specified domain.
##
-##
+##
+##
+## The process type entered by condor_startd.
+##
+##
+##
+##
+## The executable type for the entrypoint.
+##
+##
+#
+interface(`condor_startd_domtrans_to',`
+ gen_require(`
+ type condor_startd_t;
+ ')
+
+ domtrans_pattern(condor_startd_t, $2, $1)
+')
+
+########################################
+##
+## Read condor's log files.
+##
+##
##
-## Domain prefix to be used.
+## Domain allowed access.
##
##
+##
#
-template(`condor_domain_template',`
+interface(`condor_read_log',`
gen_require(`
- attribute condor_domain;
- type condor_master_t;
+ type condor_log_t;
')
- #############################
- #
- # Declarations
- #
+ logging_search_logs($1)
+ read_files_pattern($1, condor_log_t, condor_log_t)
+')
- type condor_$1_t, condor_domain;
- type condor_$1_exec_t;
- domain_type(condor_$1_t)
- domain_entry_file(condor_$1_t, condor_$1_exec_t)
- role system_r types condor_$1_t;
+########################################
+##
+## Append to condor log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_append_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- #############################
- #
- # Policy
- #
+ logging_search_logs($1)
+ append_files_pattern($1, condor_log_t, condor_log_t)
+')
- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
- allow condor_master_t condor_$1_exec_t:file ioctl;
+########################################
+##
+## Manage condor log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_log',`
+ gen_require(`
+ type condor_log_t;
+ ')
- auth_use_nsswitch(condor_$1_t)
+ logging_search_logs($1)
+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
+ manage_files_pattern($1, condor_log_t, condor_log_t)
+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
')
########################################
##
-## All of the rules required to
-## administrate an condor environment.
+## Search condor lib directories.
##
##
##
## Domain allowed access.
##
##
-##
+#
+interface(`condor_search_lib',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ allow $1 condor_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read condor lib files.
+##
+##
##
-## Role allowed access.
+## Domain allowed access.
##
##
-##
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+######################################
+##
+## Read and write condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_files',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Manage condor lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_manage_lib_dirs',`
+ gen_require(`
+ type condor_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
+
+########################################
+##
+## Read condor PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_read_pid_files',`
gen_require(`
- attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t;
+ type condor_var_run_t;
')
- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute condor server in the condor domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`condor_systemctl',`
+ gen_require(`
+ type condor_domain;
+ type condor_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 condor_unit_file_t:file read_file_perms;
+ allow $1 condor_unit_file_t:service manage_service_perms;
+
ps_process_pattern($1, condor_domain)
+')
+
+#######################################
+##
+## Read and write condor_startd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_startd',`
+ gen_require(`
+ type condor_startd_t;
+ ')
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 condor_initrc_exec_t system_r;
- allow $2 system_r;
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
+')
+
+######################################
+##
+## Read and write condor_schedd server TCP sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_rw_tcp_sockets_schedd',`
+ gen_require(`
+ type condor_schedd_t;
+ ')
+
+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an condor environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
+ type condor_initrc_exec_t, condor_log_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
+ ')
+
+ allow $1 condor_domain:process { signal_perms };
+ ps_process_pattern($1, condor_domain)
+
+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 condor_initrc_exec_t system_r;
+ allow $2 system_r;
logging_search_logs($1)
admin_pattern($1, condor_log_t)
- files_search_locks($1)
- admin_pattern($1, condor_var_lock_t)
+ files_search_locks($1)
+ admin_pattern($1, condor_var_lock_t)
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
@@ -85,4 +400,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
+
+ condor_systemctl($1)
+ admin_pattern($1, condor_unit_file_t)
+ allow $1 condor_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/condor.te b/condor.te
index 3f2b672..8fb887d 100644
--- a/condor.te
+++ b/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
type condor_log_t;
logging_log_file(condor_log_t)
@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
+type condor_unit_file_t;
+systemd_unit_file(condor_unit_file_t)
+
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
@@ -57,15 +63,21 @@ condor_domain_template(startd)
# Global local policy
#
+allow condor_domain self:capability dac_override;
+allow condor_domain self:capability2 block_suspend;
+
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
-allow condor_domain self:unix_stream_socket { accept listen };
+allow condor_domain self:tcp_socket create_stream_socket_perms;
+allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
allow condor_domain condor_master_t:process signull;
allow condor_domain condor_master_t:tcp_socket getattr;
+allow condor_domain condor_master_t:udp_socket { read write };
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain)
corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain)
-corenet_all_recvfrom_netlabel(condor_domain)
-corenet_all_recvfrom_unlabeled(condor_domain)
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain)
+auth_read_passwd(condor_domain)
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
@@ -125,7 +135,7 @@ optional_policy(`
# Master local policy
#
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
allow condor_master_t condor_domain:process { sigkill signal };
@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
+logging_send_syslog_msg(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
+corenet_tcp_bind_http_port(condor_collector_t)
+
#####################################
#
# Negotiator local policy
@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
+
######################################
#
# Procd local policy
@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
+
domain_read_all_domains_state(condor_procd_t)
@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
+
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
+
#####################################
#
# Startd local policy
@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
+init_initrc_domain(condor_startd_t)
libs_exec_lib_files(condor_startd_t)
-files_read_usr_files(condor_startd_t)
-
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
@@ -249,3 +273,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
+
+optional_policy(`
+ unconfined_domain(condor_startd_t)
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
index 0000000..5f97ba9
--- /dev/null
+++ b/conman.fc
@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
+
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
diff --git a/conman.if b/conman.if
new file mode 100644
index 0000000..54b4b04
--- /dev/null
+++ b/conman.if
@@ -0,0 +1,142 @@
+## Conman is a program for connecting to remote consoles being managed by conmand
+
+########################################
+##
+## Execute conman in the conman domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_domtrans',`
+ gen_require(`
+ type conman_t, conman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, conman_exec_t, conman_t)
+')
+
+########################################
+##
+## Read conman's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_read_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Append to conman log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_append_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Manage conman log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`conman_manage_log',`
+ gen_require(`
+ type conman_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, conman_log_t, conman_log_t)
+ manage_files_pattern($1, conman_log_t, conman_log_t)
+')
+
+########################################
+##
+## Execute conman server in the conman domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`conman_systemctl',`
+ gen_require(`
+ type conman_t;
+ type conman_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 conman_unit_file_t:file read_file_perms;
+ allow $1 conman_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, conman_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an conman environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`conman_admin',`
+ gen_require(`
+ type conman_t;
+ type conman_log_t;
+ type conman_unit_file_t;
+ ')
+
+ allow $1 conman_t:process { signal_perms };
+ ps_process_pattern($1, conman_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 conman_t:process ptrace;
+ ')
+
+ logging_search_logs($1)
+ admin_pattern($1, conman_log_t)
+
+ conman_systemctl($1)
+ admin_pattern($1, conman_unit_file_t)
+ allow $1 conman_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/conman.te b/conman.te
new file mode 100644
index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type conman_t;
+type conman_exec_t;
+init_daemon_domain(conman_t, conman_exec_t)
+
+type conman_log_t;
+logging_log_file(conman_log_t)
+
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
+########################################
+#
+# conman local policy
+#
+
+allow conman_t self:capability { sys_tty_config };
+allow conman_t self:process { setrlimit signal_perms };
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
+allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
+logging_log_filetrans(conman_t, conman_log_t, { dir })
+
+corenet_tcp_bind_generic_node(conman_t)
+corenet_tcp_bind_conman_port(conman_t)
+
+corecmd_exec_bin(conman_t)
+
+auth_read_passwd(conman_t)
+
+logging_send_syslog_msg(conman_t)
+
+sysnet_dns_name_resolve(conman_t)
+
+userdom_use_user_ptys(conman_t)
+
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
########################################
##
+## dontaudit Send and receive messages from
+## consolekit over dbus.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_dbus_chat',`
+ gen_require(`
+ type consolekit_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 consolekit_t:dbus send_msg;
+ dontaudit consolekit_t $1:dbus send_msg;
+')
+
+########################################
+##
## Send and receive messages from
## consolekit over dbus.
##
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
########################################
##
+## Dontaudit attempts to read consolekit log files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`consolekit_dontaudit_read_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ dontaudit $1 consolekit_log_t:file read_file_perms;
+')
