diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index eb183239..2b08ed69 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12763,7 +12763,7 @@ index 3f6e4dc..88c4f19 100644 mta_getattr_spool(comsat_t) diff --git a/condor.fc b/condor.fc -index 23dc348..7cc536b 100644 +index 23dc348..c4450f7 100644 --- a/condor.fc +++ b/condor.fc @@ -1,4 +1,5 @@ @@ -12772,6 +12772,15 @@ index 23dc348..7cc536b 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) +@@ -8,6 +9,8 @@ + /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + /usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + ++/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0) ++ + /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) + + /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if index 3fe3cb8..5fe84a6 100644 --- a/condor.if @@ -13229,10 +13238,20 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..95daaa7 100644 +index 3f2b672..39f85e7 100644 --- a/condor.te +++ b/condor.te -@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) +@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) + type condor_startd_tmpfs_t; + files_tmpfs_file(condor_startd_tmpfs_t) + ++type condor_etc_rw_t; ++files_config_file(condor_etc_rw_t) ++ + type condor_log_t; + logging_log_file(condor_log_t) + +@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t) type condor_var_run_t; files_pid_file(condor_var_run_t) 
@@ -13242,7 +13261,7 @@ index 3f2b672..95daaa7 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,10 +60,15 @@ condor_domain_template(startd) +@@ -57,15 +63,20 @@ condor_domain_template(startd) # Global local policy # @@ -13257,16 +13276,22 @@ index 3f2b672..95daaa7 100644 +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms; ++ ++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) - append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +94,12 @@ allow condor_domain condor_master_t:tcp_socket getattr; +-append_files_pattern(condor_domain, condor_log_t, condor_log_t) +-create_files_pattern(condor_domain, condor_log_t, condor_log_t) +-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) + logging_log_filetrans(condor_domain, condor_log_t, { dir file }) + + manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) +@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) -+ -+ corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) 
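Review bot: `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` gives every domain carrying the `condor_domain` attribute, including the job-running startd/starter domains, write access to all of `/etc/condor(/.*)?` (labeled `condor_etc_rw_t` in the condor.fc hunk and declared with `files_config_file` in the preceding condor.te hunk), so any one confined daemon can rewrite the configuration the master reads at startup. The changelog only says `(bug)`; if a single daemon actually needs the write, grant it to that domain alone and leave the rest at `read_files_pattern`, and record the reason above the rule, e.g. `# condor rewrites its own config at runtime, see <BUG-ID placeholder>`, so the exception is not widened later. In the same hunk `manage_files_pattern(condor_domain, condor_log_t, condor_log_t)` replaces append/create/getattr and therefore adds `unlink`/`rename`/`write` on logs for all condor domains; append-only logging is the better forensic property, so confirm that the daemons really rotate or truncate their own logs before keeping it.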
@@ -13276,18 +13301,19 @@ index 3f2b672..95daaa7 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +113,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +114,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) -logging_send_syslog_msg(condor_domain) -- --miscfiles_read_localization(condor_domain) +auth_read_passwd(condor_domain) +-miscfiles_read_localization(condor_domain) ++sysnet_dns_name_resolve(condor_domain) + tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +130,7 @@ optional_policy(` +@@ -125,7 +133,7 @@ optional_policy(` # Master local policy # 
@@ -13296,25 +13322,27 @@ index 3f2b672..95daaa7 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +138,8 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) +can_exec(condor_master_t, condor_master_exec_t) ++ ++kernel_read_system_state(condor_master_t) + corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t) - domain_read_all_domains_state(condor_master_t) - --auth_use_nsswitch(condor_master_t) -+auth_read_passwd(condor_master_t) + auth_use_nsswitch(condor_master_t) ++logging_send_syslog_msg(condor_master_t) ++ optional_policy(` mta_send_mail(condor_master_t) -@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; + mta_read_config(condor_master_t) +@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13323,7 +13351,7 @@ index 3f2b672..95daaa7 100644 ##################################### # # Negotiator local policy -@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; 
@@ -13332,7 +13360,17 @@ index 3f2b672..95daaa7 100644 ###################################### # # Procd local policy -@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; + +-allow condor_procd_t condor_startd_t:process sigkill; ++allow condor_procd_t condor_domain:process sigkill; ++ + + domain_read_all_domains_state(condor_procd_t) + +@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13341,7 +13379,7 @@ index 3f2b672..95daaa7 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13350,7 +13388,7 @@ index 3f2b672..95daaa7 100644 ##################################### # # Startd local policy -@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13363,7 +13401,7 @@ index 3f2b672..95daaa7 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +263,7 @@ optional_policy(` +@@ -249,3 +271,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -25262,10 +25300,10 @@ index 0000000..1ed97fe + 
diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..7244e2c +index 0000000..06e17e3 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25394,6 +25432,8 @@ index 0000000..7244e2c +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) + ++domain_read_all_domains_state(glusterd_t) ++ +domain_use_interactive_fds(glusterd_t) + +fs_mount_all_fs(glusterd_t) 
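Review bot: `domain_read_all_domains_state(glusterd_t)` lets glusterd read the /proc state of every domain on the host, which is considerably broader than a storage daemon's usual need, and the hunk gives no hint which denial motivated it. If glusterd only inspects the helper processes it spawns (nothing visible here shows which), a `ps_process_pattern` on those specific domains would be the narrower rule; otherwise add a one-line comment above it naming the process state it has to read. glusterd.te's body continues outside the hunk.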
@@ -29487,6 +29527,76 @@ index e207823..4e0f8ba 100644 userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_search_user_home_dirs(howl_t) +diff --git a/hypervkvp.fc b/hypervkvp.fc +new file mode 100644 +index 0000000..2a69ee4 +--- /dev/null ++++ b/hypervkvp.fc +@@ -0,0 +1,3 @@ ++/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) ++ ++/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) +diff --git a/hypervkvp.if b/hypervkvp.if +new file mode 100644 +index 0000000..7743be5 +--- /dev/null ++++ b/hypervkvp.if +@@ -0,0 +1,21 @@ ++ ++## policy for hypervkvp ++ ++######################################## ++## ++## Execute TEMPLATE in the hypervkvp domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hypervkvp_domtrans',` ++ gen_require(` ++ type hypervkvp_t, hypervkvp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t) ++') +diff --git a/hypervkvp.te b/hypervkvp.te +new file mode 100644 +index 0000000..fd3b26b +--- /dev/null ++++ b/hypervkvp.te +@@ -0,0 +1,28 @@ ++policy_module(hypervkvp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type hypervkvp_t; ++type hypervkvp_exec_t; ++init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) ++ ++type hypervkvp_initrc_exec_t; ++init_script_file(hypervkvp_initrc_exec_t) ++ ++######################################## ++# ++# hypervkvp local policy ++# ++# ++ ++allow hypervkvp_t self:fifo_file rw_fifo_file_perms; ++allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms; ++ ++logging_send_syslog_msg(hypervkvp_t) ++ ++miscfiles_read_localization(hypervkvp_t) ++ ++sysnet_dns_name_resolve(hypervkvp_t) diff --git a/i18n_input.te b/i18n_input.te index 3bed8fa..a738d7f 100644 --- a/i18n_input.te 
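Review bot: The interface summary in hypervkvp.if still carries the unedited skeleton text `Execute TEMPLATE in the hypervkvp domin.`, so the generated policy documentation will show the placeholder and the typo; replace it with `## Execute hv_kvp_daemon in the hypervkvp domain.` The local-policy header in hypervkvp.te also has a stray extra `# ` line that the other new modules on this page (lsm.te, redis.te) do not. hypervkvp.te declares `hypervkvp_initrc_exec_t`, yet the `.if` offers no initrc domtrans or admin interface as redis.if further down does; if that is deliberate for a first revision, a short comment saying so would save the next reviewer the question.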
@@ -35685,6 +35795,163 @@ index b9270f7..15f3748 100644 +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') +diff --git a/lsm.fc b/lsm.fc +new file mode 100644 +index 0000000..711c04b +--- /dev/null ++++ b/lsm.fc +@@ -0,0 +1,5 @@ ++/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) ++ ++/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) ++ ++/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0) +diff --git a/lsm.if b/lsm.if +new file mode 100644 +index 0000000..f3e94d7 +--- /dev/null ++++ b/lsm.if +@@ -0,0 +1,103 @@ ++ ++## lsmd SELINUX policy ++ ++######################################## ++## ++## Execute TEMPLATE in the lsmd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_domtrans',` ++ gen_require(` ++ type lsmd_t, lsmd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lsmd_exec_t, lsmd_t) ++') ++######################################## ++## ++## Read lsmd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lsmd_read_pid_files',` ++ gen_require(` ++ type lsmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t) ++') ++ ++######################################## ++## ++## Execute lsmd server in the lsmd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_systemctl',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 lsmd_unit_file_t:file read_file_perms; ++ allow $1 lsmd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, lsmd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an lsmd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`lsmd_admin',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_var_run_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ allow $1 lsmd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, lsmd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, lsmd_var_run_t) ++ ++ lsmd_systemctl($1) ++ admin_pattern($1, lsmd_unit_file_t) ++ allow $1 lsmd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/lsm.te b/lsm.te +new file mode 100644 +index 0000000..14fe4d7 +--- /dev/null ++++ b/lsm.te +@@ -0,0 +1,31 @@ ++policy_module(lsm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type lsmd_t; ++type lsmd_exec_t; ++init_daemon_domain(lsmd_t, lsmd_exec_t) ++ ++type lsmd_var_run_t; ++files_pid_file(lsmd_var_run_t) ++ ++type lsmd_unit_file_t; ++systemd_unit_file(lsmd_unit_file_t) ++ ++######################################## ++# ++# lsmd local policy ++# ++allow lsmd_t self:capability { setgid }; ++allow lsmd_t self:process { fork }; ++allow lsmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++ ++logging_send_syslog_msg(lsmd_t) diff --git a/mailman.fc b/mailman.fc index 7fa381b..bbe6b01 100644 --- a/mailman.fc @@ -42853,7 +43120,7 @@ index 97370e4..92138ca 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..f93fa69 100644 +index c48dc17..6355fb4 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,11 +1,24 @@ 
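Review bot: `/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)` in lsm.fc matches regular files only because of the `--` specifier, so the `/var/run/lsm` directory itself and any sockets in it keep the default `var_run_t`, and lsm.te has no `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })`, which means the `manage_dirs_pattern`/`manage_sock_files_pattern` rules on `lsmd_var_run_t` never apply to what lsmd actually creates. Drop the `--` (as `/var/run/redis(/.*)?` in redis.fc on this page does) and add the filetrans. Separately, `lsmd_admin` documents a role parameter but never uses `$2`, and `lsmd_systemctl` calls `systemd_read_fifo_file_password_run` while `lsmd_admin` calls `systemd_read_fifo_file_passwd_run`; unless both spellings exist in systemd.if, one of these calls will fail at build time (redis.if further down has the identical pair).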
@@ -42889,7 +43156,7 @@ index c48dc17..f93fa69 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) @@ -42905,6 +43172,7 @@ index c48dc17..f93fa69 100644 +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) @@ -43444,7 +43712,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..0f6abcb 100644 +index 9f6179e..94457fe 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -43617,7 +43885,7 @@ index 9f6179e..0f6abcb 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,22 @@ optional_policy(` +@@ -153,29 +160,23 @@ optional_policy(` ####################################### # @@ -43643,6 +43911,7 @@ index 9f6179e..0f6abcb 100644 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) 
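Review bot: `/var/log/mariadb(/.*)?` is now labeled `mysqld_log_t`, but the mysqld_safe hunk only adds `list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)`, and the earlier `logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)` sits on the removed side of the inner patch, so a `/var/log/mariadb` directory created at runtime by mysqld_safe rather than by the package would come up as `var_log_t`. If the daemon can create it, add `logging_log_filetrans(mysqld_safe_t, mysqld_log_t, { dir file })`; otherwise a comment `# /var/log/mariadb is created by the package, not by mysqld_safe` records why no filetrans is needed. The mysqld_safe local-policy block continues outside the hunk.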
@@ -43653,7 +43922,7 @@ index 9f6179e..0f6abcb 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -43681,7 +43950,7 @@ index 9f6179e..0f6abcb 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +209,7 @@ optional_policy(` +@@ -205,7 +210,7 @@ optional_policy(` ######################################## # @@ -43690,7 +43959,7 @@ index 9f6179e..0f6abcb 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -43708,7 +43977,7 @@ index 9f6179e..0f6abcb 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) 
@@ -67802,6 +68071,368 @@ index 9a8f052..3baa71a 100644 + + unconfined_domain_noaudit(realmd_consolehelper_t) ') +diff --git a/redis.fc b/redis.fc +new file mode 100644 +index 0000000..638d6b4 +--- /dev/null ++++ b/redis.fc +@@ -0,0 +1,11 @@ ++/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) ++ ++/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) ++ ++/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++ ++/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) ++ ++/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +diff --git a/redis.if b/redis.if +new file mode 100644 +index 0000000..72a2d7b +--- /dev/null ++++ b/redis.if +@@ -0,0 +1,271 @@ ++ ++## redis-server SELinux policy ++ ++######################################## ++## ++## Execute TEMPLATE in the redis domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`redis_domtrans',` ++ gen_require(` ++ type redis_t, redis_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, redis_exec_t, redis_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_initrc_domtrans',` ++ gen_require(` ++ type redis_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) ++') ++######################################## ++## ++## Read redis's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`redis_read_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Append to redis log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`redis_append_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Manage redis log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, redis_log_t, redis_log_t) ++ manage_files_pattern($1, redis_log_t, redis_log_t) ++ manage_lnk_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Search redis lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_search_lib',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ allow $1 redis_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_read_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_dirs',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Read redis PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`redis_read_pid_files',` ++ gen_require(` ++ type redis_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, redis_var_run_t, redis_var_run_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`redis_systemctl',` ++ gen_require(` ++ type redis_t; ++ type redis_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 redis_unit_file_t:file read_file_perms; ++ allow $1 redis_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, redis_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an redis environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`redis_admin',` ++ gen_require(` ++ type redis_t; ++ type redis_initrc_exec_t; ++ type redis_log_t; ++ type redis_var_lib_t; ++ type redis_var_run_t; ++ type redis_unit_file_t; ++ ') ++ ++ allow $1 redis_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, redis_t) ++ ++ redis_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 redis_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, redis_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, redis_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, redis_var_run_t) ++ ++ redis_systemctl($1) ++ admin_pattern($1, redis_unit_file_t) ++ allow $1 redis_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/redis.te b/redis.te +new file mode 100644 +index 0000000..e5e9cf7 +--- /dev/null ++++ b/redis.te +@@ -0,0 +1,62 @@ ++policy_module(redis, 1.0.0) ++ ++######################################## ++# ++# 
Declarations ++# ++ ++type redis_t; ++type redis_exec_t; ++init_daemon_domain(redis_t, redis_exec_t) ++ ++type redis_initrc_exec_t; ++init_script_file(redis_initrc_exec_t) ++ ++type redis_log_t; ++logging_log_file(redis_log_t) ++ ++type redis_var_lib_t; ++files_type(redis_var_lib_t) ++ ++type redis_var_run_t; ++files_pid_file(redis_var_run_t) ++ ++type redis_unit_file_t; ++systemd_unit_file(redis_unit_file_t) ++ ++######################################## ++# ++# redis local policy ++# ++ ++allow redis_t self:process { setrlimit signal_perms }; ++allow redis_t self:fifo_file rw_fifo_file_perms; ++allow redis_t self:unix_stream_socket create_stream_socket_perms; ++allow redis_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) ++manage_files_pattern(redis_t, redis_log_t, redis_log_t) ++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) ++ ++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++ ++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++ ++kernel_read_system_state(redis_t) ++ ++corenet_tcp_bind_generic_node(redis_t) ++corenet_tcp_bind_redis_port(redis_t) ++ ++dev_read_sysfs(redis_t) ++dev_read_urand(redis_t) ++ ++logging_send_syslog_msg(redis_t) ++ ++miscfiles_read_localization(redis_t) ++ ++sysnet_dns_name_resolve(redis_t) ++ diff --git a/remotelogin.fc b/remotelogin.fc index 327baf0..d8691bd 100644 --- a/remotelogin.fc @@ -84046,10 +84677,10 @@ index c6aaac7..a5600a8 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..e5433ad +index 0000000..744f0ce --- /dev/null 
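Review bot: The `redis_domtrans` summary in redis.if still reads `Execute TEMPLATE in the redis domin.`, the skeleton text, even though the changelog says the redis.if summary was fixed; only the module-level `## redis-server SELinux policy` line was corrected, so replace the interface line with `## Execute redis-server in the redis domain.` In redis.te the `redis local policy` section would also benefit from a comment explaining `allow redis_t self:process { setrlimit signal_perms };`, since `setrlimit` is not an obvious need for a key-value store and a reader cannot tell from the hunk whether it is for the maxclients fd limit or something else; `# redis raises RLIMIT_NOFILE for maxclients — confirm` would do until the denial is known. The whole redis module is new in this hunk, so there is no prior version to compare against.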
+++ b/swift.fc -@@ -0,0 +1,28 @@ +@@ -0,0 +1,29 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -84069,7 +84700,8 @@ index 0000000..e5433ad + +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + -+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) ++/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) ++/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + +# This seems to be a de-facto standard when using swift. +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) @@ -84209,10 +84841,10 @@ index 0000000..015c2c9 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..2d5942c +index 0000000..c7b2bf6 --- /dev/null +++ b/swift.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,69 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -84224,6 +84856,9 @@ index 0000000..2d5942c +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_var_cache_t; ++files_type(swift_var_cache_t) ++ +type swift_var_run_t; +files_pid_file(swift_var_run_t) + @@ -84245,6 +84880,11 @@ index 0000000..2d5942c +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++files_var_filetrans(swift_t,swift_var_cache_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) 
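Review bot: Changing `/var/run/swift(/.*)?` to `/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)` narrows the match to regular files, so the `/var/run/swift` directory itself reverts to `var_run_t`, and the new `/var/cache/swift(/.*)? --` entry has the same problem for `/var/cache/swift`; swift_t's `manage_dirs_pattern` rules on both types then never apply to the directories it works in. `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` covers a cache directory swift creates itself, but a package-installed one stays `var_t`, and there is no `files_pid_filetrans(swift_t, swift_var_run_t, { dir file })` at all. Drop the `--` on both fc lines, add the pid filetrans, and put a space after the comma in the `files_var_filetrans` call to match the surrounding style.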
@@ -91080,7 +91720,7 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..65dbdd3 100644 +index 1f22fba..cbd02ae 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -91615,7 +92255,7 @@ index 1f22fba..65dbdd3 100644 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; -allow virtd_t self:unix_stream_socket { accept connectto listen }; -allow virtd_t self:tcp_socket { accept listen }; -+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow virtd_t self:rawip_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d44ca85..5a79d4c6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -538,6 +538,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72 +- Add policy for lsmd +- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory +- Update condor_master rules to allow read system state info and allow logging +- Add labeling for /etc/condor and allow condor domain to write it (bug) +- Allow condor domains to manage own logs +- Allow glusterd to read domains state +- Fix initial hypervkvp policy +- Add policy for hypervkvpd +- Fix redis.if summary + * Wed Aug 21 2013 Miroslav Grepl 3.12.1-71 - Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984
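Review bot: Adding `relabelfrom relabelto` to `allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };` widens what the guest-managing daemon may do to its own sockets without any indication of why; socket relabeling is uncommon in policy and an unexplained grant here tends to be carried forward indefinitely. A comment above the rule such as `# libvirtd relabels its own unix sockets, see <BUG-ID placeholder>` (or the AVC that prompted it) would let a later reviewer judge whether it is still needed. The rest of the virtd_t self rules continue outside the hunk.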