Add vnstat policy

allow logrotate to mail syslog files
Allow chrom-sandbox to search nfs_t
Allow libvirt to send audit messages
Dontaudit leaked console to xauth

policy/modules/admin/logrotate.te

@@ -124,7 +124,12 @@ userdom_dontaudit_list_admin_dir(logrotate_t)
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
 
-mta_send_mail(logrotate_t)
+#mta_send_mail(logrotate_t)
+mta_base_mail_template(logrotate)
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+role system_r types logrotate_mail_t;
+logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;

policy/modules/apps/chrome.te

@@ -80,12 +80,13 @@ optional_policy(`
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
-	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-	fs_dontaudit_read_nfs_files(chrome_sandbox_t)
-	fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
+	fs_search_nfs(chrome_sandbox_t)
+	fs_read_inherited_nfs_files(chrome_sandbox_t)
+	fs_read_nfs_symlinks(chrome_sandbox_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+	fs_search_cifs(chrome_sandbox_t)
+	fs_read_inherited_cifs_files(chrome_sandbox_t)
 	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-	fs_dontaudit_read_cifs_files(chrome_sandbox_t)
 ')

policy/modules/kernel/filesystem.if

@@ -1233,6 +1233,24 @@ interface(`fs_dontaudit_append_cifs_files',`
 	dontaudit $1 cifs_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read inherited files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_read_inherited_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:file read_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or
@@ -2534,6 +2552,24 @@ interface(`fs_dontaudit_append_nfs_files',`
 	dontaudit $1 nfs_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read inherited files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_read_inherited_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	allow $1 nfs_t:file read_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or

policy/modules/roles/staff.te

@@ -152,6 +152,10 @@ optional_policy(`
 	virt_stream_connect(staff_t)
 ')
 
+optional_policy(`
+	vnstatd_read_lib_files(staff_t)
+')
+
 optional_policy(`
 	webadm_role_change(staff_r)
 ')

policy/modules/services/aiccu.te

@@ -23,7 +23,7 @@ files_pid_file(aiccu_var_run_t)
 # aiccu local policy
 #
 
-allow aiccu_t self:capability { kill net_admin };
+allow aiccu_t self:capability { kill net_admin net_raw };
 dontaudit aiccu_t self:capability sys_tty_config;
 allow aiccu_t self:process signal;
 allow aiccu_t self:fifo_file rw_fifo_file_perms;

policy/modules/services/cron.te

@@ -328,6 +328,10 @@ optional_policy(`
 	udev_read_db(crond_t)
 ')
 
+optional_policy(`
+	vnstatd_search_lib(crond_t)
+')
+
 ########################################
 #
 # System cron process domain

policy/modules/services/dbus.if

@@ -169,6 +169,7 @@ template(`dbus_role_template',`
 	')
 
 	optional_policy(`
+		xserver_search_xdm_lib($1_dbusd_t)
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')

policy/modules/services/rhcs.fc

@@ -8,6 +8,7 @@
 
 /var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
 
+/var/lib/cluster(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
 /var/lib/qdiskd(/.*)?				gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
 
 /var/log/cluster/.*\.*log			<<none>>

policy/modules/services/virt.te

@@ -350,6 +350,7 @@ modutils_read_module_config(virtd_t)
 modutils_manage_module_config(virtd_t)
 
 logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
 
 selinux_validate_context(virtd_t)
 

policy/modules/services/vnstatd.fc

@@ -0,0 +1,6 @@
+
+/usr/bin/vnstat		--	gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd	--	gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)?		gen_context(system_u:object_r:vnstatd_var_lib_t,s0)

policy/modules/services/vnstatd.if

@@ -0,0 +1,150 @@
+
+## <summary>policy for vnstatd</summary>
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+	gen_require(`
+		type vnstatd_t, vnstatd_exec_t;
+	')
+
+	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+	gen_require(`
+		type vnstat_t, vnstat_exec_t;
+	')
+
+	domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+##	Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	vnstatd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage vnstatd lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an vnstatd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+	gen_require(`
+		type vnstatd_t;
+                type vnstatd_var_lib_t;
+	')
+
+	allow $1 vnstatd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, vnstatd_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, vnstatd_var_lib_t)
+
+')

policy/modules/services/vnstatd.if~

@@ -0,0 +1,150 @@
+
+## <summary>policy for vnstatd</summary>
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run vnstatd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans',`
+	gen_require(`
+		type vnstatd_t, vnstatd_exec_t;
+	')
+
+	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
+')
+
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run vnstat.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_domtrans_vnstat',`
+	gen_require(`
+		type vnstat_t, vnstat_exec_t;
+	')
+
+	domtrans_pattern($1, vnstat_exec_t, vnstat_t)
+')
+
+########################################
+## <summary>
+##	Search vnstatd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_search_lib',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	allow $1 vnstatd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read vnstatd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_read_lib_files',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	vnstatd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_files',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage vnstatd lib dirs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`vnstatd_manage_lib_dirs',`
+	gen_require(`
+		type vnstatd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+        manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an vnstatd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vnstatd_admin',`
+	gen_require(`
+		type vnstatd_t;
+                type vnstatd_var_lib_t;
+	')
+
+	allow $1 vnstatd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, vnstatd_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, vnstatd_var_lib_t)
+
+')

policy/modules/services/vnstatd.te

@@ -0,0 +1,69 @@
+policy_module(vnstatd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+permissive vnstatd_t;
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
+# vnstatd local policy
+#
+allow vnstatd_t self:process { fork signal };
+
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# vnstat local policy
+#
+allow vnstat_t self:process { signal };
+
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+

policy/modules/services/vnstatd.te~

@@ -0,0 +1,76 @@
+policy_module(vnstatd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type vnstatd_t;
+type vnstatd_exec_t;
+init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+
+permissive vnstatd_t;
+
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
+type vnstat_t;
+domain_type(vnstat_t)
+type vnstat_exec_t;
+domain_entry_file(vnstat_t, vnstat_exec_t)
+cron_system_entry(vnstat_t, vnstat_exec_t)
+
+########################################
+#
+# vnstatd local policy
+#
+allow vnstatd_t self:process { fork signal };
+
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
+
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
+
+########################################
+#
+# vnstat local policy
+#
+allow vnstat_t self:process { signal };
+
+allow vnstat_t self:fifo_file rw_fifo_file_perms;
+allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
+
+kernel_read_network_state(vnstat_t)
+kernel_read_system_state(vnstat_t)
+
+domain_use_interactive_fds(vnstat_t)
+
+files_read_etc_files(vnstat_t)
+
+fs_getattr_xattr_fs(vnstat_t)
+
+logging_send_syslog_msg(vnstat_t)
+
+miscfiles_read_localization(vnstat_t)
+
+optional_policy(`
+	gen_require(`
+		type crond_t;
+	')
+	vnstatd_search_lib(crond_t)
+')
+

policy/modules/services/xserver.te

@@ -352,8 +352,9 @@ fs_dontaudit_leaks(xauth_t)
 fs_getattr_all_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
-# cjp: why?
-term_use_ptmx(xauth_t)
+# Probably a leak
+term_dontaudit_use_ptmx(xauth_t)
+term_dontaudit_use_console(xauth_t)
 
 auth_use_nsswitch(xauth_t)