+
+########################################
+##
## Read consolekit log files.
##
##
@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
allow $1 consolekit_var_run_t:dir list_dir_perms;
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
+########################################
+##
+## List consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_list_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
+########################################
+##
+## Allow the domain to read consolekit state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_state',`
+ gen_require(`
+ type consolekit_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, consolekit_t)
+')
+
+########################################
+##
+## Execute consolekit server in the consolekit domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`consolekit_systemctl',`
+ gen_require(`
+ type consolekit_t;
+ type consolekit_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 consolekit_unit_file_t:file read_file_perms;
+ allow $1 consolekit_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
index 5f0c793..580dff0 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
+type consolekit_unit_file_t;
+systemd_unit_file(consolekit_unit_file_t)
+
########################################
#
# Local policy
#
allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
-mcs_ptrace_all(consolekit_t)
-
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
+init_read_utmp(consolekit_t)
+
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
-miscfiles_read_localization(consolekit_t)
+systemd_exec_systemctl(consolekit_t)
+systemd_start_power_services(consolekit_t)
+userdom_read_all_users_state(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(consolekit_t)
-')
+userdom_home_reader(consolekit_t)
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(consolekit_t)
+optional_policy(`
+ cron_read_system_job_lib_files(consolekit_t)
')
ifdef(`distro_debian',`
@@ -112,13 +113,6 @@ optional_policy(`
')
')
-optional_policy(`
- hal_ptrace(consolekit_t)
-')
-
-optional_policy(`
- networkmanager_append_log_files(consolekit_t)
-')
optional_policy(`
policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0f..6a96733 100644
--- a/corosync.fc
+++ b/corosync.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
+
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
diff --git a/corosync.if b/corosync.if
index 694a037..b836c07 100644
--- a/corosync.if
+++ b/corosync.if
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
')
+#######################################
+##
+## Setattr corosync log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_setattr_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+
#####################################
##
## Connect to corosync over a unix
@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
+ type corosync_var_lib_t;
')
files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
######################################
##
-## Read and write corosync tmpfs files.
+## Allow the specified domain to read/write corosync's tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corosync_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+
+')
+
+########################################
+##
+## Execute corosync server in the corosync domain.
##
##
##
-## Domain allowed access.
+## Domain allowed to transition.
##
##
#
-interface(`corosync_rw_tmpfs',`
+interface(`corosync_systemctl',`
gen_require(`
- type corosync_tmpfs_t;
+ type corosync_t;
+ type corosync_unit_file_t;
')
- fs_search_tmpfs($1)
- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+ systemd_exec_systemctl($1)
+ allow $1 corosync_unit_file_t:file read_file_perms;
+ allow $1 corosync_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, corosync_t)
')
######################################
@@ -160,12 +204,17 @@ interface(`corosync_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
+ type corosync_unit_file_t;
')
- allow $1 corosync_t:process { ptrace signal_perms };
+ allow $1 corosync_t:process signal_perms;
ps_process_pattern($1, corosync_t)
- corosync_initrc_domtrans($1)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 corosync_t:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
@@ -183,4 +232,8 @@ interface(`corosync_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
+
+ corosync_systemctl($1)
+ admin_pattern($1, corosync_unit_file_t)
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
index eeea48d..691ca11 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
+type corosync_unit_file_t;
+systemd_unit_file(corosync_unit_file_t)
+
########################################
#
# Local policy
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
-files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_read_user_tmp_files(corosync_t)
-userdom_manage_user_tmpfs_files(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+ init_manage_script_status_files(corosync_t)
+')
optional_policy(`
ccs_read_config(corosync_t)
@@ -129,20 +137,29 @@ optional_policy(`
')
optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
qpidd_rw_shm(corosync_t)
')
optional_policy(`
- rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
rhcs_rw_cluster_shm(corosync_t)
rhcs_rw_cluster_semaphores(corosync_t)
rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
')
optional_policy(`
- rgmanager_manage_tmpfs_files(corosync_t)
+ rpc_search_nfs_state_data(corosync_t)
')
optional_policy(`
- rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
index c086302..4f33119 100644
--- a/couchdb.fc
+++ b/couchdb.fc
@@ -1,3 +1,6 @@
+
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
+
/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
index 83d6744..3f0c0dc 100644
--- a/couchdb.if
+++ b/couchdb.if
@@ -2,6 +2,44 @@
########################################
##
+## Allow to read couchdb log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_read_log_files',`
+ gen_require(`
+ type couchdb_log_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+')
+
+########################################
+##
+## Allow to read couchdb lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_read_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an couchdb environment.
##
@@ -10,6 +48,151 @@
## Domain allowed access.
##
##
+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Manage couchdb lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_lib_dirs',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+')
+
+########################################
+##
+## Allow to read couchdb conf files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_read_conf_files',`
+ gen_require(`
+ type couchdb_conf_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+')
+
+########################################
+##
+## Read couchdb PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_read_pid_files',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Search couchdb PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_search_pid_dirs',`
+ gen_require(`
+ type couchdb_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
+')
+
+#######################################
+##
+## Allow domain to manage couchdb content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`couchdb_manage_files',`
+ gen_require(`
+ type couchdb_var_run_t;
+ type couchdb_log_t;
+ type couchdb_var_lib_t;
+ type couchdb_conf_t;
+ ')
+
+ manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
+ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+')
+
+########################################
+##
+## Execute couchdb server in the couchdb domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
+ type couchdb_t;
+ type couchdb_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 couchdb_unit_file_t:file read_file_perms;
+ allow $1 couchdb_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, couchdb_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an couchdb environment
+##
+##
+##
+## Domain allowed access.
+##
+##
##
##
## Role allowed access.
@@ -19,14 +202,19 @@
#
interface(`couchdb_admin',`
gen_require(`
+ type couchdb_unit_file_t;
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
type couchdb_tmp_t;
')
- allow $1 couchdb_t:process { ptrace signal_perms };
+ allow $1 couchdb_t:process { signal_perms };
ps_process_pattern($1, couchdb_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 couchdb_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
@@ -46,4 +234,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
+
+ admin_pattern($1, couchdb_unit_file_t)
+ couchdb_systemctl($1)
+ allow $1 couchdb_unit_file_t:service all_service_perms;
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
')
diff --git a/couchdb.te b/couchdb.te
index 503adab..046fe9b 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
type couchdb_var_run_t;
files_pid_file(couchdb_var_run_t)
+type couchdb_unit_file_t;
+systemd_unit_file(couchdb_unit_file_t)
+
########################################
#
# Local policy
@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
dev_read_sysfs(couchdb_t)
dev_read_urand(couchdb_t)
-files_read_usr_files(couchdb_t)
-
fs_getattr_xattr_fs(couchdb_t)
auth_use_nsswitch(couchdb_t)
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
index 8a4b596..cbecde8 100644
--- a/courier.fc
+++ b/courier.fc
@@ -9,17 +9,18 @@
/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+')
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/courier.if b/courier.if
index 10f820f..acdb179 100644
--- a/courier.if
+++ b/courier.if
@@ -1,12 +1,12 @@
-## Courier IMAP and POP3 email servers.
+## Courier IMAP and POP3 email servers
-#######################################
+########################################
##
-## The template to define a courier domain.
+## Template for creating courier server processes.
##
-##
+##
##
-## Domain prefix to be used.
+## Prefix name of the server process.
##
##
#
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
attribute courier_domain;
')
- ########################################
+ ##############################
#
# Declarations
#
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
type courier_$1_exec_t;
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
- ########################################
+ ##############################
#
- # Policy
+ # Declarations
#
can_exec(courier_$1_t, courier_$1_exec_t)
+
+ kernel_read_system_state(courier_$1_t)
+
+ corenet_all_recvfrom_netlabel(courier_$1_t)
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
+
+ logging_send_syslog_msg(courier_$1_t)
')
########################################
##
-## Execute the courier authentication
-## daemon with a domain transition.
+## Execute the courier authentication daemon with
+## a domain transition.
##
##
##
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
#######################################
##
-## Connect to courier-authdaemon over
-## a unix stream socket.
+## Connect to courier-authdaemon over a unix stream socket.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`courier_stream_connect_authdaemon',`
- gen_require(`
- type courier_authdaemon_t, courier_spool_t;
- ')
+ gen_require(`
+ type courier_authdaemon_t, courier_spool_t;
+ ')
files_search_spool($1)
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
')
########################################
##
-## Execute the courier POP3 and IMAP
-## server with a domain transition.
+## Execute the courier POP3 and IMAP server with
+## a domain transition.
##
##
##
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
########################################
##
-## Read courier config files.
+## Read courier config files
##
##
##
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
##
-##
+##
##
## Domain allowed access.
##
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
- files_search_var($1)
+ files_search_spool($1)
read_files_pattern($1, courier_spool_t, courier_spool_t)
')
########################################
##
-## Read and write courier spool pipes.
+## Read and write to courier spool pipes.
##
##
##
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
type courier_spool_t;
')
- files_search_var($1)
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
index 77bb077..1499c3f 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
files_config_file(courier_etc_t)
type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
type courier_var_lib_t;
files_type(courier_var_lib_t)
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
files_pid_filetrans(courier_domain, courier_var_run_t, dir)
kernel_read_kernel_sysctls(courier_domain)
-kernel_read_system_state(courier_domain)
corecmd_exec_bin(courier_domain)
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
domain_use_interactive_fds(courier_domain)
-files_read_etc_files(courier_domain)
files_read_etc_runtime_files(courier_domain)
-files_read_usr_files(courier_domain)
fs_getattr_xattr_fs(courier_domain)
fs_search_auto_mountpoints(courier_domain)
-logging_send_syslog_msg(courier_domain)
-
sysnet_read_config(courier_domain)
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
@@ -77,6 +72,10 @@ optional_policy(`
')
optional_policy(`
+ mysql_stream_connect(courier_domain)
+')
+
+optional_policy(`
udev_read_db(courier_domain)
')
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
libs_read_lib_files(courier_authdaemon_t)
-miscfiles_read_localization(courier_authdaemon_t)
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
dev_read_rand(courier_tcpd_t)
dev_read_urand(courier_tcpd_t)
-miscfiles_read_localization(courier_tcpd_t)
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
index 2f1aad6..155a337 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
init_use_fds(cpucontrol_domain)
init_use_script_ptys(cpucontrol_domain)
-logging_send_syslog_msg(cpucontrol_domain)
-
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
optional_policy(`
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
-kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
dev_read_sysfs(cpucontrol_t)
dev_rw_cpu_microcode(cpucontrol_t)
+logging_send_syslog_msg(cpucontrol_t)
+
optional_policy(`
rhgb_use_ptys(cpucontrol_t)
')
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
domain_read_all_domains_state(cpuspeed_t)
-files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
index a3bbc21..7fd7d8f 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+allow cpufreqselector_t self:process getsched;
kernel_read_system_state(cpufreqselector_t)
-files_read_etc_files(cpufreqselector_t)
-files_read_usr_files(cpufreqselector_t)
-
dev_rw_sysfs(cpufreqselector_t)
-miscfiles_read_localization(cpufreqselector_t)
-
userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -51,3 +47,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
index 6e76215..4819e90 100644
--- a/cron.fc
+++ b/cron.fc
@@ -3,6 +3,9 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
@@ -12,9 +15,7 @@
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -27,13 +28,23 @@
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <>
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+')
+
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
+
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <>
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -43,19 +54,23 @@
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
ifdef(`distro_debian',`
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <>
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
')
-ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
index 1303b30..058864e 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
#######################################
##
-## The template to define a crontab domain.
+## The common rules for a crontab domain.
##
-##
+##
##
-## Domain prefix to be used.
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
##
##
#
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
+ kernel_read_system_state($1_t)
+
auth_domtrans_chk_passwd($1_t)
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ userdom_home_reader($1_t)
+
')
########################################
##
-## Role access for cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
##
@@ -60,57 +68,37 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
- bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
-
role $1 types { cronjob_t crontab_t };
- ##############################
- #
- # Local policy
- #
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
+ allow crond_t $2:process transition;
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
- allow $2 crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal_perms;
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
corecmd_exec_bin(crontab_t)
corecmd_exec_shell(crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
-
- allow $2 user_cron_spool_t:file entrypoint;
-
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -119,78 +107,38 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Role access for unconfined cron.
+## Role access for unconfined cronjobs
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
+ type unconfined_cronjob_t;
')
- ##############################
- #
- # Declarations
- #
-
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types unconfined_cronjob_t;
- ##############################
- #
- # Local policy
- #
-
- domtrans_pattern($2, crontab_exec_t, crontab_t)
-
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
-
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
-
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
-
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
-
- allow $2 user_cron_spool_t:file entrypoint;
-
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
+ allow $2 unconfined_cronjob_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 unconfined_cronjob_t:process ptrace;
+ ')
optional_policy(`
gen_require(`
@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
-
allow unconfined_cronjob_t $2:dbus send_msg;
')
')
########################################
##
-## Role access for admin cron.
+## Role access for cron
##
##
##
-## Role allowed access.
+## Role allowed access
##
##
##
##
-## User domain for the role.
+## User domain for the role
##
##
+##
#
interface(`cron_admin_role',`
gen_require(`
- type cronjob_t, crontab_exec_t, admin_crontab_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ type user_cron_spool_t, crond_t;
class passwd crontab;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- role $1 types { cronjob_t admin_crontab_t };
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
- ##############################
- #
- # Local policy
- #
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 admin_crontab_t:process ptrace;
+ ')
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 crond_t:process sigchld;
+ allow crond_t $2:process transition;
- allow $2 admin_crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, admin_crontab_t)
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- # Manipulate other users crontab.
- allow $2 self:passwd crontab;
+ # needs to be authorized SELinux context for cron
+ allow $2 user_cron_spool_t:file entrypoint;
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
-
- allow $2 user_cron_spool_t:file entrypoint;
-
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
-
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
-
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
-
optional_policy(`
gen_require(`
class dbus send_msg;
@@ -285,13 +213,13 @@ interface(`cron_admin_role',`
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
- ')
+ ')
')
########################################
##
-## Make the specified program domain
-## accessable from the system cron jobs.
+## Make the specified program domain accessable
+## from the system cron jobs.
##
##
##
@@ -307,15 +235,15 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
- type user_cron_spool_log_t;
')
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
-
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
+
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -333,13 +261,12 @@ interface(`cron_domtrans',`
type system_cronjob_t, crond_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
')
########################################
##
-## Execute crond in the caller domain.
+## Execute crond_exec_t
##
##
##
@@ -352,7 +279,6 @@ interface(`cron_exec',`
type crond_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, crond_exec_t)
')
@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',`
########################################
##
-## Use crond file descriptors.
+## Execute crond server in the crond domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cron_systemctl',`
+ gen_require(`
+ type crond_unit_file_t;
+ type crond_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 crond_unit_file_t:file read_file_perms;
+ allow $1 crond_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, crond_t)
+')
+
+########################################
+##
+## Inherit and use a file descriptor
+## from the cron daemon.
##
##
##
@@ -394,7 +344,7 @@ interface(`cron_use_fds',`
########################################
##
-## Send child terminated signals to crond.
+## Send a SIGCHLD signal to the cron daemon.
##
##
##
@@ -412,7 +362,7 @@ interface(`cron_sigchld',`
########################################
##
-## Set the attributes of cron log files.
+## Send a generic signal to cron daemon.
##
##
##
@@ -420,17 +370,17 @@ interface(`cron_sigchld',`
##
##
#
-interface(`cron_setattr_log_files',`
+interface(`cron_signal',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file setattr_file_perms;
+ allow $1 crond_t:process signal;
')
########################################
##
-## Create cron log files.
+## Read a cron daemon unnamed pipe.
##
##
##
@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',`
##
##
#
-interface(`cron_create_log_files',`
+interface(`cron_read_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- create_files_pattern($1, cron_log_t, cron_log_t)
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
########################################
##
-## Write to cron log files.
+## Read crond state files.
##
##
##
@@ -456,18 +406,20 @@ interface(`cron_create_log_files',`
##
##
#
-interface(`cron_write_log_files',`
+interface(`cron_read_state_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- allow $1 cron_log_t:file write_file_perms;
+ kernel_search_proc($1)
+ ps_process_pattern($1, crond_t)
')
+
########################################
##
-## Create, read, write and delete
-## cron log files.
+## Send and receive messages from
+## crond over dbus.
##
##
##
@@ -475,48 +427,37 @@ interface(`cron_write_log_files',`
##
##
#
-interface(`cron_manage_log_files',`
+interface(`cron_dbus_chat_crond',`
gen_require(`
- type cron_log_t;
+ type crond_t;
+ class dbus send_msg;
')
- manage_files_pattern($1, cron_log_t, cron_log_t)
-
- logging_search_logs($1)
+ allow $1 crond_t:dbus send_msg;
+ allow crond_t $1:dbus send_msg;
')
########################################
##
-## Create specified objects in generic
-## log directories with the cron log file type.
+## Do not audit attempts to write cron daemon unnamed pipes.
##
##
##
-## Domain allowed access.
-##
-##
-##
-##
-## Class of the object being created.
-##
-##
-##
-##
-## The name of the object being created.
+## Domain to not audit.
##
##
#
-interface(`cron_generic_log_filetrans_log',`
+interface(`cron_dontaudit_write_pipes',`
gen_require(`
- type cron_log_t;
+ type crond_t;
')
- logging_log_filetrans($1, cron_log_t, $2, $3)
+ dontaudit $1 crond_t:fifo_file write;
')
########################################
##
-## Read cron daemon unnamed pipes.
+## Read and write a cron daemon unnamed pipe.
##
##
##
@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',`
##
##
#
-interface(`cron_read_pipes',`
+interface(`cron_rw_pipes',`
gen_require(`
type crond_t;
')
- allow $1 crond_t:fifo_file read_fifo_file_perms;
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Do not audit attempts to write
-## cron daemon unnamed pipes.
+## Read and write inherited user spool files.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_write_pipes',`
+interface(`cron_rw_inherited_user_spool_files',`
gen_require(`
- type crond_t;
+ type user_cron_spool_t;
')
- dontaudit $1 crond_t:fifo_file write;
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
')
########################################
##
-## Read and write crond unnamed pipes.
+## Read and write inherited spool files.
##
##
##
@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',`
##
##
#
-interface(`cron_rw_pipes',`
+interface(`cron_rw_inherited_spool_files',`
gen_require(`
- type crond_t;
+ type cron_spool_t;
')
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
')
########################################
##
-## Read and write crond TCP sockets.
+## Read, and write cron daemon TCP sockets.
##
##
##
@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
##
-## Do not audit attempts to read and
-## write cron daemon TCP sockets.
+## Dontaudit Read, and write cron daemon TCP sockets.
##
##
##
@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
##
-## Search cron spool directories.
+## Search the directory containing user cron tables.
##
##
##
@@ -627,8 +566,26 @@ interface(`cron_search_spool',`
########################################
##
-## Create, read, write, and delete
-## crond pid files.
+## Search the directory containing user cron tables.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_system_spool',`
+ gen_require(`
+ type cron_system_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
+')
+
+########################################
+##
+## Manage pid files used by cron
##
##
##
@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
+ files_search_pids($1)
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
########################################
##
-## Execute anacron in the cron
-## system domain.
+## Execute anacron in the cron system domain.
##
##
##
@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',`
type system_cronjob_t, anacron_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
')
########################################
##
-## Use system cron job file descriptors.
+## Inherit and use a file descriptor
+## from system cron jobs.
##
##
##
@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',`
########################################
##
-## Read system cron job lib files.
+## Write a system cron job unnamed pipe.
##
##
##
@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',`
##
##
#
-interface(`cron_read_system_job_lib_files',`
+interface(`cron_write_system_job_pipes',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fifo_file write;
')
########################################
##
-## Create, read, write, and delete
-## system cron job lib files.
+## Read and write a system cron job unnamed pipe.
##
##
##
@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',`
##
##
#
-interface(`cron_manage_system_job_lib_files',`
+interface(`cron_rw_system_job_pipes',`
gen_require(`
- type system_cronjob_var_lib_t;
+ type system_cronjob_t;
')
- files_search_var_lib($1)
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
-## Write system cron job unnamed pipes.
+## Allow read/write unix stream sockets from the system cron jobs.
##
##
##
@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',`
##
##
#
-interface(`cron_write_system_job_pipes',`
+interface(`cron_rw_system_job_stream_sockets',`
gen_require(`
type system_cronjob_t;
')
- allow $1 system_cronjob_t:file write;
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
')
########################################
##
-## Read and write system cron job
-## unnamed pipes.
+## Read temporary files from the system cron jobs.
##
##
##
@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',`
##
##
#
-interface(`cron_rw_system_job_pipes',`
+interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_cronjob_t;
+ type system_cronjob_tmp_t, cron_var_run_t;
')
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ files_search_tmp($1)
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+ files_search_pids($1)
+ allow $1 cron_var_run_t:file read_file_perms;
')
########################################
##
-## Read and write inherited system cron
-## job unix domain stream sockets.
+## Do not audit attempts to append temporary
+## files from the system cron jobs.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`cron_rw_system_job_stream_sockets',`
+interface(`cron_dontaudit_append_system_job_tmp_files',`
gen_require(`
- type system_cronjob_t;
+ type system_cronjob_tmp_t;
')
- allow $1 system_cronjob_t:unix_stream_socket { read write };
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
')
########################################
##
-## Read system cron job temporary files.
+## Do not audit attempts to write temporary
+## files from the system cron jobs.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`cron_read_system_job_tmp_files',`
+interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
')
- files_search_tmp($1)
- allow $1 system_cronjob_tmp_t:file read_file_perms;
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ dontaudit $1 cron_var_run_t:file write_file_perms;
')
########################################
##
-## Do not audit attempts to append temporary
-## system cron job files.
+## Read temporary files from the system cron jobs.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_append_system_job_tmp_files',`
+interface(`cron_read_system_job_lib_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_var_lib_t;
')
- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
+ files_search_var_lib($1)
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
########################################
##
-## Do not audit attempts to write temporary
-## system cron job files.
+## Manage files from the system cron jobs.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`cron_dontaudit_write_system_job_tmp_files',`
+interface(`cron_manage_system_job_lib_files',`
gen_require(`
- type system_cronjob_tmp_t;
+ type system_cronjob_var_lib_t;
')
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+ files_search_var_lib($1)
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+')
+
+#######################################
+##
+## Create, read, write and delete
+## cron log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+##
+## Create specified objects in generic
+## log directories with the cron log file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`cron_generic_log_filetrans_log',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
index 28e1b86..439a761 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.5.10)
+policy_module(cron, 2.2.1)
gen_require(`
class passwd rootok;
@@ -11,46 +11,37 @@ gen_require(`
##
##
-## Determine whether system cron jobs
-## can relabel filesystem for
-## restoring file contexts.
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
##
##
gen_tunable(cron_can_relabel, false)
##
##
-## Determine whether crond can execute jobs
-## in the user domain as opposed to the
-## the generic cronjob domain.
-##
-##
-gen_tunable(cron_userdomain_transition, false)
-
-##
-##
-## Determine whether extra rules
-## should be enabled to support fcron.
+## Enable extra rules in the cron domain
+## to support fcron.
##
##
gen_tunable(fcron_crond, false)
-attribute cron_spool_type;
attribute crontab_domain;
+attribute cron_spool_type;
type anacron_exec_t;
application_executable_file(anacron_exec_t)
type cron_spool_t;
-files_type(cron_spool_t)
-mta_system_content(cron_spool_t)
+files_spool_file(cron_spool_t)
+# var/lib files
type cron_var_lib_t;
files_type(cron_var_lib_t)
type cron_var_run_t;
files_pid_file(cron_var_run_t)
+# var/log files
type cron_log_t;
logging_log_file(cron_log_t)
@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
+type crond_unit_file_t;
+systemd_unit_file(crond_unit_file_t)
+
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
-mta_system_content(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
type system_cronjob_t alias system_crond_t;
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
+role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
-type system_cronjob_var_lib_t;
-files_type(system_cronjob_var_lib_t)
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+domain_cron_exemption_target(unconfined_cronjob_t)
+# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
-type user_cron_spool_log_t;
-logging_log_file(user_cron_spool_log_t)
-ubac_constrained(user_cron_spool_log_t)
-mta_system_content(user_cron_spool_log_t)
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
-##############################
-#
-# Common crontab local policy
-#
-
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
-allow crontab_domain self:process { getcap setsched signal_perms };
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
-
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
-
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
-
-allow crontab_domain crond_t:process signal;
-allow crontab_domain crond_var_run_t:file read_file_perms;
-
-kernel_read_system_state(crontab_domain)
-
-selinux_dontaudit_search_fs(crontab_domain)
-
-files_list_spool(crontab_domain)
-files_read_etc_files(crontab_domain)
-files_read_usr_files(crontab_domain)
-files_search_pids(crontab_domain)
-
-fs_getattr_xattr_fs(crontab_domain)
-fs_manage_cgroup_dirs(crontab_domain)
-fs_rw_cgroup_files(crontab_domain)
-
-domain_use_interactive_fds(crontab_domain)
-
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
-
-auth_rw_var_auth(crontab_domain)
-
-logging_send_syslog_msg(crontab_domain)
-logging_send_audit_msgs(crontab_domain)
-logging_set_loginuid(crontab_domain)
-
-init_dontaudit_write_utmp(crontab_domain)
-init_read_utmp(crontab_domain)
-init_read_state(crontab_domain)
-
-miscfiles_read_localization(crontab_domain)
-
-seutil_read_config(crontab_domain)
-
-userdom_manage_user_tmp_dirs(crontab_domain)
-userdom_manage_user_tmp_files(crontab_domain)
-userdom_use_user_terminals(crontab_domain)
-userdom_read_user_home_content_files(crontab_domain)
-userdom_read_user_home_content_symlinks(crontab_domain)
-
-tunable_policy(`fcron_crond',`
- dontaudit crontab_domain crond_t:process signal;
-')
-
########################################
#
-# Admin local policy
+# Admin crontab local policy
#
-allow admin_crontab_t self:capability fsetid;
-allow admin_crontab_t crond_t:process signal;
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
+# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +143,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
')
########################################
#
-# Daemon local policy
+# Cron daemon local policy
#
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
+allow crond_t self:unix_dgram_socket create_socket_perms;
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
-allow crond_t self:unix_stream_socket { accept connectto listen };
+allow crond_t self:unix_stream_socket connectto;
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+kernel_read_kernel_sysctls(crond_t)
+kernel_read_fs_sysctls(crond_t)
+kernel_search_key(crond_t)
-allow crond_t system_cronjob_t:process transition;
-allow crond_t system_cronjob_t:fd use;
-allow crond_t system_cronjob_t:key manage_key_perms;
+dev_read_sysfs(crond_t)
+selinux_get_fs_mount(crond_t)
+selinux_validate_context(crond_t)
+selinux_compute_access_vector(crond_t)
+selinux_compute_create_context(crond_t)
+selinux_compute_relabel_context(crond_t)
+selinux_compute_user_contexts(crond_t)
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dev_read_urand(crond_t)
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
+fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
+fs_list_inotifyfs(crond_t)
-kernel_read_kernel_sysctls(crond_t)
-kernel_read_fs_sysctls(crond_t)
-kernel_search_key(crond_t)
+# need auth_chkpwd to check for locked accounts.
+auth_domtrans_chk_passwd(crond_t)
+auth_manage_var_auth(crond_t)
corecmd_exec_shell(crond_t)
-corecmd_exec_bin(crond_t)
corecmd_list_bin(crond_t)
-
-dev_read_sysfs(crond_t)
-dev_read_urand(crond_t)
+corecmd_exec_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
domain_subj_id_change_exemption(crond_t)
domain_role_change_exemption(crond_t)
-fs_getattr_all_fs(crond_t)
-fs_list_inotifyfs(crond_t)
-fs_manage_cgroup_dirs(crond_t)
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
-files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
+files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
+# needed by "crontab -e"
mls_file_read_all_levels(crond_t)
mls_file_write_all_levels(crond_t)
+
+# needed because of kernel check of transition
mls_process_set_level(crond_t)
-mls_trusted_object(crond_t)
-selinux_get_fs_mount(crond_t)
-selinux_validate_context(crond_t)
-selinux_compute_access_vector(crond_t)
-selinux_compute_create_context(crond_t)
-selinux_compute_relabel_context(crond_t)
-selinux_compute_user_contexts(crond_t)
+# to make cronjob working
+mls_fd_share_all_levels(crond_t)
+mls_trusted_object(crond_t)
init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
-auth_domtrans_chk_passwd(crond_t)
-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
+seutil_sigchld_newrole(crond_t)
-miscfiles_read_localization(crond_t)
+userdom_use_unpriv_users_fds(crond_t)
+# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
+userdom_manage_all_users_keys(crond_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t cronjob_t:process transition;
- dontaudit crond_t cronjob_t:fd use;
- dontaudit crond_t cronjob_t:key manage_key_perms;
-',`
- allow crond_t cronjob_t:process transition;
- allow crond_t cronjob_t:fd use;
- allow crond_t cronjob_t:key manage_key_perms;
-')
+mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
+ # pam_limits is used
allow crond_t self:process setrlimit;
- optional_policy(`
- logwatch_search_cache_dir(crond_t)
- ')
+')
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
+')
+
+optional_policy(`
+ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(crond_t)
')
')
-tunable_policy(`allow_polyinstantiation',`
+tunable_policy(`polyinstantiation_enabled',`
files_polyinstantiate_all(crond_t)
')
-tunable_policy(`fcron_crond',`
- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -353,102 +297,136 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client(crond_t)
-
- optional_policy(`
- hal_dbus_chat(crond_t)
- ')
-
- optional_policy(`
- unconfined_dbus_send(crond_t)
- ')
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
')
optional_policy(`
- amanda_search_var_lib(crond_t)
+ locallogin_search_keys(crond_t)
+ locallogin_link_keys(crond_t)
')
optional_policy(`
- amavis_search_lib(crond_t)
+ # these should probably be unconfined_crond_t
+ dbus_system_bus_client(crond_t)
+ init_dbus_send_script(crond_t)
+ init_dbus_chat(crond_t)
')
optional_policy(`
- djbdns_search_tinydns_keys(crond_t)
- djbdns_link_tinydns_keys(crond_t)
+ amanda_search_var_lib(crond_t)
')
optional_policy(`
- hal_write_log(crond_t)
+ antivirus_search_db(crond_t)
')
optional_policy(`
- locallogin_search_keys(crond_t)
- locallogin_link_keys(crond_t)
+ hal_dbus_chat(crond_t)
+ hal_write_log(crond_t)
+ hal_dbus_chat(system_cronjob_t)
')
optional_policy(`
- mta_send_mail(crond_t)
+ # cjp: why?
+ munin_search_lib(crond_t)
')
optional_policy(`
- munin_search_lib(crond_t)
+ rpc_search_nfs_state_data(crond_t)
')
optional_policy(`
- postgresql_search_db(crond_t)
+ # Commonly used from postinst scripts
+ rpm_read_pipes(crond_t)
')
optional_policy(`
- rpc_search_nfs_state_data(crond_t)
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
+ postgresql_search_db(crond_t)
')
optional_policy(`
- rpm_read_pipes(crond_t)
+ systemd_use_fds_logind(crond_t)
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
')
optional_policy(`
- seutil_sigchld_newrole(crond_t)
+ udev_read_db(crond_t)
')
optional_policy(`
- udev_read_db(crond_t)
+ vnstatd_search_lib(crond_t)
')
########################################
#
-# System local policy
+# System cron process domain
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+# This is to handle creation of files in /var/log directory.
+# Used currently by rpm script log files
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+# This is to handle /var/lib/misc directory. Used currently
+# by prelink var/lib files for cron
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+mls_file_read_to_clearance(system_cronjob_t)
+
+# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
+
+# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
+# write temporary files
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
-allow system_cronjob_t crond_t:fd use;
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
-allow system_cronjob_t crond_t:process sigchld;
-
+# Read from /var/spool/cron.
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_cronjob_t)
corecmd_exec_all_executables(system_cronjob_t)
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
-files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
+# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
-mls_file_read_to_clearance(system_cronjob_t)
-
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_cronjob_t)
-
seutil_read_config(system_cronjob_t)
+userdom_manage_tmpfs_files(system_cronjob_t, file)
+userdom_tmpfs_filetrans(system_cronjob_t, file)
+
ifdef(`distro_redhat',`
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ allow crond_t system_cron_spool_t:file manage_file_perms;
+
+ # via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
')
')
+selinux_get_fs_mount(system_cronjob_t)
+
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_cronjob_t)
',`
- selinux_get_fs_mount(system_cronjob_t)
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
+ # Needed for certwatch
apache_exec_modules(system_cronjob_t)
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
+ apache_manage_lib(system_cronjob_t)
+ apache_delete_cache_dirs(system_cronjob_t)
+ apache_delete_cache_files(system_cronjob_t)
+')
+
+optional_policy(`
+ bind_read_config(system_cronjob_t)
')
optional_policy(`
@@ -546,10 +543,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
-
- optional_policy(`
- networkmanager_dbus_chat(system_cronjob_t)
- ')
')
optional_policy(`
@@ -581,6 +574,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
+ mta_system_content(system_cron_spool_t)
')
optional_policy(`
@@ -588,15 +582,23 @@ optional_policy(`
')
optional_policy(`
- postfix_read_config(system_cronjob_t)
+ networkmanager_dbus_chat(system_cronjob_t)
')
optional_policy(`
+ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
prelink_delete_cache(system_cronjob_t)
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
- prelink_relabelfrom_lib(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
+')
+
+optional_policy(`
+ rkhunter_manage_lib_files(system_cronjob_t)
')
optional_policy(`
@@ -606,6 +608,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
@@ -613,12 +616,24 @@ optional_policy(`
')
optional_policy(`
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_domain(crond_t)
+ unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+ unconfined_shell_domtrans(crond_t)
+ unconfined_dbus_send(crond_t)
+ userdom_filetrans_home_content(crond_t)
')
########################################
#
-# Cronjob local policy
+# User cronjobs local policy
#
allow cronjob_t self:process { signal_perms setsched };
@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
kernel_read_system_state(cronjob_t)
kernel_read_kernel_sysctls(cronjob_t)
+# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(cronjob_t)
-corenet_all_recvfrom_unlabeled(cronjob_t)
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
-
-corenet_sendrecv_all_client_packets(cronjob_t)
corenet_tcp_connect_all_ports(cronjob_t)
-
-corecmd_exec_all_executables(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
dev_read_urand(cronjob_t)
fs_getattr_all_fs(cronjob_t)
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
+# for nscd:
files_dontaudit_search_pids(cronjob_t)
libs_exec_lib_files(cronjob_t)
libs_exec_ld_so(cronjob_t)
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
logging_search_logs(cronjob_t)
seutil_read_config(cronjob_t)
-miscfiles_read_localization(cronjob_t)
userdom_manage_user_tmp_files(cronjob_t)
userdom_manage_user_tmp_symlinks(cronjob_t)
userdom_manage_user_tmp_pipes(cronjob_t)
userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
userdom_manage_user_home_content_files(cronjob_t)
userdom_manage_user_home_content_symlinks(cronjob_t)
userdom_manage_user_home_content_pipes(cronjob_t)
userdom_manage_user_home_content_sockets(cronjob_t)
-tunable_policy(`cron_userdomain_transition',`
- dontaudit cronjob_t crond_t:fd use;
- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- dontaudit cronjob_t crond_t:process sigchld;
-
- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
-',`
- allow cronjob_t crond_t:fd use;
- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
- allow cronjob_t crond_t:process sigchld;
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
- allow cronjob_t user_cron_spool_t:file entrypoint;
+tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
')
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
optional_policy(`
nis_use_ypbind(cronjob_t)
')
########################################
#
-# Unconfined local policy
+# Unconfined cronjobs local policy
#
optional_policy(`
- type unconfined_cronjob_t;
- domain_type(unconfined_cronjob_t)
- domain_cron_exemption_target(unconfined_cronjob_t)
-
+ # Permit a transition from the crond_t domain to this domain.
+ # The transition is requested explicitly by the modified crond
+ # via setexeccon. There is no way to set up an automatic
+ # transition, since crontabs are configuration files, not executables.
+ allow crond_t unconfined_cronjob_t:process transition;
dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ allow crond_t unconfined_cronjob_t:fd use;
unconfined_domain(unconfined_cronjob_t)
+')
- tunable_policy(`cron_userdomain_transition',`
- dontaudit crond_t unconfined_cronjob_t:process transition;
- dontaudit crond_t unconfined_cronjob_t:fd use;
- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
- ',`
- allow crond_t unconfined_cronjob_t:process transition;
- allow crond_t unconfined_cronjob_t:fd use;
- allow crond_t unconfined_cronjob_t:key manage_key_perms;
- ')
+##############################
+#
+# crontab common policy
+#
+
+# dac_override is to create the file in the directory under /tmp
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
+allow crontab_domain crond_t:process signal;
+allow crontab_domain crond_var_run_t:file read_file_perms;
+
+# create files in /var/spool/cron
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
+files_list_spool(crontab_domain)
+
+# crontab signals crond by updating the mtime on the spooldir
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
+
+# for the checks used by crontab -u
+selinux_dontaudit_search_fs(crontab_domain)
+
+fs_getattr_xattr_fs(crontab_domain)
+fs_manage_cgroup_dirs(crontab_domain)
+fs_manage_cgroup_files(crontab_domain)
+
+domain_use_interactive_fds(crontab_domain)
+
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
+
+auth_rw_var_auth(crontab_domain)
+
+logging_send_audit_msgs(crontab_domain)
+logging_set_loginuid(crontab_domain)
+
+init_dontaudit_write_utmp(crontab_domain)
+init_read_utmp(crontab_domain)
+init_read_state(crontab_domain)
+
+
+seutil_read_config(crontab_domain)
+
+userdom_manage_user_tmp_dirs(crontab_domain)
+userdom_manage_user_tmp_files(crontab_domain)
+# Access terminals.
+userdom_use_inherited_user_terminals(crontab_domain)
+# Read user crontabs
+userdom_read_user_home_content_files(crontab_domain)
+userdom_read_user_home_content_symlinks(crontab_domain)
+
+tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit crontab_domain crond_t:process signal;
+')
+
+optional_policy(`
+ ssh_dontaudit_use_ptys(crontab_domain)
+')
+
+optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
')
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6..9131995 100644
--- a/ctdb.fc
+++ b/ctdb.fc
@@ -2,11 +2,16 @@
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
+
+/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
/var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
+
+/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0)
/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0)
diff --git a/ctdb.if b/ctdb.if
index b25b01d..e99c5c6 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,144 @@
-## Clustered Database based on Samba Trivial Database.
+
+## policy for ctdbd
+
+########################################
+##
+## Transition to ctdbd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_domtrans',`
+ gen_require(`
+ type ctdbd_t, ctdbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
+')
+
+########################################
+##
+## Execute ctdbd server in the ctdbd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_initrc_domtrans',`
+ gen_require(`
+ type ctdbd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+')
+
+########################################
+##
+## Read ctdbd's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`ctdbd_read_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Append to ctdbd log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ctdbd_append_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
########################################
##
-## Create, read, write, and delete
-## ctdbd lib files.
+## Manage ctdbd log files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ctdbd_manage_log',`
+ gen_require(`
+ type ctdbd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
+
+########################################
+##
+## Search ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_search_lib',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read ctdbd lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_lib_files',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Manage ctdbd lib files.
##
##
##
@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
')
files_search_var_lib($1)
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
')
-#######################################
+########################################
##
-## Connect to ctdbd with a unix
-## domain stream socket.
+## Manage ctdbd lib files.
##
##
##
@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
##
##
#
-interface(`ctdbd_stream_connect',`
+interface(`ctdbd_manage_var_files',`
gen_require(`
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ type ctdbd_var_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
+')
+
+########################################
+##
+## Manage ctdbd lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
+
+########################################
+##
+## Read ctdbd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_read_pid_files',`
+ gen_require(`
+ type ctdbd_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
+ allow $1 ctdbd_var_run_t:file read_file_perms;
+')
+
+#######################################
+##
+## Connect to ctdbd over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ctdbd_stream_connect',`
+ gen_require(`
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
')
########################################
##
-## All of the rules required to
-## administrate an ctdb environment.
+## All of the rules required to administrate
+## an ctdbd environment
##
##
##
@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
##
##
#
-interface(`ctdb_admin',`
+interface(`ctdbd_admin',`
gen_require(`
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
+ type ctdbd_t, ctdbd_initrc_exec_t;
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
- allow $1 ctdbd_t:process { ptrace signal_perms };
+ allow $1 ctdbd_t:process signal_perms;
ps_process_pattern($1, ctdbd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ctdbd_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
+ ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
- files_search_tmp($1)
- admin_pattern($1, ctdbd_tmp_t)
-
files_search_var_lib($1)
admin_pattern($1, ctdbd_var_lib_t)
files_search_pids($1)
admin_pattern($1, ctdbd_var_run_t)
')
+
diff --git a/ctdb.te b/ctdb.te
index 6ce66e7..7725178 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
type ctdbd_var_lib_t;
files_type(ctdbd_var_lib_t)
+type ctdbd_var_t;
+files_type(ctdbd_var_t)
+
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
#
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+allow ctdbd_t self:capability2 block_suspend;
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
allow ctdbd_t self:packet_socket create_socket_perms;
allow ctdbd_t self:tcp_socket create_stream_socket_perms;
+allow ctdbd_t self:udp_socket create_socket_perms;
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir)
exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb")
+
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd")
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
kernel_read_network_state(ctdbd_t)
@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
+corenet_udp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
+corenet_tcp_connect_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
-files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
+fs_getattr_all_fs(ctdbd_t)
+
+auth_read_passwd(ctdbd_t)
+
logging_send_syslog_msg(ctdbd_t)
-miscfiles_read_localization(ctdbd_t)
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
@@ -109,6 +126,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
+ samba_systemctl(ctdbd_t)
')
optional_policy(`
diff --git a/cups.fc b/cups.fc
index 949011e..9437dbe 100644
--- a/cups.fc
+++ b/cups.fc
@@ -1,77 +1,91 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
-
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
+
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
index 06da9a0..c18145d 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
interface(`cups_read_config',`
gen_require(`
type cupsd_etc_t, cupsd_rw_etc_t;
+ type hplip_etc_t;
')
files_search_etc($1)
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
')
########################################
@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
########################################
##
+## Execute cupsd server in the cupsd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cupsd_systemctl',`
+ gen_require(`
+ type cupsd_t;
+ type cupsd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 cupsd_unit_file_t:file read_file_perms;
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, cupsd_t)
+')
+
+########################################
+##
## All of the rules required to
## administrate an cups environment.
##
@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+ type cupsd_etc_t, cupsd_log_t;
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+ type ptal_t;
+ type cupsd_unit_file_t;
')
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+ ps_process_pattern($1, { cups_pdf_t ptal_t })
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
+ ')
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -348,13 +379,64 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
- files_list_spool($1)
- admin_pattern($1, cupsd_spool_t)
-
files_list_tmp($1)
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
-
- files_list_pids($1)
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
+
+ cupsd_systemctl($1)
+ admin_pattern($1, cupsd_unit_file_t)
+ allow $1 cupsd_unit_file_t:service all_service_perms;
+')
+
+########################################
+##
+## Transition to cups named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_filetrans_named_content',`
+ gen_require(`
+ type cupsd_rw_etc_t;
+ type cupsd_etc_t;
+ ')
+
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
+')
+
+########################################
+##
+## Allow the domain to read cups state files in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cups_read_state',`
+ gen_require(`
+ type cupsd_t;
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
index 9f34c2e..e694e2f 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.15.9)
# Declarations
#
-type cupsd_config_t;
+##
+##
+## Allow cups execmem/execstack
+##
+##
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
type cupsd_config_exec_t;
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
type cupsd_config_var_run_t;
files_pid_file(cupsd_config_var_run_t)
-type cupsd_t;
+type cupsd_t, cups_domain;
type cupsd_exec_t;
+typealias cupsd_t alias hplip_t;
+typealias cupsd_exec_t alias hplip_exec_t;
init_daemon_domain(cupsd_t, cupsd_exec_t)
mls_trusted_object(cupsd_t)
type cupsd_etc_t;
+typealias cupsd_etc_t alias hplip_etc_t;
files_config_file(cupsd_etc_t)
type cupsd_initrc_exec_t;
@@ -33,13 +45,15 @@ type cupsd_lock_t;
files_lock_file(cupsd_lock_t)
type cupsd_log_t;
+typealias cupsd_log_t alias hplip_var_log_t;
logging_log_file(cupsd_log_t)
-type cupsd_lpd_t;
+type cupsd_var_lib_t alias hplip_var_lib_t;
+files_type(cupsd_var_lib_t)
+
+type cupsd_lpd_t, cups_domain;
type cupsd_lpd_exec_t;
-domain_type(cupsd_lpd_t)
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
-role system_r types cupsd_lpd_t;
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)
-type cups_pdf_t;
+type cups_pdf_t, cups_domain;
type cups_pdf_exec_t;
cups_backend(cups_pdf_t, cups_pdf_exec_t)
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
+typealias cupsd_tmp_t alias hplip_tmp_t;
files_tmp_file(cupsd_tmp_t)
type cupsd_var_run_t;
+typealias cupsd_var_run_t alias hplip_var_run_t;
files_pid_file(cupsd_var_run_t)
init_daemon_run_dir(cupsd_var_run_t, "cups")
mls_trusted_object(cupsd_var_run_t)
-type hplip_t;
-type hplip_exec_t;
-init_daemon_domain(hplip_t, hplip_exec_t)
-cups_backend(hplip_t, hplip_exec_t)
-
-type hplip_etc_t;
-files_config_file(hplip_etc_t)
-
-type hplip_tmp_t;
-files_tmp_file(hplip_tmp_t)
-
-type hplip_var_lib_t;
-files_type(hplip_var_lib_t)
-
-type hplip_var_run_t;
-files_pid_file(hplip_var_run_t)
+type cupsd_unit_file_t;
+systemd_unit_file(cupsd_unit_file_t)
type ptal_t;
type ptal_exec_t;
@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
+#######################################
+#
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
+
+corecmd_exec_bin(cups_domain)
+corecmd_exec_shell(cups_domain)
+
+dev_read_urand(cups_domain)
+dev_read_rand(cups_domain)
+dev_read_sysfs(cups_domain)
+
+fs_getattr_all_fs(cups_domain)
+
+miscfiles_read_fonts(cups_domain)
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
+
+optional_policy(`
+ lpd_manage_spool(cups_domain)
+')
+
########################################
#
# Cups local policy
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
+allow cupsd_t self:process { getpgid setpgid setsched };
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
-allow cupsd_t self:tcp_socket { accept listen };
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -133,28 +166,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
+
manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
-allow cupsd_t hplip_t:process { signal sigkill };
-
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
-allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -162,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
-kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
kernel_request_load_module(cupsd_t)
-corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -189,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
-corecmd_exec_bin(cupsd_t)
-corecmd_exec_shell(cupsd_t)
+corenet_sendrecv_hplip_client_packets(cupsd_t)
+corenet_receive_hplip_server_packets(cupsd_t)
+corenet_tcp_bind_hplip_port(cupsd_t)
+corenet_tcp_connect_hplip_port(cupsd_t)
+corenet_tcp_bind_glance_port(cupsd_t)
+corenet_tcp_connect_glance_port(cupsd_t)
+
+corenet_sendrecv_ipp_client_packets(cupsd_t)
+corenet_tcp_connect_ipp_port(cupsd_t)
+
+corenet_sendrecv_howl_server_packets(cupsd_t)
+corenet_udp_bind_howl_port(cupsd_t)
dev_rw_printer(cupsd_t)
-dev_read_urand(cupsd_t)
-dev_read_sysfs(cupsd_t)
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -206,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
-files_read_usr_files(cupsd_t)
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -215,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
-files_write_generic_pid_pipes(cupsd_t)
files_dontaudit_getattr_all_tmp_files(cupsd_t)
files_dontaudit_list_home(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
+files_dontaudit_write_usr_dirs(cupsd_t)
-fs_getattr_all_fs(cupsd_t)
fs_search_auto_mountpoints(cupsd_t)
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
+fs_rw_inherited_tmpfs_files(cupsd_t)
+mls_dbus_send_all_levels(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
@@ -235,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
+term_use_ptmx(cupsd_t)
+term_use_usb_ttys(cupsd_t)
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -247,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
-miscfiles_read_localization(cupsd_t)
-miscfiles_read_fonts(cupsd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
+sysnet_dns_name_resolve(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
+tunable_policy(`cups_execmem',`
+ allow cupsd_t self:process { execmem execstack };
+')
+
+
optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -275,6 +320,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
+ init_dbus_chat(cupsd_t)
+
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -285,8 +332,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
+ # talk to processes that do not have policy
optional_policy(`
unconfined_dbus_chat(cupsd_t)
+ files_write_generic_pid_pipes(cupsd_t)
')
')
@@ -299,8 +348,8 @@ optional_policy(`
')
optional_policy(`
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
kerberos_manage_host_rcache(cupsd_t)
- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
')
optional_policy(`
@@ -309,7 +358,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
- lpd_manage_spool(cupsd_t)
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -337,7 +385,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
+')
+
+optional_policy(`
+ vmware_read_system_config(cupsd_t)
')
########################################
@@ -345,12 +397,11 @@ optional_policy(`
# Configuration daemon local policy
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_config_t self:tcp_socket { accept listen };
+allow cupsd_config_t self:process { getsched };
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -375,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+can_exec(cupsd_config_t, cupsd_exec_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -395,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
-corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_shell(cupsd_config_t)
-
-dev_read_sysfs(cupsd_config_t)
-dev_read_urand(cupsd_config_t)
-dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
-files_read_usr_files(cupsd_config_t)
files_read_var_symlinks(cupsd_config_t)
files_search_all_mountpoints(cupsd_config_t)
-fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -420,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
-miscfiles_read_localization(cupsd_config_t)
-miscfiles_read_hwdata(cupsd_config_t)
-
-seutil_dontaudit_search_config(cupsd_config_t)
-
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -452,9 +488,12 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_read_config(cupsd_config_t)
+')
+
+optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
- hal_dontaudit_use_fds(hplip_t)
')
optional_policy(`
@@ -490,10 +529,6 @@ optional_policy(`
# Lpd local policy
#
-allow cupsd_lpd_t self:capability { setuid setgid };
-allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
-allow cupsd_lpd_t self:tcp_socket { accept listen };
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -511,31 +546,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
-kernel_read_network_state(cupsd_lpd_t)
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
-dev_read_urand(cupsd_lpd_t)
-dev_read_rand(cupsd_lpd_t)
-
-fs_getattr_xattr_fs(cupsd_lpd_t)
-
files_search_home(cupsd_lpd_t)
auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
-miscfiles_read_localization(cupsd_lpd_t)
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
-
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -546,7 +573,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -562,148 +588,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
-files_read_usr_files(cups_pdf_t)
-
-corecmd_exec_bin(cups_pdf_t)
-corecmd_exec_shell(cups_pdf_t)
-
auth_use_nsswitch(cups_pdf_t)
-miscfiles_read_localization(cups_pdf_t)
-miscfiles_read_fonts(cups_pdf_t)
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_filetrans_home_content(cups_pdf_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
fs_manage_nfs_files(cups_pdf_t)
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
-
-optional_policy(`
- lpd_manage_spool(cups_pdf_t)
-')
-
-########################################
-#
-# HPLIP local policy
-#
-
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
-dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_fifo_file_perms;
-allow hplip_t self:process signal_perms;
-allow hplip_t self:tcp_socket { accept listen };
-allow hplip_t self:rawip_socket create_socket_perms;
-
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
-
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
-
-allow hplip_t hplip_etc_t:dir list_dir_perms;
-allow hplip_t hplip_etc_t:file read_file_perms;
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
-
-kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctls(hplip_t)
-
-corenet_all_recvfrom_unlabeled(hplip_t)
-corenet_all_recvfrom_netlabel(hplip_t)
-corenet_tcp_sendrecv_generic_if(hplip_t)
-corenet_udp_sendrecv_generic_if(hplip_t)
-corenet_raw_sendrecv_generic_if(hplip_t)
-corenet_tcp_sendrecv_generic_node(hplip_t)
-corenet_udp_sendrecv_generic_node(hplip_t)
-corenet_raw_sendrecv_generic_node(hplip_t)
-corenet_tcp_sendrecv_all_ports(hplip_t)
-corenet_udp_sendrecv_all_ports(hplip_t)
-corenet_tcp_bind_generic_node(hplip_t)
-corenet_udp_bind_generic_node(hplip_t)
-
-corenet_sendrecv_hplip_client_packets(hplip_t)
-corenet_receive_hplip_server_packets(hplip_t)
-corenet_tcp_bind_hplip_port(hplip_t)
-corenet_tcp_connect_hplip_port(hplip_t)
-
-corenet_sendrecv_ipp_client_packets(hplip_t)
-corenet_tcp_connect_ipp_port(hplip_t)
-
-corenet_sendrecv_howl_server_packets(hplip_t)
-corenet_udp_bind_howl_port(hplip_t)
-
-corecmd_exec_bin(hplip_t)
-
-dev_read_sysfs(hplip_t)
-dev_rw_printer(hplip_t)
-dev_read_urand(hplip_t)
-dev_read_rand(hplip_t)
-dev_rw_generic_usb_dev(hplip_t)
-dev_rw_usbfs(hplip_t)
-
-domain_use_interactive_fds(hplip_t)
-
-files_read_etc_files(hplip_t)
-files_read_etc_runtime_files(hplip_t)
-files_read_usr_files(hplip_t)
-
-fs_getattr_all_fs(hplip_t)
-fs_search_auto_mountpoints(hplip_t)
-fs_rw_anon_inodefs_files(hplip_t)
-
-logging_send_syslog_msg(hplip_t)
-
-miscfiles_read_localization(hplip_t)
-
-sysnet_dns_name_resolve(hplip_t)
-
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
+ gnome_read_config(cups_pdf_t)
')
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
@@ -731,7 +632,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_all_recvfrom_unlabeled(ptal_t)
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -741,13 +641,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
-dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
-files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -755,8 +653,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
-miscfiles_read_localization(ptal_t)
-
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -769,3 +665,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
+
diff --git a/cvs.fc b/cvs.fc
index 75c8be9..9dcffb2 100644
--- a/cvs.fc
+++ b/cvs.fc
@@ -1,3 +1,6 @@
+HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0)
+
/etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0)
/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --git a/cvs.if b/cvs.if
index 9fa7ffb..089c8d4 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
## Concurrent versions system.
+######################################
+##
+## Dontaudit Attempts to list the CVS data and metadata.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`cvs_dontaudit_list_data',`
+ gen_require(`
+ type cvs_data_t;
+ ')
+
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
+')
+
########################################
##
## Read CVS data and metadata content.
@@ -41,6 +59,24 @@ interface(`cvs_exec',`
########################################
##
+## Transition to cvs named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cvs_filetrans_home_content',`
+ gen_require(`
+ type cvs_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
+')
+
+########################################
+##
## All of the rules required to
## administrate an cvs environment
##
@@ -59,12 +95,18 @@ interface(`cvs_exec',`
interface(`cvs_admin',`
gen_require(`
type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
- type cvs_data_t, cvs_var_run_t;
+ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ type cvs_home_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
+ allow $1 cvs_t:process signal_perms;
ps_process_pattern($1, cvs_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 cvs_t:process ptrace;
+ ')
+
+ # Allow cvs_t to restart the apache service
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
@@ -78,4 +120,7 @@ interface(`cvs_admin',`
files_list_pids($1)
admin_pattern($1, cvs_var_run_t)
+
+ userdom_search_user_home_dirs($1)
+ admin_pattern($1, cvs_home_t)
')
diff --git a/cvs.te b/cvs.te
index 53fc3af..d7cdaaf 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
## password files.
##
##
-gen_tunable(allow_cvs_read_shadow, false)
+gen_tunable(cvs_read_shadow, false)
type cvs_t;
type cvs_exec_t;
inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+init_domain(cvs_t, cvs_exec_t)
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t)
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
+type cvs_home_t;
+userdom_user_home_content(cvs_home_t)
+
########################################
#
# Local policy
#
-allow cvs_t self:capability { setuid setgid };
+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+userdom_search_user_home_dirs(cvs_t)
+allow cvs_t cvs_home_t:file read_file_perms;
+
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
+corenet_tcp_sendrecv_generic_if(cvs_t)
+corenet_udp_sendrecv_generic_if(cvs_t)
+corenet_tcp_sendrecv_generic_node(cvs_t)
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
+init_dontaudit_read_utmp(cvs_t)
+
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
-miscfiles_read_localization(cvs_t)
-
mta_send_mail(cvs_t)
-userdom_dontaudit_search_user_home_dirs(cvs_t)
-
# cjp: typeattribute doesnt work in conditionals yet
auth_can_read_shadow_passwords(cvs_t)
-tunable_policy(`allow_cvs_read_shadow',`
+tunable_policy(`cvs_read_shadow',`
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
@@ -103,4 +117,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
index 916427f..556f1ac 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
-corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_sendrecv_generic_if(cyphesis_t)
corenet_tcp_sendrecv_generic_node(cyphesis_t)
corenet_tcp_bind_generic_node(cyphesis_t)
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)
-files_read_etc_files(cyphesis_t)
-files_read_usr_files(cyphesis_t)
logging_send_syslog_msg(cyphesis_t)
-miscfiles_read_localization(cyphesis_t)
-
sysnet_dns_name_resolve(cyphesis_t)
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
index 6508280..a2860e3 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
')
+#######################################
+##